Understanding IEC 62304 Requirements for Healthcare Solutions with Elinext Experts

In the realm of medical software development, one guiding light stands tall – IEC 62304. Titled “Medical device software — Software life cycle processes,” this standard helps navigate the intricacies of creating software solutions tailored for the most important industry of healthcare.

In our new interview with Elinext experts, we are going to explore the impact and nuances of adhering to IEC 62304, and what this standard means from the perspective of healthcare software development. Without further ado, let’s dive right in.

What is IEC 62304?

At its core, IEC 62304 outlines a detailed roadmap for the entire life cycle of medical software development, from the initial stages of planning and requirement analysis to testing and deployment. This ensures that developers follow a set of processes designed to guarantee both the efficacy and safety of medical software. The standard provides a well-structured approach to the software development processes, incorporating essential tasks crucial for the secure design and maintenance of medical solutions.

Initially, IEC 62304 was adopted and put into operation in 2006. Amendments, which are still in effect, were made only once, in 2015.

This standard is non-mandatory in nature, and it is the software itself, not the company, that undergoes certification according to it. To get the software solution certified, one can turn to over 20 recognized certifying organizations within the European Union and worldwide. The standard is harmonized with the legislation of the EU, the USA, Canada, and beyond.

It is worth noting that IEC 62304 serves as more than just a set of rigid instructions. Rather, it offers a dynamic framework, outlining what needs to be accomplished while leaving the “how” to the discretion of individual companies. This adaptability accommodates the dynamic shifts in technology, allowing companies to chart their paths toward achieving the standard’s objectives.

As for the standard’s structure, it comprises 9 sections, each intricately detailing the stages of the software solution development life cycle. Within each section, the standard outlines what documents need to be prepared and maintained, providing a comprehensive guide on how to assert that the developed software aligns with the requirements set by this standard.

What organization is responsible for IEC 62304?

The task of preparing the standard falls under the purview of the International Electrotechnical Commission (IEC), a paramount global organization dedicated to formulating and publishing international standards across the spectrum of electrical, electronic, and related technologies. Established in 1906, the commission boasts a membership of 88 countries, with 62 holding full membership and 22 as associate members. Belarus, having joined in 1993, is an integral part of this international collaboration.

IEC operates on the principle of consensus among experts from participating nations. This approach ensures that standards, particularly those like IEC 62304, reflect the diverse expertise and perspectives of its member states.

What does safety classification entail in IEC 62304?

Safety classification is a crucial aspect of the standard as it helps define the extent of rigor and documentation needed for software development. Under IEC 62304, developers themselves or together with the client must assign a safety class to the software. This classification is rooted in the potential risks the software might introduce — risks that could result in harm to users, patients, or others.

Within this standard, three safety classes are distinguished:

  • Class A: Software failures in this class are unlikely to cause harm to patients or operators. These are considered low-risk and do not directly impact the safety of the patient or user.
  • Class B: Software failures in this class may cause non-serious injury to a patient or operator but are not life-threatening. The impact is moderate, and the risk is considered medium.
  • Class C: Software failures falling into this category carry the potential for causing severe harm or fatality. These situations pose high risks, necessitating the software to undergo more rigorous development processes, verification, and validation.

A basic flow of decision-making regarding the software safety class is provided below.

[Figure: decision flow for assigning the software safety class. Source: Extra Horizon]

Why is the software safety class important?

Based on the safety class assigned to a medical solution, the standard outlines specific documentation requirements. The higher the safety class, the more rigorous and comprehensive the documentation and development processes are expected to be.

Software documentation                        Class A   Class B   Class C
Development plan                                 X         X         X
Requirements analysis                            X         X         X
Architecture design                              -         X         X
Development                                      -         -         X
Module implementation                            X         X         X
Module verification                              -         X         X
Module integration and integration testing       -         X         X
Testing and QA                                   X         X         X
Software release                                 X         X         X

But as projects kick off, it’s common for clients to be uncertain about the eventual safety class their software will fall into. Therefore, the standard provides the flexibility to decompose the software into its components, provided that a proper level of separation and isolation is maintained.

In this scenario, even a higher safety class can be broken down into lower ones, reducing the need for extensive preparation and documentation. This not only streamlines the process but also trims down the labor and financial costs associated with ensuring that everything aligns seamlessly with the standard.

IEC 62304 also mentions SOUP — what is it?

Indeed, within the standard, there is a distinct mention of a concept known as SOUP, or Software of Unknown Provenance. Essentially, this refers to software that hasn’t been developed using a recognized software development process or methodology, or it carries properties that are either unknown or not directly related to security.

Now, the standard takes a proactive stance on dealing with this uncertainty. It calls for a risk assessment of using SOUP and lays out clear requirements for conducting the necessary testing. This ensures that even in the realm of unknowns, a robust evaluation process is in place to maintain the integrity and safety of the software under consideration.

How exactly does IEC impact the software development process?

The influence of IEC 62304 on the day-to-day operations of software developers is substantial and multifaceted. Let’s break down the key aspects:

  • Conducting final validation. This entails verifying the consistency of project input parameters with the output data at every phase of the software development process. Ensuring the software adheres to the standard necessitates careful and thorough execution of these validation criteria.
  • Preparing a software technical support plan. This involves creating protocols and methods for analyzing problems, implementing modifications, and managing changes. This encompasses evaluating the software and its modifications to identify potential risks that could lead to hazardous situations. It also involves assessing the necessity for additional risk control measures and documenting these risk management measures in alignment with ISO 14971.
  • Developing a software configuration plan that should encompass the types and versions of configuration elements.
  • Generating reports on software issues. Developers need to prepare reports for each identified problem in the software, detailing how the issue impacted performance, safety, or security.
  • Maintaining testing documentation. This includes documenting anomalies discovered during testing, specifying the tested version and the testing tools used, and identifying the tester.
  • Communicating issues to stakeholders. Keeping all relevant parties informed, including end-users and regulatory authorities, about identified issues is a crucial part of adhering to IEC 62304.

Summing it up

In the ever-evolving world of medical technology, adherence to industry standards is not just a recommendation, it’s a necessity. IEC 62304 dives deep into the complexities, ensuring that from inception to delivery and deployment, there’s a clear map of every step, all backed up by proper documentation. This meticulous approach not only enhances the safety of a healthcare application but also makes it more appealing in markets where aligning with this standard is a gold standard.

With over two decades of accumulated knowledge in the healthcare domain, Elinext approaches each healthcare project with the highest level of diligence. Our business analysts and engineers are well-versed in the most important industry standards, including HIPAA, PHIPA, GDPR, and more to help our clients navigate the complex regulatory landscape and ensure that solutions exceed expectations.
