Navigating IEC 62304 Standard for Medical Device Software

Written By Nicolas Gauthier

November 2023

The process of developing medical devices is intricate, and design errors can have significant consequences for patients. Therefore, it is crucial to implement processes that not only ensure high quality but also effectively manage risks for both patients and users.

Unfortunately, history is full of design errors that have led to serious injuries, which could have been avoided with proper development (or maintenance) according to the product’s potential risks.

By adhering to rigorous standards such as IEC 62304, which applies to medical device software, we can minimize risks and develop safer, more reliable medical devices.

Introduction to Medical Device Standards

To prevent incidents from recurring, governments have introduced regulations and delegated responsibilities to agencies such as the Food and Drug Administration (FDA) in the United States and Health Canada for approving new medical products. These agencies have defined detailed instructions on how to apply these laws. While these regulations primarily outline requirements for manufacturers, many of them are derived from various international standards.

Standards are references that describe approved and recognized methods of operation. They have been developed by experts who understand the needs of the organizations they represent such as manufacturers, associations, and regulators. Although compliance with these standards is voluntary, many regulators view them as evidence of “good practice”. Furthermore, many regulations are explicitly based on industry-recognized standards.

In the specific context of medical device development, regulations and standards share a common objective: ensuring their safety, effectiveness, and security. They establish requirements and best practices for organizational structure, project management, risk management, design, implementation, verification and validation. One such standard is IEC 62304, which applies to medical device software development.

Is Your Software Considered a Medical Device?

The first step is to determine whether your software qualifies as a medical device. This requires a clear definition of its intended use and indications for use. Once those are clarified, you can assess whether your software falls under the regulatory definition of a medical device.

Keep in mind that software used in healthcare environments doesn’t automatically qualify as a medical device. To meet the definition, it must be specifically intended for medical purposes.

What is a Medical Device?

The FDA defines a medical device as an instrument “intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals.“

To better understand whether your software fits this category, it can be useful to look up existing product classifications. If you find one that matches your software’s intended function, that’s a strong indicator that it may be considered a medical device.

Software is often embedded in a wide range of medical equipment, from advanced imaging systems to portable diagnostic tools, and can itself be subject to regulation.

Types of Medical Device Software

Medical device software is typically divided into two main types, based on how and where it operates: Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD).

Software as a Medical Device (SaMD)

As defined by the International Medical Device Regulators Forum (IMDRF), SaMD refers to software intended for medical purposes that operates independently of any specific hardware medical device. These are standalone solutions, such as mobile apps, desktop programs, or cloud-based tools designed to support medical functions.

Examples of SaMD include apps that allow clinicians to view MRI scans on a smartphone or software that analyzes patient data and uses algorithms to recommend treatment options for a particular condition.

Software in a Medical Device (SiMD)

SiMD refers to software that is either embedded in or works alongside a physical medical device to support its operation. Unlike SaMD, it cannot function without the hardware it’s associated with.
This type of software plays a direct role in operating the device, such as managing dosage in an infusion pump, regulating pacemaker activity, or controlling radiation output in therapeutic equipment.

What is the IEC 62304 standard?

IEC 62304, titled “Medical device software – Software life-cycle processes”, is an international standard that specifies the requirements for the life-cycle of medical device software, including development and maintenance. The processes, activities, and tasks outlined in this standard establish a common framework that extends from initial planning, through requirements analysis and software testing, to device development and maintenance.

The standard is widely recognized by many regulatory authorities as the reference for developing medical software or embedded software for medical devices.

Its aim is to produce compliant software, meaning it must not only function correctly but also meet users’ needs, prevent injury, and be secure in the cybersecurity sense.

Software Classification and Its Impact on Development Activities

The activities required by IEC 62304 vary depending on the risk that the software poses to patients and users. Both the probability of a software error causing injury and the potential severity of that injury are taken into account.

The standard establishes a classification system that categorizes medical software into three safety classes:
The initial step is to assess the software classification to determine the expectations set by the standard. The higher the risk class, the more activities are required:
Software documentationClass AClass BClass C
Software development planning
Software requirement analysis
Software architectural design-
Software detailed design--
Software unit implementation
Software unit verification-
Software integration & testing-
Software system testing
Software release

Software Development Activities Required by IEC 62304

Establish a plan to conduct and document activities related to the various processes of software development.

Define the requirements for the software elements of the system, based on system requirements (for SiMD) or user needs (for SaMD).

Provide a high-level software design that shows how the requirements will be implemented by breaking down the software system into software elements (with defined responsibilities and interfaces).
Provide a detailed design of the software that is sufficient to enable implementation and testing, by decomposing software elements into detailed software units (algorithms, protocols, etc.).
Implement (code) the software units in accordance with the software design, and verify their correctness.
Combine software units together (as per the design) and demonstrate that the integrated components meet the defined requirements (on an operational platform, whether partial or complete).
Confirm that the fully integrated software system meets the specified requirements.
Ensure that the software is released in a controlled and systematic manner, including completion of verifications, documentation of the release version (release notes), and archiving of various artifacts (evidence).

