SOUP anomaly evaluation for MMA (Mobile Medical Application) IEC 62304 clause 7.1.3

PaulG

Starting to get Involved
#1
I'm working on an IEC 62304 compliant project for a mobile medical application with mostly class A and some class B elements. The standard requires in clause 7.1.3 that published SOUP anomaly lists be evaluated for contributing to potentially hazardous situations. In this project, many of the software components are open source, so we are looking at issues lists posted online. However, some of the open source elements, such as Angular, have hundreds of issues posted online. Does anyone have experience on how to address this 62304 requirement on a practical basis for open source software? This is a startup company, so developing an in-house alternative to some of the open source building blocks isn't practical and in my opinion may even introduce more risks since it wouldn't have the established history and user base. Any feedback much appreciated!
 

yodon

Leader
Super Moderator
#2
Those lists can certainly be painful to deal with. If you can export them, hopefully there is enough information to help you sort / filter. Many times you can exclude large chunks based on revision or functions (not) used or ...

Alternatively, look at trying to isolate SOUP use to non-critical functions. May not be possible but if so, may not require such a big development effort as completely re-writing the SOUP.

Interestingly (and slightly off topic), we have one client (large company) that has decided they will no longer allow SOUP in their applications and are requiring (outsourced) software development to basically copy the SOUP code and adapt to internal standards, etc. The benefits of this approach have been, um, questioned.
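
The export-and-filter triage suggested in post #2, sketched as an added example that is not part of the thread or any poster's own tooling. The CSV columns, issue IDs, pinned version and "area" labels are constructed for illustration, and plain dotted numeric versions are assumed.

```python
import csv
import io

# Constructed export of a SOUP issue tracker (not real issue data).
EXPORT = """id,introduced_in,fixed_in,area,title
EX-1,1.0.0,1.4.0,forms,Validator skips empty field
EX-2,2.0.0,,router,Guard runs twice on redirect
EX-3,1.2.0,,http,Retry drops request body
EX-4,1.0.0,,animations,Flicker on low-end devices
EX-5,,,forms,Numeric input accepts comma
"""

def ver(text):
    """Turn '1.4.0' into (1, 4, 0); an empty field means unknown/open."""
    return tuple(int(p) for p in text.split(".")) if text else None

def triage(export_text, pinned, used_areas):
    """Split exported issues into excluded (with rationale) and to-review."""
    pinned_v = ver(pinned)
    excluded, review = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        intro, fixed = ver(row["introduced_in"]), ver(row["fixed_in"])
        if fixed is not None and fixed <= pinned_v:
            excluded.append((row["id"], f"fixed in {row['fixed_in']}, pinned {pinned}"))
        elif intro is not None and intro > pinned_v:
            excluded.append((row["id"], f"introduced in {row['introduced_in']}, pinned {pinned}"))
        elif row["area"] not in used_areas:
            excluded.append((row["id"], f"area '{row['area']}' not used"))
        else:
            # Unknown version range or a used area: a person evaluates it.
            review.append(row["id"])
    return excluded, review

if __name__ == "__main__":
    excluded, review = triage(EXPORT, "1.5.0", {"forms", "http"})
    for issue_id, why in excluded:
        print(f"{issue_id}: excluded ({why})")
    print("needs evaluation:", review)
```

Each exclusion carries its rationale, so the output can be filed as the record of why an anomaly was not evaluated further; issues with no version information stay in the review list rather than being dropped.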
 

PaulG

Starting to get Involved
#3
This approach makes sense, but I can already anticipate the collective groan from the development team...

We also work with another (large) client that expressly forbids open source software. I can see their rationale. Thanks for the input.
 

pmg76

Starting to get Involved
#4
Hi PaulG, so what was your approach to solving this situation? We are dealing with the same problem and I don't see a way around listing all anomalies and analyzing each one of them (which will be very time consuming).
Where did you put the list of anomalies?
How often do you check for new reported anomalies?
 

PaulG

Starting to get Involved
#5
It was a challenge to implement this in practice. Every single SOUP item (numbering in the thousands) is tracked through a version-controlled list of dependencies required by the software. Each dependency has a corresponding repository which tracks issues through open source collaboration. If required to provide the anomalies, we could scrape these issues from every single repository; a process that would have to be automated as the total number of issues likely number in tens of thousands if not more over the entire collection of dependencies/SOUP items. We could also comb through each of these dependencies' issues tabs to identify issues that likely directly impact the software, but we found it far more efficient to take a holistic approach and test the software using our QA system. If the app as a whole works and passes QA, then the issues of the sub-components (the SOUP) are not as irrelevant in my opinion. If required by a regulator to provide them with the list we would make the decision of either putting together a list of specific issues from the SOUP repositories (a time consuming process that produces a list of relevant issues that quickly becomes out of date) and providing our rationale as above, or scraping every single issue in some automated way and providing it to the regulator.
 
#6
Hi PaulG, thanks for your post, we are dealing with the same issue, and it was helpful to us. I like the idea of using QA to verify that your SOUP works, but isn't it too big of a risk if the regulator asks you to comb through tens of thousands of issues and analyze them? Have you passed your audit with the provided QA rationale?
 

PaulG

Starting to get Involved
#7
We have passed our IEC 60601 audit including IEC 62304. This rationale was also provided to FDA in a 510k submission and no flags were raised.
 