The process of developing medical devices is intricate, and design errors can have significant consequences for patients. Therefore, it is crucial to implement processes that not only ensure high quality but also effectively manage risks for both patients and users.
By adhering to rigorous standards such as IEC 62304, which applies to medical device software, we can minimize risks and develop safer, more reliable medical devices.
Introduction to Medical Device Standards
To prevent incidents from recurring, governments have introduced regulations and delegated responsibilities to agencies such as the Food and Drug Administration (FDA) in the United States and Health Canada for approving new medical products. These agencies have defined detailed instructions on how to apply these laws. While these regulations primarily outline requirements for manufacturers, many of them are derived from various international standards.
Standards are references that describe approved and recognized methods of operation. They have been developed by experts who understand the needs of the organizations they represent, such as manufacturers, associations, and regulators. Although compliance with these standards is voluntary, many regulators view them as evidence of “good practice”. Furthermore, many regulations are explicitly based on industry-recognized standards.
In the specific context of medical device development, regulations and standards share a common objective: ensuring the safety, effectiveness, and security of medical devices. They establish requirements and best practices for organizational structure, project management, risk management, design, implementation, verification and validation. One such standard is IEC 62304, which applies to medical device software development.
Is Your Software Considered a Medical Device?
The first step is to determine whether your software qualifies as a medical device. This requires a clear definition of its intended use and indications for use. Once those are clarified, you can assess whether your software falls under the regulatory definition of a medical device.
Keep in mind that software used in healthcare environments doesn’t automatically qualify as a medical device. To meet the definition, it must be specifically intended for medical purposes.
What is a Medical Device?
To better understand whether your software fits this category, it can be useful to look up existing product classifications. If you find one that matches your software’s intended function, that’s a strong indicator that it may be considered a medical device.
Types of Medical Device Software
Medical device software is typically divided into two main types, based on how and where it operates: Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).
Software as a Medical Device (SaMD)
As defined by the International Medical Device Regulators Forum (IMDRF), SaMD refers to software intended for medical purposes that operates independently of any specific hardware medical device. These are standalone solutions, such as mobile apps, desktop programs, or cloud-based tools designed to support medical functions.
Software in a Medical Device (SiMD)
What is the IEC 62304 standard?
IEC 62304, titled “Medical device software – Software life-cycle processes”, is an international standard that specifies the requirements for the life-cycle of medical device software, including development and maintenance. The processes, activities, and tasks outlined in this standard establish a common framework that extends from initial planning, through requirements analysis and software testing, to device development and maintenance.
The standard is widely recognized by many regulatory authorities as the reference for developing medical software or embedded software for medical devices.
Software Classification and Its Impact on Development Activities
The activities required by IEC 62304 vary depending on the risk that the software poses to patients and users. Both the probability of a software error causing injury and the potential severity of that injury are taken into account.
- Class A: No possibility of injury or damage to the patient.
- Class B: Potential for injury, but not severe.
- Class C: Potential for severe harm or death.
Software documentation | Class A | Class B | Class C |
---|---|---|---|
Software development planning | ✅ | ✅ | ✅ |
Software requirement analysis | ✅ | ✅ | ✅ |
Software architectural design | - | ✅ | ✅ |
Software detailed design | - | - | ✅ |
Software unit implementation | ✅ | ✅ | ✅ |
Software unit verification | - | ✅ | ✅ |
Software integration & testing | - | ✅ | ✅ |
Software system testing | ✅ | ✅ | ✅ |
Software release | ✅ | ✅ | ✅ |
Software Development Activities Required by IEC 62304
- Software Development Planning
- Software Requirements Analysis
Define the requirements for the software elements of the system, based on system requirements (for SiMD) or user needs (for SaMD).
- Software Architectural Design
- Software Detailed Design
- Software Unit Implementation and Verification
- Software Integration and Integration Testing
- Software System Testing
- Software Release
IEC 62304 and the Quality Management System (QMS)
The IEC 62304 standard is not isolated; it aligns with other industry requirements and standards. For instance, the ISO 13485 standard, titled “Medical devices – Quality management systems”, describes the requirements for quality management systems applicable to medical device development, but is not limited to any specific discipline (mechanical, electronic, software, etc.). IEC 62304 complements ISO 13485 with specific requirements for software development.
In simple terms, a Quality Management System (QMS) is a structured framework serving as a guide. Organizations implement it to ensure consistent product quality and compliance with regulations. It encompasses a set of policies, processes, procedures, and resources necessary to plan, execute, and control the development of products and services.
Software Risk Management Under IEC 62304
While ISO 14971 provides the general framework for managing risks associated with medical devices, IEC 62304 extends this approach by adding specific requirements for software.
Implementing IEC 62304 Activities in the Software Development Process
The Software Development Plan: A Key Deliverable
Complementing IEC 62304 with FDA Guidance
Following the recommendations of the IEC 62304 standard simplifies compliance with FDA requirements, which also mandate documentation for each activity.
However, IEC 62304 doesn’t cover everything the FDA requires. For example, IEC 62304 lacks any consideration for cybersecurity, while the FDA now requires cybersecurity risk analysis and control activities, including documented deliverables.
Furthermore, IEC 62304 may employ different terminology than the FDA. Therefore, aligning certain terms between the two is necessary, such as customer needs, design inputs, software requirements, and software design specifications, or software item, software unit, function, module, and components. A guide from the organization facilitates this correspondence.