First released in 2006 and then updated in 2015, the IEC 62304 standard is related to both the development and maintenance of medical device software. Ensuring a software product’s IEC 62304 compliance requires the implementation of a rigorous process from the very beginning of the project: the purpose is to reduce software-related risks to a “tolerable” level. Let’s go through the key aspects of this standard.

The standards applied to medical device software

As for all industries where software quality is key, in the medical sector the software lifecycle is strictly managed and regulated by several standards:

medical device software standards

The IEC 62304 standard in a nutshell:

The IEC 62304 standard is one of the medical industry’s norms. It deals with the development and the lifecycle of a medical device software and it is generally associated with other standards such as:

  • IEC 13485 : Quality management system for medical devices
  • IEC 82304 : Safety and reliability of healthcare software products
  • ISO 14971 : Risk management of medical devices
  • IEC 62366 : Usability requirements for medical devices
  • ISO/TR 20416 : Post-marketing monitoring (under the manufacturers’ responsibility)

Medical Device: what are we talking about?

According to the current regulation 2017/745, effective since 26 May 2021, a medical device is “any instrument, apparatus, implement, machine, appliance or other similar article including the software intended by the manufacturer to be used, alone or in combination, for human beings for diagnostic and/or therapeutic purposes human beings for one or more specific purpose(s) such as:

  • diagnosis, prevention, monitoring, treatment or alleviation of disease,
  • diagnosis, monitoring, treatment, alleviation of or compensation for an injury or a disability,
  • investigation, replacement, modification or support of the anatomy or of a physiological process,
  • control of conception,
  • and which does not achieve its primary intended action in or on the human body by pharmacological, immunological or metabolic means, but which may be assisted in its intended function by such means.”

What about a Medical Device software?

The EN 62304 standard is applied to medical devices as long as the product’s purpose matches to the definition of a medical device, hereafter:

  • a software embedded in medical devices,
  • a computer software,
  • a smartphone application (such as mHealthapp, mobile health applications). To be noted: for PC and smartphone software, the IEC 82304 standard comes in addition to the IEC 62304 one.

IEC 62304 software safety classification

The IEC 62304 standard introduces 3 software safety classes, from A (the least crucial) to C (the most crucial). Depending on the cruciality, the lifecycle of the medical device software to be implemented will have to be comprehensive accordingly.

Software safety classes are defined by the severity of the consequences brought about by software failure:

  • Class A: no injury or damage to health is possible 
  • Class B: non-serious injury is possible 
  • Class C: death or serious injury is possible

As shown, the IEC 62304 standard requires the implementation of a software lifecycle encompassing several processes: risk management, development, maintenance, configuration, software-related problems solving; all this, right from class A.

The impact of security classification on software engineering

Medical device regulations set greater demands on the design and the development of medical device software when its potential failures are likely to have significant consequences.
The purpose of the safety classification is hence to index the software lifecycle management by the risk for the patient if any software failure or anomaly occurred. Consequently, this classification has an impact on both traceability and document management efforts, enabling you to prove risk management via the medical device development.

What does it suppose for Medical Devices manufacturers ?

As a medical device manufacturer, it is fundamental that your software comply with current standards. Actually, it is a sine qua non condition to market your medical device.
But that’s not all: your medical products’ sustainability and corporate image also depend on your products’ reliability.

Applying the requirements of the IEC 62304 standard to software lifecycle

The IEC 62304 standard does not clearly make verification activities and specific tests processes mandatory. However, they are key to meet its software lifecycle requirements and have to be integrated as part of a Software Quality Assurance Plan, specifying at least:

  • Configuration management: the configuration management is a very important aspect for software lifecycle since it allows to stock and keep track of all the different versions and modifications that will be used by a system (hardware, software, documents, unit data, etc.)
  • Change management
  • Requirements traceability management: many manufacturers still use traceability systems which are manual, long, complex and, most of all, likely to be source of errors. It is hence advisable to rely on tools enabling automated traceability among project items
  • Detection of bugs and software vulnerabilities 
  • Verification of software units: it can be done whether through unit, integration and system tests or through peer reviews

Even though the IEC 62304 does not provide specific guidelines, it is better to define both a strict quality assurance and development methodology before launching the project. In fact, an upstream and rigorous strategy will ultimately prove your proficiency as a medical device software developer in designing high-quality software for compliance audits.

Why relying on an ALM tool is so important?

Application Lifecycle Management is a key success lever for companies developing embedded software products. The implementation of a good ALM tool is hence fundamental for both the development and the quality control of software in the medical industry. In fact, it makes it possible to better manage the entire application lifecycle, facilitating both on site and remote audits since all data and processes are centralized under one roof, on a single platform.

Track every item, automatically

Proving traceability throughout the whole software development process is a major concern.

As soon as possible

Is it possible to check and adapt the process to meet the IEC 62304 standards even for developments that have already started? Well… the earlier it’s done, the smaller the risks of identifying last minute issues which would lead to mandatory adaptations, likely to delay the compliance process and ultimately the software release. This is why we suggest that you build good habits as soon as possible, from the start.

Embrace a more iterative, agile approach

Waterfall development approaches are widely used in the medical field, however it is important to bear in mind that the IEC 62304 standard does not impose the implementation of any precise development methodology. In fact, a more incremental approach is possible too, as long as all changes are tracked. And for this, agile methods are full of good practices that can definitely create a lot of value for medical device software projects.

How to achieve ISO 13485 & IEC 62304 Medical Device Compliance?