ISO13485 for Non-Device Medical Image Storage Software

[rjwelty]

Hello- I am performing an internal audit for a client in preparation for their 13485 surveillance audit. The product listed on their ISO cert is registered with FDA as a Class 1 device, BUT the regulation involved is one of the 8 that were modified by the Software Provisions for the 21st Century Cures Act and subsequent Software Functions/MDDS guidance. This product is very clearly no longer considered a device, and meets the definition of Non-Device MDDS. I also reviewed the 13485 device definitions, and this software does not meet those either. I'm not sure how to proceed with this audit. With no DEVICE, it seems that 13485 is not applicable to any process, and would be overkill to maintain. Should I stop the audit and bring this to their attention? Should I recommend that they contact the Registrar/Notified Body about a change to 9001? If they elect to continue with 13485 because of their customer base, how to determine exemptions, or is that even a possibility with no device activities? Their 13485 audit is 2 weeks out and they do have gaps for both 13485 and 14971. Any advice as to the best approach here would be greatly appreciated.

 

[LUFAN]

You don't need to manufacture a medical device to certify to ISO 13485. Lots of organizations have it do not make anything tangible, service centers, design houses, 3PLs, et cetera, and others make tangible consumables or subassemblies which are not medical devices. That alone is definitely not a reason to stop an audit.

You are auditing their QMS system which as described, claims to confirm to ISO 13485 and it's applicable sections to the organization. The organization must have gone through their Quality Manual and marked which of those sections are not applicable. I'm not sure if you're performing this internal audit from the perspective of a consultant to prepare them for certification or a third party hired to perform an internal audit, but if it's the later, its not really your decision to make. Audit them in alignment with the scope of the audit and the SCOPE of their QMS.

If it's the former, and you are now recommending to them to alter their QMS to say it's non-medical device software, then you can use your audit to create a gap analysis of your proposed changes. However, consulting and auditing are never meant to go together so you should not "count" that as an internal audit. Since this is a surveillance audit and clearly they are certified, I'd leave it as is until after the audit and you can make a significant change notice to the NB and give yourself time to update documents.

Section 1 of 13485 says:

This International Standard specifies requirements for a quality management system where an organization needs to demonstrate its ability to provide medical devices and related services that consistently meet customer and applicable regulatory requirements. Such organizations can be involved in one or more stages of the life-cycle, including design and development, production, storage and distribution, installation, or servicing of a medical device and design and development or provision of associated activities (e.g. technical support).

If any requirement in Clauses 6, 7 or 8 of this International Standard is not applicable due to the activities undertaken by the organization or the nature of the medical device for which the quality management system is applied, the organization does not need to include such a requirement in its quality management system.​

 

[rjwelty]

Thanks for the quick response. I was getting really hung up on the "provide medical devices and related services" part because they do neither. This usually makes more sense to me, such as in the case of an injection molding company making components intended for use in devices or a company providing technical service for a device.