How to interpret '8.3 Control of nonconforming product' for SaMD device while implementing ISO 13485 & MDSAP

Sravan Manchikanti

Starting to get Involved
#1
Dear Elsmar Team,

I am currently working on developing a QMS for a SaMD start-up working on AI & ML based product.

When it comes to section 8.3 Control of nonconforming product for a SaMD (Software as Medical Device), I am really confused, as there wouldn't be any physical product that shall be treated as non-conforming product. At the same time, I feel we cannot declare this section as 'Not Applicable'.

There might be software bugs (non-conformance) during development/after release which might be considered as complaints. For that IEC 62304 suggests 'software problem resolution'.

In that case, what could be the best solution for addressing the ISO 13485 section 8.3 Control of nonconforming product, combining it with IEC 62304?
  • Can we replace 8.3 Control of nonconforming product with SW problem resolution?
  • What kind of SOPs are needed to address this requirement?
  • Where exactly does IEC 62304 'software problem resolution' come into the picture for a SaMD QMS?
  • How does 8.3.4 Rework apply to SaMD products? Can we take it as 'Not Applicable'?
I really appreciate your expert opinion on this question.
 

Tidge

Trusted Information Resource
#2
Keep in mind that you can have nonconformances in your quality system itself, and not just with products. I think it is overly optimistic to think that this part of 13485 is "not applicable". For example: 62304 is not going to be much help if you discover that the development team is choosing to not follow configuration management.

13485 is a Quality System standard, 62304 is a Product Lifecycle standard.

Edit: I should clarify, as my above remarks are about non-conformances in general. More specific to SaMD product nonconformances:

You will need to have some mechanism that speaks to 8.3.3 for customers who have already accepted (nonconforming) product. 62304 doesn't speak to this.

It is typical that the Nonconformance reporting system is a feeder into Corrective Actions. CA is a different sort of process than software issue resolution. You could try to have your software issue system feed directly into CAPA, but I think that would rapidly become a mess.
 

yodon

Staff member
Super Moderator
#3
At the core, a nonconformance is a failure to meet specification so if you released software that ultimately failed a requirement, you could consider it an NC. To me, that muddies the water, though. (I have had auditors argue that software failures must be NCs, by the way.) As @Tidge points out, NCs aren't limited to product so you definitely need that aspect in your QMS. And there may even be product-related NCs if you released the wrong version or something.

In my thinking, any time after release that you have problems identified and determine a fix is in order, you really just do a design cycle (Product Realization in 13485). That, of course, includes risk management.

Agree you won't have rework.

Regarding feeding into CAPA, indeed, be careful or it will get messy. HOWEVER, you should be getting metrics on issues and if you have a systemic failure, you can certainly drive software development process improvements through the CAPA process. For example, maybe you find that you're having memory leaks. Maybe you drive improvements to testing or even code inspections.
 

Tagin

Trusted Information Resource
#4
Not a medical device guy, but 8.3 says "The organization shall ensure that product which does not conform to product requirements is identified and controlled to prevent its unintended use or delivery."

So my take would be that 'nonconforming product' in this case could include things like libraries, compiled code, etc. that are 'produced' but which are not conforming (e.g., wrong compile switches were used, wrong library version, etc.). How does your system prevent these 'products' from "unintended use or delivery"?

How do you prevent code corruption from creeping in? Do you use SHA256 hashes? At what stages?
How do you prevent sending old revision software?

In short, for 8.3.2 - what keeps bad or incorrect software from reaching the customer? (and if you find bad/incorrect software, what do you do with it?)
And for 8.3.3 - what are your procedures for nonconforming software found after sending to the customer?
 

mihzago

Trusted Information Resource
#5
I do not have a specific "non conforming product procedure" but in the Quality Manual I'm referencing Software Problem Resolution Process and Design Transfer, because these are the two main procedures where all defects are addressed.
You could probably also reference Configuration Management.

Separately I have procedures dealing with defects before or after release (e.g. recall, complaints, CAPA, data analysis) that point to or reference the procedures above.
 
#6
Hi Sravan,

I'm interested to know how you went with this if you would be willing to share what direction you went in?
I thought that Tagin's take on this was interesting, 'what keeps bad or incorrect software from reaching the customer?', and incorporated it into my own processes. My NCP for SaMD process is now much more integrated with my software release and software pre-installation procedures.
 

yodon

Staff member
Super Moderator
#7
I'll weigh in on a couple of things.

'what keeps bad or incorrect software from reaching the customer?'
You CAN'T! :) Seriously, there's no such thing as bug-free software. And 62304 acknowledges it. For a release, you list all known anomalies, assess their impact on safety, and if unlikely to cause harm, it may be ok to release, with justification. When issues are reported from the field, you need to review those to determine any necessary actions and urgency.

How do you prevent code corruption from creeping in?
Our normal process is to include a checksum verification during install and at launch.
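
The hash and revision checks raised in posts #4 and #7, as an added example that is not part of the thread or any poster's own process: a release gate that compares an installed build against a release manifest and reports each nonconformance. The manifest layout, the file names and the `check_release` function are assumptions made for illustration, and the sample build is constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_release(install_dir: Path, manifest: dict, approved_version: str) -> list:
    """Return the list of nonconformances; an empty list means the build may be used.
    Hypothetical manifest layout: {"version": str, "files": {relative_path: sha256_hex}}."""
    findings = []
    # Old or wrong revision: the manifest must name the currently approved release.
    if manifest["version"] != approved_version:
        findings.append(f"version {manifest['version']} is not the approved release {approved_version}")
    expected = manifest["files"]
    # Corruption or substitution: every listed file must exist with the recorded hash.
    for rel, digest in sorted(expected.items()):
        p = install_dir / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif not hmac.compare_digest(sha256_file(p), digest):
            findings.append(f"hash mismatch: {rel}")
    # Wrong library or stray artifact: nothing outside the manifest may be present.
    present = {p.relative_to(install_dir).as_posix() for p in install_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - set(expected)):
        findings.append(f"unlisted file: {rel}")
    return findings

def demo() -> dict:
    """Run the gate over a constructed build: clean, old revision, then tampered."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.bin").write_bytes(b"constructed build 2.1.0")
        (root / "model.onnx").write_bytes(b"constructed model weights")
        manifest = {"version": "2.1.0",
                    "files": {n: sha256_file(root / n) for n in ("app.bin", "model.onnx")}}
        clean = check_release(root, manifest, "2.1.0")
        old = check_release(root, dict(manifest, version="2.0.3"), "2.1.0")
        (root / "model.onnx").write_bytes(b"corrupted")
        (root / "libextra.so").write_bytes(b"wrong library")
        tampered = check_release(root, manifest, "2.1.0")
        return {"clean": clean, "old": old, "tampered": tampered}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "conforming")
```

The manifest has to come from the controlled release record; a checksum stored beside the files it covers detects corruption, not deliberate substitution.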
 

Sravan Manchikanti

Starting to get Involved
#8
Hi @Sravan,

I'm interested to know how you went with this if you would be willing to share what direction you went in?
Dear Lancaster,

Thank you for rejuvenating the thread :).

I do not have a specific "non conforming product procedure" but in the Quality Manual I'm referencing Software Problem Resolution Process and Design Transfer, because these are the two main procedures where all defects are addressed.
You could probably also reference Configuration Management.
We have followed mihzago's advice. We don't have a specific "non conforming product procedure" but augmented the section with Software problem management & Incident Management procedures along with SW Release management. On top of that, we have other procedures like configuration management, CAPA and Regulatory reporting etc. referred to in these SOPs.
 