Navigating IEC 62304 Standard for Medical Software

By Nicolas Gauthier

The process of developing medical devices is intricate, and design errors can have significant consequences for patients. Therefore, it is crucial to implement processes that not only ensure high quality but also effectively manage risks for both patients and users.
Unfortunately, history is full of design errors that have led to serious injuries, which could have been avoided with proper development (or maintenance) according to the product’s potential risks.

A quick introduction to medical device standards

To prevent such incidents from recurring, governments have introduced regulations and delegated responsibilities to agencies such as the Food and Drug Administration (FDA) in the United States and Health Canada for approving new medical products. These agencies have defined detailed instructions on how to apply these laws. While these regulations primarily outline requirements for manufacturers, many of them are derived from various international standards.
Standards are references that describe approved and recognized methods of operation. They have been developed by experts who understand the needs of the organizations they represent such as manufacturers, associations, and regulators. Although compliance with these standards is voluntary, many regulators view them as evidence of “good practice”. Furthermore, many regulations are explicitly based on industry-recognized standards.
In the specific context of medical device development, regulations and standards share a common objective: ensuring the safety, effectiveness, and security of devices. They establish requirements and best practices for organizational structure, project management, risk management, design, implementation, verification and validation. One such standard is IEC 62304, which applies to medical software development.

What is the IEC 62304 standard?

IEC 62304, titled “Medical device software – Software life-cycle processes”, is an international standard that specifies the requirements for the life-cycle of medical device software, including development and maintenance. The processes, activities, and tasks outlined in this standard establish a common framework that extends from initial planning, through requirements analysis and software testing, to device development and maintenance.

The standard is widely recognized by many regulatory authorities as the reference for developing medical software or embedded software for medical devices.
Its aim is to produce compliant software, meaning it must not only function correctly but also meet users’ needs, prevent injury, and be secure in the cybersecurity sense.

Software classification determines the required activities

The activities required by IEC 62304 vary depending on the risk that the software poses to patients and users. Both the probability of a software error causing injury and the potential severity of that injury are taken into account.

The standard establishes a classification system that categorizes medical software into three safety classes:
The initial step is to assess the software classification to determine the expectations set by the standard. The higher the risk class, the more activities are required:
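| Software documentation | Class A | Class B | Class C |
| --- | --- | --- | --- |
| Software development planning | Yes | Yes | Yes |
| Software requirement analysis | Yes | Yes | Yes |
| Software architectural design | - | Yes | Yes |
| Software detailed design | - | - | Yes |
| Software unit implementation | Yes | Yes | Yes |
| Software unit verification | - | Yes | Yes |
| Software integration & testing | - | Yes | Yes |
| Software system testing | Yes | Yes | Yes |
| Software release | Yes | Yes | Yes |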

IEC 62304 activities are tied to the Quality Management System (QMS)

The IEC 62304 standard is not isolated; it aligns with other industry requirements and standards. For instance, the ISO 13485 standard, titled “Medical devices – Quality management systems”, describes the requirements for quality management systems applicable to medical device development and is not limited to any specific discipline (mechanical, electronic, software, etc.). IEC 62304 complements ISO 13485 with specific requirements for software development.

In simple terms, a Quality Management System (QMS) is a structured framework serving as a guide. Organizations implement it to ensure consistent product quality and compliance with regulations. It encompasses a set of policies, processes, procedures, and resources necessary to plan, execute, and control the development of an organization’s products and services.

In the context of medical device development, establishing and applying a QMS is not optional but a mandatory requirement. It guarantees the production of safe, effective, and reliable devices.
The processes and activities outlined in IEC 62304 offer guidance for defining the QMS to be employed in designing a medical device containing or incorporating software.

The standard does not specify how the activities should be performed

The IEC 62304 standard defines the necessary activities but doesn’t specify when or how they should be executed. Each organization must document its processes and activities, and outline them in the QMS Standard Operating Procedures (SOPs).
While IEC 62304 may appear to favor a “waterfall” approach, it doesn’t mandate or exclude any development model. It presents activities linearly for clarity. It is up to the organization or team to determine and define the approach to implement.
The organization’s level of expertise and maturity are valuable assets in making the right decisions. Additionally, various guides are available to help clarify your position.

The Software Development Plan: a crucial document

The IEC 62304 standard requires every activity to be planned and documented. To this end, the Software Development Plan is an essential document that should be maintained as a reference throughout the process.
The Software Development Plan outlines and documents the planned development process for the project. It defines the development life cycle, delineates phases, associates activities and deliverables, specifies documentation requirements, defines roles and responsibilities, and outlines milestones and important dates. Creating this plan demonstrates that development planning has been carried out and provides guidance to the project team throughout the development process.
It’s important to note that proper document management is vital for regulatory authorities to approve a medical device. The absence of written records of activities is often regarded as if the activities never took place.

The standard must be supplemented with FDA recommendations

Following the recommendations of the IEC 62304 standard simplifies compliance with FDA requirements, which also mandate documentation for each activity.

However, IEC 62304 doesn’t cover everything the FDA requires. For example, IEC 62304 lacks any consideration for cybersecurity, while the FDA now requires cybersecurity risk analysis and control activities, including documented deliverables.

Furthermore, IEC 62304 may employ different terminology than the FDA. Therefore, aligning certain terms between the two is necessary, such as customer needs, design inputs, software requirements, and software design specifications, or software item, software unit, function, module, and components. A guide from the organization facilitates this correspondence.

The IEC 62304 standard has a minor impact on a developer's work

Although the standard may appear somewhat restrictive, particularly in terms of document management, it has minimal direct impact on a developer’s tasks. It merely highlights the crucial activities in software development (design, implementation, testing) that are well-known to developers.
On the other hand, technical leaders and project managers need to keep a close eye on how the various activities are carried out and documented.
