OPENREGULATORY
Sign in Get started
Ask a question
Quality Management 1 answer

How should change control be applied to complementary software in medical device projects?

Anonymous · Published March 02, 2026 · 1 comment
How should change control be implemented for software that complements a medical device? Should the change evaluation apply only to the medical device software, or should it also cover complementary software (e.g., software that interacts with but is not part of the medical device)? If a change to the device requires changes to complementary software, what level of documentation or impact analysis is expected?

Join the discussion. Leave a comment. Guest comments are welcome — add your email to get reply notifications.

Anonymous 3 months ago
Are there specific regulatory requirements that address complementary software in change control?
 Reply to this comment

Discussion

1 Answer

Accepted answer Dr. Oliver Eidel · Founder & CEO, OpenRegulatory ·
Security Use Case Views are scenarios that describe how your system’s security controls would handle specific threats or risks. Basically, they illustrate what happens when the system faces a cybersecurity event, such as an attempted attack, and how it’s supposed to respond.
These views typically include:
  • Walkthroughs of the system’s response to attacks or incidents
  • Expected behavior under attack (for example, limiting functionality, logging alerts, or notifying users)
  • Details on mitigation strategies, fail-safe mechanisms, and incident response plans
Your approach of deriving scenarios from threat modeling and showing the normal vs. compromised data flows sounds like a good way to demonstrate how your controls work in practice. You probably don’t need a scenario for every single threat, but focusing on the highest-risk ones is both useful and illustrative.

Join the discussion. Leave a comment. Guest comments are welcome — add your email to get reply notifications.

No comments yet. Be the first to share your thoughts.
Want to add your answer to this question?
Write an answer under your name by logging in or signing up, or post anonymously.

Keep reading

All questions
A

Software as a Medical Device: What's a Significant Change?

Anonymous
about 2 years ago
We’ve got the first version of our software as a medical device certified and on the market. Now we’re working on the next version and wondering whether we have to involve our notified body. Apparentl
Accepted 1 answer

There is no short answer. It’s a mess and depends on your auditor, that is, if you can reach them. There’s the MDCG 2020-3 guidance document which c

Change Evaluation List

Change Evaluation List

Sven Piechottka

updated about 2 years ago
Intended Use (for Medical Devices Under MDD / MDR)

Intended Use (for Medical Devices Under MDD / MDR)

Dr. Oliver Eidel

updated about 2 years ago

Still have a question? Ask a question here publicly — for free.

Or talk to one of our consultants — first calls are free. Check out our services and prices.

Looking to automate your regulatory work? Check out our eQMS, Formwork. Built for lean, founder-led companies. There’s a free version too.