How to Align a Software Consulting/Contract Firm to ISO 13485+14971 & 62304

fottey

#1
Hello Everyone,

I recently joined this community because I was tasked with auditing my company's current QMS (which is ISO 9001:2008 certified) and doing a gap analysis on what would be necessary to align the company to ISO 13485. The jump to ISO 13485 would necessitate the implementation of new processes for risk management as defined and described in ISO 14971 (and for software in particular as described in IEC 80002-1). In addition, some moderate language modifications and additions in the QMS would need to be made, as well as modifications and additions to the company activity/process maps. I also looked into the additional steps necessary for general IEC 62304 conformance, as it is particularly relevant to the company's field of business. I think I have a fairly good understanding of what the collection of standards is trying to achieve and what should be done, IF the company were a traditional production/manufacturing company. The issue, for me, is that our company is not. It is a software contract/consulting company. Not every work item/project/contract follows all the steps laid out in Section 7 of ISO 13485 or the processes and activities laid out in IEC 62304. Our services are often bought "a la carte". A client might only pay for design work, or just testing review work, or simulations and testing tools, or isolated development work (refactoring/bug-fixing). Together all three of the aforementioned standards paint a good picture of how to run a full production run, but don't seem to provide much guidance for those in the service or subcontractor industries wherein only a piece of the process is the "product" or service referred to by the standards. As such I have the following questions:

1. Would it be possible to achieve ISO 13485 certification with language in our QMS that states that our company is only responsible for following the relevant sections of the ISO and IEC standards (13485/14971/62304) as applicable to each atomic activity that the client contracts/requests the company to complete? (Basically applying non-applicability to any and all items that fall outside the scope of the contracted work.) Assume that the company has implemented processes and activities for each item necessary for standards compliance and/or conformance. The idea is that in this way the level of conformance is "chosen" by the client based on their needs, while the company overall maintains the processes necessary for complete conformance in its QMS.

For example:
a. If we are contracted to do only testing, then all of our output product (testing) follows all of the atomic rules for testing as laid out by the standards.
b. If the company were contracted to do isolated software development with all of the designs, documents, risk management items, requirements, etc. already received, the company would follow all of the "atomic" activity rules for software development as laid out in the standards, using the provided documentation to the best of its ability. Received documents would be copied and used as seeds in document/design control and configuration management policies.

2. Say our company was contracted to do an isolated activity and NOT provided with the necessary prerequisites, such as a contract to refactor or modify an existing codeset with no design documents or risk management documents or procedures, etc. Let's continue to suppose that the client does not contract or request that the gaps to conformance be filled (whether because the client doesn't need them or does not wish to pay for them). Could our company apply non-applicability status in this case according to Section 7 as it pertains to ISO 13485? How does non-applicability differ from exclusion? Currently we have all of Sections 7.5 and 7.6 except for "7.5.4 Customer Property" excluded as per ISO 9001:2008, as they don't really relate to our processes, services and/or products. Thus, in our QMS these sections are simply explicitly noted as excluded. From my understanding we CAN'T exclude these items in 13485, only claim non-applicability. What is the functional difference here for our QMS? Are we required to describe and/or implement non-applicable processes, even if they aren't required or performed by our company? What about IEC 62304? By my reading there is NO official system for non-applicability to clauses in IEC 62304. This means, by my reading, that if the company wishes to certify and comply with 62304, there will be significant overhead on ALL actual code development projects, whether or not the client requests this overhead. Would the company be expected to perform these duties even if the client doesn't contract or request them, and if so, does anyone have any ideas on how to handle this overhead (cost) without passing all of it off to the client? (The overhead in man-hours spent on documentation and procedural conformance would increase the cost of every bid, something that, as a contract/consulting firm, is not desired.) How modular are the systems described in the standards?
The layout of requirements in the standards seems to discourage "a la carte" compliance, which admittedly is probably a good thing in general, but frustrating in this case. By my reading there is an implicit assumption that each party is fully responsible for NOT ONLY the work item they produce, BUT ALSO for the whole system. The standards assume that all of the parties involved in the process are high-level decision makers and equal stakeholders in the product realization process. As a consulting/contracting firm this is not always the case (I think).

3. Related to the above, one of the clauses on application in section 1.2 of ISO 13485 states, "The processes required by this International Standard, which are applicable to the medical device(s), but which are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system [see 4.2.2 a]." Now I understand from research that the intent of this line is to ensure that if company A contracts work for the product realization of a medical device, then company A is fully responsible for ensuring the compliance and conformance of that process, product or service. My concern is that this line doesn't differentiate between a first-party producer, a contractor/consultant, or the product/intellectual property owner. The language seems to assume that those attempting to implement these standards are entities that satisfy a combination of the first and last items. By my current reading, a strict "letter of the law" approach implies that to truly claim conformance to ISO 13485, not only is the parent company responsible for complete standards compliance and conformance, BUT ALSO THE CONTRACTOR/CONSULTING BODY is FULLY RESPONSIBLE for any and all standards compliance and conformance clauses, even those which would originate outside the scope of the contracted work!

4. Is it possible to achieve certification for the company as a whole but keep the work items/projects contracted as separate areas? If so, how would it be possible to achieve compliance if the area of work items looks like a spread of 90% non-compliant work (let's assume the best case, that all these non-compliant works are due to client request/contracts/non-applicability) and only 10% compliant work? I have only been researching all of this for a week, and even to me, that doesn't look very promising...

I apologize for the lengthy post. I have never done any auditing or standardization work before and have no real effective experience in the area. As such, I have a lot of questions and concerns about trying to bring the company up to standards compliance and certification. Thank you all for your time and consideration.

Frank

Ronen E

Problem Solver
Staff member
Moderator
#2
Hi Frank and welcome to the Cove

The number of (good) questions you ask and the level of detail you expect indicate that you might need a dedicated consultant to walk you through the QMS upgrade. The nature of this forum is that people like you volunteer their time, typically to answer a few focused questions at a time. You also have some basic misconceptions about ISO 13485 that require some lengthy discussion, if you really want to get a good grasp of what ISO 13485 is all about. As a header I'll just highlight that ISO 13485 is intended for companies manufacturing finished medical devices (a device can also be software).

Perhaps others will have more time to go into the detailed discussion. Meanwhile, I suggest you surf the Cove for threads related to ISO 13485 implementation by sub-contractors / component manufacturers.

Cheers,
Ronen.