How to Align a Software Consulting/Contract Firm to ISO 13485+14971 & 62304



Hello Everyone,

I recently joined this community because I was tasked with auditing my company's current QMS (which is ISO 9001:2008 certified) and doing a gap analysis on what would be necessary to align the company to ISO 13485. The jump to ISO 13485 would necessitate the implementation of new processes for risk management as defined and described in ISO 14971 (and for software in particular as described in IEC 80002-1). In addition, some moderate language modifications and additions in the QMS would need to be made, as well as modifications and additions to the company activity/process maps. I also looked into the additional steps necessary for general IEC 62304 conformance, as it is particularly relevant to the company's field of business. I think I have a fairly good understanding of what the collection of standards is trying to achieve and what should be done, IF the company were a traditional production/manufacturing company. The issue, for me, is that our company is not. It is a software contract/consulting company. Not every work item/project/contract follows all the steps laid out in Section 7 of ISO 13485 or the processes and activities laid out in IEC 62304. Our services are often bought "a la carte". A client might only pay for design work, or just testing review work, or simulations and testing tools, or isolated development work (refactoring/bug-fixing). Together, all three of the aforementioned standards paint a good picture of how to run a full production run, but don't seem to provide much guidance for those in the service or subcontractor industries wherein only a piece of the process is the "product" or service referred to by the standards. As such I have the following questions:

1. Would it be possible to achieve ISO 13485 certification with language in our QMS that states that our company is only responsible for following the relevant sections of the ISO and IEC standards (13485/14971/62304) as applicable per each atomic activity that the client contracts/requests the company to complete? (Basically applying non-applicability to any and all items that fall outside the scope of the contracted work) Assume that the company has implemented processes and activities for each item necessary for standards compliance and/or conformance. The idea is in this way, the level of conformance is "chosen" by the client based on their needs, while the company overall maintains the processes necessary for complete conformance in its QMS.

For example:
a. If we are contracted to do only testing, then all of our output product (testing) follows all of the atomic rules for testing as laid out by the standards.
b. If the company were contracted to do isolated software development with all of the designs, documents, risk management items, and requirements etc. already received, the company would follow all of the "atomic" activity rules for software development as laid out in the standards using the provided documentation to the best of their ability. Received documents would be copied and used as seeds in document/design control and configuration management policies.
2. Say our company was contracted to do an isolated activity and NOT provided with the necessary prerequisites, such as a contract to refactor or modify an existing codeset with no design documents or risk management documents or procedures, etc. Let's continue to suppose that the client does not contract, or request, that the gaps to conformance be filled (whether because the client doesn't need them or does not wish to pay for them). Could our company apply non-applicability status in this case according to Section 7 as it pertains to ISO 13485? How does non-applicability differ from exclusion? Currently we have all of Section 7.5 and 7.6 except for "7.5.4 Customer Property" excluded as per ISO 9001:2008, as they don't really relate to our processes, services and/or products. Thus, in our QMS these sections are simply explicitly noted as excluded. From my understanding we CAN'T exclude these items in 13485, only claim non-applicability. What is the functional difference here for our QMS? Are we required to describe and/or implement non-applicable processes, even if they aren't required or performed by our company? What about IEC 62304? By my reading there is NO official system for non-applicability of clauses in IEC 62304. This means, by my reading, that if the company wishes to certify and comply to 62304, there will be significant overhead on ALL actual code development projects, whether or not the client requests this overhead. Would the company be expected to perform these duties even if the client doesn't contract or request them, and if so, does anyone have any ideas on how to handle this overhead (cost) without passing all of it off to the client? (The overhead in man-hours spent on documentation and procedural conformance would increase the cost of every bid, something that, as a contract/consulting firm, is not desired.) How modular are the systems described in the standards?
The layout of requirements in the standards seems to discourage "a la carte" compliance, which admittedly is probably a good thing in general, but frustrating in this case. By my reading there is an implicit assumption that each party is fully responsible for NOT ONLY the work item they produce, BUT ALSO for the whole system. The standards assume that all of the parties involved in the process seem to be high-level decision makers and are equal stakeholders and decision makers in the product realization process. As a consulting/contracting firm this is not always the case (I think).

3. Related to the above, one of the clauses on application in Section 1.2 of ISO 13485 states, "The processes required by this International Standard, which are applicable to the medical device(s), but which are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system [see 4.2.2 a]." Now I understand from research that the intent of this line is to ensure that if company A contracts work for the product realization of a medical device, then company A is fully responsible for ensuring the compliance and conformance of that process, product or service. My concern is that this line doesn't differentiate between a first-party producer, a contractor/consultant, or the product/intellectual property owner. The language seems to assume that those attempting to implement these standards are entities that satisfy a combination of the first and last items. By my current reading, a strict "letter of the law" approach implies that to truly claim conformance to ISO 13485, not only is the parent company responsible for complete standards compliance and conformance, BUT ALSO THE CONTRACTOR/CONSULTING BODY is FULLY RESPONSIBLE for any and all standards compliance and conformance clauses, even those which would originate outside the scope of the contracted work!

4. Is it possible to achieve certification for the company as a whole but keep the work items/projects contracted as separate areas? If so, how would it be possible to achieve compliance if the area of work items looks like a spread of 90% non-compliant work (let's assume the best case, that all these non-compliant works are due to client request/contracts/non-applicability) and only 10% compliant work? I have only been researching all of this for a week, and even to me, that doesn't look very promising...

I apologize for the lengthy post. I have never done any auditing or standardization work before and have no real effective experience in the area. As such, I have a lot of questions and concerns about trying to bring the company up to standards compliance and certification. Thank you all for your time and consideration.


Ronen E

Problem Solver
Hi Frank and welcome to the Cove

The number of (good) questions you ask and the level of detail you expect indicate that you might need a dedicated consultant to walk you through the QMS upgrade. The nature of this forum is that people like you volunteer their time, typically to answer a few focused questions at a time. You also have some basic misconceptions about ISO 13485 that require some lengthy discussion, if you really want to get a good grasp of what ISO 13485 is all about. As a header I'll just highlight that ISO 13485 is intended for companies manufacturing finished medical devices (a device can also be software).

Perhaps others will have more time to go into the detailed discussion. Meanwhile, I suggest you surf the Cove for threads related to ISO 13485 implementation by sub-contractors / component manufacturers.