Our experts always got your back

With extensive cross-industry experience, we’re always ready to tackle product development complexities and propel your success.

IEC 62304 and the Quality Management System (QMS)

IEC 62304 standard is not isolated; it aligns with other industry requirements and standards. For instance, ISO 13485 standard, titled “Medical devices – Quality management systems”, describes the requirements for quality management systems applicable to medical devices development, but is not limited to any specific discipline (mechanical, electronic, software, etc.). IEC 62304 complements ISO 13485 with specific requirements for software development.

In simple terms, a Quality Management System (QMS) is a structured framework serving as a guide. Organizations implement it to ensure consistent product quality and compliance with regulations. It encompasses a set of policies, processes, procedures, and resources necessary to plan, execute, and control the development of products and services.

In the context of medical device development, establishing and applying a QMS is not optional but a mandatory requirement. It guarantees the production of safe, effective, and reliable devices.
The processes and activities outlined in IEC 62304 offer guidance for defining the QMS to be employed in designing a medical device containing or incorporating software.

Software Risk Management Under IEC 62304

The software risk management process under IEC 62304 is closely aligned with the principles outlined in ISO 14971.

While ISO 14971 provides the general framework for managing risks associated with medical devices, IEC 62304 extends this approach by adding specific requirements for software.

These additions focus on identifying software-related factors that may contribute to hazards or hazardous situations, ensuring that software risks are systematically assessed and controlled throughout the development lifecycle.

Implementing IEC 62304 Activities in The Software Development Process

IEC 62304 standard defines the necessary activities but doesn’t specify when or how they should be executed. Each organization must document its processes and activities, and outline them in the QMS Standard Operating Procedures (SOPs).
While IEC 62304 may appear to favor a “waterfall” approach, it doesn’t mandate or exclude any development model. It presents activities linearly for clarity. It is up to the organization or team to determine and define the approach to implement.
The organization’s level of expertise and maturity are valuable assets in making the right decisions. Additionally, various guides are available to help clarify your position.

The Software Development Plan: A Key Deliverable

IEC 62304 standard requires every activity to be planned and documented. To this end, the Software Development Plan is an essential document that should be maintained as a reference throughout the process.
The Software Development Plan outlines and documents the planned development process for the project. It defines the development life cycle, delineates phases, associates activities and deliverables, specifies documentation requirements, defines roles and responsibilities, and outlines milestones and important dates. Creating this plan demonstrates that development planning has been carried out and provides guidance to the project team throughout the development process.
It’s important to note that proper document management is vital for regulatory authorities to approve a medical device. The absence of written records of activities is often regarded as if the activities never took place.

Complementing IEC 62304 with FDA Guidance

Following the recommendations of IEC 62304 standard simplifies compliance with FDA requirements, which also mandate documentation for each activity.

However, IEC 62304 doesn’t cover everything the FDA requires. For example, IEC 62304 lacks any consideration for cybersecurity, while the FDA now requires cybersecurity risk analysis and control activities, including documented deliverables.

Furthermore, IEC 62304 may employ different terminology than the FDA. Therefore, aligning certain terms between the two is necessary, such as customer needs, design inputs, software requirements, and software design specifications, or software item, software unit, function, module, and components. A guide from the organization facilitates this correspondence.

How IEC 62304 Affects Developers in Practice

Although the standard may appear somewhat restrictive, particularly in terms of document management, it has minimal direct impact on a developer’s tasks. It merely highlights the crucial activities in software development (design, implementation, testing) that are well-known to developers.
On the other hand, technical leaders and project managers need to keep a close eye on how the various activities are carried out and documented.

Frequently Asked Questions About IEC 62304

Quality and regulatory teams define the framework, but technical leaders ensure implementation, documentation, and audits are fulfilled. Developers contribute by following defined processes and providing traceability.
What are the consequences of not adhering to the IEC 62304 standard? Non-compliance can result in regulatory rejection, market access delays, or product recalls. It also increases the risk of software failures that could harm users, leading to liability and reputational damage.
Misjudging harm probability or overlooking indirect hazards often leads to under-classification. Proper use scenarios, risk analysis, and regulatory consultation reduce misclassification risks.
Yes, Agile can be used if deliverables are clearly documented and mapped to IEC 62304 processes. This includes defining increments, maintaining traceability, and updating the software development plan iteratively.
IEC 82304-1 addresses the safety and quality of standalone health software (SaMD), emphasizing usability, performance, and clinical benefit. Unlike IEC 62304, which focuses on lifecycle processes, IEC 82304-1 ensures that the software as a finished product is safe and effective.
ISO 13485 is a general quality management system standard for medical devices, covering organizational processes across disciplines. IEC 62304 focuses specifically on the software development lifecycle within that broader system, detailing required activities for medical software safety and performance.

Author & Collaborators

Written by
Nicolas Gauthier

Newsletter & Monthly Digest

Subscribe to get our insights delivered to your email inbox.