“IEC 62304 – medical device software – software life cycle processes”: a crucial MedTech standard. First released in 2006 and then updated in 2015, the IEC 62304 standard is related to both the development and maintenance of medical device software. But what are the actual requirements for Medical Device software to meet, in order to achieve IEC 62304 compliance? Let’s catch up on this standard: definition of medical device, software safety classification, IEC 62304 requirements and application to software lifecycle… all this and more, in the following article.
What’s considered as Medical Device?
According to the current regulation 2017/745, effective since 26 May 2021, a medical device is “any instrument, apparatus, implement, machine, appliance or other similar article including the software intended by the manufacturer to be used, alone or in combination, for human beings for diagnostic and/or therapeutic purposes human beings for one or more specific purpose(s) such as:
- diagnosis, prevention, monitoring, treatment or alleviation of disease,
- diagnosis, monitoring, treatment, alleviation of or compensation for an injury or a disability,
- investigation, replacement, modification or support of the anatomy or of a physiological process,
- control of conception,
- and which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.”
What’s qualified as a Medical Device software?
The “IEC 62304 – medical device software – software life cycle processes” standard is applied to medical devices as long as the product’s purpose matches to the definition of a medical device, hereafter:
- a software embedded in medical devices,
- a computer software,
- a smartphone application (such as HealthMap, mobile health applications).
For PC and smartphone software, the IEC 82304 standard comes in addition to the IEC 62304 one.
The IEC 62304 standard in a nutshell
The IEC 62304 standard is one of the medical industry’s norms. It deals with the development and the lifecycle of medical device software, and it is generally associated with other standards such as:
- IEC 13485 : Quality management system for medical devices
- IEC 82304 : Safety and reliability of healthcare software products
- ISO 14971 : Risk management of medical devices
- IEC 62366 : Usability requirements for medical devices
- ISO/TR 20416 : Post-marketing monitoring (under the manufacturers’ responsibility)
IEC 62304 software safety classification
The IEC 62304 standard introduces 3 software safety classes, from A (the least crucial) to C (the most crucial). Depending on the cruciality, the lifecycle of the medical device software to be implemented will have to be comprehensive accordingly.
Software safety classes are defined by the severity of the consequences brought about by software failure:
- Class A: no injury or damage to health is possible
- Class B: non-serious injury is possible
- Class C: death or serious injury is possible
As shown, the IEC 62304 standard requires the implementation of a software lifecycle encompassing several processes: risk management, development, maintenance, configuration, software-related problems solving; all this, right from class A.
The impact of security classification on software engineering
Medical device regulations set greater demands on the design and the development of medical device software when their potential failures are likely to have significant consequences.
The purpose of the safety classification is hence to index the software lifecycle management by the risk for the patient if any software failure or anomaly occurred. Consequently, this classification has an impact on both traceability and document management efforts, enabling you to prove risk management via medical device development.
How does the IEC 62304 standard impact Medical Devices manufacturers?
As a medical device manufacturer, it is fundamental to prove your software compliance with current standards; and in this case, with the “IEC 62304 – medical device software – software life cycle processes”standard. Actually, it is a sine qua non condition to market any of your medical devices. But that’s not all: your medical products’ sustainability and corporate image also depend on your products’ reliability and safety.
Applying the requirements of the IEC 62304 standard to software lifecycle
The IEC 62304 standard does not clearly make verification activities and specific tests processes mandatory. However, they are key to meeting its software lifecycle requirements and have to be integrated as part of a Software Quality Assurance Plan, specifying at least:
- Configuration management: the configuration management is a very important aspect for software lifecycle since it allows to stock and keep track of all the different versions and modifications that will be used by a system (hardware, software, documents, unit data, etc.)
- Change management
- Requirements traceability management: many manufacturers still use traceability systems which are manual, long, complex and, most of all, likely to be source of errors. It is hence advisable to rely on tools enabling automated traceability among project items and hence avoid risks
- Detection of bugs and software vulnerabilities
- Verification of software units: it can be done whether through unit, integration and system tests or through peer reviews
Even though the IEC 62304 does not provide specific guidelines, it is better to define a quality management system, as well as strict quality assurance and development methodology before launching the project. In fact, an upstream and rigorous strategy will ultimately prove your proficiency as a medical device software developer in designing high-quality software for compliance audits. To go further, here’s a complementary article to get some insights from Gartner® to choose the right software.