Understanding IEC 62304

Similar documents
The Risk Management + Design Controls Connection: What Device Makers Need to Know

10 Things You Should Do Before You Validate Your Next Package

WORKING WITH TEST DOCUMENTATION

The Third-Party Process: Waste of Resources or Added Value?

International Standards and EU regulation of medical device software an update

PERCEPTION IS REALITY : A RECRUITER S GUIDE TO GOING FROM ORDER TAKER TO TRUSTED ADVISOR

5 best (and worst) uses for Net Promoter Score

Q&A from the PSMJ Resources, Inc. / XL Group Webinar on September 18, 2012: Developing Satisfied Clients: 6 Steps That Can Save Your Assets

Validation of CDM Projects Real life examples of what a DOE looks for

HUD-US DEPT OF HOUSING & URBAN DEVELOPMENT: Understanding Internal Controls. Ladies and gentlemen, thank you for standing by and welcome to the

Getting Started with Risk in ISO 9001:2015

ISO 14001:2015 Whitepaper

Linda Carrington, Wessex Commercial Solutions

General Data Protection Regulation

A.I.S.E. Charter for Sustainable Cleaning

Software in Medical Devices

ISO 9001:2015 Expectations

David Linthicum, Managing Director, Chief Cloud Strategy Officer, Deloitte Consulting LLP

THE ZEN OF A CONNECTED BUSINESS. Why it makes sense to move your financial information to the cloud

WANT TO SPEED UP YOUR MEIDCAL DEVICE TIME-TO- MARKET? CONSIDER A PRE-SUBMISSION TECHNICAL FILE EVALUATION

ISO 13485:2016 Medical Devices-Quality Management Systems- Requirements for Regulatory Purposes. Theresa McCarthy

CONSOLIDATED VERSION IEC Medical device software Software life cycle processes. colour inside. Edition

White paper Audits in automated production

ISO 9001:2000 Transition

BY BETYE BAILEY, INTOXIMETERS, INC.

SQF Food Safety Code for Manufacturing Changes from Edition 7 to Edition 8

Sourcing In China. Beyond low cost possibility and realizing the hidden factors. Jonathan Zhang

EBOOK THE ULTIMATE GUIDE TO DESIGN CONTROLS FOR MEDICAL DEVICE COMPANIES JON SPEER, FOUNDER & VP QA/RA

ISO FDA QSR. ISO and FDA QSR: A Step by Step Guide to Complying with Medical Device QMS Requirements

WORK MANAGEMENT SURVEY Executive Summary and Full Report

This document is a preview generated by EVS

Proficy * Plant Applications. GE Intelligent Platforms. Plant Performance Analysis and Execution Software

Risk Mitigation in a Core Banking Conversion

Introduction to the Testing Maturity Model Enhanced TM (TMMe)

Choices IEC rd Edition and Component Selection

What is ISO 13485:2003?

INNOVATION IN THE MARKETPLACE A podcast with Irving Wladawsky-Berger

Guest Concepts, Inc. (702)

How to Choose the Right CMO for Your Pharmaceutical Product

Accessing A Training Contract In The Current Market. Information for People Hoping to Train to Become a Solicitor

ISO 9001:2015. October 5 th, Brad Fischer.

By: Aderatis Marketing

ALL APPS ARE NOT CREATED EQUAL BUILDING THE BUSINESS CASE FOR BUSINESS CONTINUITY & DISASTER RECOVERY IN SMALL & MID-SIZED ORGANIZATIONS

ROAD MAP. Leveraging Epic to Enhance Your Revenue Cycle: 3 Key Areas to Focus On

Regulations governing the application of medical accelerators

The04. of maintenance

The Legacy Automation Playbook. How to Proactively Manage Your Legacy Industrial Control System

CARBON ACCOUNTING AND ISO 14064: GETTING READY FOR CAP AND TRADE

Campaigns - 5 things you need to know. 27 Signs You Need A New Agency. What the AdWords Update Means for Your Paid Search Strategy

Design Like a Pro. Boost Your Skills in HMI / SCADA Project Development. Part 3: Designing HMI / SCADA Projects That Deliver Results

Could Poor Temperature Data Management be Putting Your GxP Facility at Risk for Data Integrity Violations? we prove it.

