As software becomes an ever more important component of medical devices, compliance with standards will become essential. This will require the establishment of a standards compliance program that will meet the demands of standards for operation and certification.
BY RITA KING, METHODSENSE, AND ALEX GROB, MEDICAL EQUIPMENT COMPLIANCE ASSOCIATES
What do hospital beds, blood pressure cuffs, dosimeters, and pacemakers all have in common? They are all medical devices with software that regulates their functionality in a way that contributes to Basic Safety or Essential Performance. With the FDA reporting that the rate of medical device recalls between 2002 and 2012 increased by 100% – where software design failures are the most common reason for the recalls – it’s no wonder IEC 62304 has been implemented. Its implementation, however, has medical device manufacturers asking questions about if, when and under what circumstances the standard is required.
For Starters, What is IEC 62304?
IEC 62304 is the international standard that defines software development lifecycle requirements for medical device software. The standard was developed from the perspective that product testing alone is insufficient to ensure patient safety when software is involved. The standard requires all aspects of the software development life cycle to be scrutinized, including:
• Risk management
• Problem resolution
The standard provides a common framework for medical device manufacturers to develop software. Conformance with this standard provides evidence that there is a software development process in place that fulfills the requirements of the Medical Device Directive. Because it has been harmonized with the Medical Device Directive in the EU and recognized as a Consensus Standard by the FDA in the US, IEC 62304 can be used as a benchmark to comply with regulatory requirements in both markets. To date, this standard has been recognized in most countries that use compliance standards to fulfill regulatory requirements.
One of the most commonly asked questions of test labs is, “Is compliance with this standard required?” Technically, the answer is “no” because compliance with the standard is voluntary. But, in practice, the answer is “yes.”
If your device falls into any of the above categories, you must have evidence that the software development process used is as good as, or better than, the process presented in IEC 62304. Complying with 62304 enhances the reliability of your device’s software by requiring attention to detail in design, testing and verification, ultimately improving the overall safety of the medical device.
Does your device have to meet IEC 60601-1 requirements?
The EU has been using IEC 62304 since 2008, but it has gained even more traction with its incorporation into the third edition of IEC 60601-1’s Amendment 1. The inclusion of Amendment 1 shifted the standard from a recommendation to a requirement if your device utilizes software.
For those who design or manufacture electromedical equipment, 60601-1 is one of the most important safety and performance standards to meet. The standard addresses critical safety issues, including electrical shocks and mechanical hazards, such as pinching, crushing, and breaking. Devices that must meet IEC 60601-1 requirements include those which:
• Diagnose, treat, or monitor the patient under medical supervision
• Make physical or electrical contact with the patient
• Transfer energy to or from the patient; and/or
• Detect such energy transfer to or from the patient.
60601-1 Clause 14 requires manufacturers to comply with IEC 62304 unless the device’s software has no role in providing basic safety or essential performance or risk analysis demonstrates that a failure of any Programmable Electronic Safety System (PESS) does not lead to an unacceptable risk.
Basic safety is the main focus of IEC 60601-1. It’s important that you conduct a risk analysis to identify your device’s level of unacceptable risk and determine the role of software in risk mitigation. This analysis will determine the applicable basic safety requirements for your device, and, for some requirements, the test parameters that might be required by the test laboratory. In conjunction with IEC 60601-1, 62304 is intended to minimize the occurrence of these situations. When device software is mitigating a known potential hazard, ensuring that the code is developed properly is critical for the management of patient safety, as well as liability to the manufacturer.
Does your Software Impact Essential Performance?
It can be difficult to determine if a device’s software is tied to its essential performance (EP), especially because the definition of EP has been widely debated for years. Thankfully, the definition and requirements for essential performance changed with Amendment 1 of IEC 60601-1 to help provide more clarity.
Determining essential performance begins with a list of all functional aspects of your device, including accuracy, measurements and its capabilities. Once you identify these items, determine whether any of these are already covered by the basic safety requirements of IEC 60601-1 or whether any item is not part of the device’s intended use. Then, and this is key, every item remaining gets posed the question, “If this item degrades, will it create a risk for the patient?” If the answer is yes, you must identify how its functionality must be maintained so the risk is still acceptable. This is your essential performance.
A good example to help clarify the impact of essential performance on IEC 62304 is accuracy. Consider a device that claims its EP is accurate within 5%. If the device is relying on software to maintain that accuracy or provide an alert when outside of 5%, and that software fails, then the manufacturer will be unable to detect if the device’s essential performance is being met. This means the software is providing essential performance. Once you know your device software is responsible for essential performance, you must comply with IEC 62304 to ensure there is no unacceptable risk to a patient.
What are Common Scenarios Manufacturers Miss?
There are several situations that manufacturers often don’t realize require compliance with IEC 62304. These product features can create major headaches and costly delays if they are not properly developed. These scenarios include:
Alarms & Alerts
Alarms are often an Essential Performance requirement because they are intended to detect abnormalities. If the alarm were removed, the device would no longer meet its performance requirements, making the risk unacceptable. Software is used to detect the issue, instigate the alarm and make the sound.
Speed & Position Sensors
These sensors are in place to address basic safety concerns. For example, a hospital bed has a position sensor to keep it from crushing the operator’s foot and mammography has sensors to gauge compression. Devices like these use software to limit range of motion, speed and force.
Algorithms are frequently used with physiological monitoring. If the software is removed, the device is no longer able to operate as intended, resulting in the algorithms being part of essential performance.
It is important to note that these situations apply to the patient, operator or service personnel.
How is Compliance Assessed?
Once you know you must comply with IEC 62304, how do you go about preparing for it? To start, know that compliance with this standard is defined as implementing all of the processes, activities and tasks identified in the standard in accordance with the software safety class. IEC 62304 itself does not prescribe a particular organizational structure or specific format for documentation, however. Compliance is determined by a review of all required documentation, including the risk management file.
Once your risk management file is complete, your next step is to review the requirements for IEC 62304. Make sure all required elements are defined and met in your procedures. Then, you’re ready to compile your documentation and submit it to your test lab.
The test lab will review your documentation against a test report form. They will comb through each step and verify you are including requirements in your procedures. If it has been decided that the software performs basic safety or essential performance for your device, the lab will conduct a product review.
The lab will only review the segments of your software development process that apply to basic safety and essential performance. When the review is c omplete and approved, you’ll receive a compliance report. If you’ve failed any areas, they will be noted, allowing you to make corrections. If you passed, you are able to move forward with your other regulatory commitments, such as obtaining a 510(k) for the US market or CE Marking for Europe.
What are Some Key Pitfalls to Look Out For?
Well-documented Processes: When meeting the requirements of IEC 62304, there are areas you would benefit from paying close attention to. The most critical is making sure you have clearly defined processes for your company and your software development lifecycle in particular. IEC 62304 identifies several expectations related to the information that should be included in your software development lifecycle procedures. If your processes are not well documented, you will have a lengthy, costly process ahead of you. Document management is essential for meeting compliance goals.
The SOUP Can: The next most difficult issue is SOUP, and we’re not talking about chowder or minestrone here. SOUP is an acronym for software of unknown provenance (or pedigree). This is software you did not develop and have limited knowledge as to how it was created. Think of when an operating system, such as Windows, sends you updates and how your device’s software interacts with them.
While test labs don’t expect you to be able to explain the development process of your SOUP manufacturer, you will have to identify how your software relies on SOUP to function. You must identify if SOUP contributes to any unacceptable risk. In your software development process, you will need a plan for how you will handle the SOUP. It’s recommended that you build your software around SOUP in a way that enables your device to operate properly in the event that it (the SOUP) causes your software to fail. Unfortunately, many developers and device manufactures neglect to consider the impact of SOUP.
Software Partitioning: The certifying body reviewing your device will only look at software partitioned around your Essential Performance and Basic Safety. However, if you’ve not taken the time to partition the code well, they will have to apply the principles of IEC 62304 to your entire code. Partitioning makes for a faster review process and minimizes your compliance risks. This is something to consider at the onset of your development process, as well as when your software undergoes changes over time.
Document Development: While software developers know what they are doing when it comes to writing code, that doesn’t mean they know what they are doing as it relates to medical devices. Documenting the software lifecycle as the code is created makes for a much smoother, more accurate process than trying to remember how the software was developed after the fact. All too often, software developers are unaware of the scope of documentation required for medical devices. This is particularly critical because over the last couple decades software development methodologies have evolved and many of the emerging methodologies place less emphasis on documentation and more emphasis on rapid development. So, the key to the software development process is the management of a software development methodology that creates the efficiency the company is looking for with the accountability that the IEC 62304 is expecting.
Version Control & Updates: The chance of your software requiring updates or version changes is pretty likely, and changes conducted after achieving compliance are often forgotten. When you create your software development lifecycle process, be sure to include how these are defined including how you maintain your software in a validated state. Keep in mind that when changes are made to your software, additional testing may be necessary.
What about Non-Compliance?
If you get caught in any of the abovementioned pitfalls, you can expect that you will not be in compliance. You will either not receive a report at all, or will receive a report that says you failed somewhere in IEC 60601-1 or IEC 62304.
Because the standards are voluntary, you don’t necessarily have to make product changes if you fail. ¬You can choose to not comply. However, for each “fail,” you will be required to provide justification for each deviation. If you have valid justification, your device should still attain regulatory approval from the FDA or in the EU, although developing this justification can be a lengthy process in itself. The reality is these standards are here to stay, especially as software becomes an even more influential component in medical devices.
Based on our experience, when seeking CE Marking, notified bodies try to create a level of consistency with their reviews. Thus, it has become more and more difficult to convince a notified body that you don’t have to comply with IEC 62304 when it is clear the role of software in your medical device contributes to essential performance. Attempting to take the path of “justification” will likely add more time to your process, and you may find yourself needing to complete IEC 62304 in the long run. Our recommendation is to avoid loopholes that don’t really exist and to go through the process of meeting IEC 62304 requirements. Not only will this be more effective for meeting commercialization goals, but it will prove you stand behind the safety of your device.
Research Triangle Park, NC
Medical Equipment Compliance Associates