Inventory Listing and ISO 13485:2016

Shadee CA

Registered
My company manufactures "Software as a Medical Device" and I am trying to verify the extent of equipment that should be listed in our inventory/asset lists. Currently, we maintain a listing of hardware and software inventory used for design and development, but not sure how comprehensive the list for equipment used to control work environment needs to be. Should infrastructure that supports back-up and restore, and preventative maintenance processes, also be listed? Can't really find anything that speaks to that. Would like to ensure that the scope in our inventory procedure is adequate and that only items that are necessary to be listed are maintained on that list. So for example, should laptops/desktops/monitors used by individuals involved in production be included? Any supporting reference would be appreciated.
 

Tagin

Trusted Information Resource
6.3: "The organization shall document the requirements for the infrastructure needed to achieve conformity to product requirements, prevent product mix-up and ensure orderly handling of product. Infrastructure includes, as appropriate"

Just my opinion - for SaMD, to me that includes things like:
  • O/S versions
  • Compiler versions
  • Library revisions
  • Antivirus/antimalware
  • Firewalls
  • SIEM monitoring software
  • Software integrity monitoring
  • Custom development tools
  • Backups H/W & S/W - onsite & offsite. Backups encrypted?
  • Developers working remotely? Remote access s/w, remote access protections.
  • Network authentication (e.g., Active Directory)
  • etc.
Is your development network segmented from your business network?
Is your software distribution network likewise segmented from other networks?
  • What hardware/software does this segmentation?
Do you sell this as downloadable software, or hosted software? You don't want to be the next SolarWinds!
  • Web server software (O/S & web s/w, e.g., IIS or Apache)
  • Web server security monitoring software
  • Download integrity monitoring
  • Onsite? HVAC/environmental controls? Physical security?
  • Hosting service - what review/controls did you document?
  • Backups H/W & S/W - onsite & offsite. Backups encrypted?
  • etc.

That's a start.
 

Tidge

Trusted Information Resource
My suggestion is that you consider these three "R"s when deciding on documenting the tools used in SaMD development:
  1. Do you have sufficient documentation about the tools & methods such that you can repeat the development process? (if challenged)
  2. Do you have sufficient documentation about the tools & methods such that you can rebuild the application?
  3. Do you have sufficient documentation about the tools & methods such that you can repair the application? (in the event of a defect or anomaly)
If you are using software tools to manage requirements, you may want to know that such tools can help you to replace the software (with an upgrade) as well.
 

Shadee CA

Registered
Thanks for the feedback. We do have a lot of this information included. One concern was that maybe the listing was too comprehensive but I think, to accurately address the requirements, there may not be a lot that we can remove. Thanks again.

