The Importance of IEC 62304 Compliance

August 15, 2018

IEC 62304 outlines the guiding principles for the development of medical software. It is the gold standards for medical device companies, but its importance goes beyond legal manufacturers and established medical software suppliers.

In the vast majority of cases, software embedded in a device (or a device itself) use abundant OTS (Off The Shelf) code, not to mention drivers, libraries or other content available for free on the web. All of these fall under the category of SOUP – Software Of Unknown Provenance (or Pedigree). Although the use of SOUP helps significantly the job of developers, it has the opposite effect on the risk management process. A comprehensive risk analysis has to be carried out for each SOUP item, ensuring its behavior poses no threat to the device; furthermore, published bug lists may not be available at all. A big headache.

If you develop software, standalone or embedded, that is used in Medical Devices but is not a device itself, you can decide to apply IEC 62304 on your process.

Yes, it will increase the overhead, the paperwork and possibly somehow slow down the development, but IEC 62304 compliance will give you a significant competitive advantage over other developers. Although the definition of SOUP is relatively high level, most corporations consider SOUP anything that is not developed per 62304. Finding a certified product may be the make-or-break in the selection of a supplier.

Let’s give a look at the main points regarding the application of IEC 62304 to these products:

1. You do not need ISO 13485 certification, nor other type of registrations or audits.

2. Compliance to IEC 62304 is self-certified, so you don’t need a Notified Body to verify it (although en external reviewer may be still a good idea)

3. You do not need to apply 62304 in its integrity. You can disregard some processes without compromising the compliance.

So, what is the bare minimum you have to do to certify your product? (The relevant section of IEC 62304 is in the brackets)

1. A Quality System. But it does not need to be 13485 compliant. ISO 9001 may suffice. (4.1)

2. A safety classification – You will likely not know the final application of your product as it depends on the customer. You will have to develop it per the class your customer requires. The higher the class the slower the process but the higher the reward. (4.3)

3. If you are working on a pre-existing software not IEC 62304 compliant, no panic: you can use the Legacy Software process to assess it. (4.4)

4. A Development Plan (5.1)

5. High level product requirements

6. Software Requirements (5.2)

7. A Software Architecture (5.3) – Class B and C only

8. A Detail Design (5.4) – Class C only

9. Records of the implementation process (5.5) – Class B and C only

10. Records of integration and integration tests (5.6) – Class B and C only

11. Protocols and records of system tests (5.7)

12. Software release documentation (5.8)

13. A risk management file per ISO 14971 (7)

14. Proper configuration records during development but especially at release.(8)

15. A method to collect, record, evaluate and dispose of bugs, especially the ones found post-launch. (9)

16. A method to communicate existing an new bugs to your customers (9)

17. A method to create and distribute patches and fixes (6)

Consider that paragraphs 6 and 9 of IEC62304 are important if you provide post-sale maintenance and support to your customers. Instead, if your product is off-the-shelf with no support, a published bug list on your website may be enough.

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

Medical Device Compliance Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 23, 2024

Introduction This medical device compliance guide focuses on the key requirements and strategies for navigating the regulatory landscape. We will cover the role of major regulatory bodies like the FDA, the classification of devices, and the importance of quality management. We will also discuss the challenges of global compliance and...

CVSS-FDA-cybersecurity-medical-devices-1712x599-c
Picture of Matteo Gubellini

Matteo Gubellini

Regulatory Affairs Manager
September 16, 2024

This case study describes the experience of a multinational medical device manufacturer meeting the FDA cybersecurity requirements. The company is operating in the MedTech sector developing a class 2/IIb device consisting of hardware and software. The company spent about 2 years working on the security risk management of the device....

Information Security Risk Management Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 13, 2024

Keeping your data safe is vital for every business. One way to do this is by following ISO 27001. But how can we manage these information security risks with a tool like Jira? Let’s dive in! What is Information Security Risk Management Information Security Risk Management is all about identifying,...