How to Align a Software Consulting/Contract Firm to ISO 13485+14971 & 62304

fottey

#1
Hello Everyone,


I recently joined this community because I was tasked with auditing my company's current QMS (which is ISO 9001:2008 certified) and doing a gap analysis on what would be necessary to align the company to ISO 13485. The jump to ISO 13485 would necessitate the implementation of new processes for risk management as defined and described in ISO 14971 (and for software in particular as described in IEC 80002-1). In addition, some moderate necessary language modifications and additions in the QMS would need to be made, as well as modifications and additions to the company activity/process maps. I also looked into the additional steps necessary for general IEC 62304 conformance as it is particularly relevant to the company's field of business. I think I have a fairly good understanding of what the collection of standards is trying to achieve and what should be done, IF the company were a traditional production/manufacturing company. The issue is, for me, that our company is not. It is a software contract/consulting company. Not every work item/project/contract follows all the steps laid out in Section 7 of ISO 13485 or the processes and activities laid out in IEC 62304. Our services are often bought "a la carte". A client might only pay for design work, or just testing review work, or simulations and testing tools, or isolated development work (refactoring/bug-fixing). Together all three of the aforementioned standards paint a good picture of how to run a full production run, but don't seem to provide much guidance for those in the service or subcontractor industries wherein only a piece of the process is the "product" or service referred to by the standards. As such I have the following questions:


1. Would it be possible to achieve ISO 13485 certification with language in our QMS that states that our company is only responsible for following the relevant sections of the ISO and IEC standards (13485/14971/62304) as applicable per each atomic activity that the client contracts/requests the company to complete? (Basically applying non-applicability to any and all items that fall outside the scope of the contracted work) Assume that the company has implemented processes and activities for each item necessary for standards compliance and/or conformance. The idea is in this way, the level of conformance is "chosen" by the client based on their needs, while the company overall maintains the processes necessary for complete conformance in its QMS.

For example:
a. If we are contracted to do only testing, then all of our output product (testing) follows all of the atomic rules for testing as laid out by the standards.
b. If the company were contracted to do isolated software development with all of the designs, documents, risk management items, and requirements etc. already received, the company would follow all of the "atomic" activity rules for software development as laid out in the standards using the provided documentation to the best of their ability. Received documents would be copied and used as seeds in document/design control and configuration management policies.
2. Say our company was contracted to do an isolated activity and NOT provided with necessary prerequisites, such as a contract to refactor or modify an existing codeset with no design documents or risk management documents or procedures, etc. Let's continue to suppose that the client does not contract, or request, that the gaps to conformance be filled (whether the client doesn't need them or does not wish to pay for them). Could our company apply non-applicability status in this case according to section 7 as it pertains to ISO 13485? How does non-applicability differ from exclusion? Currently we have all of Section 7.5 and 7.6 except for "7.5.4 Customer Property" excluded as per ISO 9001:2008 as they don't really relate to our processes, services and/or products. Thus, in our QMS these sections are simply explicitly noted as excluded. From my understanding we CAN'T exclude these items in 13485, only claim non-applicability. What is the functional difference here for our QMS? Are we required to describe and/or implement non-applicable processes, even if they aren't required or performed by our company? What about IEC 62304? By my reading there is NO official system for non-applicability to clauses in IEC 62304. This means, by my reading, that if the company wishes to certify and comply to 62304, there will be significant overhead to ALL actual code development projects, whether or not the client requests this overhead. Would the company be expected to perform these duties even if the client doesn't contract or request them, and if so, does anyone have any ideas on how to handle this overhead (cost) without passing all of it off to the client? (The overhead in man-hours spent on documentation and procedural conformance would increase the cost of every bid, something that, as a contract/consulting firm, is not desired.) How modular are the systems described in the standards?
The layout of requirements in the standards seems to discourage "a la carte" compliance, which admittedly is probably a good thing in general, but frustrating in this case. By my reading there is an implicit assumption that each party is fully responsible for NOT ONLY the work item they produce, BUT ALSO for the whole system. The standards assume that all of the parties involved in the process are high-level decision makers and are equal stakeholders and decision makers in the product realization process. As a consulting/contracting firm this is not always the case (I think).

3. Related to the above, one of the clauses on application in section 1.2 of ISO 13485 states, "The processes required by this International Standard, which are applicable to the medical device(s), but which are not performed by the organization, are the responsibility of the organization and are accounted for in the organization's quality management system [see 4.2.2 a]." Now I understand from research that the intent of this line is to ensure that if company A contracts work for the product realization of a medical device, then company A is fully responsible for ensuring the compliance and conformance of that process, product or service. My concern is that this line doesn't differentiate between a first party producer, a contractor/consultant, or the product/intellectual property owner. The language seems to assume that those attempting to implement these standards are entities that satisfy a combination of the first and last items. By my current reading, a strict "letter of the law" approach implies that to truly claim conformance to ISO 13485, not only is the parent company responsible for complete standards compliance and conformance, BUT THAT ALSO THE CONTRACTOR/CONSULTING BODY is FULLY RESPONSIBLE for any and all standards compliance and conformance clauses, even those which would originate outside the scope of the contracted work!

4. Is it possible to achieve certification for the company as a whole but keep the work items/projects contracted as separate areas? If so, how would it be possible to achieve compliance if the area of work items looks like a spread of 90% non-compliant work (let's assume the best case, that all these non-compliant works are due to client request/contracts/non-applicability) and only 10% compliant work? I have only been researching all of this for a week, and even to me, that doesn't look very promising...

I apologize for the lengthy post. I have never done any auditing or standardization work before and have no real effective experience in the area. As such, I have a lot of questions and concerns about trying to bring the company up to standards compliance and certification. Thank you all for your time and consideration.

Frank

Ronen E

#2
Hi Frank and welcome to the Cove

The number of (good) questions you ask and the level of detail you expect indicate that you might need a dedicated consultant to walk you through the QMS upgrade. The nature of this forum is that people like you volunteer their time, typically to answer a few focused questions at a time. You also have some basic misconceptions about ISO 13485 that require some lengthy discussion, if you really want to get a good grasp of what ISO 13485 is all about. As a header I'll just highlight that ISO 13485 is intended for companies manufacturing finished medical devices (a device can also be software).

Perhaps others will have more time to go into the detailed discussion. Meanwhile, I suggest you surf the Cove for threads related to ISO 13485 implementation by sub-contractors / component manufacturers.

Cheers,
Ronen.