IEC Software Standards: What Is IEC 62304 & Its Use in Medical Device Compliance?

Ricardo Camacho, Director of Safety & Security Compliance
October 25, 2023

Testing your medical device software for compliance is critical. IEC 62304 is the compliance standard for medical devices. Here's how Parasoft solutions can help you achieve IEC 62304 compliance with automated testing.

IEC 62304 is a functional safety standard for medical devices, and compliance with it is critical to software developers. Whether it’s a doctor, a specialist, or a nurse, healthcare providers depend on medical devices to treat their patients. Those safety-critical systems need to be secure and reliable to ensure everything has been done to prevent any catastrophic failure that could cause death or serious injury. To assess the risk, the US Food and Drug Administration (FDA) has created a classification system to help with the development of these safety-critical systems.

Medical devices can be sorted into three categories.

  • Class I. Low-risk devices not intended to support or sustain life. This could include items like a bandage, a crutch, or a non-electric wheelchair.
  • Class II. Intermediate-risk devices come into sustained contact with a patient and the practitioner needs training to use them. These devices could include catheters, blood pressure cuffs, or intravenous infusion pumps.
  • Class III. High-risk devices designed to sustain or support life. Class III devices are life-saving tools like defibrillators, pacemakers, or high-frequency ventilators.

Of all the classifications, Class III devices account for only 10 percent of all the devices regulated by the FDA. That’s because of the risk involved. When healthcare providers depend on a specialized medical device to save lives, it needs to meet expectations every time. To do that, you need to satisfy compliance regulations from the ground up, and that’s what IEC 62304 was made for.

What Is IEC 62304?

Created by the International Organization for Standardization (ISO), IEC 62304 is the standard that specifies the process and needed objectives to safely develop medical device software. These guidelines touch every phase of the software development life cycle (SDLC), covering everything from initial planning and requirement analysis, all the way to software system testing and device deployment.

Although IEC 62304 is filled with highly detailed documentation that tells you what should be done to create compliant software, the caveat is that it doesn’t really tell you how it should be done. These guidelines were intentionally created that way to account for evolutionary changes in development practices or the introduction of new technologies. So, it doesn’t really deliver the “how” to accommodate flexibility and expansion.

Scope and Purpose of IEC Software Standards

The scope of IEC 62304 covers the entire software development life cycle of medical devices, encompassing processes such as risk management, software design, verification, validation, maintenance, documentation, and legacy software, with a primary focus on ensuring the safety and effectiveness of medical device software throughout its life cycle. Below are the core areas covered by IEC 62304.

  1. Medical device software. IEC 62304 applies to software that is an integral part of a medical device or is intended for medical device software development. This may include software used for medical device control, monitoring, data processing, and patient management.
  2. Software life cycle. The standard addresses the entire software development life cycle, from the initial concept to the end of software support. This encompasses processes like requirements management, software development, maintenance, and obsolescence management.
  3. Risk management. IEC 62304 incorporates a risk-based approach to guide software development intended for use in the health industry. It mandates the identification, assessment, and mitigation of risks associated with the software to ensure patient safety and device effectiveness.
  4. Software maintenance and changes. The standard provides guidelines for managing software maintenance and changes, including software updates, patches, and modifications, to maintain the software’s safety and performance over time.
  5. Documentation. IEC 62304 mandates thorough documentation of the software development process. This documentation serves as a record of compliance and is crucial for regulatory submissions and audits.
  6. Verification and validation. The standard outlines processes for the verification and validation of the software to confirm that it functions correctly, that the right product was built, and that it complies with regulatory requirements.
  7. Integration with hardware. The standard addresses the integration of software with hardware components within medical devices, ensuring that the software interacts safely and effectively with the device’s hardware.
  8. Compliance with regulatory requirements. Adherence to IEC 62304 standards is essential for regulatory approval in various regions, including the United States FDA and the European Union (MDR). Compliance facilitates market access and reduces regulatory hurdles.

The primary purpose of IEC 62304 is to guarantee the safety and performance of medical device software throughout its life cycle. Its key objectives are the following:

  1. To provide a common framework for medical device software life cycle processes.
  2. To establish requirements for the development, verification, validation, maintenance, and risk management of medical device software.
  3. To help ensure the safety and reliability of medical device software.

Key Requirements of IEC 62304

IEC 62304 outlines several key requirements that are crucial for the development of software for medical devices. These requirements provide a framework for ensuring the safety, effectiveness, and compliance of medical device software. Here, we will detail some of the most essential requirements.

1. Software Development Process

IEC 62304 mandates the establishment of a structured approach to software development, including clear documentation of processes, activities, and tasks. This requirement ensures that medical software is developed in a systematic manner, with a focus on patient safety and effectiveness. Under this requirement, each phase of the software development process, from requirements specification to design, coding, testing, and maintenance, must be well-documented and adhered to meticulously.

2. Risk Management

Risk management is a central requirement in IEC 62304. Medical device software must undergo a comprehensive hazard analysis and risk assessment. This means that manufacturers must identify and assess potential hazards and risks associated with the software’s use, including risks related to patient safety, software failures, and inadequate performance. These risks are then addressed through appropriate design, testing, and control measures to ensure that the software functions safely and effectively.

3. Software Maintenance

The standard also outlines specific requirements for software maintenance, as maintaining software in a medical device is just as critical as its initial development. Manufacturers must establish processes for monitoring, maintaining, and addressing issues related to software updates and patches.

4. Verification and Validation

IEC 62304 requires rigorous verification and validation processes, and the two go hand in hand. Verification focuses on the process of ensuring that the software has been built according to its design and requirements. It’s about confirming that the software was developed in accordance with the mandate of the IEC 62304 standards. So, this checks whether the software development process followed systematic and thorough code reviews, inspections, and other design specifications and coding standards. It’s an essential step to prevent defects in the code and reduce the potential for errors and safety risks in the final software.

On the other hand, validation is about assessing whether the software performs its intended functions effectively and safely in the real-world healthcare environment. This means ensuring that the software meets the actual needs of users, including healthcare professionals and patients. In medical device software development, validation typically involves testing the software in conditions that simulate its intended use.

Both verification and validation processes can be conducted with medical device software testing tools like Parasoft’s C/C++test, Jtest, and dotTEST.

5. Documentation and Traceability

Detailed documentation is a fundamental requirement in the standard. All phases of the software development process must be thoroughly documented. Documentation provides transparency and traceability and allows regulatory bodies and manufacturers to understand the software’s history and confirm compliance. It also aids in the timely identification and resolution of issues or defects.

6. Labeling and Instructions

Medical device software must be accompanied by clear and accurate labeling and instructions (manual). The software’s intended use, limitations, and proper operating procedures should be well-documented and provided to users and maintainers. This requirement is essential for ensuring that healthcare professionals and patients can use the software safely and effectively.

7. Compliance With Regulatory Requirements

IEC 62304 also requires manufacturers to demonstrate compliance with relevant requirements to gain market access and regulatory approvals. This ensures that the software adheres to strict safety and performance standards and is suitable for use in the healthcare setting.

Why Are There Different ISO Standards for Medical Devices?

There isn’t a single ISO standard that covers all the needs and types of requirements to create all medical devices safely and securely. Instead, they’re often broken up into different standards to cover different aspects or needs of the device under development. For some standards, amendments are added to include updates and/or address emerging problems. Although there are a lot of labor costs and information to keep track of in satisfying compliance regulations, it is indeed in the best interest of medical companies to deliver safe products that help ensure the practitioner’s and the patient’s safety and security.

For example, ISO 9001 is a standard not necessarily built for the healthcare industry. It focuses on ensuring that companies have a quality management system (QMS) in place. With a QMS in place, organizations can ensure the satisfaction of stakeholders, fulfillment of regulatory and statutory requirements, and evidence-based decisions made through the product development life cycle with quality and value towards customers.

ISO 9001 helps improve quality control (QC) processes, lowers costs, and enables growth. ISO 13485, on the other hand, complements ISO 9001 by incorporating additional medical device requirements, but also by evaluating whether your QMS is appropriate and effective while emphasizing the safety and efficacy of medical devices.

With ISO 14001, medical device manufacturers have guidelines to build and maintain an environmental management system (EMS) to reduce waste, lower environmental impacts, and ensure legal compliance. To help with other sustainability savings, ISO 50001 helps reduce operating expenses by helping identify ways to improve energy efficiency. Having the tools and processes that allow a business to run is part of the quality management side of any organization, and these standards are all pieces of the puzzle.

What Is ISO 14971 & the Process of Risk Defined in It?

Made specifically for performing risk management of medical devices, ISO 14971 helps manufacturers and software developers identify all the hazards associated with a medical device and control those risks. The processes in ISO 14971 are intended to mitigate risks, such as those associated with biocompatibility, data and systems security, electricity, radiation, and accessibility.

To manage these types of threats, an organization needs to identify, evaluate, analyze, and assess the potential safety issues throughout the entire product life cycle. With ISO 14971, you get a helpful standard to assist you with identifying the odds or probability of a problem happening and how severe that problem could be, including how to control the risks and monitor the effectiveness of the controls.

Future Trends & Developments for IEC 62304

Future trends aren’t easy to predict but from what’s happening in the medical software device landscape vis-a-vis other areas of technology, here are trends and potential updates that could bear on the IEC 62304 standard.

Cybersecurity & Data Protection

One of the most significant trends impacting medical device software is the increasing focus on cybersecurity and data protection. The growing connectivity of medical devices to networks and cloud services has introduced new vulnerabilities. In turn, this need has also driven new best practices for a secure software life cycle. FDA recently recognized standard IEC 81001-5 titled “Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle.” The standard specifies the activities that a medical device company is to perform, as part of its development life cycle, for software incorporated in medical devices.

Artificial Intelligence (AI) & Machine Learning

AI and machine learning are becoming increasingly prevalent in healthcare as they offer the potential for improved diagnostics and treatment. The FDA has approved several AI/ML software as a medical device (SaMD) products. However, the FDA continues to solicit feedback as it advances its regulatory criteria in this area. Publications have been put out by the FDA, such as the “Proposed Regulatory Framework for Modifications to Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD)” to provide guidance but also draw out feedback. Other FAQs around FDA AI/ML can be found in the FDA’s Science and Research Special Topics.

Human-Machine Interaction

Despite the surge and increased use of emerging technologies in medical devices, like wearables that capture and analyze data for study and diagnostics, robotics such as advanced limb prostheses, virtual reality (VR) for pre-surgical practice, and education/training, regulatory review and guidance are still lacking.

The rise of user-centric design and the increasing complexity of medical device software interfaces demand a focus on human-machine interaction (HMI) standards. Future updates to IEC 62304 may include more detailed recommendations for designing intuitive, user-friendly interfaces, especially in cases where software directly interacts with patients or healthcare providers.

More Emphasis on Interoperability Standards

The interoperability of medical devices with healthcare systems and electronic health records is on the rise. In 2023, the FDA officially recognized the following initial set of standards that manufacturers could use to improve patient care by ensuring that devices work well together.

Risk-Based Approaches

IEC 62304 may evolve to incorporate more sophisticated risk-based approaches, allowing manufacturers to tailor their software development processes to the specific risks associated with their devices. However, IEC 62304 cannot by itself thoroughly accommodate this topic in detail. The complementary international standard ISO 14971 specifies a process applicable to all stages of the life cycle of a medical device, for a manufacturer to identify the hazards associated with medical devices, estimate and evaluate the associated risks, control these risks, and monitor the effectiveness of the controls.

What Is Meant by Quality in Systems & Software Engineering?

When talking about building quality in medical software, we’re referring to the absence of defects, and that the product is reliable and robust. When testing software, we perform robustness testing. One form of this is to evaluate or test within the boundaries of the system and test outside the boundaries of the system as well.

Testing within the boundaries refers to feeding a range of inputs or data that the system would expect. Testing outside the boundaries refers to feeding a range of inputs to the system which would be very unlikely or never received. How the device or system handles such scenarios helps build robustness or quality into the system. With Parasoft, developers and testers go beyond the boundaries at every step of the SDLC with powerful, comprehensive, and robust software quality test solutions.
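To make the within/outside-the-boundaries distinction concrete, here is an added example (not code from the article or from Parasoft) of a table-driven robustness test for a hypothetical infusion-pump rate validator. The requirement ID, test-case IDs, and rate limits are constructed for illustration; each case carries an ID so a result can be traced back to the requirement it verifies.

```c
#include <math.h>
#include <stdio.h>

/* Hypothetical infusion-pump rate limits in mL/h (constructed for this example). */
#define RATE_MIN_ML_H 0.1
#define RATE_MAX_ML_H 999.0

typedef enum { RATE_OK = 0, RATE_REJECT_NAN, RATE_REJECT_LOW, RATE_REJECT_HIGH } rate_status_t;

/* SRS-REQ-042 (hypothetical requirement ID): a requested rate must be finite and
 * within [RATE_MIN_ML_H, RATE_MAX_ML_H]; anything else is rejected before it can
 * reach the motor controller. The NaN/inf check must come first, because every
 * comparison against NaN is false and a plain range check would let it through. */
rate_status_t validate_rate(double ml_per_h) {
    if (isnan(ml_per_h) || isinf(ml_per_h)) return RATE_REJECT_NAN;
    if (ml_per_h < RATE_MIN_ML_H) return RATE_REJECT_LOW;   /* also rejects negatives */
    if (ml_per_h > RATE_MAX_ML_H) return RATE_REJECT_HIGH;
    return RATE_OK;
}

typedef struct { const char *id; double input; rate_status_t expected; } rate_case_t;

/* Within-boundary cases (inputs the pump is expected to see), the boundary values
 * themselves, and outside-boundary cases (inputs it should never receive). */
static const rate_case_t cases[] = {
    {"TC-042-01", 50.0,     RATE_OK},           /* within: typical clinical rate   */
    {"TC-042-02", 0.1,      RATE_OK},           /* at lower boundary               */
    {"TC-042-03", 999.0,    RATE_OK},           /* at upper boundary               */
    {"TC-042-04", 0.0,      RATE_REJECT_LOW},   /* outside: zero rate              */
    {"TC-042-05", -5.0,     RATE_REJECT_LOW},   /* outside: sign error upstream    */
    {"TC-042-06", 1000.0,   RATE_REJECT_HIGH},  /* outside: just above max         */
    {"TC-042-07", 1e308,    RATE_REJECT_HIGH},  /* outside: absurd magnitude       */
    {"TC-042-08", NAN,      RATE_REJECT_NAN},   /* outside: NaN from a failed parse */
    {"TC-042-09", INFINITY, RATE_REJECT_NAN},   /* outside: arithmetic overflow    */
};

/* Runs every case and returns the number of failures (0 means all cases passed). */
int run_rate_cases(void) {
    int failures = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        rate_status_t got = validate_rate(cases[i].input);
        if (got != cases[i].expected) {
            printf("FAIL %s: input=%g expected=%d got=%d\n",
                   cases[i].id, cases[i].input, cases[i].expected, got);
            failures++;
        }
    }
    return failures;
}

int main(void) {
    int failures = run_rate_cases();
    printf("%d failure(s) against SRS-REQ-042\n", failures);
    return failures ? 1 : 0;
}
```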

Parasoft Solutions for IEC 62304 Compliance Testing

The FDA recommends that any medical device company developing software include static analysis in their SDLC to ensure safe, secure, and reliable software. In fact, performing static analysis is the best first line of defense in identifying and remediating bugs or issues. Our customers have expressed that if their teams perform static analysis during the implementation phase, they substantially reduce the cost of quality assurance and maintenance. With Parasoft C/C++test, you get a comprehensive automated software testing solution that includes a broad scope of testing methodologies to help satisfy IEC 62304 compliance requirements.

C/C++test is TÜV certified for use on Class I, Class II, and Class III medical devices, and automates software testing methods defined in IEC 62304. Furthermore, our centralized dashboard reporting solution provides development teams with an easy way to expose, prevent, and correct errors in the design. It also aggregates test results making compliance with security, coding, and process safety standards easier by automatically generating the documents needed to demonstrate compliance.
