UNE - EN 62304: in medical device software
In this article, we review the requirements of UNE – EN 62304, a standard that provides a safe framework for the processes performed during the development of medical device software. We analyze the requirements and the different stages of software development and maintenance.
UNE – EN 62304, approved in 2006, is a standard that provides a secure framework for lifecycle processes in the development of medical device software. It involves the necessary activities and tasks, from the design stage to the maintenance of the software.
The standard specifies the structure to perform the processes, activities or tasks, although it does not prescribe a specific life cycle.
UNE – EN 62304 for the development of medical device software
UNE – EN 62304 applies to the development of medical device software and its maintenance, when:
- The software is, in itself, a medical device.
- The software is used as a component, which is part or is a vital part of a medical device.
- The software is used in the production of a medical device.
A basic foundation, the standard specifies that medical device software must be developed and maintained within a quality management system (4.1) and a risk management system (4.2). As well as the designation of classification of software security.
Requirements on the quality management system
Medical device software manufacturing organizations will have to demonstrate the ability to offer a product that meets expectations and meets the needs of customers, as well as regulatory requirements.
The capacity mentioned in this requirement can be demonstrated using a quality management system that is in accordance with ISO 13485. But some generally accepted national quality management standard or an accepted and required quality management system can also be applied by national regulation.
Requirements on the risk management system
Regarding risk management, UNE – EN62304 is very precise. Only the application of a risk management system in accordance with ISO 14971 is accepted.
Classification of software security
Manufacturer´s organizations must assign to each of their products a safety class, whether it is A, B or C. This assignment must be based on the potential to generate a risk that could, eventually, result in injury to the user, the patient or other people.
The standard establishes three kinds of software security:
- Class A: no injuries or health effects can occur.
- Class B: will not result in serious injuries.
- Class C: Death or serious injury possible.
The classification assigned to a medical device software project has a significant impact on the development process. It acts from the planning, the own development, the tests, and the verification, until the launching and even later. Therefore, the manufacturers of medical devices have a special interest in doing it right from the start and avoid costly and prolonged revision work.
In practice, any organization that is dedicated to the development of medical device software will carry out the verification, integration, and testing of the system in all software, regardless of the security classification. But this will influence the depth to which each of these activities is carried out.
But, in addition, the manufacturer, among other actions described in point 4.3 of the standard, for any software system, or additional software elements or that are part of a larger device or system, must:
- Implement risk control measures for the development and maintenance of each software system they produce.
- Document the assignment of the security class for each product.
Activities for the development of medical device software
The manufacturer will establish a development plan. It will determine in it the activities of the development process, the field of application, the magnitude of such activities and the safety classifications that will be assigned to the products.
Next, the development of medical software is carried out in the following stages:
- Development plan
A software development plan appropriate to the scope, magnitude, and safety ratings of the system should be established. The methodology to be applied must be fully described: specifying personnel, tasks to be performed and acceptance criteria for each of the stages.
- Analysis of software requirements
The requirements must be reflected in the system at the functional, technological, computer, regulatory and security and data integrity levels.
- The architectural design of the software
It is necessary to specify the elements that make up the system to satisfy the process to be carried out. The definition will focus both on the level of industrial components, as hardware and software elements.
- Detailed design of the software
The detailed design must be developed and documented for each unit of a computerized system implemented.
- Implementation and verification of the software unit
According to the established development plan, each unit of the computerized system must be verified through a test in order to evaluate compliance with the requirements.
- Integration of software and integration tests
According to the development plan, each unit of the computerized system must be verified by means of tests. This stage will evaluate the integration of all system components according to the established architectural design and the integration of all industrial elements, hardware, and software with manual operations.
- Software system tests
According to the development plan, verification of the operation of the system. The verification strategy must establish and perform a set of tests, expressed as input stimuli, expected results, pass / fail procedure criteria.
- Software release
Ensures that the verification process has been completed and the results have been evaluated before releasing the software.
Software maintenance process
The manufacturer will design and implement a software maintenance plan (or various plans, if necessary), which will detail all activities, tasks, processes, and sub-processes that must be carried out. These maintenance activities will take place basically in three stages:
- Establishment of the maintenance plan.
- Analysis of problems and modifications.
- Implementations of modifications.
The details of each one of the activities to be carried out in these three stages can be found in chapter 6 of UNE – EN 62304.
In addition, two additional processes are identified for the safe development of medical devices software: software configuration management (point 8) and the software problem resolution process (point 9).
In Oqotech we have a technical team and experience of more than 10 years to support companies in the health sector that need to comply with UNE – EN 62304. You can contact us through our Contact Form or by phone at +34 902 995 129.