Software updates considered servicing (7.5.4)

yodon

Staff member
Super Moderator
#1
In a recent ISO 13485 audit of a company who is only marketing a stand-alone software application, the auditor said that software updates must be considered service activities per 7.5.4. I had never a) previously considered software updates as a service activity; or b) heard another auditor make such an assertion.

In several respects, software updates are not typical of a service activity in that instead of operating on an individual device, the entire application is re-built and re-distributed (even if only patching ... unless you have something like with antivirus software where you update definitions periodically without updating the entire application). Also, instead of being a specific service activity, in many cases, software updates may contain numerous changes, including new design. Finally, updates are done by the design and development team (and all the work effectively falls under design controls).

This was not written up as a finding, just a discussion. I'm curious what others' opinions / experiences are on this.
 

Tidge

Trusted Information Resource
#2
This is a good topic for discussion. This feels like an area where some appeal to standards could be useful, but good luck finding appropriate ones. As far as my thoughts on complying with 13485 clause 7.5.4, I will circle back, after a slight detour...

I believe (I have no sources immediately on hand) that in the USA, for medical devices, there is a distinction made between:
  • "Fast Patches"
  • "Software Fixes"
My assessment is that a "Software Fix" would not be considered a Service Activity, per se... even if the "fix" is applied during some sort of service activity. Software fixes are supposed to have the full suite of supporting information based on the FDA's Level of Concern (similar to 62304's Software System Safety Classification, but not identical). This strikes me as a classic "development/design change" issue.

The "Fast Patches" are allowed (tolerated?) for cybersecurity reasons when the fast patch specifically (and only) targets identified defects and does not change any of the other functionality. I believe that in order to proceed with 'fast patches' it is necessary to belong to/participate in an "information sharing organization".

Now as far as clause 7.5.4 goes...

Applying "software fixes" ought to already be integrated within service activities. Presumably the fixes have been developed within a 62304-compliant process, and implemented through a deployment process compliant with other parts of 13485... so I doubt that this is where the auditor's interest was (assuming that good records of deploying software fixes are kept, analyzed, etc.)

The "Fast Patches" for cybersecurity are a little trickier... as near as I can tell, the FDA has a compromise/balance that hinges on (a) specifically identifying the vulnerability being fixed and (b) not touching other elements of the software system... so the "verifying that product requirements are met" after a fast patch is not supposed to be burdensome. Another dimension of the need for a "fast patch" is almost certainly NOT coming from a customer (remember: your company was supposed to be participating in an "information sharing org") so ties to the 'complaint process' can be... different than a more classic complaint generated from a service activity.

If there is any good (where in this instance good = 'less burdensome') news: The servicing clause presumably only applies to the activities that the organization actually undertakes. I don't mean to write that risks of un-patched software could be unacceptable, just that such an assessment is presumably in a different part of 13485.

I am also curious to read others' thoughts.
 

shimonv

Trusted Information Resource
#3
Servicing is a pre-planned routine maintenance activity and in the case of stand-alone software it's rare.
I guess you could include under 'servicing activity' checking/cleaning up of log files, verifying that the software files have not been deleted or modified, etc. Note: the software can do all that automatically during start-up.
Nearly all software-related activities are development activities - enhancements, responses to complaints and new features.

Shimon
 

somashekar

Staff member
Super Moderator
#4
This activity is to be supported with how the controls are in place for post-delivery activities as in clause 7.5.1 f) of the ISO 13485:2016.
This activity does not fall into the servicing activities. The intent in 7.5.4 is about on site / service centre activity of servicing a medical device depending upon the type of medical device. Very typically, if 7.5.3 is applicable, then 7.5.4 is applicable, but some medical devices having no installation activities can also be covered by the company under its warranty and post warranty servicing.
 

yodon

Staff member
Super Moderator
#5
Follow-up... I had an email chat with the auditor to see if he would provide more insight. He agreed that not all software updates would / should be considered a service activity. He suggested there are cases for service, like I mentioned above (definition updates, etc. that don't change the build). At least he and I are, I think, on the same page now. :) We'll see.
 