What is IEC 62304 and why we kill two birds with one stone with ISO 13485

You may have already noticed from our blog that we want to be certified according to ISO 13485.

ISO 13485 is a standard that sets requirements for the quality management system, specifically for the development of medical products. It serves to ensure the safety of the product and of the patient and the user.

But this is just a little refresher. This blog article is about IEC 62304.

What is IEC 62304?

IEC stands for International Electrotechnical Commission. IEC 62304 is therefore a collection of best practices for the development of medical software, drawn up by this Commission. It is the successor to the American ANSI/AAMI SW68 and attaches more importance to the software in medical devices and the associated risks.

As the proportion of software in the medical sector becomes ever larger and more important, guidelines for the development of such software are now indispensable in order to prevent possible risks. IEC 62304 therefore provides detailed requirements for the processes and activities carried out in the development of this software.


Particular attention is paid to the software life cycle, which consists of the following 3 phases:

  • Phase 1: Software development
  • Phase 2: Software maintenance
  • Phase 3: Software shutdown

You want to put off the last phase for as long as possible by carrying out phase 2 repeatedly. So that the software does not lag behind the constantly evolving state of the art after just a few years, the necessary structure must be taken into account during development.


The IEC 62304 therefore covers 5 subject areas:

  • Software development
  • Software maintenance
  • Software risk management
  • Software configuration management
  • Software problem resolution

The requirements for a work step within these processes are defined according to the safety risk of that work step.


The basis for this is the safety classes defined according to ISO 14971:

  • A: no injury or damage to health
  • B: no serious injury possible
  • C: Death or serious injury possible

The risk is calculated according to ISO 14971 as the probability of occurrence times the severity level. With software, it cannot be determined in advance whether an error will occur. Therefore, the probability is provisionally set to 100%, which means that only the severity of an error, should one occur, is taken into account.


For software development it is therefore recommended to use a clear method that supports the separation of individual work steps. Examples are the waterfall method, the incremental method and the evolutionary method.


Example process models: waterfall, incremental, evolutionary.


They allow work steps with higher safety levels to be handled separately. This gives a better overview of the necessary requirements and their implementation.

During development, all fundamental aspects of software engineering must be covered, regardless of which safety class is affected. However, risk countermeasures, system architecture and integration, and integration tests only have to be set up and applied from safety class B upward.

From safety class C, standards, methods and tools must be recorded in a development plan in advance, and documentation must be kept about the work steps. More details are set out in ISO 61508.

If careful work is done in the development process, it makes the other processes considerably easier. Exact procedures for these are also defined in IEC 62304. Software risk management, for example, can be implemented according to ISO 14971. If the specified standards are observed, software for medical devices can be implemented efficiently and in accordance with the requirements. Incidentally, medical equipment is not the only thing that counts as a medical device. Even software that only partially has to do with healthcare must have been developed according to the prescribed standards!

IEC 62304 certification and the matter of two birds

Of course, we want to be able to assure you that our products meet the standards. We would therefore like to point out that simple certification according to IEC 62304 is not enough!

The reason is that anyone is entitled to issue such a certificate. Accordingly, you are not allowed to develop medical devices if you only have certification for IEC 62304!

That's why we are certified according to ISO 13485: the test for ISO 13485 is carried out by accredited bodies, and conformity with IEC 62304 is also checked.

This means that a company that is certified according to ISO 13485 is also tested according to IEC 62304!