Software vendors – How do you audit software developers?

Learn how to qualify and audit software vendors to develop software as a medical device (SaMD) and software in a medical device (SiMD).

How do you audit medical device software developers?

Software medical devices are used to assist medical professionals. For example, radiologists use software to identify areas of interest for medical imaging. Do you know how to audit software vendors?

As a third-party auditor, I have had the pleasure of auditing software companies for CE Marking. When you audit a software company for the first time, this forces you to re-learn the entire ISO 13485 Standard. For example, if a company only produces software (i.e., software as a medical device or SaMD), there is very little to sample for incoming inspection and purchasing records. This is because the product is not physical—it’s software. Clauses of ISO 13485 related to sterility, implants, and servicing are also not applicable to SaMD products. If the software is web-based, the shipping and distribution clauses (i.e., – 7.5.1) might also present a challenge to an auditor.

The aspects of the ISO 13485 Standard that I found to be the most important to auditing software products were design controls and customer communication. Many auditors are trained in auditing the design and development of software, but very few auditors have experience auditing technical support call centers. When auditing a call center, most calls represent potential complaints related to software “bugs,” system incompatibilities with the operating system or hardware, and use errors resulting from the design of the user interface.

In most technical support call centers, the support person tries to find a workaround for identified problems. The problem with a “workaround” is that it is the opposite approach to the CAPA process. To meet ISO 13485 requirements, software companies must show evidence of monitoring and measuring these “bugs.” There must also be evidence of management identifying negative trends and implementing corrective actions when appropriate.

As an auditor, you should focus on how the company prioritizes “bugs” for corrective actions. Most software companies focus on the severity of software operations and the probability of occurrence. This is the wrong approach. Failure to operate is not the most severe result of medical device software failure. Medical device software can result in injury or death to patients. Therefore, it is critical to use a risk-based approach to the prioritization of CAPAs. This risk-based approach should focus on the severity of effects upon patients—not users. This focus on safety and performance is emphasized throughout the EU Medical Device Regulations and it is a risk management requirement in ISO 14971.

Referral to one of our favorite software developers

There are many vendors to choose from worldwide, but we prefer to work with smaller companies because our clients are start-up companies. We also prefer to work with vendors focused on the medical device industry. We also look for vendors that complement Medical Device Academy’s quality and regulatory expertise. Bold Type is a perfect example. The video below showcases the President and Founder–Jose Bohorquez. Bold Type provides software development services, cybersecurity consulting services, and software consulting services. If you are interested in speaking with Jose direct, please schedule a meeting with him online.

PS – We do not receive compensation from Bold Type–we just prefer to partner with firms that are ideal for our customers.

Software vendors – How do you audit software developers? Read More »