How to Align a Software Consulting/Contract Firm to ISO 13485+14971 & 62304

Hello Everyone,

I recently joined this community because I was tasked with auditing my company's current QMS (which is ISO 9001:2008 certified) and doing a gap analysis on what would be necessary to align the company to ISO 13485. The jump to ISO 13485 would necessitate the implementation of new processes for risk management as defined and described in ISO 14971 (and to software in particular as described in IEC 80002-1). In addition, some moderate necessary language modifications and additions in the QMS would need to be made, as well as modifications and additions to the company activity/process maps. I also looked into the additional steps necessary for general IEC 62304 conformance as it is particularly relevant to the company's field of business. I think I have a fairly good understanding of what the collection of standards are trying to achieve and what should be done, IF the company were a traditional production/manufacturing company. The issue is, for me, that our company is not. It is a software contract/consulting company. Not every work item/project/contract follows all the steps laid out in Section 7 of ISO 13485 or the processes and activities laid out in IEC 62304. Our services are often bought "a la carte". A client might only pay for design work, or just testing review work, or simulations and testing tools, or isolated development work (refactoring/bug-fixing). Together all three of the aforementioned standards paint a good picture of how to run a full production run, but don't seem to provide much guidance for those in the service or subcontractor industries wherein only a piece of the process is the "product" or service referred to by the standards. As such I have the following questions:

1. Would it be possible to achieve ISO 13485 certification with language in our QMS that states that our company is only responsible for following the relevant sections of the ISO and IEC standards (13485/14971/62304) as applicable per each atomic activity that the client contracts/requests the company to complete? (Basically applying non-applicability to any and all items that fall outside the scope of the contracted work) Assume that the company has implemented processes and activities for each item necessary for standards compliance and/or conformance. The idea is in this way, the level of conformance is "chosen" by the client based on their needs, while the company overall maintains the processes necessary for complete conformance in its QMS.

For example:
a. If we are contracted to do only testing, then all of our output product (testing) follows all of the atomic rules for testing as laid out by the standards.
b. If the company were contracted to do isolated software development with all of the designs, documents, risk management items, and requirements etc. already received, the company would follow all of the "atomic" activity rules for software development as laid out in the standards using the provided documentation to the best of their ability. Received documents would be copied and used as seeds in document/design control and configuration management policies.
2. Say our company was contracted to do an isolated activity and NOT provided with necessary prerequisites, such as a contract to refactor or modify an existing codeset with no design documents or risk management documents or procedures, etc. Let's continue to suppose that the client does not contract, or request, that the gaps to conformance be filled (whether the client doesn't need them or does not wish to pay for them). Could our company apply non-applicability status in this case according to section 7 as it pertains to ISO 13485? How does non-applicability differ vs. exclusion? Currently we have all of Section 7.5 and 7.6 except for "7.5.4 Custom Property" excluded as per ISO 9001:2008 as they don't really relate to our processes, services and/or products. Thus, in our QMS these sections are simply explicitly noted as excluded. From my understanding we CAN'T exclude these items in 13485, only claim non-applicability. What is the functional difference here for our QMS? Are we required to describe and/or implement non-applicable processes, even if they aren't required or performed by our company? What about IEC 62304? By my reading there is NO official system for non-applicability to clauses in IEC 62304. This means, by my reading, that if the company wishes to certify and comply to 62304, there will be significant overhead to ALL actual code development projects, whether or not the client requests this overhead. Would the company be expected to perform these duties even if the client doesn't contract or request them, and if so, does anyone have any ideas on how to handle this overhead (cost) without passing all of it off to the client? (The overhead in man-hours spent on documentation and procedural conformance would increase the cost of every bid - something that, as a contract/consulting firm, is not desired.) How modular are the systems described in the standards?
The layout of requirements in the standards seems to discourage "a la carte" compliance, which admittedly is probably a good thing in general, but frustrating in this case. By my reading there is an implicit assumption that each party is fully responsible for NOT ONLY the work item they produce, BUT ALSO for the whole system. The standards assume that all of the parties involved in the process seem to be high-level decision makers and are equal stakeholders and decision makers in the product realization process. As a consulting/contracting firm this is not always the case (I think).

3. Related to the above, one of the clauses on application in section 1.2 of ISO 13485 states, "The processes required by this International Standard, which are applicable to the medical device(s), but which are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system [see 4.2.2 a]." Now I understand from research that the intent of this line is to ensure that if company A contracts work for the product realization of a medical device, then company A is fully responsible for ensuring the compliance and conformance of that process, product or service. My concern is that this line doesn't differentiate between a first party producer, a contractor/consultant, or the product/intellectual property owner. The language seems to assume that those attempting to implement these standards are entities that satisfy a combination of the first and last items. By my current reading, a strict "letter of the law" approach implies that to truly claim conformance to ISO 13485, not only is the parent company responsible for complete standards compliance and conformance, BUT THAT ALSO THE CONTRACTOR/CONSULTING BODY is FULLY RESPONSIBLE for any and all standards compliance and conformance clauses, even those which would originate outside the scope of the contracted work!

4. Is it possible to achieve certification for the company as a whole but keep the work items/projects contracted as separate areas? If so, how would it be possible to achieve compliance if the area of work items looks like a spread of 90% non-compliant work (let's assume the best case, that all these non-compliant works are due to client request/contracts/non-applicability) and only 10% compliant work? I have only been researching all of this for a week, and even to me, that doesn't look very promising...

I apologize for the lengthy post. I have never done any auditing or standardization work before and have no real effective experience in the area. As such, I have a lot of questions and concerns about trying to bring the company up to standards compliance and certification. Thank you all for your time and consideration.


Ronen E

Problem Solver
Hi Frank and welcome to the Cove

The number of (good) questions you ask and the level of detail you expect indicate that you might need a dedicated consultant to walk you through the QMS upgrade. The nature of this forum is that people like you volunteer their time, typically to answer a few focused questions at a time. You also have some basic misconceptions about ISO 13485 that require some lengthy discussion, if you really want to get a good grasp of what ISO 13485 is all about. As a header I'll just highlight that ISO 13485 is intended for companies manufacturing finished medical devices (a device can also be software).

Perhaps others will have more time to go into the detailed discussion. Meanwhile, I suggest you surf the Cove for threads related to ISO 13485 implementation by sub-contractors / component manufacturers.
