What is IEC 62304?
IEC 62304 is an international harmonized standard that provides guidance to the manufacturer on the planning, development and post-market surveillance activities for medical device software to ensure that companies comply with the requirements of international regulatory agencies.
Its first version was published in 2006 and did not clarify important points about software security classification and implementation of this standard in legacy software. Amendment 1 of 2015 mainly clarified these points. At first, this standard was directed to software that integrated medical equipment including embedded software (firmware), however at the time the concept of software as a medical product, that is, software used for medical purposes (SaMD - Software as a Medical Device), did not was known.
The speed of software and application evolution in this period has encountered barriers in following this standard, which has delayed the publication of version 2 of the standard. Today, the third proposal of this version of the standard is under discussion, which proposes a software lifecycle process that encompasses software guided by the current IEC 62304 and allows these new software solutions to adhere to the standard's requirements. But that's a topic for another post. In this publication I will demonstrate the main points of the current standard.
Application field
The IEC 62304 standard applies to the development and maintenance of medical equipment software when the software is itself a medical device or when the software is an embedded or integral part of medical equipment
This standard does not cover validation of the final version of medical equipment.
Compliance is determined by inspection of all mandatory standard documents including the risk management file, and assessment of the processes, activities and tasks required for the security class of the software.
Software security rating
IEC 62304 identifies three security classes for medical device software:
Class A: No injury or damage to health is possible.
Class B: Injuries are possible, but not serious.
Class C: Possibility of death or serious injury.
This classification helps the manufacturer to identify the security-related processes required throughout the medical device software lifecycle. The applicable requirements are specific to the development and coding, release and maintenance of medical device software. They are encoded in the components of IEC 62304.
Composition of IEC 62304
IEC 62304 for medical device software development outlines the components in five clauses, numbered 5 to 9.
Clause 5: describes the software development process, from planning to launch.
Clause 6: describes the necessary maintenance of the released software.
Clause 7: Specifies the necessary risk management from the assessment of failures to the identification of potential risks and the implementation of resources to avoid them.
Clause 8: Establishes configuration management requirements on how to manage the development environment.
Clause 9: Explains the problem-solving processes in relation to tracking and evaluation to resolve problems as they arise.
Checklist da IEC 62304:2006 Amd1: 2015
I hope you enjoyed. Put it in the comments if you want to go deeper into this subject or suggest a subject that you would like to be presented for discussion in the posts.
Ask in the comments for the checklist of this standard, leave your name and email and we will send it to you free of charge.
Until the next post