January 09, 2024 IEC 62304: The Key to Medical Device Software Success Discover how complying with IEC 62304 ensures the delivery of a quality, safe product that meets the FDA’s requirements. Ben Wallace Enterprise Architect When planning for medical device software development, safety, security, and speed to market are among the primary concerns a new business must consider. However, submission for FDA approval can be difficult to navigate for newcomers to the industry and experienced enterprises alike and often slows the process down when not carefully planned for. Medical device software generally falls into two categories: software that functions as a medical device (SaMD) or software that is integrated into one (SiMD). In either case, it must comply with the high standards accompanying its development lifecycle and account for the collection of design history files, requirements traceability, and risk and threat modeling. That’s where specialized standards like IEC 62304 come into play. According to the official International Medical Device Regulators Forum (IMDRF) document, IEC 62304 specifies a risk-based decision model, defines testing requirements, and highlights three major principles that promote safety relevant to medical device software: Risk management Quality management Methodical and systematic systems engineering according to best industry practices MentorMate’s approach to medical software development follows the major established principles and focuses extra attention on product safety, security, and stability. Defining the Medical Device Software Life Cycle IEC 62304 defines the medical device software life cycle and establishes a common 8-step framework detailing the steps from development planning to the software’s release. Complying with IEC 62304 ensures the established software quality requirements are maintained throughout development. The development lifecycle should satisfy the strict set of processes, activities, and tasks identified in this standard in accordance with the software safety class. The safety classes, determined by the standard and FDA’s assessment of risk to a patient’s well-being, are viewed as follows: Class A: No injury or damage to health is possible. Class B: Injury is possible but not serious. Class C: Death or serious injury is possible. Successfully bringing a medical device software product to market depends on your organization’s ability to account for the FDA’s strict set of requirements. Your stakeholders all need to have the necessary know-how of all the specific requirements your teams need to comply with. If they don’t, they need to bring in a competent partner with healthcare security and compliance experience capable of providing design history files that IEC 62304 produces. MentorMate’s approach to IEC 62304 compliance considers the entire product lifecycle as established by the standard’s framework. We also add additional post-development services related to the maintenance and continuous security of the product required by the FDA. How the FDA Views Risk The FDA’s security and compliance requirements for medical device software differ from those of a standard IT product because of the unique way the governing body views risk. In most other software development cases, we view risk in terms of organizational vulnerability and financial loss. However, the FDA puts the potential risk to a patient’s health front and center when considering the interaction with SaMDs and SiMDs. The FDA views risk as potential harm to patients. This harm could be physical, emotional, or financial and includes the risk of a device failing to provide therapeutics due to malfunction or software issues. Security and Compliance Framework The best way to set yourself up for success is to kick off the project with a discovery phase of all patient hazards and risks that the FDA will be concerned with. Then, thoroughly threat model and test against the discovered risks throughout the development process to deliver a quality, safe product that passes the FDA’s requirements. At MentorMate, we’ve established a rigid framework that produces evidence throughout the entire development process to ensure that an IEC 62304 project is designed and delivered correctly. Combining a software development and maintenance plan with rich documentation standards ensures the consistent quality of a final product that matches the necessary requirements. Final Thoughts The success of any medical device software strictly depends on its ability to comply with the strict security standards established to protect its users. Although the development life cycle of medical software differs significantly from projects outside the healthcare domain, pitfalls can be avoided by focusing on risk discovery and streamlined threat modeling. Tags StrategyDevelopment Share Share on Facebook Share on LinkedIn Share on Twitter Medical Device Software Critical questions to ask before starting a medical device project. Download Share Share on Facebook Share on LinkedIn Share on Twitter Sign up for our monthly newsletter. Sign up for our monthly newsletter.