What is IEC 62304 and why are we killing two birds with one stone with ISO 13485

Perhaps you have already heard from our blog that we want to be certified according to ISO 13485.

ISO 13485 is a standard for requirements of the quality management system, especially for the development of medical devices. It serves to safeguard the product and to ensure the safety of the patient and the user.

But this is just a little refresher. This blog article is about the IEC 62304.

What is IEC 62304?

IEC stands for International Electrotechnical Commission. The IEC 62304 is thus a collection of best practices in the development of medical software compiled by this commission. It is the successor to the American ANSI/AAMI SW68 and attaches more importance to the software in medical devices and the associated risks.

Since the proportion of software in the medical field is becoming ever larger and more important, it is now essential to draw up guidelines for the development of such in order to prevent possible risks. Therefore, IEC 62304 provides detailed requirements for the processes and activities that are performed during the development of this software.

Particular attention is paid to the software lifecycle, which consists of the following 3 phases:

  • Phase 1: Software development
  • Phase 2: Software Maintenance
  • Phase 3: Software shutdown

One would like to prevent the latter of the phases for as long as possible by alternating the execution of phase 2. In order not to lag behind the constantly evolving state of the art after just a few years, a necessary structure must be observed during the development phase.

The IEC 62304 therefore comprises 5 subject areas:

  • Software development
  • Software Maintenance
  • Software risk management
  • Software configuration management
  • Troubleshooting the software

The requirements for a work step under these processes are defined with a focus on the security risk of the respective work step.

This is based on the security classes defined according to ISO 14971:

  • A: no injury or damage to health
  • B: no serious injury possible
  • C: Possible death or serious injury

The risk is calculated according to ISO 14971 using the probability of occurrence times the severity. With software, it cannot be determined in advance whether an error will occur. Therefore, the probability is provisionally set to 100%, which means that only the question of how high the severity is when an error occurs is taken into account.

For software development, it is therefore recommended to use a clear method that supports the separability of individual work steps. These would be e.g. B. the waterfall method, the incremental method or the evolutionary method.

Exemplary process models: waterfall, incremental, evolutionär.

They allow the separate treatment of work steps with higher security levels. This enables a better overview of the necessary requirements and their implementation.

During development, all fundamental aspects of software engineering must be covered, no matter which security class is affected However, risk countermeasures, system architecture and -integration, as well as integration tests can only be set up and used from security class B.

From security class C, standards, methods and tools must be defined in advance in a development plan are recorded and a documentation is kept about the work steps. More details can be found in ISO 61508.

If careful work is carried out in the process of work development, it makes the other processes considerably easier. Precise procedures are also defined for these in IEC 62304. The software risk management e.g. B. can be implemented according to ISO 14971. If the specified standards are observed, software for medical devices can be implemented efficiently and in accordance with the requirements. Incidentally, not only medical equipment counts among medical products. Even software that is only partially related to healthcare must have been developed according to the prescribed standards!

IEC 62304 certification and the thing with the two birds

Of course we want to be able to assure you that our products meet the standards. Therefore we would like to point out that a simple certification according to IEC 62304 is not enough!

Because everyone is entitled to issue such a certificate. Accordingly, it is not allowed to develop medical devices if you only have a certification for IEC 62304!

That is why we are certified according to ISO 13485. Because the test for ISO 13485 is carried out by accredited bodies. Conformity with IEC 62304 is also checked.

This means that a company that is certified according to ISO 13485 is also checked according to IEC 62304!