What is IEC 62304?
IEC 62304:2006 (with Amendment 1:2015) defines the lifecycle requirements for medical device software — encompassing development, maintenance, and the processes necessary to ensure software safety and effectiveness throughout its useful life.
The standard is jointly published by IEC and ISO and is recognized by FDA (referenced in FDA software guidance), the EU MDR/IVDR framework, Health Canada, TGA Australia, and regulatory bodies worldwide. It is essentially the global lingua franca for medical device software development process documentation.
IEC 62304 applies to software that is itself a medical device (SaMD) and to software that is incorporated into a medical device (software in a medical device, or SiMD). The standard does not define specific software engineering techniques — instead it defines the processes and activities that must be planned, executed, and documented.
Software Safety Classification
IEC 62304 organizes software obligations around three software safety classes based on the severity of harm that could result from software failures:
Class A — No injury or damage to health is possible. The minimum level of process rigor applies.
Class B — Non-serious injury is possible. A substantial set of IEC 62304 activities applies, including software requirements, design, implementation, testing, and maintenance.
Class C — Death or serious injury is possible. All IEC 62304 activities apply, including the most demanding requirements for unit testing and traceability.
Correct software safety classification is one of the most consequential decisions in medical device software development — it determines the scope of required documentation and testing.
Key Standard Clauses
Clause 4 — General Requirements: Establishes quality management system integration requirements and the risk management connection to ISO 14971.
Clause 5 — Software Development Process: The core of the standard. Covers planning, requirements, architecture, detailed design, implementation, integration, system testing, and release.
Clause 6 — Software Maintenance Process: Addresses modification management, problem and modification analysis, and the re-application of development processes for changes.
Clause 7 — Software Risk Management Process: Integrates IEC 62304 activities with ISO 14971, requiring software failure modes and their contributions to hazardous situations to be documented in the risk management file.
Clause 8 — Software Configuration Management Process: Covers identification, change control, and status accounting for all software items.
Clause 9 — Software Problem Resolution Process: Establishes requirements for detecting, recording, evaluating, resolving, and tracking software problems.
Amendment 1:2015 Changes
IEC 62304 Amendment 1:2015 introduced several important updates. It expanded applicability to SOUP (Software of Unknown Provenance), meaning third-party components including open-source libraries, and added new requirements for documenting SOUP items and their known anomalies.
Amendment 1 also clarified requirements for legacy software that was developed before IEC 62304 adoption, providing a pathway for manufacturers to bring existing products into compliance without full redevelopment.
The amendment aligned IEC 62304 more closely with ISO 14971:2012 risk management requirements, reinforcing the bidirectional connection between software failure modes and the risk management file.
How Software Quality Guru Helps
- IEC 62304 gap assessments benchmarked against your current SDLC practices
- Software Development Plan (SDP) and procedure suite development
- SOUP inventory management and anomaly evaluation processes
- Software safety classification justification documentation
- Software Development File (SDF) preparation and population support
- FDA submission software documentation package preparation
- Training workshops for engineering and quality teams