18 April 2013 – The NB-MED EN62304:2006 issues team released their first official version (V1.0) dated 5 April 2013 of this importnat implementation document in regards to EN 62304 with respect to the Medical Device Directive 93/42/EEC on the NB-MED website. EN 62304 is the standard for MEDICAL DEVICE software – Software life-cycle processes. The document is intended to cover all three of the EU Medical Devices Directives which also include the Active Implantable Medical Device Directive 90/385/EC and the In-Vitro Diagnostic Directive 98/79/EC (refer to Q & A 2.1.1). An initial request for input from industry, notified bodies, consultants, and other stakeholders was sent out back in May 2012. They were hoping to get the document released by September 2012 but with so much response to the request it took another 6 months to complete this first release of the document.
I (as a medical device consultant, US TAG member of IEC SC 62A & 62D & Convener of SC62D JWG9 {IEC/ISO/AAMI/CENELEC 80601-2-58} and a past Notified Body Auditor) am really pleased to see the extremely hard work that has gone into this document and also in the value that it will pass on to all the stakeholders. There are many stakeholders that were involved in this process including Notified Bodies, NB-MED EN 62304:2006 issues team (Thank you for your hard work.), NB-MED, COCIR (European Coordination Committee of the Radiological, Electromedical and Healthcare IT Industry), Manufacturers, OEMs, Standards Developers for EN & IEC & other national standards bodies, Test Houses, Consultants, other countries regulatory bodies (i.e. FDA, Health Canada, etc.) and more. By use of so many different stakeholders that submitted some of these and other questions this document has a much more consistent view on the implementation issues with the complexity of the topic of medical device software.
This document is good for learning about your specific implementation issue(s) or if you have the time I would highly recommend reading the whole document, as this will help you understand the intricacies of some of the situations of implementing EN 62304 with respect to the Medical Devices Directives (I’m sure there are more issues but a good portion have been captured by this first version). I believe this document would be of great help to implement similar guidance documents for many other national medical device regulatory agencies around the world for IEC 62304:2006 (or their national version of the standard).
The Table of Contents gives a good glimpse into the realm of the issues covered in this document and covers the following topics. I also provide a further glimpse into the document by summarizing some of the specific issues within those sections (these are the indents furthest to the right):
- Introduction (background of the purpose, rationale, the main team members, and how to provide more feedback on the document)
- Abbreviations (Section 1)
- Questions and Answers (Section 2 – Heading of sections 2.1 – 2.7)
- Scope of EN 62304 (Section 2.1)
- Goes into various different scenarios and discusses the implication and implementation issues around these scenarios: such as SAAS, Embedded software including FPGA’s (a hotly contested issue) with single chip computers, Hardware Description Languages specifying FPGAs, Stand alone software, Medical apps, Excel macros, Open & closed systems, Internet or cloud based, Server based systems, Network devices. In addition to this list of scenarios this section also goes into questions about certification; is Validation included in this standard & if not where does it get covered; what are the expectation of the Notified Bodies with regard to the standard; can you use only part of the standard; why do class A software to EN 62304; what is IEC 82304 about (software only products); among other questions.
- Placing Software as Medical Device on the Market (Section 2.2)
- Explain ‘placing medical device (in this case software or software {s/w} as part of a system) on the market’ in EU if EN 62304 is sufficient, by itself to do this; can I change my intended use and avoid these EU guidelines and regulations; Conformity Assessment routes of the MDD; other countries acceptance / requirement of the standard; can you sign-off on documents electronically; classification of software as a MEDICAL DEVICE; how do Notified Bodies (NB’s) confirm compliance to the standard; among other questions.
- Life-cycle Processes (Section 2.3)
- If s/w development is an outsourced activity what does NB expect; does this std have an equivalent expectation to requirements such as those addressed in FDA Part 11 (Electronic Records & Signatures) in the US; details on the review process at the end of each iteration when updated versions are available during the design and development of the software; does the std require a specific development process; how split up the requirements/responsibilities of the std between the manufacturer and s/w sub-contractor; how do the maintenance activities in the std relate to ISO 20000/ITIL; what are the artifacts (documents) required by EN 62304; at what level does the Problem Resolution Process apply; does software refactoring require a formal change request; what to include in the Technical File to show compliance with EN 62304; how can agile processes be EN 62304 compliant; among other questions.
- Risk Assessment and Risk Management (Section 2.4)
- How deal with risk control measures; when & why can the safety class of a s/w SYSTEM be reduced; how use ISO 14971 with EN 62304; explain Hazard, Cause, Sequence of Events in the context of software; when should we expect additional Software Hazard Analysis guidance within EN 62304; among other questions.
- Classification and Segregation (Section 2.5)
- What is segregation and how do I prove effective; use of a specific class(es) of s/w using COTS (commercial off-the-shelf) what criteria used; how does severity under intended use relate to s/w safety class; is s/w class optional; can you downgrade the classification of the system without a fully hardware protective system; does the compiler need to be classified under EN 62304; how are development platforms & tools related to s/w safety class; relation between Risk Analysis at System level & S/W Safety Classes; explain how the 3 safety classification in the std differ from the FDA’s 3 levels; correlate IEC 61508 SIL levels to EN 62304 safety classifications; s/w classification is a real issue with big implications; among other questions.
- Specifications, testing and tools (Section 2.6)
- I’m a manufacturer of medical devices – how do I document my requirements and tests; web-based medical s/w – does the std have specific requirements related to digital cert’s, (http or https) server requirements; in regard to the std how deal with risk analysis and functional specs; appropriate level of granularity of requirements as design input, design description; which (if any) of the tracing requirements are meant to be bi-directional; questions around deployment of the s/w; what is required of open source code from the std; among other questions.
- SOUP (Software of Unknown Provenance) and Legacy Software (Section 2.7)
- How assess & qualify suppliers of SOUP s/w, when the s/w hasn’t been developed for incorporating into a medical device; what testing & documentation does EN 62304 require for SOUP to meet the std; s/w that is either stand-alone or embedded which was designed prior to publication of EN 62304 but still being placed on the market (legacy product) – what needs to be done; if legacy s/w needs significant change, what processes & documents are required to achieve &/or maintain compliance with EN 62304 and when are changes considered significant;
- References (No Section Number – just after Section 2.7)
- Software Problem Resolution Process (Annex 1)
- Helpful diagram – There are several entry points to the problem resolution process, both during development and maintenance of the software (refer to question 2.3.12).
- SOUP selection, assessment & qualification (Annex 2)
- Flowchart & text to explain an example
- Traceability (Annex 3)
- The 3 flowcharts show an overview of the dependencies which need to be traced according to EN 62304 for all 3 classes – refer to note in bottom left corner of page to know which class the flowcharts apply to (refer to question 2.6.7).
- Position paper on direct diagnosis (COCIR, 2011) (Annex 4)
- As the different stakeholders may interpret this term differently, COCIR and EUROM VI wanted to share their understanding of the term “direct diagnosis”. (Refer to question 2.5.13)
Click on the weblink to see the initial request for questions that we posted on our website 26 May 2012. To see the posting please go to http://www.eisnersafety.com/do-you-know-how-to-use-en62304-med-dvc-sw-life-cycle-as-implemented-under-themdd-aimdd-doc/