All you need to know about IEC 62304 compliant software development

Before you start reading

Like you, we have also read ebooks and online guides before. Sometimes you just want to skim the content and read about the guiding principles of what you’re reading about, so we made that part a bit easier for you!

Throughout the guide you’ll come across different coloured pop-ups that show you what’s really important:

Rather read the pdf version?

1. First of all, what is IEC 62304?
2. Versions of IEC 62304
3. Harmonisation of IEC 62304
4. Is IEC 62304 mandatory?
5. What are the steps for becoming IEC 62304 compliant?
6. The scope
7. Normative references
8. Terms and definitions
9. General requirements
10. Software Development Process
11. Software Maintenance Process
12. Software Risk Management Process
13. Software Configuration Management Process
14. Software Problem Resolution Process
15. To summarise
16. Attachments

“Any instrument, apparatus, implement, machine, appliance, implant, in vitro reagent or calibrator, software, material or other similar or related article, intended by the MANUFACTURER to be used, alone or in combination, for human beings for one or more of the specific purpose(s) of: diagnosis, prevention, monitoring, treatment or alleviation of a disease or injury; investigation, replacement, modification, or support of the anatomy or of a physiological process; supporting or sustaining life; control of conception; disinfection of medical devices; providing information for medical purposes by means of in vitro examination of specimens derived from the human body.”

“Natural or legal person with responsibility for designing, manufacturing, packaging, or labelling a MEDICAL DEVICE; assembling a SYSTEM; or adapting a MEDICAL DEVICE before it is placed on the market and/or put into service, regardless of whether these operations are carried out by that person or by a third party on that person’s behalf.”

“Medical device software refers to a software system that has been developed for the purpose of being incorporated into the medical device being developed, or that is intended for use as a medical device in its own right.”

4.1 QMS (Quality Management System)

It is essential to have a Quality Management System (QMS) in order for a device to be compliant with IEC 62304. Having a good QMS is proof that your company is quality-oriented, and therefore indicates that your product can be trusted in situations which may entail a risk to patients and/or users.

A company can demonstrate this ability by using a quality management system that complies with ISO 13485, a national quality management system standard, or a quality management system required by national regulation.

What is a QMS exactly?

A quality management system (QMS) is a formalised system that documents the relevant processes, procedures and responsibilities for meeting the regulatory and customer requirements related to a product.

A good QMS helps a company ensure that continuous improvements are made to their products, provides a baseline for training staff, and enables correction action to take place for any problems that arise. 

Want to learn more about the ISO13485 Quality Management System?

What are the risks of not having a QMS?

If you do not have a QMS in place, you increase the risk of your employees using the wrong requirements documents, outdated test plans, and unvalidated tools. Having a QMS is also a requirement under article 10 of the MDR, which means you must have a QMS in order to receive a CE marking. Read more about MDR requirements here.

This can lead to serious problems further down the line, such as decreased productivity, increase development costs, damage to brand reputation, and even being denied entrance to market. 

Ultimately, not having a QMS will have a negative impact on the quality of your software solution.

4.2 Risk Management

The manufacturer of the medical product must apply a risk management process that complies with ISO 14971.

The goal of risk management in IEC 62304 is to reduce harm to patients or users of the medical device. A risk can be defined as a combination of the probability of harm and the severity of that harm. Typically, a risk is the result of a harmful situation that needs some kind of risk control measure to be resolved or contained. In this case, the risk is caused by the software. Traceability is another important part of risk management, as it’s important to understand how risks originated.

Risk management does not only incorporate software. It can also include risk controls for things like hardware, or user error.

The ISO 14971 standard is a document that describes the terminology, principles and processes for the risk management of medical devices. Also including, importantly, software as a medical device and IVD medical devices.

4.3 Software Safety Class

The manufacturer must assign a software safety class to their product. These safety classes are according to possible side effects on the patient, resulting from a hazard that the software system can contribute to.

The three safety classes under IEC 62304 are:

•  Class A: No unacceptable risk to health
•  Class B: Injury is possible but not serious
•  Class C: Death or serious injury is possible

When a hazard can arise from the failure of your software system, you must assume the probability of the failure to be 100%.

Therefore, you must always assume the worst-case scenario. If you cannot 100% guarantee that your software cannot cause serious injury or death, your software will be either class B or class C.

