IEC 62304 is a safety standard for medical devices, and compliance with it is critical to software developers. Whether it’s a doctor, a specialist, or a nurse, healthcare providers depend on medical devices to treat their patients. Those safety-critical systems need to be secure and reliable to ensure everything has been done to prevent any catastrophic failure that could cause death or serious industry. To assess the risk, the US Food and Drug Administration (FDA) has created a classification system to help with the development of these safety-critical systems.
Medical devices can be sorted into three categories.
Of all the classifications, Class III devices account for only 10 percent of all the devices regulated by the FDA. That’s because of the risk involved. When healthcare providers depend on a specialized medical device to save lives, it needs to meet expectations every time. To do that, you need to satisfy compliance regulations from the ground up, and that’s what IEC 62304 was made for.
Created by the International Organization for Standardization (ISO), IEC 62304 is the standard that specifies the process and needed objectives to safely develop medical device software. These guidelines touch every phase of the software development life cycle (SDLC), covering everything from initial planning and requirement analysis, all the way to software system testing and device deployment.
Although IEC 62304 is filled with highly detailed documentation that tells you what should be done to create compliant software, the caveat is that it doesn’t really tell you how it should be done. These guidelines were intentionally created that way to account for evolutionary changes in development practices or introduction of new technologies. So, it doesn’t really deliver the “how”, in order to accommodate flexibility and expansion.
There isn’t a single ISO standard that covers all the needs and types of requirements to safely and securely create all medical devices. Instead, they’re often broken up into different standards to cover different aspects or needs of the device under development. For some standards, amendments are added to include updates and/or address emerging problems. And although there’s a lot of labor costs and information to keep track of in satisfying compliance regulations, it is indeed in the best interest for medical companies to deliver safe products that help ensure the practitioner’s and the patient’s safety and security.
For example, ISO 9001 is a standard not necessarily built for the healthcare industry, focuses on ensuring that companies have a quality management system (QMS) in place. With a QMS in place, organizations can ensure that not just all stakeholder, as well as regulatory and statutory requirements are fulfilled, but that evidence-based decisions through the product development lifecycle, with quality and value towards customers have been made. ISO 9001 actually helps improve quality control (QC) processes, lowers costs, and enables growth. ISO 13485, on the other hand, complements ISO 9001 by incorporating additional medical device requirements, but also by evaluating whether your QMS is appropriate and effective while emphasizing the safety and efficacy of medical devices.
With ISO 14001, medical device manufacturers have guidelines to build and maintain an environmental management system (EMS) to reduce waste, lower environmental impacts, and ensure legal compliance. To help with other sustainability savings, ISO 50001 helps reduce operating expenses by helping identify ways to improve energy efficiency. Having the tools and processes that allow a business to run are part of the quality management side of any organization, and these standards are all a piece of the puzzle.
Made specifically for performing risk management of medical devices, ISO 14971 helps manufacturers and software developers identify all the hazards associated with a medical device and being able to control those risks. The processes in ISO 14971 are intended to mitigate risks, such as those that can be associated in biocompatibility, data and systems security, electricity, radiation, and accessibility.
To manage these types of threats, an organization needs to identify, evaluate, analyze, and assess the potential safety issues throughout the entire product lifecycle. And with ISO 14971, you get a helpful standard to assist you with identifying the odds or probability of a problem happening, and how severe that problem could be, including how to control these risks, and monitor the effectiveness of the controls.
When talking about building “quality” in medical software, we’re referring to the absence of defects, and that the product is reliable and robust. When testing software, we perform “robustness testing”, which one form of this, is to evaluate or test within the boundaries of the system and test outside the boundaries of the systems as well.
Testing within the boundaries refers to feeding a range of inputs or data that the system would expect. Testing outside the boundaries refers to feeding a range of inputs to the system which would be very unlikely or never receive. How the device or system handles such scenarios helps build robustness or quality into the system. With Parasoft, we can help developers and testers go beyond the boundaries at every step of the SDLC with powerful, comprehensive, and robust software quality test solutions.
The FDA recommends that any medical device company developing software include static analysis into their SDLC to ensure safe, secure, and reliable software. In fact, performing static analysis is the best first line of defense in identifying and remediating bugs or issues. And our customers have expressed that if performed during the implementation phase, their cost in performing quality assurance and maintenance has been substantially reduced. With Parasoft C/C++test, you get a comprehensive automated software testing solution that includes a broad scope of testing methodologies to help satisfy IEC 62304 compliance requirements.
C/C++test is TÜV certified for use on Class I, Class II, and Class III medical devices, and automates software testing methods defined in IEC 62304. Furthermore, our centralized dashboard reporting solution provides development teams with an easy way to expose, prevent, and correct errors in the design. It also aggregates test results making compliance with security, coding, and process safety standards easier by automatically generating the documents needed to demonstrate compliance.
A Sr. Technical Product Marketing Manager for Parasoft’s embedded testing solutions, Ricardo has expertise in the SDLC and test automation of embedded real time, safety, and security-critical applications, and software compliance to industry standards.