How to Align a Software Consulting/Contract Firm to ISO 13485+14971 & 62304



Hello Everyone,

I recently joined this community because I was tasked with auditing my company's current QMS (which is ISO 9001:2008 certified) and doing a gap analysis on what would be necessary to align the company to ISO 13485. The jump to ISO 13485 would necessitate the implementation of new processes for risk management as defined and described in ISO 14971 (and for software in particular as described in IEC 80002-1). In addition, some moderate necessary language modifications and additions in the QMS would need to be made, as well as modifications and additions to the company activity/process maps. I also looked into the additional steps necessary for general IEC 62304 conformance as it is particularly relevant to the company's field of business. I think I have a fairly good understanding of what the collection of standards are trying to achieve and what should be done, IF the company were a traditional production/manufacturing company. The issue is, for me, that our company is not. It is a software contract/consulting company. Not every work item/project/contract follows all the steps laid out in Section 7 of ISO 13485 or the processes and activities laid out in IEC 62304. Our services are often bought "a la carte". A client might only pay for design work, or just testing review work, or simulations and testing tools, or isolated development work (refactoring/bug-fixing). Together all three of the aforementioned standards paint a good picture of how to run a full production run, but don't seem to provide much guidance for those in the service or subcontractor industries wherein only a piece of the process is the "product" or service referred to by the standards. As such I have the following questions:

1. Would it be possible to achieve ISO 13485 certification with language in our QMS that states that our company is only responsible for following the relevant sections of the ISO and IEC standards (13485/14971/62304) as applicable per each atomic activity that the client contracts/requests the company to complete? (Basically applying non-applicability to any and all items that fall outside the scope of the contracted work) Assume that the company has implemented processes and activities for each item necessary for standards compliance and/or conformance. The idea is in this way, the level of conformance is "chosen" by the client based on their needs, while the company overall maintains the processes necessary for complete conformance in its QMS.

For example:
a. If we are contracted to do only testing, then all of our output product (testing) follows all of the atomic rules for testing as laid out by the standards.
b. If the company were contracted to do isolated software development with all of the designs, documents, risk management items, and requirements etc. already received, the company would follow all of the "atomic" activity rules for software development as laid out in the standards using the provided documentation to the best of their ability. Received documents would be copied and used as seeds in document/design control and configuration management policies.
2. Say our company was contracted to do an isolated activity and NOT provided with the necessary prerequisites, such as a contract to refactor or modify an existing codeset with no design documents or risk management documents or procedures, etc. Let's continue to suppose that the client does not contract or request that the gaps to conformance be filled (whether because the client doesn't need them or does not wish to pay for them). Could our company apply non-applicability status in this case according to Section 7 as it pertains to ISO 13485? How does non-applicability differ from exclusion? Currently we have all of Sections 7.5 and 7.6, except for "7.5.4 Customer Property", excluded as per ISO 9001:2008, as they don't really relate to our processes, services and/or products. Thus, in our QMS these sections are simply explicitly noted as excluded. From my understanding we CAN'T exclude these items in 13485, only claim non-applicability. What is the functional difference here for our QMS? Are we required to describe and/or implement non-applicable processes, even if they aren't required or performed by our company? What about IEC 62304? By my reading there is NO official system for non-applicability of clauses in IEC 62304. This means, by my reading, that if the company wishes to certify and comply with 62304, there will be significant overhead on ALL actual code development projects, whether or not the client requests this overhead. Would the company be expected to perform these duties even if the client doesn't contract or request them, and if so, does anyone have any ideas on how to handle this overhead (cost) without passing all of it off to the client? (The overhead in man-hours spent on documentation and procedural conformance would increase the cost of every bid - something that, as a contract/consulting firm, is not desired.) How modular are the systems described in the standards?
The layout of requirements in the standards seems to discourage "a la carte" compliance, which admittedly is probably a good thing in general, but frustrating in this case. By my reading there is an implicit assumption that each party is fully responsible for NOT ONLY the work item they produce, BUT ALSO for the whole system. The standards assume that all of the parties involved in the process are high-level decision makers and equal stakeholders in the product realization process. As a consulting/contracting firm this is not always the case (I think).

3. Related to the above, one of the clauses on application in section 1.2 of ISO 13485 states, "The processes required by this International Standard, which are applicable to the medical device(s), but which are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system [see 4.2.2 a]." Now I understand from research that the intent of this line is to ensure that if company A contracts work for the product realization of a medical device, then company A is fully responsible for ensuring the compliance and conformance of that process, product or service. My concern is that this line doesn't differentiate between a first party producer, a contractor/consultant, or the product/intellectual property owner. The language seems to assume that those attempting to implement these standards are entities that satisfy a combination of the first and last items. By my current reading, a strict "letter of the law" approach implies that to truly claim conformance to ISO 13485, not only is the parent company responsible for complete standards compliance and conformance, BUT THAT ALSO THE CONTRACTOR/CONSULTING BODY is FULLY RESPONSIBLE for any and all standards compliance and conformance clauses, even those which would originate outside the scope of the contracted work!

4. Is it possible to achieve certification for the company as a whole but keep the work items/projects contracted as separate areas? If so, how would it be possible to achieve compliance if the area of work items looks like a spread of 90% non-compliant work (let's assume the best case, that all these non-compliant works are due to client request/contracts/non-applicability) and only 10% compliant work? I have only been researching all of this for a week, and even to me, that doesn't look very promising...

I apologize for the lengthy post. I have never done any auditing or standardization work before and have no real effective experience in the area. As such, I have a lot of questions and concerns about trying to bring the company up to standards compliance and certification. Thank you all for your time and consideration.


Ronen E

Hi Frank and welcome to the Cove

The number of (good) questions you ask and the level of detail you expect indicate that you might need a dedicated consultant to walk you through the QMS upgrade. The nature of this forum is that people like you volunteer their time, typically to answer a few focused questions at a time. You also have some basic misconceptions about ISO 13485 that require some lengthy discussion, if you really want to get a good grasp of what ISO 13485 is all about. As a header I'll just highlight that ISO 13485 is intended for companies manufacturing finished medical devices (a device can also be software).

Perhaps others will have more time to go into the detailed discussion. Meanwhile, I suggest you surf the Cove for threads related to ISO 13485 implementation by sub-contractors / component manufacturers.
