
PyTorch Grad-CAM

General Information

| Field | Value |
| --- | --- |
| Package Name | grad-cam (pytorch-grad-cam) |
| Manufacturer / Vendor | Jacob Gildenblat and contributors |
| Software Category | Library |
| Primary Documentation | Documentation, GitHub |
| Programming Language(s) | Python |
| License | MIT License |
| Deployed Version(s) | >=1.5.0 |
| Most Recent Available Version | 1.5.5 |
| Last Review Date | 2026-01-26 |

Overview

grad-cam (pytorch-grad-cam) is a Python library that provides state-of-the-art methods for Explainable AI (XAI) in computer vision applications. It implements various Class Activation Mapping (CAM) techniques that generate visual explanations of deep learning model predictions by highlighting the image regions that most influenced the model's decision.

Within the medical device software, this library is used exclusively in the Clinical Condition Classifier module to generate saliency maps that explain why the AI model predicts specific skin conditions. This explainability capability is essential for:

  • Regulatory compliance: Meeting requirements for AI/ML transparency in medical devices
  • Clinical trust: Enabling clinicians to understand and validate AI predictions
  • Quality assurance: Supporting verification that the model focuses on clinically relevant image features

The library was selected for its comprehensive support of multiple CAM methods, compatibility with various neural network architectures (including those used in the device), active maintenance, and permissive MIT licensing suitable for commercial medical device software.

Functional Requirements

The following functional capabilities of this SOUP are relied upon by the medical device software.

| Requirement ID | Description | Source / Reference |
| --- | --- | --- |
| FR-001 | Compute GradCAM++ activation maps for classification models | GradCAMPlusPlus class |
| FR-002 | Generate overlay visualizations combining heatmaps with original images | show_cam_on_image() function |
| FR-003 | Support target-specific explanations for multi-class classifiers | ClassifierOutputTarget class |
| FR-004 | Automatic target layer detection for common neural network architectures | Built-in layer detection |

Performance Requirements

The following performance expectations are relevant to the medical device software.

| Requirement ID | Description | Acceptance Criteria |
| --- | --- | --- |
| PR-001 | Saliency map computation shall complete within acceptable inference latency | Computation completes within the overall API timeout |
| PR-002 | Memory usage shall not cause GPU out-of-memory errors during normal operation | Single-image processing without batch accumulation |

Hardware Requirements

The following hardware dependencies or constraints are imposed by this SOUP component.

| Requirement ID | Description | Notes / Limitations |
| --- | --- | --- |
| HR-001 | CUDA-compatible GPU recommended for optimal performance | CPU execution supported but slower |
| HR-002 | Sufficient GPU memory for model + gradient computation | Memory requirements scale with model size and input resolution |

Software Requirements

The following software dependencies and environmental assumptions are required by this SOUP component.

| Requirement ID | Description | Dependency / Version Constraints |
| --- | --- | --- |
| SR-001 | Python runtime environment | Python >=3.8 |
| SR-002 | PyTorch deep learning framework | Compatible with torch >=2.0.0 |
| SR-003 | NumPy for array operations | Required by pytorch-grad-cam |
| SR-004 | OpenCV for image processing (overlay generation) | cv2 module |
| SR-005 | torchvision for image transformations | Compatible versions with torch |

Known Anomalies Assessment

This section evaluates publicly reported issues, defects, or security vulnerabilities associated with this SOUP component and their relevance to the medical device software.

| Anomaly Reference | Status | Applicable | Rationale | Reviewed At |
| --- | --- | --- | --- | --- |
| PyTorch CVE-2025-32434 (torch.load RCE) | Fixed | No | The device does not use torch.load() with untrusted model files; all models are pre-deployed | 2026-01-26 |
| PyTorch CVE-2025-2953 (DoS) | Open | No | Affects mkldnn_max_pool2d function not used by grad-cam or the device's explainability pipeline | 2026-01-26 |

No security vulnerabilities have been reported directly against the pytorch-grad-cam library itself. According to Snyk's security analysis, the package has been scanned and deemed safe to use. The library does not maintain a formal security policy (no SECURITY.md file), which is common for academic/research-originated open-source projects.

The vulnerabilities documented above are framework-level issues in PyTorch rather than in pytorch-grad-cam specifically. CVE-2025-32434 (critical RCE via torch.load()) was fixed in PyTorch 2.6.0; the device mitigates this by using only pre-deployed, trusted model files. CVE-2025-2953 affects a pooling function not utilized in the explainability pipeline.

Functional issues reported in the pytorch-grad-cam GitHub issue tracker include edge cases with two-class classifiers, 3D CNN shape mismatches, and specific architecture compatibility (CLIP, Swin Transformer). These do not affect the device's use case, which employs standard CNN architectures with multi-class classification using the GradCAM++ method.

Risk Control Measures

The following risk control measures are implemented to mitigate potential security and operational risks associated with this SOUP component:

  • GPU memory management guards prevent resource exhaustion during saliency map computation
  • Only trusted, internally validated data is processed through the explainability pipeline
  • The explainability module is isolated from external inputs
  • Version locking ensures reproducible deployments with known-stable versions
  • All models are pre-deployed and verified; no external model loading occurs
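
The two controls above that bear on CVE-2025-32434 (a torch release at or above the 2.6.0 fix, and only pre-deployed, verified model files) can be enforced as a startup check. The following is an added example, not code from this QMS or from the device; the manifest format, file names and function names are hypothetical, the sample files are constructed, and in a deployment the version string would come from `torch.__version__`.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Fixed release for CVE-2025-32434 as stated in this record; trailing 1 = final release.
TORCH_LOAD_FIX = (2, 6, 0, 1)


def release_key(version: str) -> tuple:
    """'2.6.0+cu124' -> (2, 6, 0, 1); pre-releases such as '2.6.0rc1' end in 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, rest = m.groups()
    final = 0 if re.match(r"\.?(a|b|rc|dev)", rest) else 1
    return (int(major), int(minor), int(patch or 0), final)


def verify_model(path: Path, manifest: dict) -> bool:
    """True only if the file is listed in the manifest and its SHA-256 matches."""
    expected = manifest.get(path.name)
    if expected is None:
        return False  # unlisted file: not a pre-deployed model
    return hashlib.sha256(path.read_bytes()).hexdigest() == expected


def startup_findings(torch_version: str, model_dir: Path, manifest: dict) -> list:
    """Empty list means both controls hold; each string is one deviation."""
    findings = []
    if release_key(torch_version) < TORCH_LOAD_FIX:
        findings.append(f"torch {torch_version} predates the CVE-2025-32434 fix (2.6.0)")
    for path in sorted(model_dir.glob("*.pt")):
        if not verify_model(path, manifest):
            findings.append(f"{path.name}: not in manifest or digest mismatch")
    return findings


def demo() -> list:
    """Constructed sample: one pinned model, one stray file, torch 2.5.1."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp)
        (model_dir / "classifier.pt").write_bytes(b"constructed weights")
        (model_dir / "stray.pt").write_bytes(b"constructed unknown file")
        manifest = {"classifier.pt": hashlib.sha256(b"constructed weights").hexdigest()}
        return startup_findings("2.5.1", model_dir, manifest)


if __name__ == "__main__":
    print("\n".join(demo()))
```

A service would refuse to start, or refuse to load the affected file, whenever the returned list is non-empty.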

Assessment Methodology

The following methodology was used to identify and assess known anomalies:

  • Sources consulted: National Vulnerability Database (NVD), GitHub Security Advisories, PyPI security reports, and the pytorch-grad-cam GitHub repository issue tracker
  • Criteria for determining applicability: Vulnerabilities were assessed based on whether the affected functionality is used by the device, whether the attack vector is reachable in the deployment environment, and whether mitigating controls exist

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)