Deliverables for Software Configuration Management in IEC 62304

Published: Jul 20, 2023 by Yu-Wen (Weny)

Just share notes and thoughts about the Software Configuration Management in IEC 62304 (section 6 in the 2015 version).

Configuration Management

“Configuration management(CM)” is a generic concept in ISO, IEC, and IEEE (or the FDA Glossary). It applies to hardware & software, and products & services.

Tailor it for IEC 62304; in my language, it means your controls over your listed software items include

  • Identification of both the item level and the system level
  • Change Control Processes (map with ISO 13485:2016, §7.3.9)
  • Configuration status accounting, aka records of the history, including when and why — to ensure only authorized modifications will go into the product(s).

Deliverables:

CM procedure

Identifications: describe the versioning system and the naming system:

  • Versioning: Do you use the major.minor.patch, major.minor.build. revision, or the year and date? And better to explain your definition of “major” and “minor.”
    • Personally, I prefer to have a major and minor in the system, review the FDA 510(k) software change guidnace or anything similar from the regulatory authorities with the Engineering, and map the definition of “major” when we need to file a new submission.
  • Identifier: how do you name your software items
    • Please note here are the items, including source code, object code, control code, control data, or a collection of these items.
    • Think about if there is a need to have an internal identifier for SOUPs and OTSs, or you can use its original names.
    • Assets within the software will also be within the scope (e.g., any images, text…etc.)

Change control:

The process flow should be:

Initiative a Chagne Request -> Approve Chagne Request -> Implement changes -> Verification -> Release.

Several points:

  • I consider a “change request” as a “plan” — we document the scope, evaluate the impacts, and identify the applicable activities and tasks.
  • I think the term “implementation” in ISO 13485 differs slightly from IEC 62304 within this change control context. I believe this is due to the natural difference between standalone software and general manufacturing: “implementation” in IEC 62304 §8.2.2, to me, is making changes to the software configurable items prior to V&V. In ISO 13485:2016, §7.3.9, the implementation is when the design change has been approved and going to be transferred to the production.
  • IEC 62304 §8.2.4 makes it clear that a change request needs to serve traceability purposes: A Change request <-> a list of the product report (e.g., your bug tickets or open issues) <-> The approval that lists the changes on the configuration software items (§8.3).

CM Plan (62304, §5.1.9)

Requirements Sections in your Plan Notes
The classes, types, categories or lists of items to be controlled Refer to your SOP/WI and specify where will you document this information (e.g., release note, SBOM…etc) For both the system/product and all items involved
The configuration Management Activities and tasks A table of applicable activities and the owners is recommended. Besides, a checklist before product release (design tranfer) is recommended. See below Note 1
The organization(s) responsible for performing software configuration management activities This include storage, record keeping …etc. See below Note 1
When the items are to be placed under configuration control What is your criteria of baseline, and when your particular version(s) will be agreed upon and fixed. ISO definition
When the problem resolution process is to be used §5.6.8, §5.7.2, and §6.2.2  

Note 1: Several examles:

  • Your configuration management includes OTS and SOUP items within your device(s). Based on the situation, you could download and store your copies for your OTS/SOUP or update the item lists when your vendor updates the version (e.g., the item is a Saas) or in any other applicable manner.
  • You may have different teams controlling different type of items (e.g., have a designated team for media controls, or technical writers for the IFU page…etc.)
  • You may have an OEM for software development, and they are the one maintaining it.
  • You purchased a customized software component, and you will maintain it by yourself in the future.

 

Of course the rest of the deliverables will be the deliverables you mentioned in your CM plan.


I hope you find it more straightforward than you thought it would be. And I hope you think this article is helpful :smile:

IEC_62304 SaMD

Share

Latest Posts

Interoperability in Software as/in Medical Devices - Intro

What is interoperability?

In medical devices, “interoperable medical devices refer to the ability to exchange and use information through an electronic interface with another medical/non-medical product, system, or device. Interoperable medical devices can be involved in simple unidirectional data transmission to another device or product or in more complex interactions, such as exerting command and control over one or more medical devices. Interoperable medical devices can also be part of a complex system containing multiple medical devices.” [The US FDA, Design Considerations and Pre-market Submission Recommendations for Interoperable Medical Device, issued on September 6, 2017]. For example, a blood glucose meter that can send data to a smartphone app, an x-ray that can communicate with a picture archiving and communication system, or a ventilator that can adjust its settings based on the patient’s vital signs are all examples of interoperable medical devices.

When do you start to put your Software as Medical Device under design control?

A common query from entrepreneurs establishing a software as a medical device company is, “When should we start to implement a QMS system, especially design control?” In response, it’s suggested to initiate this process when you’re prepared to construct your Minimum Viable Product (MVP) (p.7).

To Convert An Existing Software Product to a SaMD

It has been more and more often that equipment and software companies providing their products to clinics and hospitals are, actively or passively, due to requests from the regulatory authorities, documenting/filing their products as medical devices. Such changes in the status of a product particularly often occur on software. This is [thankfully] due to the huge progress in the use of software in improving physical and mental health. Common scenarios that a company needs to consider converting an existing software product to a medical device or bringing a legacy software item into part of a Software as Medical Device (SaMD) include: