Get compliance tips for IEC 62304.
February 7, 2019

What Is IEC 62304? Compliance Tips For Medical Device Software Developers

Security & Compliance
Static Analysis

IEC 62304 is titled “medical device software — software lifecycle processes”. This is a functional safety standard derived from IEC 61508.

Complying with this standard is critical for medical device software developers.

Here, we give an overview of IEC 62304, software safety classifications, and compliance tips for software development teams.

IEC 62304 Overview

IEC 62304 applies to the development and maintenance of medical device software when:

  • The software is itself a medical device.
  • Or the software is an embedded or integral part of the final medical device.

What the Standard Covers

This standard covers safe design and maintenance of software. It provides processes, activities, and tasks to ensure safety.

There are nine parts of IEC 62304:

  • Part 1: Scope.
  • Part 2: Normative references.
  • Part 3: Terms and definitions.
  • Part 4: General requirements.
  • Part 5: Software development process.
  • Part 6: Software maintenance process.
  • Part 7: Software risk management process.
  • Part 8: Software configuration management process.
  • Part 9: Software problem resolution process.

It’s assumed that you use a quality management system and risk management system.

Other Regulatory Standards for Medical Devices

The medical device industry is highly regulated worldwide.

Key regulatory standards for medical devices include:

  • IEC 62304 — the subject of this blog.
  • ISO 13485 — quality management.
  • ISO 14971 — risk management.
  • EU Medical Device Regulation — EU standard which replaces Medical Devices Directive in 2020.
  • FDA regulations — U.S. standards for medical device compliance.

 

[Related Blog: How to Get FDA Approval for Medical Devices]

 

Annex C documents the relationship of IEC 62304 to other standards.

IEC 62304 also refers to IEC 61508 — the umbrella functional safety standard — as a source for good software development methods, techniques, and tools.

More on Functional Safety >>

IEC 62304 Software Safety Classification

It’s important to ensure safety from the start of development. Product testing isn’t enough to ensure patient safety. And patient safety is critical. Plus, building safety into your processes early on saves time and expense later.

Software safety classification in IEC 62304 determines the safety-related processes you’ll need to use. This impacts the entire software development lifecycle — from requirements and coding to release and maintenance.

IEC 62304 defines three safety classes for software:

  • Class A: No injury or damage to health is possible.
  • Class B: Injury is possible, but not serious.
  • Class C: Death or serious injury is possible.

Compliance Tips for Software Developers

Complying with IEC 62304 is important for medical device software developers. And complying with this international standard satisfies the requirements of other regional standards.

In the EU, it satisfies key requirements in the Medical Devices Directive (soon to be replaced by EU Medical Device Regulation). And in the U.S., the FDA accepts IEC 62304 compliance as proof that regulatory processes have been fulfilled, such as 501(k).

Accelerate Compliance With Software Development Tools

To comply with IEC 62304, processes need to be well-documented. And using software development tools can help you document and accelerate compliance.

Part 5 — Software Development Process

Part 5 of IEC 62304 describes processes for software development.

This includes:

  • 5.1: Development planning.
  • 5.2: Requirements analysis.
  • 5.3: Architectural design.
  • 5.4: Detailed design.
  • 5.5: Unit implementation and verification.
  • 5.6: Integration and integration testing.
  • 5.7: System testing.
  • 5.8: Release.

Each process includes activities and tasks that must be completed for each medical device class.

Examples

Using software development tools can help in fulfilling these requirements.

It’s required to establish tests for software requirements for Class B and Class C. You can fulfill this requirement by using an ALM tool, like Helix ALM. For example, you’ll be able to generate test cases based on requirements — and create a requirements traceability matrix.

Class B and Class C software also need to establish a software unit verification process. You can fulfill this requirement by using a static code analyzer, such as Helix QAC. For example, you’ll be able to verify code against a coding standard — and ensure safe, secure, and reliable software.

Part 6 — Software Maintenance Process

Part 6 of IEC 62304 describes processes for software maintenance.

This includes:

  • 6.1: Establish software maintenance plan.
  • 6.2: Problem and modification analysis.
  • 6.3: Implementation of modifications.

