IT provider with ISO 13485 – is it really crucial?

Software as a Medical Device requirements
  • By: Mateusz Knyć

And there it is! A brilliant idea for a product which is meant to help people.  

Maybe it’s a physical device which requires incorporating some software (to make it work in the first place, or to increase its capabilities). Or maybe this product is basically all software (e.g. to analyze MRI data and assist the doctor in their diagnosis). The latter group of products in particular is growing in strength, thanks to the dynamic development of artificial intelligence, access (easier or more difficult) to data, and the possibility of taking a new look at that data. Therefore, the term SaMD – Software as a Medical Device – is also becoming more and more common.

And this is where we get to the gist of this post – software is also treated as a medical device. We all know that there are additional requirements involved when it comes to a medical device.  The same applies to software – we can’t treat it any less seriously. 


Therefore, if we are going to outsource this part of the project, maybe it is worth thinking about entrusting it to an entity that understands what it involves? 

Process 

Software development is a process. Without getting into methodological discussions (should it be Agile or Waterfall, or something else entirely) – we must keep in mind the completeness of our product. And this is not just about source code.

One of the most important concepts that emerges during work on a product (not only software) is the so-called traceability matrix, which shows the connections: from requirements, through solution design, its implementation, to testing. All these elements must be reflected in our actions. 

We must understand that skipping several phases, even if sometimes tempting, is impossible with a medical device. Remember to always keep risk issues in the back of your mind, and that during the audit we support the whole manufacturing process of our product with evidence – that is, documentation.

Documentation

Documentation – perhaps the most disliked word among programmers. However, as a product manufacturer, we cannot escape documentation. If we outsource some of the work, it is important that our supplier provides us with complete documentation of the right quality.

A good supplier will know that documenting the process is very important, and it usually cannot be done effectively 'retrospectively'.

They will bear in mind that the final confirmation of success is measured by a positive audit and product launch, rather than signing an acceptance protocol.  

If it is so important, how do we know what we need to document? And is our documentation good? 

Knowledge of regulations

Software development is a specialist domain. ISO 13485, usually associated with the manufacture of medical devices, is not the only standard to be considered.

ISO 13485 alone does not solve much of the software development issue. There are more detailed standards that define the requirements to be met.

For sure, what should be mentioned here is the IEC 62304 standard, which will be our basis. It defines the life cycle of our medical software. 

Important note: IEC 62304 concerns software as such. SaMD (software as a medical device) often does not require dedicated hardware and can even work on a regular computer, so it is also worth taking a look at the IEC 82304 standard, which is dedicated to such solutions.

Whether a product will be used willingly and in a safe manner depends on how it is designed to interact with the user. Are there any elements of the interface that mislead the user? Are there any messages that are incomprehensible? The IEC 62366-1 standard helps us think about all this right from the development stage of our product.

Isn’t that too much for the “piece of software” we need? That’s quite a reasonable question. A good supplier will help us with this and similar dilemmas – he will be able to tell us which documents will be necessary, and which will not really contribute anything; which elements are the same for our product/process and which should definitely be separated.

Just as every effect has its cause, these requirements often result from past events, such as negligence in designing the Therac-25, which caused the death of five patients due to too much radiation. These faults have also had a direct impact on the preparation of IEC 62304.

Tools

Since everything we have talked about requires a process approach and quite a lot of documentation, it would be useful if our supplier had the tools to support him in this. On the one hand, we may not care how he works. On the other hand, maybe we want to be more involved in the project, so it would be nice if our supplier could involve us in his process. The tools will not do the work for us, but they can help us. A good supplier will know his tools, their limitations and their capabilities – he will offer us an optimal process for their use, adapted to our product, while keeping in mind the requirements that absolutely must be met.

Support

It seems obvious that our supplier/partner should support us, from the stage of adjusting the process, tools and scope through to assistance in preparing for the audit. Let’s also remember that the more our product depends on our supplier, the more attention should be paid to choosing the right partner and working well with them. During the analysis it may even turn out that our supplier is critical for us. The auditors pay attention to such things, and it happens that before they grant us a certificate of conformity, they will want to audit such a partner as well. Is our supplier ready for this?


Conclusion

Does it follow from the above considerations that the choice of our software supplier should be limited only to companies with ISO 13485 certification? In my opinion, not at all. The most important conclusions are that our supplier should be reliable, have appropriate experience, and guarantee appropriate quality of solutions. These requirements are the same for practically every project we care about. However, it is worth choosing a partner that maximizes our chances of success – ISO 13485 certification is definitely a factor worth considering when choosing, because it guarantees that our potential partner has already had to work quite a lot on all the points mentioned above, and we can now benefit from this experience.

See the previous post by Mateusz: ISO 13485 certification – how to prepare?


About The Author

Mateusz Knyć
Mateusz is a manager responsible for quality and compliance with ISO 13485, and also an internal auditor under the ISO 27001 standard. Besides impressive knowledge of legal regulations, quality and QMS-related procedures, he has a very strong technical background.