Ultimate guide to the IEC 62304 standard

     

    Need help brushing up on your IEC 62304 standard knowledge?

    You're in the right place.

    In the fast-evolving world of medical technology, software now plays a critical role for diagnosis, treatment and patient care. And as the complexity and risks associated with medical software increase, so does the need for rigorous quality and safety standards. It's here that IEC 62304, the globally recognized framework for the lifecycle processes of medical device software, comes into play.

    This comprehensive guide will walk you through everything you need to know about the IEC 62304 standard, from what it is and why it matters, to how to achieve certification and what practical steps you should follow.

    Whether you're a medical device manufacturer, software engineer, regulatory affairs specialist or a project manager, understanding IEC 62304 is essential for your compliance and medical device software product development.

     

    What is IEC 62304?

     

    IEC 62304 is an international standard developed by the International Electrotechnical Commission (IEC) for the lifecycle processes of medical device software. Officially titled “Medical device software – Software life cycle processes”, it defines the processes, activities and tasks for developing and maintaining that software. It is a process standard rather than a quality management system standard, and it assumes it operates inside a QMS such as ISO 13485. It covers standalone software as well as software that is an integral part of a medical device. (More on that later.)

    IEC 62304 was first published in 2006 and amended in 2015 (IEC 62304:2006/AMD1:2015), which notably added provisions for legacy software and clarified the software safety classification rules. The standard defines the minimum set of lifecycle processes and activities for medical device software, and it applies whether the software is the medical device or is embedded in one.

    As a medical device standard, IEC 62304 best practice is often pursued simultaneously with, and as part of, compliance with key medical device regulatory frameworks such as FDA 21 CFR Part 820 in the United States, or the MDR in the European Union.

     

    Objectives of IEC 62304

     

    Why do you need IEC 62304 for your business?

    The main goals of IEC 62304 are to:

     

    • Ensure the safety and effectiveness of your medical software

    • Standardize your software development lifecycle process and its formulation

    • Provide guidelines for risk management and software classification

    • Like other international standards, support simultaneous regulatory compliance in different global markets

     

    You don't, strictly speaking, need IEC 62304 adherence. But if you're developing medical software, there's no better standard to align with to ensure your product is developed in a controlled, compliant and risk-based way.

     

    Scope and applicability

     

    IEC 62304 applies to software that is itself a medical device, and to software that is an embedded or integral part of a medical device. Tools you use to build or maintain the device (compilers, test harnesses, your QMS software) are outside its scope; their validation is a quality system matter under ISO 13485. The standard covers:

     

    • Embedded software in a medical device (SiMD)

    • Standalone software as a medical device (SaMD), such as diagnostic or therapeutic platforms

    • Mobile apps and cloud-based solutions, where they are a medical device or part of one

     

    If you aren't sure where your device falls, regulators typically place products on a spectrum from pure hardware, through hardware with embedded software (SiMD), to standalone software as a medical device (SaMD). IEC 62304 applies wherever software is the device or forms part of it.

    [Figure: Hardware vs software medical device. The categorization table referred to here was an image and is not reproduced.]

     

     

    IEC 62304 should be seen as part of a broader 'ecosystem' of IEC standards which you should consider and work towards compliance with.

    If IEC 62304 defines the lifecycle process, product standards fill in the product-level requirements: IEC 60601-1 for the basic safety and essential performance of medical electrical equipment, IEC 61010-1 for the safety of electrical measurement, control and laboratory equipment, and IEC 82304-1 for health software products that run on general-purpose platforms.

    And, of course, the core ISO medical device standards of 13485 (quality) and 14971 (risk) should always interweave with your IEC 62304 work.

     

    TOP TIP:

    Many organizations seek certification to ISO 13485 at the same time as working towards IEC 62304 compliance, to provide a compliant, overarching medical device quality management system (QMS). 

    Your IEC 62304 software lifecycle processes can then sit 'within' your ISO 13485 system.

     

     

    IEC 62304 certification

     

    Although IEC 62304 does not offer a formal certification for organizations in the same way as, say, ISO 13485 or ISO 9001, demonstrating compliance with the standard is a critical part of software-based medical device product approval in many markets.

    Regulatory bodies like the FDA or your EU Notified Body will evaluate your software development practices based on their adherence to IEC 62304 during product submissions and audits.

    Some bodies, like TÜV SÜD, do offer certificates for IEC 62304 adherence, but only if you already possess ISO 13485 certification.

    This arrangement is telling: treat IEC 62304 as a key ingredient within your broader medical device compliance activity rather than as a badge in its own right.

    You don't theoretically need to meet both IEC 62304 and ISO 13485 requirements, but in practical terms, if your company is developing a software-based medical device, IEC 62304 compliance should naturally form a key part of your overarching ISO 13485 quality and compliance processes.

     

    How to demonstrate IEC 62304 compliance

     

    To demonstrate compliance with IEC 62304, you'll need, first and foremost, comprehensive documentation of your software lifecycle processes.

    Typical ingredients include:

     

    • Software Development Plan (SDP)

    • Software Requirements Specification (SRS)

    • Software architecture design

    • Risk management documentation (linked to ISO 14971)

    • Verification & validation (V&V) reports

    • Problem resolution process, such as a CAPA plan

    • Maintenance plan

     

    Consider a purpose-built, industry-specific document management software system to help you build, control and securely distribute these documents from the beginning to the end of their lifecycles.

    Leading systems like Qualio even provide pre-built SaMD document and process templates to accelerate your IEC 62304 compliance!

     

    IEC 62304 medical device software

     

    Medical device software governed by IEC 62304 is assigned one of three software safety classes, based on the worst-case harm a software failure could contribute to. This is separate from the regulatory class of the device itself (FDA Class I to III, EU MDR Class I to III): the two are determined by different rules and documented separately.

     

    Class A

     

    • The software cannot contribute to a hazardous situation, or any hazardous situation it contributes to does not result in unacceptable risk once risk controls external to the software are taken into account

    • Fewest required activities: no architectural design, detailed design, unit verification or integration testing is mandated, though system testing and controlled release still are

     

    Class B

     

    • A software failure can contribute to a hazardous situation with unacceptable risk, and the worst-case harm is non-serious injury

    • Adds architectural design, unit verification and integration testing on top of Class A; detailed design of individual software units is not mandated

     

    Class C

     

    • A software failure can contribute to a hazardous situation with unacceptable risk, and the worst-case harm is death or serious injury

    • Every activity in the standard applies, including detailed design of each software unit, unit verification against documented acceptance criteria and full integration testing

     

    Proper software classification is critical because it determines the depth of documentation, testing and risk management activities you must perform. Misclassifying software can lead to compliance failures and product recalls.

    Start by identifying any hazardous situations which could arise from your software's day-to-day application.

    Then apply proportionate and targeted risk controls, and evaluate their effectiveness.

    If there are no hazardous situations, or any that could arise are reduced to an acceptable level by risk controls external to the software (a hardware interlock, an independent alarm, a clinical procedure), your software is Class A. Controls implemented in the software itself cannot lower its class, and the standard takes the probability of a software failure as 1, so 'the bug is unlikely' is not an argument you can make.

    If unacceptable risk remains after those external controls, the class follows the worst-case severity of the harm.

    Non-serious risk? Class B.

    Serious risk for patients? Class C.
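    The classification steps above, encoded as a small decision procedure. This is an added example written for this guide; it is not code from the article and not text from the standard. The Hazard and SoftwareItem model, the field names and the infusion-pump sample are constructed for illustration. What it shows beyond the prose: software-internal mitigations are deliberately ignored when deciding the class, an item that has not been analysed yet defaults to Class C, and a decomposed system takes the highest class of its items while an item can only keep a lower class if a segregation rationale is recorded.

```python
"""Software safety classification logic of IEC 62304 clause 4.3 (as amended in 2015).

Added worked example for this guide; not code from the article or text from
the standard. The Hazard/SoftwareItem model and the infusion-pump sample are
constructed for illustration. Rules encoded:
  - classify on the worst case per hazard; the probability that the software
    fails is taken as 1, so only severity and external controls matter
  - only risk controls EXTERNAL to the software (hardware interlocks, alarms,
    procedures) can lower a class; a mitigation inside the software cannot
  - software items inherit the system's class unless a segregation rationale
    is documented; the system takes the highest class found in it
  - software that has not yet been analysed is treated as Class C
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class SafetyClass(IntEnum):
    A = 1  # no unacceptable risk remains after external risk controls
    B = 2  # unacceptable risk remains; worst harm is non-serious injury
    C = 3  # unacceptable risk remains; worst harm is death or serious injury


@dataclass
class Hazard:
    name: str
    software_can_contribute: bool      # can a software failure lead to this hazardous situation?
    serious: bool                      # worst-case harm is death or serious injury
    acceptable_after_external_controls: bool
    acceptable_after_software_controls: bool = False  # recorded, but deliberately not used


def classify_hazard(h: Hazard) -> SafetyClass:
    """Decision for one hazard, worst case, probability of software failure = 1."""
    if not h.software_can_contribute or h.acceptable_after_external_controls:
        return SafetyClass.A
    return SafetyClass.C if h.serious else SafetyClass.B


@dataclass
class SoftwareItem:
    name: str
    hazards: Optional[List[Hazard]] = None   # None means hazard analysis not done yet
    segregation_rationale: str = ""          # non-empty = documented segregation argument


def own_class(item: SoftwareItem) -> SafetyClass:
    """Class the item would carry on its own hazards (Class C until analysed)."""
    if item.hazards is None:
        return SafetyClass.C
    return max((classify_hazard(h) for h in item.hazards), default=SafetyClass.A)


def classify_system(items: List[SoftwareItem]) -> Tuple[SafetyClass, Dict[str, SafetyClass]]:
    """Return the system class and the effective class of every item."""
    if not items:
        return SafetyClass.C, {}
    own = {it.name: own_class(it) for it in items}
    system_class = max(own.values())
    effective = {
        it.name: own[it.name] if it.segregation_rationale else system_class
        for it in items
    }
    return system_class, effective


# Constructed sample: an infusion pump controller decomposed into four items.
SAMPLE_ITEMS = [
    SoftwareItem("dose_calc", [
        Hazard("over-infusion from wrong rate", True, True, False),
    ]),
    SoftwareItem("alarm_handler", [
        # an independent hardware watchdog and alarm make the residual risk acceptable
        Hazard("missed occlusion alarm", True, True, True),
    ]),
    SoftwareItem("event_log", []),   # analysed, no hazards, but not segregated: inherits C
    SoftwareItem("ui_theme", [], segregation_rationale="separate process, no shared memory with dose_calc"),
]

if __name__ == "__main__":
    system_class, per_item = classify_system(SAMPLE_ITEMS)
    print("system:", system_class.name)
    for it in SAMPLE_ITEMS:
        print(f"  {it.name}: {per_item[it.name].name} (own {own_class(it).name})")
```

    Run stand-alone it reports the sample system as Class C, with event_log dragged up to C because nothing separates it from dose_calc, and ui_theme kept at A only because a segregation rationale is present. Whether that rationale actually holds (separate process, no shared memory, no shared failure mode) is something you still have to argue and evidence in the architecture, not something code can decide for you.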

     

    TOP TIP:

    ISO 14971 contains helpful guidance on estimating the probability of occurrence of harm. Apply it with care when classifying software: IEC 62304 takes the probability of the software failure itself as 1, so what you may estimate is the probability that the resulting hazardous situation leads to harm, and severity plus risk controls external to the software end up driving the class.

    Use the ISO 14971 framework for the risk analysis that feeds your classification, and record the rationale!

     

     

    Lifecycle processes under IEC 62304

     

    The standard defines five processes for software lifecycle management (clauses 5 to 9).

    You'll need to embed all five and be able to evidence them to demonstrate compliance; the individual activities and tasks within them scale with your software safety class.

     

    1. Development

      • The nuts and bolts of how your SDLC works: planning, requirements, design, implementation, testing and release

    2. Maintenance

      • How you support and continuously improve your software product: updates, bug squashing, revisions and so on

    3. Risk management

      • How you assess and treat your software's potential risk to patients: look to ISO 14971 for inspiration here

    4. Configuration management

      • How the software and everything that goes into it are identified, controlled and changed: version control, baselines, change tracking, and your audits of those processes. Configuration items include source code, build files, settings and libraries, including third-party SOUP (software of unknown provenance), which IEC 62304 asks you to identify by title, manufacturer and version

    5. Problem resolution

      • How you fix issues in your software: identifying, documenting and resolving defects, flaws and problems

     

    Following these processes ensures your software is developed in a controlled, traceable and safe manner, from initial design through to retirement.

    IEC 62304, however, is fairly flexible. You'll need to prove you have these processes in place, but exactly how you build and structure them is up to you.

    The standard is explicit that it does not prescribe a particular lifecycle model, organizational structure or document format: you must document the activity, but how you package it is your choice.

     

    IEC 62304 checklist

     

    Want an IEC 62304 checklist to structure and order your compliance activity?

    Follow this step-by-step structure to ensure you tick off the main requirements of the standard:

     

    1. General requirements

     

    • Define your software safety classification (A, B or C)

    • Establish a software development plan

    • Assign responsibilities and authorities

    • Set up a quality management system (QMS), preferably aligned with ISO 13485

    • Establish and document risk management processes, preferably aligned with ISO 14971 

    2. Software development process

     

    • Define and document your software requirements

    • Design your software architecture and modules

    • Implement source code based on specifications

    • Conduct unit testing, integration testing and system testing

    • Review and verify all development activities

    • Document software release and installation procedures

    3. Software maintenance process

     

    • Document maintenance plan and procedures

    • Track problem reports and corrections

    • Assess impact of changes on safety and performance

    • Retest and revalidate modified components

     

    4. Risk management

     

    • Perform hazard analysis specific to software

    • Define risk control measures and link them to design

    • Trace risk mitigations through testing

    • Reassess risks after software updates

    5. Configuration management

     

    • Define configuration items and baselines

    • Set up version control for source code and documentation

    • Maintain records of changes and revisions

    • Conduct configuration audits before release
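    A concrete version of the configuration items, baselines and pre-release configuration audit described in the lifecycle process above and in this checklist. This is an added example for this guide, not code from the article or from the standard. The release tree, its file contents and the single SOUP entry are constructed in a temporary directory; the SOUP fields it insists on (title, manufacturer, version) are the ones the standard asks you to record for each SOUP item. It freezes a baseline of SHA-256 hashes, then shows the audit catching a silent edit to a safety limit, a deleted source file and an untracked artefact.

```python
"""Configuration baseline and integrity check along the lines of IEC 62304
clause 8 (configuration identification, including SOUP, and status accounting).

Added worked example for this guide, not code from the article or text from the
standard. The release tree, file contents and SOUP entry are constructed in a
temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

REQUIRED_SOUP_FIELDS = ("title", "manufacturer", "version")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def validate_soup(soup: List[dict]) -> List[str]:
    """Every SOUP configuration item must be identified by title, manufacturer and version."""
    problems = []
    for entry in soup:
        label = entry.get("title") or "<untitled>"
        for field in REQUIRED_SOUP_FIELDS:
            if not entry.get(field):
                problems.append(f"{label}: missing {field}")
    return problems


def snapshot(root: Path) -> Dict[str, str]:
    """Configuration identification: every file under root, keyed by relative path, with its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def build_baseline(root: Path, soup: List[dict], label: str) -> dict:
    """Freeze a baseline: hashed configuration items plus the SOUP list, refusing incomplete SOUP records."""
    problems = validate_soup(soup)
    if problems:
        raise ValueError("; ".join(problems))
    return {"baseline": label, "items": snapshot(root), "soup": soup}


def verify_baseline(root: Path, baseline: dict) -> Dict[str, List[str]]:
    """Status accounting / configuration audit: what changed since the baseline was frozen."""
    current = snapshot(root)
    recorded = baseline["items"]
    return {
        "modified": sorted(k for k in recorded if k in current and current[k] != recorded[k]),
        "missing": sorted(k for k in recorded if k not in current),
        "unexpected": sorted(k for k in current if k not in recorded),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: freeze a release candidate, then detect drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "config").mkdir()
        (root / "src" / "dose_calc.c").write_text("int dose_ml_per_h(int w_kg) { return w_kg * 2; }\n")
        (root / "config" / "limits.json").write_text('{"max_rate_ml_per_h": 500}\n')
        soup = [{"title": "zlib", "manufacturer": "zlib.net", "version": "1.3.1"}]  # sample entry

        baseline = build_baseline(root, soup, "v1.0.0-rc1")
        assert verify_baseline(root, baseline) == {"modified": [], "missing": [], "unexpected": []}

        # Drift after the baseline was frozen: a silent edit to a safety limit,
        # a deleted source file and an untracked artefact that crept in.
        (root / "config" / "limits.json").write_text('{"max_rate_ml_per_h": 5000}\n')
        (root / "src" / "dose_calc.c").unlink()
        (root / "build.log").write_text("ok\n")
        return verify_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    In practice the baseline document would be signed and stored with the release record, and the audit run against the exact tree handed to manufacturing or deployment. The hash check covers what you built; it does not prove the SOUP version named in the manifest is the one actually linked, so pair it with your build system's lock files or an SBOM.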

    6. Problem resolution

     

    • Establish procedures for bug tracking and resolution

    • Document root cause analysis and corrective actions

    • Communicate known issues to users (if applicable)

     

     

    5 top tips for implementing IEC 62304 compliance

     

    Taking the time to thoroughly plan your IEC 62304 compliance process is the best way to avoid costly delays and rework.

     

    Here are some best practices you should consider:

     

    1. Integrate early with your medical device QMS

     

    Don’t treat IEC 62304 as a standalone process. As we've already touched on, your software lifecycle processes should be closely connected with your overall quality management system, especially if you’re using ISO 13485. Align document formats, the documents both standards call for (development plans, risk management records), responsibilities and review cycles across the two.

     

    2. Use agile — but properly

     

    Agile methods are hugely popular in modern software development, and they can be compatible with IEC 62304, as long as you maintain traceability, verification and the right levels of documentation.

    Use tools like Jira with custom workflows, traceability matrices and integrated testing to bridge the gap between agility and compliance — then consider a quality system, like Qualio, that integrates with your product tools and centralizes your product quality and risk information into a compliant, audit-ready platform.

     

    3. Look to other standards

     

    Borrow inspiration from adjacent IEC standards to buttress your IEC 62304 work.

    We've already mentioned IEC 60601-1, 61010-1 and 82304 for electrical safety and health software guidance.

    IEC 81001-5-1 adds the security (cybersecurity) activities the lifecycle needs, and it deliberately follows the 62304 clause structure so that it works as an 'add-on' standard.

     

    4. Train far and wide

     

    All stakeholders — including developers, testers, quality personnel and project managers — should understand the requirements of IEC 62304 and how they impact their roles. Embed regular training and process reviews to keep your processes sharp and compliant.

     

    5. Audit readiness at the forefront

     

    As you prepare for an audit, well-organized documentation, audit trails, change logs and — perhaps most importantly — strong risk management processes will all be invaluable.

    Medical software can be an exciting, high-value industry, and it's easy to get swept up developing eye-catching functionality at speed to impress investors. 

    Don't put off your critical quality and risk management activity until you're preparing for market launch. IEC 62304 is all about weaving compliance into the lifecycle of your software from its first days, so think early about how you'll get repeatable, consistent processes in place that safeguard your software's integrity and keep you audit-ready.

     

    IEC 62304 FAQs

     

    Understanding the IEC 62304 standard can be challenging, especially if you're new to medical device software development, or quality and compliance more generally.

    We tackled some of the most frequently asked questions about IEC 62304.

     

    Is IEC 62304 mandatory?

     

    IEC 62304 is not technically mandatory, but its requirements are now widely recognized and expected by regulatory bodies, and you'll need to have a good reason why you're not following the standard.

    If you're bringing a software device to market and you don't have a well-formed and well-documented development lifecycle in place, you can expect raised eyebrows from your auditor — and your chance of securing market clearance will be much thinner.

     

    Does IEC 62304 apply to mobile apps?

     

    Yes! If your app qualifies as a medical device under regulatory definitions (if it performs diagnosis, treatment, monitoring, and so on), then IEC 62304 applies to you.

     

    How is IEC 62304 different from ISO 13485?

     

    IEC 62304 focuses specifically on software development lifecycle processes, while ISO 13485 is a broader quality management system standard for all types of medical devices.

    However, as we've seen, the two standards are complementary: IEC 62304 offers guidance on the technical processes, while ISO 13485 supports them with organizational controls and an overarching quality and compliance structure.

     

    What tools can help with IEC 62304 compliance?

     

    You're developing software, so you shouldn't be shy about leaning on digital tools to accelerate and simplify your IEC 62304 activity!

    There are a few key software tools that can support your IEC 62304 compliance, including:

    • Application lifecycle management (ALM) tools like Azure DevOps or Jama

    • Requirement and test management tools like Jira or TestRail

    • Medical device quality management systems like Qualio, which integrate with these systems and centralize all your software design information and activity

     

    Can agile development be used with IEC 62304?

     

    Yes. Agile development can align with IEC 62304 as long as it includes:

     

    • Clear documentation of requirements and design decisions

    • Formal verification and validation

    • Comprehensive traceability from user needs to test cases

    • Version control and configuration management
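    The traceability that both the risk management checklist above (risk control measures linked to design and traced through testing) and this agile list demand is easy to claim and hard to keep closed across sprints. Below is an added example written for this guide, not code from the article, from AAMI TR45 or from the standard; the record layout and the sample items are constructed. It reads a flat list of traced items and reports exactly the gaps an auditor looks for: requirements with no user need or risk control behind them, requirements with no test, risk controls nothing implements or nothing verifies, orphan tests, and links to items that no longer exist.

```python
"""Traceability check from user needs through requirements and risk controls to
tests, read the way an IEC 62304 auditor reads the matrix (traceability planned
under clause 5.1 and risk control traceability under clause 7.3).

Added worked example for this guide; not code from the article, AAMI TR45 or the
standard. The record layout and the sample items are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

KINDS = ("need", "risk_control", "req", "design", "test")


@dataclass
class TraceItem:
    id: str
    kind: str                                            # one of KINDS
    traces_to: List[str] = field(default_factory=list)   # upstream item ids


def check_traceability(items: List[TraceItem]) -> List[str]:
    """Return sorted findings; an empty list means the matrix is closed."""
    by_id = {i.id: i for i in items}
    downstream: Dict[str, List[TraceItem]] = {i.id: [] for i in items}
    findings = []

    for i in items:
        if i.kind not in KINDS:
            findings.append(f"{i.id}: unknown kind {i.kind!r}")
        for up in i.traces_to:
            if up in by_id:
                downstream[up].append(i)
            else:
                findings.append(f"{i.id}: traces to unknown item {up}")

    def upstream(i: TraceItem, kind: str) -> List[TraceItem]:
        return [by_id[u] for u in i.traces_to if u in by_id and by_id[u].kind == kind]

    def has_downstream(iid: str, kind: str) -> bool:
        return any(d.kind == kind for d in downstream[iid])

    for i in items:
        if i.kind == "req":
            if not upstream(i, "need") and not upstream(i, "risk_control"):
                findings.append(f"{i.id}: requirement without user need or risk control")
            if not has_downstream(i.id, "test"):
                findings.append(f"{i.id}: requirement without test")
        elif i.kind == "risk_control":
            reqs = [d for d in downstream[i.id] if d.kind == "req"]
            if not reqs:
                findings.append(f"{i.id}: risk control not implemented by any requirement")
            elif not any(has_downstream(r.id, "test") for r in reqs):
                findings.append(f"{i.id}: risk control implemented but not verified by a test")
        elif i.kind == "test":
            if not upstream(i, "req"):
                findings.append(f"{i.id}: test without requirement")
    return sorted(findings)


def requirement_coverage(items: List[TraceItem]) -> Dict[str, List[str]]:
    """Map each requirement id to the sorted ids of the tests that verify it."""
    cov = {i.id: [] for i in items if i.kind == "req"}
    for i in items:
        if i.kind == "test":
            for up in i.traces_to:
                if up in cov:
                    cov[up].append(i.id)
    return {k: sorted(v) for k, v in cov.items()}


# Constructed sample matrix for an infusion-rate feature.
SAMPLE = [
    TraceItem("N1", "need"),                 # clinician sets the infusion rate
    TraceItem("RC1", "risk_control"),        # reject rates above the configured maximum
    TraceItem("RC2", "risk_control"),        # audible alarm on occlusion: nobody implemented it
    TraceItem("RC3", "risk_control"),        # implemented by R3, but R3 was never tested
    TraceItem("R1", "req", ["N1", "RC1"]),   # rate entry with limit check
    TraceItem("R2", "req", ["N1"]),          # display the current rate: no test yet
    TraceItem("R3", "req", ["RC3"]),
    TraceItem("D1", "design", ["R1"]),
    TraceItem("T1", "test", ["R1"]),
    TraceItem("T2", "test", []),             # orphan test
    TraceItem("T3", "test", ["R9"]),         # points at a requirement that was deleted
]

if __name__ == "__main__":
    for finding in check_traceability(SAMPLE):
        print(finding)
    print(requirement_coverage(SAMPLE))
```

    Run this in CI against an export from whatever tool holds your requirements and tests (the list is deliberately tool-agnostic), and fail the build on any finding. The unknown-item case is the one that most often goes unnoticed in agile teams: a requirement is deleted or renumbered in a sprint and the tests that cited it keep passing while tracing to nothing.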

     

    At Qualio, we recommend an agile approach for several reasons.

    The agile focus on incremental deliverables with repeated testing naturally encourages good communication and alignment, allowing risks and design weaknesses to be spotted and fixed early with frequent documentation and review cycles throughout.

    AAMI TR45:2023 is a great resource to help you get an agile approach in place.

     

    Getting IEC 62304 in place at your business

     

    The IEC 62304 standard is now a cornerstone of regulatory compliance and risk management for medical device software.

    As the medical device industry continues to pivot towards AI, cloud platforms and digital health tools, mastering standards like IEC 62304 to bring these tools to future patients and customers isn’t just a regulatory necessity; it’s a competitive advantage and a huge area of potential growth.

    Need help implementing IEC 62304 in your organization?

    Consider a demo of Qualio, the leading medical device quality management platform for both hardware and software developers.

    From pre-built content and flexible workflows to plug-and-play integration with software tools like Jira and Azure DevOps, Qualio is purpose-built to give your organization everything it needs to sail through audits, unlock markets and scale successfully long into the future.

     
