#436: Do ISO 13485's Production Controls apply to SaMD?

This episode tackles the complex challenge of applying the hardware-centric clauses of ISO 13485 to Software as a Medical Device (SaMD). Adnan Ashfaq, founder of Simply Medica, joins Etienne Nichols to dissect how traditional standards intended for physical manufacturing must be creatively interpreted for the virtual world of software development, where apps update weekly and cloud-based systems evolve in real-time. The conversation zeroes in on the often-muddy areas of production and service provision (Clause 7.5), emphasizing that these clauses are far from non-applicable, requiring a "virtual manufacturing space" mindset.

A significant focus is placed on the Software of Unknown Provenance (SOUP), treating these building blocks as purchased components that require robust supplier evaluation and validation, bridging Clause 7.5 (production) with Clause 7.4 (purchasing). The discussion extends to crucial concepts like the Software Bill of Materials (SBoM), the complexity of Agile vs. Waterfall approaches within the standard's framework, and the essential role of the new FDA Computer Software Assurance (CSA) guidance in risk assessment.

Beyond production, the experts explore the application of resource management (Clause 6), specifically addressing infrastructure, contamination control (malware/ransomware), and the critical need for a well-documented Design Transfer to Production (Clause 7.3.8) evidenced by a complete software release package, including all 62304 requirements. The episode provides actionable insights for quality and compliance professionals struggling to maintain speed and innovation while strictly adhering to regulatory requirements.

Key Timestamps

• 01:45 - The changing landscape: Why traditional MedTech rules struggle with modern software updates.
• 03:50 - Historical context of ISO 13485 and its non-distinction between hardware/software.
• 05:05 - Starting Point: Clause 7.5 (Production and Service Provision) and the "Virtual Manufacturing Space" concept.
• 06:20 - Unpacking Software of Unknown Provenance (SOUP) and its link to Clause 7.4 (Purchasing).
• 08:35 - The necessity of validating the development environment (GitHub/GitLab) and building blocks.
• 11:10 - Applying Clause 4.1.6 (Software Validation) to SOUP items and master validation plans.
• 12:20 - Applicable vs. Non-Applicable Clauses: Sterilization/Cleanliness vs. Installation.
• 13:55 - Clause 4.2.3 (Medical Device File) for SaMD: E-labels, UDI, System Architecture, and SBoM.
• 16:30 - Cybersecurity controls and the manufacturer's responsibility for identifying state-of-the-art standards.
• 17:35 - Defining "Production" for continuously updating software and managing significant vs. non-significant changes.
• 20:15 - Clash of Standards: Agile development, ISO 13485, and the missing documentation for version control risk assessment.
• 21:30 - Clause 6.3 & 6.4 (Resource & Work Environment): Looking at data security, access controls, and contamination (malware/ransomware).
• 24:45 - Clause 7.3.8 (Design Transfer to Production): The need for a formal software release package and the importance of the Software Design Trace Matrix.
• 26:00 - The 16 essential documents needed to meet IEC 62304 requirements.
• 27:10 - Production controls when the user influences the outcome (customizable features,...