IEC 62304 Software Validation

Preparation of Software Validation File Meeting IEC 62304 International Software Validation Requirements

The IEC 62304 standard defines life cycle processes for software as a medical device (SaMD, Software as a Medical Device) or software in a medical device (SiMD, Software in a Medical Device). It is the internationally accepted standard that provides a framework for the development, testing and maintenance of software. It is a fundamental standard, especially considering the development of new software-based technologies in the medical device world.

The purpose of this standard is to ensure that software is implemented securely, is fully functional, and maintains its security and performance throughout its lifecycle after it is released to the market.

This standard divides software into its own classes, taking into account the harm it may cause to the end user.

CLASS A – The software is not likely to cause injury or damage to health (in case of a fault)
CLASS B – The software may cause minor damage or injury that does not result in long-term or permanent health damage (when a fault occurs)
CLASS C – The software can cause serious health problems, serious injury or even death (when an error occurs)


It should be noted that the above classes are special classifications defined by the IEC 62304 standard and are not related to the product class under MDR. (According to MDR, medical devices are classified as Class I, IIa, IIb and III.) Another important point to remember is that scenarios in which the software may not work properly, cannot be used or can be hacked are taken into account when determining the security class.

After selecting the appropriate security class of the software, the manufacturer must carry out the processes that IEC 62304 defines for that class. The security classification affects all stages, from software development planning to coding, the features of the software architecture and the testing process. Class A software carries the minimum requirements as it poses no risk to human health or life. The requirements for classes B and C are very similar, but extra details are required for class C, which is the riskiest class. In terms of application, the difference between class A and classes B and C is huge.

According to IEC 62304, the software development process can be summarized as the conversion of design input into design output. To achieve the appropriate design output, IEC 62304 specifies detailed requirements for each stage of the software development process. It should be noted that the processes listed below do not apply to all software security classes. The standard specifies different requirements for different software security classes:

1. Software Development Planning
Under IEC 62304, manufacturers should document a software development plan according to the scope, complexity and software security classification of the software they will develop. The plan should be kept up to date.

2. Software Requirements Analysis
Software requirements analysis must cover many kinds of requirements: functional and capability requirements such as the purpose of the software, as well as security requirements, risk control measures, interfaces between the software system and other systems, etc. (IEC 62304 part 5.2.2)

3. Software Architecture Design
Manufacturers should document their software architecture in accordance with their chosen software security class. The software architecture is the description of all the different software elements (including their interconnections). If software items are made up of SOUP (Software of Unknown Provenance), the functional and performance requirements of the SOUP must be defined.

4. Software Detailed Design
In order to develop a detailed design, the software must be divided into units and these units must be defined.

5. Software Implementation and Unit Testing
A validation process and acceptance criteria must be established for each identified software unit.

6. Software Integration and Integration Testing
When the verified software units are integrated, tests (integration tests, regression tests, etc.) should prove that the integration is effective and does not cause any problems. This process must first be planned meticulously.

7. Software System Testing
The integrated and finalized software should be tested. Requirements, procedures and criteria should be established and recorded for these tests.

8. Software Release
Before software is released, a manufacturer needs to ensure that all validation processes are completed and potential issues are documented. It is also the manufacturer's duty to ensure that the software is released without any corruption or unauthorized modification.

In addition, according to the traceability requirement of IEC 62304, manufacturers must demonstrate that all system and software requirements, as well as the risk control measures contained in the documentation, have been correctly implemented, tested and verified. Special care should be taken to ensure that appropriate risk control measures are in place for each class throughout the entire software development lifecycle.

9. Software Maintenance
After the software is released, periodic software maintenance is required to fix detected bugs, security vulnerabilities, and performance issues. Any changes made to the software should be subject to appropriate change control processes and re-validated if necessary.

10. Post-Market Surveillance
Once medical device software is released, post-market surveillance helps monitor performance, safety and reported issues. Feedback from users and adverse event reporting should be collected and analyzed to identify necessary software updates or fixes.

According to IEC 62304, medical device software validation is a complex and rigorous process established to ensure the safe and correct operation of medical devices. It requires a multidisciplinary approach involving software engineers, quality assurance professionals, regulatory experts and domain experts to ensure regulatory compliance and deliver quality software.

Software engineers at Infigen Consultancy will be happy to take part in validating the software in question against the IEC 62304 standard. They can assist you in choosing the right security class for the software and in examining the necessary processes based on this class.

The medical device industry is a complex and difficult industry that only those with industry experience can understand and solve. Our team of professional consultants has the skills and talent to address these challenges in depth and create product-specific solutions.
Infigen Blog