IEC 62304: the current standard on medical device software
Amendment 1:2015 to the IEC 62304 “Medical device software – software life cycle processes” standard was published on 15 June, 2015. Since then, a risk-based approach has become the standard for the classification of medical device software. Compared to the 1st edition of 2006, the IEC 62304 now also includes requirements for dealing with legacy software.
Risk-based safety classification
IEC 62304 no longer assumes that the safety class of a medical device software, which is based on the severity of possible consequences, can be downgraded from C to B or B to A on the basis of external, hardware-based risk-minimization measures. Instead, safety classification is effected as shown in the decision tree flowchart below (see figure).
Safety classification according to IEC 62304 – Amendment 1:2015
Amendment 1: 2015 defines the following safety classes
The software system cannot contribute to a hazardous situation or the software system can contribute to a hazardous situation which does not result in unacceptable risk after consideration of risk control measures external to the software system.
The software system can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system but the resulting possible harm is non-serious injury.
The software system can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system, and the resulting possible harm is death or serious injury.
Processes for legacy software
Amendment 1:2015 also includes requirements for dealing with software already in use, prior to the existence of the IEC 62304 standard for which manufacturers are unable to furnish sufficient evidence of compliance with the current standard. Previously, these software products were covered under the heading of “Software of Unknown Provenance” (SOUP). The current version, by contrast, now includes various detailed requirements for dealing with legacy software, based on precise risk assessment.
In addition, work on the second, updated edition of IEC 62304, which may be published in 2018, is ongoing. It can be assumed that the changes included in Amendment 1:2015 will be integrated into the updated edition.