How to interpret '8.3 Control of nonconforming product' for SaMD device while implementing ISO 13485 & MDSAP

#1
Dear Elsmar Team,

I am currently working on developing a QMS for a SaMD start-up working on AI & ML based product.

When it comes to section 8.3 Control of nonconforming product for a SaMD (Software as Medical Device), I am really confused as there wouldn't be any physical product that shall be treated as non-conforming product. At the same time, I feel we can not declare this section as 'Not Applicable'.

There might be software bugs (non-conformance) during development/after release which might be considered as complaints. For that IEC 62304 suggests 'software problem resolution'.

In that case, what could be the best solution in addressing the ISO 13485 section 8.3 Control of nonconforming product combining it with IEC 62304.
  • Can we replace 8.3 Control of nonconforming product with SW problem resolution?
  • What kind of SOPs are needed to address this requirement?
  • Where exactly, IEC 62304 'software problem resolution' come in to picture for SaMD QMS?
  • How does 8.3.4 Rework apply to SaMD products? Can we take it as 'Not Applicable'?
I really appreciate your expert opinion on this question.
 
Elsmar Forum Sponsor

Tidge

Quite Involved in Discussions
#2
Keep in mind that you can have nonconformances in your quality system itself, and not just with products. I think it is overly optimistic to think that this part of 13485 is "not applicable". For example: 62304 is not going to be much help if you discover that the development team is chosing to not follow configuration management.

13485 is a Quality System standard, 62304 is a Product Lifecycle standard.

Edit: I should clarify, as my above remarks are about non-conformances in general. More specific to SaMD product nonconformances:

You will need to have some mechanism that speaks to 8.3.3 for customers who have already accepted (nonconforming) product. 62304 doesn't speak to this.

It is typical that the Nonconformance reporting system is a feeder into Corrective Actions. CA is a different sort of process than software issue resolution. You could try to have your software issue system feed directly into CAPA, but I think that would rapidly become a mess.
 
Last edited:

yodon

Staff member
Super Moderator
#3
At the core, a nonconformance is a failure to meet specification so if you released software that ultimately failed a requirement, you could consider it an NC. To me, that muddies the water, though. (I have had auditors argue that software failures must be NCs, by the way.) As @Tidge points out, NCs aren't limited to product so you definitely need that aspect in your QMS. And there may even be product-related NCs if you released the wrong version or something.

In my thinking, any time after release that you have problems identified and determine a fix is in order, you really just do a design cycle (Product Realization in 13485). That, of course, includes risk management.

Agree you won't have rework.

Regarding feeding into CAPA, indeed, be careful or it will get messy. HOWEVER, you should be getting metrics on issues and if you have a systemic failure, you can certainly drive software development process improvements through the CAPA process. For example, maybe you find that you're having memory leaks. Maybe you drive improvements to testing or even code inspections.
 

Tagin

Trusted Information Resource
#4
Not a medical device guy, but 8.3 says "The organization shall ensure that product which does not conform to product requirements is
identified and controlled to prevent its unintended use or delivery."

So my take would be that 'nonconforming product' in this case could include things like libraries, compiled code, etc. that are 'produced' but which are not conforming (e.g., wrong compile switches were used, wrong library version, etc.). How does your system prevent these 'products' from "unintended use or delivery"?

How do you prevent code corruption from creeping in? Do you use SHA256 hashes? At what stages?
How do you prevent sending old revision software?

In short, for 8.3.2 - what keeps bad or incorrect software from reaching the customer? (and if you find bad/incorrect software, what do you do with it?)
And for 8.3.3 - what are your procedures for nonconforming software found after sending to the customer?
 
Last edited:

mihzago

Trusted Information Resource
#5
I do not have a specific "non conforming product procedure" but in the Quality Manual I'm referencing Software Problem Resolution Process and Design Transfer, because these are the two main procedures where all defects are addressed.
You could probably also reference Configuration Management.

Separately I have procedures dealing with defects before or after release (e.g. recall, complaints, CAPA, data analysis) that point to or reference the procedures above.
 