Information regarding the software safety class of each software system must be documented in your risk management file. A risk management file (RMF) is a file where you keep records of all of your risk management activities, including all documents, files and records produced during the risk management process.

Figure: how to assign the correct safety classification

You can use the figure below to learn how to classify software correctly in accordance with the IEC 62304 standard. For a more detailed overview of the requirements for each safety class, see our page about the MDR.

What is SOUP?

SOUP stands for Software of Unknown Provenance. It is defined in the IEC 62304 documentation as follows:

An example of SOUP is any kind of third-party software that has already been developed and was not initially designed for use in medical applications. Examples include operating systems (e.g. Windows, MacOS, Android etc…), hardware drivers (e.g. Bluetooth drivers), software libraries (e.g. Tensorflow etc…), and more.

Why are we required to list SOUPs?

Not listing SOUP items can lead to dangerous and even fatal situations. If sufficient documentation is not produced for a SOUP item, this can mean critical issues can be missed by your development team.

An example of this is the Therac-25 disaster1. Therac-25 was a computer-controlled radiation therapy machine that was used to treat cancer in patients. Unlike previous Therac machines, such as Therac-20, which primarily relied on hardware locks as safety measures, Therac-25 relied primarily on software. Software from Therac-20 had been re-used for Therac-25. However, due to insufficient documentation, the development team were not aware that Therac-20 had hardware locks in place, which were able to prevent radiation exposure if the software malfunctioned.

Without these hardware locks in place, some patients received massive overdoses of radiation from Therac-25 machines, resulting in 4 deaths and 2 patients left with permanent damage. 

If sufficient documentation had been created for Therac-20, the development team would have noticed the missing hardware locks, which could have prevented these deaths and permanent physical damage. It is for this reason that listing and documenting SOUP items is essential.

As was the case in the previous chapter about the Software Development Planning, it is again the responsibility of the manufacturer to implement certain verifications. The full list of verifications can be found in chapter 5.3.6 of the IEC 62304 standard.

Setting out acceptance criteria

You are also responsible for setting out acceptance criteria for your software units. The acceptance criteria is the set of conditions that a software unit must meet in order to be accepted by the user. The acceptance criteria must be met before a product is considered “finished”.

Here are 3 examples of acceptance criteria that are provided in the IEC 62304 standard itself.

• Does the software code implement the desired requirements, including risk control measures?

• Is the software code free from contradiction with the interfaces documented in the detailed design of the software unit?

• Does the software code conform to programming procedures or coding standards?

Additionally, you must add additional acceptance criteria if any of these features are present in your software design, as stated in the IEC 62304 standard, chapter 5.5.4:

• Proper event sequence
• Planned resource allocation
• Data and control flow
• Fault handling
• Self-diagnostics
• Proper event sequence
• Initialisation of variables
• Memory management and memory overflows
• Boundary conditions

Finally, you must perform the software unit verification to make sure that there is sufficient evidence that your software units comply with the acceptance criteria. This evidence must be thoroughly documented.

Testing your integrated software items

When you go on to test your integrated software items, you will need to conduct this testing according to the integration plan, and document the results. The purpose of this testing process is to ensure that the software items perform properly. Here are a few examples of what to consider during the testing stage, taken directly from the standard itself, in chapter 5.6.4:

• The required functionality of the software
• Specified timing and other behaviour
• Implementation of risk control measures
• Specified functioning of internal and external
• interfaces
• Testing under abnormal conditions including
• foreseeable misuse

Regression testing

Just like in the last step, your testing procedures must be evaluated to ensure they are correct. You must also conduct another form of testing called regression testing.

Testing can never prove the absence of bugs. It can only prove that your test works. It does not make sure that no bugs were introduced. If the regression testing identifies any anomalies during the software integration and integration testing stage, you must put these anomalies into a software resolution process - something which we will explain later on in section 9.

Problem and modification analysis

At this stage, we monitor any feedback received about the released software product. This feedback may come from users, or from within your own organisation.

All feedback must be documented properly, and evaluated to determine whether there is a problem or not. If a problem is identified, this must be recorded in the form of a problem report.

Problem reports should also be evaluated to determine whether the problem affects the safety of your product or not, and therefore whether a change needs to be made to your released product to fix the issue. When evaluating problem reports, you should use the software problem resolution process.

