Software updates considered servicing (7.5.4)

yodon

Staff member
Super Moderator
#1
In a recent ISO 13485 audit of a company who is only marketing a stand-alone software application, the auditor said that software updates must be considered service activities per 7.5.4. I had never a) previously considered software updates as a service activity; or b) heard another auditor make such an assertion.

In several respects, software updates are not typical of a service activity in that instead of operating on an individual device, the entire application is re-built and re-distributed (even if only patching ... unless you have something like with antivirus software where you update definitions periodically without updating the entire application). Also, instead of being a specific service activity, in many cases, software updates may contain numerous changes, including new design. Finally, updates are done by the design and development team (and all the work effectively falls under design controls).

This was not written up as a finding, just a discussion. I'm curious what others' opinions / experiences are on this.
 

Tidge

Trusted Information Resource
#2
This is a good topic for discussion. This feels like an area where some appeal to standards could be useful, but good luck finding appropriate ones. As far as my thoughts complying with 13485 clause 7.5.4, I will circle back, after a slight detour...

I believe (I have no sources immediately on hand) that in the USA, for medical devices, there is a distinction made between:
  • "Fast Patches"
  • "Software Fixes"
My assessment is that a "Software Fix" would not be considered a Service Activity, per se... even if the "fix" is applied during some sort of service activity. Software fixes are supposed to have the full suite of supporting information based on the FDA's Level of Concern (similar to 62304's Software System Safety Classification, but not identical). This strikes me as a classic "development/design change" issue.

The "Fast Patches" are allowed (tolerated?) for cybersecurity reasons when the fast patch specifically (and only) targets identified defects and does not change any of the other functionality. I believe that in order to proceed with 'fast patches' it is necessary to belong to/participate in an "information sharing organization".

Now as far as clause 7.5.4 goes...

Applying "software fixes" ought to already be integrated within service activities. Presumably the fixes have been developed within a 62304-compliant process, and implemented through a deployment process compliant with other parts of 13485... so I doubt that this is where the auditor's interest was (assuming that good records of deploying software fixes are kept, analyzed, etc.)

The "Fast Patches" for cybersecurity are a little trickier... as near as I can tell, the FDA has a compromise/balance that hinges on (a) specifically identifying the vulnerability being fixed and (b) not touching other elements of the software system... so the "verifying that product requirements are met" after a fast patch is not supposed to be burdensome. Another dimension of the need for a "fast patch" is almost certainly NOT coming from a customer (remember: your company was supposed to be participating in an "information sharing org") so ties to the 'complaint process' can be... different than a more classic complaint generated from a service activity.

If there is any good (where in this instance good = 'less burdensome') news: The servicing clause presumably only applies to the activities that the organization actually undertakes. I don't mean to write that risks of un-patched software could be unacceptable, just that such an assessment is presumably in a different part of 13485.

I am also curious to read others' thoughts.
 

shimonv

Trusted Information Resource
#3
Servicing is a pre-planned routine maintenance activity and in the case of stand-alone software it's rare.
I guess you could include under 'servicing activity' checking / cleaning up of log files, verifying that the software files have not been deleted or modified etc. Note: the software can do all that automatically during start-up.
Nearly all software-related activities are development activities - enhancements, responses to complaints and new features.

Shimon
 

somashekar

Staff member
Super Moderator
#4
This activity is to be supported with how the controls are in place for post-delivery activities as in clause 7.5.1 f) of the ISO 13485:2016.
This activity does not fall into the servicing activities. The intent in 7.5.4 is about on site / service centre activity of servicing a medical device depending upon the type of medical device. Very typically, if 7.5.3. is applicable, then 7.5.4 is applicable, but some medical devices having no installation activities can also be covered by the company under its warranty and post warranty servicing.
 

yodon

Staff member
Super Moderator
#5
Follow-up... I had an email chat with the auditor to see if he would provide more insight. He agreed that not all software updates would / should be considered a service activity. He suggested there are cases for service, like I mentioned above (definition updates, etc. that don't change the build). At least he and I are, I think, on the same page now. :) We'll see.
 