ISO 13485 software provider– is it really crucial?

And there it is! A brilliant idea for a product which is meant to help people but requires help from ISO 13485 software provider.

Maybe it’s a physical device which requires incorporating some software. To make it work in the first place, or to increase its capabilities. Or maybe this product is basically all software (e.g. to analyze MRI data and assist the doctor in their diagnosis). Especially the latter group of products is growing in strength due to the dynamic development of artificial intelligence and access (easier or more difficult) to data and the possibility of a new look at it. Therefore, the term SaMD – Software as a Medical Device – is also becoming more and more common.  Or maybe this product is basically all software (e.g. to analyze MRI data and assist the doctor in their diagnosis). Especially the latter group of products is growing in strength due to the dynamic development of artificial intelligence and access (easier or more difficult) to data and the possibility of a new look at it. Therefore, the term SaMD – Software as a Medical Device – is also becoming more and more common.

And this is where we get to the gist of this post. Software is also a medical device. We all know that there are additional requirements involved when it comes to a medical device.  The same applies to software – we can’t treat it any less seriously.

Therefore, if we are going to outsource this part of the project, maybe it is worth thinking about entrusting it to an entity that understands what it involves?


Software development is a process. Without getting into methodical discussions (should it be Agile or Waterfall, or still something else) – we must keep in mind the completeness of our product. And this is not just about source code.

One of the most important concepts that emerges during work on a product (not only software) is the so-called traceability matrix, which shows the connections: from requirements, through solution design, its implementation, to testing. All these elements must be reflected in our actions.

We must understand that skipping several phases, even if sometimes tempting, is impossible with a medical device. Remember to always keep risk issues in the back of your mind. And that during the audit we support the whole manufacturing process of our product with evidence – that is, documentation.


Documentation – perhaps the most disliked word among programmers. However, as a product manufacturer, we cannot escape documentation. If we outsource some of the work, our software ISO 13485 provider must supply us with complete documentation. With the right quality.

They will bear in mind that the final confirmation of success is a positive audit and product launch, rather than signing an acceptance protocol.

If it is so important, how do we know what we need to document? And is our documentation good?

ISO 13485 software provider and its knowledge of regulations

Software development is a specialist domain. ISO 13485, usually associated with the manufacture of medical devices, is not the only standard in the medical field.

For sure, the IEC 62304 standard is the basis. It defines the life cycle of our medical software.

Important note: while IEC 62304 concerns software as such, bearing in mind that SaMD (software as a medical device), which often does not require dedicated hardware and can even work on a regular computer, it is worth taking a look at IEC 82304 standard, which is dedicated to such solutions.

Whether a product will be used willingly and in a safe manner depends on how it is designed to interact with the user. Are there any elements of the interface that mislead the user? Are there any messages that are incomprehensible? To think about all this right from the development stage of our product we are helped by the IEC 62366-1 standard.

Isn’t that too much for the “piece of software” we need? That’s quite a reasonable question. A good supplier will help us in this and similar dilemmas. He will be able to tell us which documents are necessary, and which will not really contribute anything. Moreover, which elements are the same for our product/process and which we can separate.

Just as every effect has its cause, these requirements often result from the past events, such as negligence in designing the Therac-25, which caused the death of five patients due to too much radiation. These faults have also had a direct impact on the preparation of IEC 62304.


Since everything we have talked about requires a process approach and quite a lot of documentation, it would be of use if our supplier had the tools to support him in this. On the one hand, we may not care how he works. On the other hand, maybe we want to be more involved in the project, so it would be nice if our supplier could involve us in his process. The tools will not do the work for us, but they can help us. A good supplier will know his tools, their limitations and their capabilities. He will offer us an optimal process for their use, adapted to our product. Moreover, will keep in mind the most important requirements.


It seems obvious that our supplier/partner should support us. From the stage of adjusting the process, tools, scope to assistance in preparing for the audit. Let’s also remember that the more our product depends on our supplier, the more attention should be paid to choosing the right partner and getting along with it. During the analysis it may even turn out that our supplier is critical for us. The auditors pay attention to such things, and it happens that before they grant us a certificate of conformity, they will want to audit such a partner as well. Is our supplier ready for this?

text on a role of ISO 13485 software provider during an certification audit
Conclusion: is ISO 13485 software provider worth choosing?

Does it follow from the above considerations that the choice of our software supplier should be limited only to companies with ISO 13485 certification? In my opinion, not at all. The most important conclusions are that our supplier should be reliable, have appropriate experience, guarantee appropriate quality of solutions. These requirements are the same for practically every project we care about. However, it is worth choosing a partner that maximizes our chances of success. ISO 13485 certification is definitely a premise worth considering when choosing. Hence it guarantees that our potential partner has already had to work quite a lot on all the points mentioned above. Now we can benefit from this experience.

Contact us if you have any questions!

See the previous post by Mateusz: ISO 13485 certification – how to prepare?