Change requests

If it is determined that a change is needed to address the problem, then a change request will be made. Change requests are strongly linked to the change control element of ISO 13485:2016.

If the medical device software is released with the intent of use, these change requests need to be analysed. This is to determine the potential effects of such changes on the organisation, the released software product, and to any systems which have interfaces with the released product.

Based on this analysis, manufacturers will need to approve or reject the change request. If approved, you must inform the users of the consequences of unchanged use e.g. not updating the software to a new version.

You also have some obligations as the “manufacturer” of the medical device software. According to the IEC 62304 standard, in chapter 6.5.2, you need to inform the users of your device and regulators about:

• Any problems in released software products and the consequences of continued unchanged use
• The nature of any available changes to released software products and how to obtain and install the changes

Now, you must make the modifications as indicated in your change request. Your software maintenance process can help you identify which activities need to be done to implement the change, and what activities can be skipped.

After the necessary modifications have been made, your software must be re-released. This can either be a full re-release of your software product, or in the form of a modification kit, containing the changed software items and the tools needed to install the changes into the existing software system.

Identifying a hazardous situation

First of all, the potential causes of software items contributing to a hazardous situation must be identified.

You should consider potential causes (taken directly from the standard itself):

• Incorrect or incomplete specification of functionality;
• software defects in the identified software item functionality;
• failure or unexpected results from SOUP;
• hardware failures or other software defects that could result in unpredictable software operation; and
• reasonably foreseeable misuse.

Verify and document risk control measures

You must also verify your risk control measures, and document this properly. 

When a risk control measure is implemented as a software item, you must evaluate the risk control measure in order to identify any possible new sequences of events that could lead to a hazardous situation. These events should be documented in your risk management file.

It also applies to your SOUP items

You must also apply this same process to any SOUP items you may have used.

If a hazardous situation is identified to be caused by SOUP, you must then evaluate the anomaly list published by the SOUP item supplier to determine whether any anomalies have led to a chain of events that has resulted in a hazardous situation. You must make sure that the anomaly list corresponds to the correct software version of the SOUP item. 

Any potential cause of a software item contributing to a hazardous situation, as well as the sequence of events (see below) that can lead to the hazardous situation, must be documented in your risk management file.

Consider your risk control measures

After identifying and documenting the potential causes and events that can lead to a hazardous situation, you must now consider your risk control measures.

First of all, you must define and document your risk control measures. This should be done for each potential cause of a hazardous situation.

If a risk control measure is then implemented as part of the functions of a software item, you are obliged to do the following:

• Include the risk control measure in the software requirements
• Assign a software safety class to the software item based on the possible effects of the hazard that the risk control measure is controlling (see below)
• Develop the software item in accordance with Clause 5 of the standard

Perform risk management procedures

Now, you must perform risk management procedures for the software changes. For any change to your medical device software, you must perform an analysis to determine if:

• additional potential causes are introduced contributing to a hazardous situation; and
• additional software risk control measures are required

You must also assess the impact of any software change on your existing risk control measures, including any change to SOUP. This will help you determine if the change interferes with your current risk control measures or not.

Change control

Configuration items must only be changed in response to an approved change request. The change should be made exactly as specified in the change request, and this may include performing activities that need to be repeated as part of the change. 

This can include things such as changes to the software safety classification of software systems and software items.

Controlling your changes

Changes must then be verified. You must also repeat any verifications that have been invalidated by the change.

With changes, there must always be traceability. You must produce an audit trail for any changes, including the following information:

• change request
• relevant problem report
• approval of the change request

Why is it important to adhere to IEC 62304?

IEC 62304 is the gold standard for medical software development, covering the safe design and maintenance of medical device software. Being IEC 62304 certified helps you gain the trust of your customers, as it reassures them that your product meets the highest safety standards - something that is extremely important in the medical device software field.

The stringent QMS requirements of IEC 62304 also reassure customers that you are committed to making continuous improvements to your products, and that any problems will be dealt with quickly. Likewise, the risk management aspect of IEC 62304 reassures users that any risks are dealt with in a timely manner.

Also, as IEC 62304 is harmonised internationally, it means your product will be recognised by regulatory authorities worldwide. This vastly improves the overall marketability of your medical device software product, and makes it easier to enter international markets.

Attachment 1: figure 1