Software medical devices are used to assist medical professionals. For example, radiologists use software to help identify areas of interest in medical imaging. Do you know how to audit a software company?
When I was trying to find a good song selection for a music video to pair with this blog topic, I thought that the “Digital Man” would be perfect. However, I wasn’t impressed with the selection of videos available. Therefore, I selected this perennial fan favorite:
As a third-party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, this forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software, there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical; it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to software products. If the software is web-based, the shipping and distribution clauses (i.e., 7.5.5) might present a challenge to an auditor as well.
The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained on auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most of the calls represent potential complaints related to software “bugs”, system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.
In most technical support call centers, the support person tries to find a work-around for problems that are identified. The problem with a “work-around” is that it is the opposite approach to the CAPA process. In order to meet the requirements of ISO 13485, software companies must show evidence of monitoring and measuring these “bugs”. There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.
As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity to software operation and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software failure can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to prioritization of CAPAs. This risk-based approach should focus on the severity of effects on patients, not users. This focus on safety and efficacy is an essential requirement of the Medical Device Directive (93/42/EEC as modified by 2007/47/EC), and it is a requirement of ISO 14971:2007.