medical device software

The increased validation requirements of the MDR (EU 2017/745) bring new challenges to manufacturers of devices that utilize software and of standalone software that is considered a medical device under Article 2 of the MDR. EN/IEC 62304:2006/A1:2015 is the basic standard that defines requirements for Medical Device Software Life Cycle Processes. In addition to this standard, the FDA guidance document “General Principles of Software Validation” can be used as a state-of-the-art guidance document to define the depth of medical device software validation.

Medical Device Software

As with other devices, devices that utilize software, or that are standalone software, shall meet the definition in Article 2(1) in order to be classified as a medical device. In short, they shall have an intended use for diagnosis, prevention, monitoring, prediction, prognosis, treatment or alleviation of a disease or a similar clinical indication. As specified in Article 2(4), they shall be treated as active devices. For detailed information on this topic, see the infographic issued by the EU Commission or MDCG Guidance 2019-11.

GSPR 17 (General Safety and Performance Requirement) of EU 2017/745 defines the main requirements for compliance.

GSPR 17.2: For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.

Technical Documentation Requirements

In addition, according to Annex II of EU 2017/745, the technical documentation of such devices shall cover:

Software verification and validation (describing the software design and development process and evidence of the validation of the software, as used in the finished device. This information shall typically include the summary results of all verification, validation and testing performed both in-house and in a simulated or actual user environment prior to final release. It shall also address all of the different hardware configurations and, where applicable, operating systems identified in the information supplied by the manufacturer).

These main requirements increase the importance of software life cycle management and validation.

Medical Device Software Risk Classification (MDR)

One of the most confusing issues is the distinction between the risk classification of a medical device according to Annex VIII of the MDR and the risk classification of the software according to EN/IEC 62304.

The EU MDR clearly states that software which drives a device or influences the use of a device shall fall within the same class as the device. If the software is independent of any other device, it shall be classified in its own right. Stand-alone software shall be treated as an active medical device as per Article 2 and shall be classified according to Rule 11 of Annex VIII.

On the other hand, EN/IEC 62304 defines 3 risk classes (A, B, C), as described below. The two classification methods are technically independent of each other.

EN/IEC 62304 Requirements

For software life cycle management, EN/IEC 62304 should be used to ensure compliance with the regulatory requirements stated above. The latest version of the standard includes a specific section on Legacy Software, that is, software designed before the current version of the standard existed. This amendment gives useful tools to manufacturers who intend to show compliance with the standard in order to meet the European Regulation.

The starting point of an effective EN/IEC 62304 implementation is the definition of the software safety classification. The standard defines 3 risk classes (A, B, C), which shall be assigned according to the intended use and the possible hazards that could be caused by the medical device. A manufacturer should simply follow Figure 3 of the standard and define the risk class of its software in order to determine the applicable life cycle management requirements.

Life Cycle Management Process

Figures 1 and 2 of EN/IEC 62304 give an overview of the processes and activities related to software development and maintenance. Each requirement of the standard is accompanied by a note indicating the risk classes to which the requirement applies (Table A.1 – Summary of requirements by software safety class).

In addition, a risk management process in conformity with ISO 14971:2019 shall be implemented, as defined in clause 4.2 of the standard.

Medical Device Software Validation

As defined in clause 1.2 of EN/IEC 62304, the standard does not cover validation and final release of the medical device, even when the medical device consists entirely of software. For that reason, the FDA’s General Principles of Software Validation; Final Guidance for Industry and FDA Staff may be used as a state-of-the-art guidance document. This document helps manufacturers comply with the regulatory requirements and establish a validation file including the SRS (Software Requirements Specification), SDS (Software Design Specification), Traceability Matrix, Risk Analysis, and Verification & Validation testing.

By applying the principles defined in this guidance document and ISO 13485, the design and validation requirements of the regulations can be met easily.
