IEC standard on health software products nears completion

For several years, IEC Subcommittee 62A and ISO Technical Committee 215 have been collaborating on a new family of standards dealing with health software.  The first part of this series, which is designated IEC 82304-1, is about to enter the final approval stage leading to publication in the fourth quarter of 2016.

In the context of the ISO/IEC 82304 series of standards, health software refers to software that contributes to the health of individuals as observed and/or demonstrated using measurable health parameters or clinical expertise.  This is a subset of the World Health Organization’s (WHO) definition of health as “a state of complete physical, mental and social well-being and not merely the absence of disease or infirmity” (WHO, 1946).

IEC 82304-1 deals with general requirements for safety and security of ‘health software products’.  A health software product is the combination of the health software and the necessary accompanying documents, regardless of whether those documents are provided electronically or in hard copy.  To qualify as a health software product, the health software must be intended to operate on any type of general computing hardware platform, which can include laptop computers, tablet computers and smartphones, and must be placed on the market without dedicated hardware.  Such health software is sometimes referred to as ‘standalone software’.  This approach is congruent with the International Medical Device Regulators Forum’s (IMDRF) key definition of ‘Software as a Medical Device (SaMD)’.[1]

IEC 82304-1 does not apply to health software that is intended to run on dedicated hardware, which is sometimes referred to as ‘embedded’ software.  Embedded health software is considered to be a part of a physical device and not a product in its own right.  Therefore, IEC 82304-1 would not apply to the health software developed exclusively for medical electrical equipment or systems, or for in vitro diagnostic equipment.

Like Clause 14 of IEC 60601-1 for the software embedded in medical electrical equipment or systems, IEC 82304-1 addresses the product-level requirements for the health software products within its scope.  The manufacturer of a health software product is required to establish the product-level requirements.  These include the intended use, the user profile(s), and the requirements for the software and hardware platforms on which the health software product will execute.  Also included are privacy and security requirements addressing areas such as authorised use, person authentication, health data integrity and authenticity, and protection against malicious intent.  The product-level requirements must be documented, verified and validated.

Similar to Clause 14 of IEC 60601-1, IEC 82304-1 applies the requirements in Subclauses 4.2, 4.3, Clause 5, Clause 6, Clause 7, Clause 8 and Clause 9 of IEC 62304 to the health software.  While IEC 62304 normatively references ISO 14971, IEC 82304-1 recognizes the manufacturer might not be able to follow all the process steps identified in ISO 14971 for each constituent component of the health software.  In this case, the manufacturer needs to take account of the residual risks and implement risk controls around those found to be unacceptable.

Also like IEC 60601-1, IEC 62366-1 specifies extensive requirements for the contents of the accompanying documents, including special consideration of the implications of using the health software on hardware that is connected to an IT-network.

Unlike IEC 60601-1, IEC 82304-1 is a lifecycle standard and includes requirements for post-market activities.  These include maintenance, re-validation and communication with users of the health software product regarding security vulnerabilities that become known to the manufacturer.

The approval ballot on IEC 82304-1 began on September 2, 2016 and closed on October 14th.  The document was published by IEC on October 27,

Charles Sidebottom
Managing Partner
PPO Standards LLC.
Secretary, IEC/SC 62A

[1] International Medical Device Regulators Forum, Software as a Medical Device (SaMD): Key Definitions, 9 December 2013,