It’s important to take user feedback and resolve issues in the maintenance phase.

Examples

Using software development tools can help you ensure safety in the maintenance process.

For instance, there’s a requirement to establish a software maintenance plan. You can use software, such as Helix ALM, to document that plan.

Managing change is key in the maintenance process. Using Helix ALM gives you visibility into change across the software development lifecycle. Especially when paired with a version control system, such as Helix Core.

You can reduce software maintenance by ensuring that code is written according to an established standard and by measuring code quality. Helix QAC can do this for you.

Part 7 — Software Risk Management Process

Part 7 of IEC 62304 describes processes for software risk management.

This includes:

  • 7.1: Analysis of software contributing to hazardous situations.
  • 7.2: Risk control measures.
  • 7.3: Verification of risk control measures.
  • 7.4: Risk management of software changes.
Examples

For IEC 62304, it’s important to show traceability from a hazardous situation to a risk control measure.

For example, you can use Helix ALM to identify hazards by doing a failure modes and effects analysis (FMEA). (This is also important for compliance with ISO 14971.)

You can then use the tool to connect the hazard to its appropriate risk control measure. And you can automate this by using a traceability matrix.

Part 8 — Software Configuration Management Process

Part 8 of IEC 62304 describes processes for software configuration management.

This includes:

  • 8.1: Configuration identification.
  • 8.2: Change control.
  • 8.3: Configuration status accounting.
Examples

IEC 62304 cautions against Software of Unknown Provenance (SOUP). SOUP is third party software. It includes open source libraries and operating systems. And Part 8 includes a requirement to identify SOUP (for all medical device classes). You can use a tool such as Helix QAC to check if the third-party software meets coding guidelines.

It’s also important to manage change. You can use software development tools — including Helix QAC and Helix ALM — to manage changes through the software development lifecycle. Helix QAC, for instance, can show differences in coding defects present between different versions of code.

Part 9 — Software Problem Resolution Process

Part 9 of IEC 62304 describes process for software problem resolution.

This includes:

  • 9.1: Prepare problem reports.
  • 9.2: Investigate the problem.
  • 9.3: Advise internal parties.
  • 9.4: Use change control process.
  • 9.5: Maintain records.
  • 9.6: Analyze problems for trends.
  • 9.7: Verify software problem resolution.
  • 9.8: Test documentation contents.
Examples

Software problem resolution needs to be well-documented.

One example is test documentation. Helix ALM documents all testing efforts. And tests can be traced to specific requirements or identified problems.

IEC 62304 Certification

It’s easier to get certified for compliance with IEC 62304 when you have the right development tools. And it’s even easier when those tools have already been certified by an independent organization.

Helix QAC, for instance, is certified by SGS-TÜV Saar for use in the development of safety-critical systems. It can be supplied with a tool certification kit, which makes the path to compliance much simpler.

Software Development Tools From Perforce

Here’s how software development tools from Perforce simplify and accelerate IEC 62304 compliance.

Application Lifecycle Management

Managing requirements, tests, and issues effectively is important for medical device software developers. These items need to be documented in order to comply with IEC 62304.

Using an application lifecycle management tool — like Helix ALM — helps you accelerate compliance by:

  • Managing risk with FMEA.
  • Creating a requirements traceability matrix.
  • Documenting testing efforts.

See how Helix ALM will help you prove compliance in record time. Try it free for 30 days.

Prove Compliance With Helix ALM

 

Static Code Analysis

Coding standards are a key part of software acceptance criteria in IEC 62304.

Annex B.5.5. states:

“To consistently achieve the desirable code characteristics, coding standards should be used to specify a preferred coding style. Examples of coding standards include requirements for understandability, language usage rules or restrictions, and complexity management.”

Coding standards, such as MISRA, are particularly effective in safety-critical development.

Using a static code analyzer — like Helix QAC — helps you accelerate compliance by:

  • Enforcing coding standards and detecting rule violations.
  • Detecting compliance issues earlier in development (and accelerating code reviews/manual testing efforts).
  • Reporting on compliance over time and across product versions.

See how Helix QAC will help you accelerate compliance. Request a trial to learn more.

Comply Faster With Helix QAC