Thread starter Similar threads Forum Replies Date
0 How to interpret s and x bar control charts Statistical Analysis Tools, Techniques and SPC 5
S "Level of Control" over Suppliers - How do you Interpret and Accomplish Supplier Quality Assurance and other Supplier Issues 1
V How to interpret AQL sampling tables AQL - Acceptable Quality Level 5
Q How do you interpret this dimension in my drawing Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 2
Q IATF 16949 Cl. 4.4.1.2 - Product Safety - How to interpret IATF 16949 - Automotive Quality Systems Standard 13
B How to interpret Grindometer Gage R&R Results Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 1
L How to interpret the average R bar Value shown in the R Chart Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 2
N How to interpret the definition of clinical and preclinical trials? Other US Medical Device Regulations 3
K How to interpret Clause 7.6 for a service company? Service Industry Specific Topics 11
G Guidance Document to interpret IEC 60601-1 EU Medical Device Regulations 2
P How to interpret statement like 'Maintain a Procedure' Miscellaneous Environmental Standards and EMS Related Discussions 1
S How to interpret a Linear Regression in Minitab? Using Minitab Software 3
Q How to read and interpret an SIPOC (Suppliers Inputs Process Outputs Customers) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
M Transport Vehicle Thermal Regulation - How would you interpret this requirement? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
A How to interpret Minitab Results? What is difference in Cpk and Ppk values? Using Minitab Software 2
C How to interpret Measurement Uncertainty (MU) Measurement Uncertainty (MU) 3
T Please help me interpret my GR&R results Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 2
T Gage Bias and Linearity - How to interpret the Minitab results Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 6
F Gage R&R - How to interpret results? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 5
W MDR Reporting - How to interpret requirements for MDR Other US Medical Device Regulations 14
T SPC Data - Autocorrelation - How do I interpret this result? Statistical Analysis Tools, Techniques and SPC 17
S Could someone tell me what are the results of a Gage R&R & how to interpret it? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 7
D How to interpret TS Clause 7.5.1.4 Preventive and Predictive Maintenance? IATF 16949 - Automotive Quality Systems Standard 8
J How do you audit or interpret 'Where Appropriate' in ISO 9001 Clauses such as 7.4.2 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
P How to Interpret Caliper GR&R (Gage R&R) Graphical Result Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 5
D How do we interpret the following XmR Trend Chart data? Statistical Analysis Tools, Techniques and SPC 3
D How to interpret np chart data - Monitoring 6 medical records Statistical Analysis Tools, Techniques and SPC 6
Q Looking for Case Studies for How to interpret the requirements of ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 2
C CUSUM Chart - Can some one throw some light on use and how to interpret? Statistical Analysis Tools, Techniques and SPC 8
Peter Fraser "Anither language" - I'll Interpret your 'Jargon' Misc. Quality Assurance and Business Systems Related Topics 1
K Gage R&R - How do I interpret the %PV & %TV results? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 9
N How should I interpret Voice of the Customer QS-9000 - American Automotive Manufacturers Standard 1
P IATF 16949 requirement - error-proofing in control plan IATF 16949 - Automotive Quality Systems Standard 2
C 8.5.1.1 Control of Equipment, Tools, and Software Programs - Questions about the extent of control of NC programs AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
Q Version/Revision Control of CAD files Document Control Systems, Procedures, Forms and Templates 2
earl62 What is the best way to control special characteristics in Control plan? Is it Mandatory to have SPC for IATF 16949? IATF 16949 - Automotive Quality Systems Standard 7
I Control Plan (Product/Process specification/ Tolerance) acceptance FMEA and Control Plans 27
Z Putting back excluded rows/data points in a control chart Using Minitab Software 0
J Control Plan use on the manufacturing floor FMEA and Control Plans 4
E Change in control plan - Do I have to do sampling? IATF 16949 - Automotive Quality Systems Standard 1
D All Dimensions listed on control plan FMEA and Control Plans 10
W Need for current design or process control FMEA and Control Plans 2
Q ISO 9001 8.5.1 - Control of production and service performance ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
A What is the difference between Design Process, Process Design and Design Control? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
A Beginners help with ISO3951-2 Combined control s-method n>5 what is Phi ?? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 0
C Corrective action for failure in documents control ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 10
B Control chart and sample time Statistical Analysis Tools, Techniques and SPC 1
DuncanGibbons Manufacturing Plan vs Material Specification vs Control Plan Manufacturing and Related Processes 4
J Control chart for huge sample size Statistical Analysis Tools, Techniques and SPC 9
K Contamination Control - Class Is medical devices (Clause 6.4.2 ISO 13485:2016 (E)) ISO 13485:2016 - Medical Device Quality Management Systems 12

Similar threads

Top Bottom