What is IEC 62304 and why we kill two birds with one stone with ISO 13485

Perhaps you have already learned from our blog that we want to get certified according to ISO 13485.

ISO 13485 is a standard for requirements of the quality management system, specifically for the development of medical products. It serves to ensure the product, as well as the safety of the patient and the user.

But this is just a small refresher. This blog article is about the IEC 62304.

What is IEC 62304?

IEC stands for International Electrotechnical Commission. IEC 62304 is therefore a collection of proven practices for the development of medical software, established by this commission. It is the successor to the American ANSI/AAMI SW68 and places more emphasis on the software in medical devices and the associated risks.

As the proportion of software in the medical field grows ever larger and more significant, it is now indispensable to establish guidelines for its development to prevent potential risks. Therefore, IEC 62304 sets detailed requirements for the processes and activities carried out in the development of this software.

 

Special attention is given to the software lifecycle, which consists of the following 3 phases:

  • Phase 1: Software Development
  • Phase 2: Software Maintenance
  • Phase 3: Software Shutdown

The last phase is to be postponed for as long as possible through the alternating execution of phase 2. However, in order not to fall behind the constantly evolving state of technology after just a few years, the necessary structure must be planned for during development.

 

The IEC 62304 therefore covers 5 topic areas:

  • Software Development
  • Software Maintenance
  • Software Risk Management
  • Software Configuration Management
  • Software Problem Solving

The requirements for a work step under these processes are defined with a focus on the safety risk of the respective work step.

 

These requirements are based on the safety classes defined according to ISO 14971:

  • A: no injury or harm to health
  • B: no severe injury possible
  • C: death or severe injury possible

The risk is calculated according to ISO 14971 based on the probability of occurrence times the severity. With software, it cannot be determined in advance whether an error will occur. Therefore, the probability is provisionally set at 100%, which means that only the question of how high the severity is when an error occurs is taken into account.

 

For software development, the use of a clear method that supports the separability of individual work steps is recommended. These would be, for example, the waterfall method, the incremental method, or the evolutionary method.

 

Exemplary process models: Waterfall, incremental, evolutionary.

 

They allow work steps with higher safety classes to be handled separately. This provides a better overview of the necessary requirements and their implementation.

All fundamental aspects of software engineering must be covered in development, regardless of the safety class involved. However, risk countermeasures, system architecture and integration, as well as integration tests need only be established and applied from safety class B onwards.

From safety class C onwards, standards, methods and tools must be recorded in advance in a development plan and a documentation of the work steps must be kept. More details are specified in ISO 61508.

If the development process is carried out carefully, it facilitates the other processes considerably. Precise procedures for these are also defined in IEC 62304. Software risk management, for example, can be implemented according to ISO 14971. If the given standards are adhered to, software for medical products can be implemented efficiently and in accordance with the requirements. Moreover, not only medical devices are considered medical products. Even software that is only partially related to the healthcare sector must have been developed according to the prescribed standards!

IEC 62304 Certification and the matter of killing two birds with one stone

Of course, we want to assure you that our products meet the standards. Therefore, we would like to point out here that a simple certification according to IEC 62304 is not sufficient!

Because everyone is entitled to issue such a certificate. Accordingly, it is not allowed to develop medical products if you only have a certification for IEC 62304!

That's why we are getting certified according to ISO 13485. Because the examination for ISO 13485 is carried out by accredited bodies. They also check for conformity with IEC 62304.

This means that a company that is certified according to ISO 13485 is also tested according to IEC 62304 at the same time!