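IEC 62304 is an international standard that defines lifecycle requirements for medical device software, including development, maintenance, risk management, and configuration management.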
Complete Guide to IEC 62304
IEC 62304:2006+AMD1:2015 "Medical device software - Software life cycle processes" is the primary international standard that establishes requirements for the development, maintenance, and risk management of medical device software. It applies to both software that is part of a medical device and standalone Software as a Medical Device (SaMD).
Scope and applicability:
IEC 62304 applies to:
- Embedded software in medical devices
- Software as a Medical Device (SaMD)
- Software used to manufacture or maintain medical devices
- Off-the-shelf (OTS) software incorporated into medical devices
Software safety classification:
The standard requires manufacturers to classify software based on the severity of potential harm to patients or users:
Class A - No injury or damage possible:
- Software failure cannot result in any injury
- Lowest level of rigor required
- Minimal documentation
- Example: Administrative software with no patient impact
Class B - Non-serious injury possible:
- Software failure could result in non-serious injury
- Moderate rigor in development and testing
- Moderate documentation requirements
- Example: Diagnostic imaging viewing software
Class C - Death or serious injury possible:
- Software failure could result in death or serious injury
- Highest rigor in all lifecycle activities
- Comprehensive documentation and testing
- Example: Insulin pump control software, radiation therapy planning
Key software lifecycle processes:
1. Software development planning (5.1)
- Define software development lifecycle model (Waterfall, Agile, V-model)
- Identify deliverables and milestones
- Establish standards, methods, and tools
- Define responsibilities and resources
2. Software requirements analysis (5.2)
- Define and document software requirements
- Identify functional and performance requirements
- Define software system inputs and outputs
- Include risk control measures from ISO 14971
- Establish requirements traceability
3. Software architectural design (5.3)
- Transform requirements into architecture
- Define major software components and interfaces
- Identify software items to be developed vs. OTS
- Verify architecture implements requirements
4. Software detailed design (5.4)
- Refine architecture into detailed designs
- Design each software unit
- Specify interfaces between units
- Enable coding and testing at unit level
5. Software unit implementation and verification (5.5)
- Implement each software unit
- Verify units meet detailed design
- Establish coding standards
- Conduct unit testing
6. Software integration and integration testing (5.6)
- Integrate software units into larger items
- Verify integrated items work together
- Test interfaces and data flow
- Regression testing after integration
7. Software system testing (5.7)
- Test complete integrated software system
- Verify all software requirements are met
- Include worst-case and boundary testing
- Document test cases and results
8. Software release (5.8)
- Ensure all activities are complete
- Archive configuration items and documentation
- Create release notes and known anomalies list
- Obtain approval for release
Software maintenance process:
- Problem and modification analysis
- Modification implementation
- Maintenance review, approval, and release
- Migration to new environments
- Software retirement
Software risk management:
IEC 62304 requires integration with ISO 14971 risk management:
- Identify software hazards and hazardous situations
- Implement risk control measures in software
- Verify effectiveness of risk controls
- Document residual risks
Software configuration management:
- Configuration identification and baselines
- Change control procedures
- Version control systems
- Configuration status accounting
- Release management
Software problem resolution:
- Problem reporting system
- Problem analysis and evaluation
- Investigate impact on safety
- Implement solutions and verify effectiveness
- Trend analysis for systemic issues
Relationship to regulations:
FDA recognition:
- Recognized consensus standard
- Referenced in premarket guidance documents
- Acceptable approach for software development
- Used for 510(k), PMA, De Novo submissions
EU MDR/IVDR compliance:
- Harmonized standard supporting Annex I requirements
- Demonstrates conformity for CE marking
- Required by Notified Bodies for software-containing devices
Integration with ISO 13485:
Software development per IEC 62304 supports ISO 13485 design control requirements (Clause 7.3).
Documentation requirements:
Key documents required by IEC 62304:
- Software development plan
- Software requirements specification (SRS)
- Software architecture document
- Software detailed design document
- Software verification and validation plans and reports
- Risk management file (per ISO 14971)
- Software configuration management plan
- Problem resolution and maintenance records
Off-the-shelf (OTS) software:
Special requirements for commercial or open-source software:
- Validate OTS software for intended use
- Document OTS software identification and version
- Assess OTS software anomalies and risks
- Monitor OTS software updates and patches
Agile and modern methodologies:
IEC 62304 does not prescribe a specific development methodology:
- Compatible with Agile, DevOps, continuous integration
- Focus is on activities and deliverables, not process
- Risk-based approach allows flexibility
- Maintain traceability throughout iterations
Common compliance challenges:
- Maintaining traceability across all lifecycle phases
- Adequate testing coverage for Class C software
- Change control for rapid software updates
- Managing third-party and open-source components
- Balancing rigor with development efficiency
IEC 62304 compliance demonstrates that software development follows a systematic, risk-based approach appropriate for medical devices, providing confidence to regulators, notified bodies, and patients that the software is safe and effective.

