What is IEC 62304?
IEC 62304, Medical device software — Software life cycle processes is a standard that defines the life cycle requirements for software that is used in a medical device, including software as a medical device.
The standard provides a framework of life cycle processes that support the safe design and maintenance of medical device software. Each life cycle process has defined requirements that is specified as set of activities. Each activity is often defined as a set of tasks.
IEC 62304 assumes that the medical device software is developed and maintained within a quality management system (QMS) and a risk management system (RMS).
Note on the QMS and RMS
You should have a QMS that is compliant with ISO 13485 when developing medical software.
IEC 62304 simply refers to the risk management process defined by ISO 14971 and only specifies additional requirements for the identification of hazards contributed by software, so it is best if you are familiar with ISO 14971.
The software life cycle processes that are addressed by the standard are:
- Software development process
Describes the key development activities including, planning, requirements.
- Software maintenance process
Describes an abridged form of the software development process that is intended to manage changes to the software after release, e.g. for bug fixes, and upgrades.
Software risk management process
Describes activities to be performed during the software development process (to identify and mitigate risks posed by software failures, use error and other system failures) and during the software maintenance process (to identify and mitigate risks posed by changes).
Software configuration management process
Describes requirements for the source code control system and the development environment and how to manage builds and releases
Software problem resolution process
Describes requirements for the bug tracking system and activities for the evaluation and resolution of bugs
How does IEC 62304 describe the Software Development Process?
The standard separates the software development process into different activities. The activities themselves are then described in terms of tasks. The activities are:
Software development planning
Software requirements analysis
Software architectural design
Software detailed design
Software unit implementation and verification
Software integration and integration testing
Software system testing
Each activity describes the roles e.g. requirements engineers, programmers, software architects or testers) that need to perform the activity, what are the inputs to the activity (e.g. documents) and what are the outputs from the activity (e.g. documents, products or decisions), when the activity should be performed and what methods, tools and procedures should be used.
These activities should already be defined in the QMS (as e.g. standard operating procedures) and often the output of the activity is a document that captures the details of having executed the process.
IEC 62304 Software Safety Classification
The standard defines three safety classes for software:
Class C: death or serious injury is possible
Class B: no serious injury is possible
Class A: no injury or damage to health is possible
Different documentation and testing requirements apply to each safety class, with Class C needing the most effort. So, while you might think it is safest to classify your software as Class C, remember that this “over-classification” of your software does come with unnecessary overhead.
However, until a safety class has been determined, the requirements of Class C apply to your software.
Don’t forget about the Documentation
Generally, all medical devices must satisfy two main requirements:
The first is that the device must be safe. By definition, safety is the absence of unacceptable risks.
The second requirement is that the device must attain the performance and functionality as declared by its manufacturer.
These requirements also apply to medical software. So, IEC 62304 requires that you document everything that you do during the software development process.
The standard requires that specific documentation (depending on safety class) be created for different activities. The table shows whether documentation is required or not for a specific activity in the software development process.
|Software Development Process Activity|
|Software development planning|
|Software requirements analysis|
|Software architectural design|
|Software detailed design|
|Software unit implementation|
|Software unit verification|
|Software integration and integration testing|
|Software system testing|
IEC 62304 and SOUP
Software of unknown provenance (SOUP) describes software that has been included in medical devices or in medical software (including software as a medical device) that was not developed according to a known software development process or methodology, or which has unknown or no safety-related properties.
IEC 62304 specifically defines SOUP as:
Software that is already developed and generally available and that has not been developed for the purpose of being incorporated into the MEDICAL DEVICE (also known as “off the-shelf software”) or software previously developed for which adequate records of the development PROCESSES are not available.
IEC 62304:2006 does not prohibit the use of SOUP but additional controls are required and the risk of the SOUP needs to be assessed and taken into account.
For more information about SOUP and how to handle the inclusion of SOUP in your medical device, please read the article Reducing the Uncertainty of SOUP.
Which is the latest version of IEC 62304?
The latest version of this medical device standard is IEC 62304:2006. There was also an amendment in 2015.
Is IEC 62304 mandatory?
Compliance with a regulation is mandatory while compliance with a standard is voluntary. However, many countries around the world have regulatory requirements that are covered (to a greater extent) by applicable standards, so complying with the medical device standards is often in your favour as a medical device manufacturer.
Since IEC 62304 is a standard, its use is not mandatory. However, being compliant with IEC 62304 is a good start, because often specific markets have requirements that are only slightly different to IEC 62304.
If you would like more information about IEC 62304 or about how to integrate IEC 62304 into your existing processes then please contact us at firstname.lastname@example.org.