Innovative Marketing Ideas That Work

Control in an automated environment

5 Barriers to EHR Replacement

Creating Kick-Ass Engagement Plans for Your Key Accounts

CEPA Certified and European Standard EN 16636:2015

Clinical Telepharmacy

TABLE OF CONTENTS Case Studies for Group Discussion... 2 End of Module Quizzes: Answer Key... 8 Pre-Certification Exam: Answer Key...

Games Recognizing your home s achievements in Show-Me Quality: QAPI in Action

If the language of business is dollars, then the alphabet is numbers. - Jac Fitz-enz

ELECTROTECHNIQUE IEC INTERNATIONALE INTERNATIONAL ELECTROTECHNICAL

An EMS is a management tool to improve environmental performance by providing a systematic way of managing an organization s environmental affairs.

15 tips for managing negative reviews and difficult feedback. Wake up to Booking.yeah

Interviewing a Commercial Cleaner Checklist Free Site Assessments & Quotes We clean in ALL states!

WELCOME TO THE OU CAREERS AND EMPLOYABILITY SERVICES YOUR JOURNEY STARTS HERE

On the Path to ISO Accreditation

The Challenges of Life Science Software Validation: InfoStrength s Key Differentiator

Data Integrity for Your Laboratory Computerized Systems

4 Steps to Maximizing. Customer Lifetime

RETAIL COMPLIANCE PROGRAM 2016

Process validation in medical devices

Process validation in medical devices

IAH Temporary Revision Ed 9 / Section 6

Main changes to ISO 9001 from the 2000 version to the 2008 version

10 CLUES ABOUT CE. 3rd Parties Don t Want You To Know. And That Help You Find Your Way Out Of The CE Marking Maze. Han Zuyderwijk

A2LA Promotion of Accreditation Package

Roadblocks to Approving SIS Equipment by Prior Use. Joseph F. Siebert. exida. Prepared For. ISA EXPO 2006/Texas A&M Instrumentation Symposium

AN INTRODUCTION TO. What it is and why it makes a difference in your organization

HOW YOUR CAREER BACKGROUND CAN HELP YOU BECOME A BUSINESS ANALYST

Quality Manual. This manual complies with the requirements of the ISO 9001:2015 International Standard.

The Shipley 9.6 Step Process OR How to Tailor BIG Processes for Quick Turn Responses

AAMI Quality Systems White Paper

7 mistakes leaders make when introducing change How to break from the pack and navigate your own successful path

ISO Introduction and Background

Brian Tracy s SMART Goals. Cheat Sheet

At This Education Nonprofit, A Is for Analytics Social services agencies are turning to data to find the practices that get the best results.

ISO Risk Management Principles and Guidance

New Data Integrity Regulations and Practical Advice for Life Science Laboratories. we prove it.

Satisfaction Survey Checklist for Accounting Firms. What your firm needs to win at every stage of the survey process

UNIT 10 CLAUSE-WISE INTERPRETATION OF ISO 22000: 2005

Managing Your Audit. Effective Preparation to Successful Certification. John Kukoly BRC Global Standards. BRC Global Standards. Trust in Quality.

Customer Service Strategies That Will. from the Competition. Louis Feuer, MA, MSW

Where CRM Falls Short

Graduate. trainee scheme

Engineering World Health Senior Design Projects That Matter 2006/7

Chapter 12 Module 3. AMIS 310 Foundations of Accounting

Equipment In-house Calibration Requirements and use of Non-Accredited Calibration Service Providers

Best Practices Guide: OPTIMIZING YOUR CONSTRUCTION BUSINESS FOR PROFITABLE GROWTH

FAQ. Excellence. Assured.

Transcription:

Understanding IEC 62304 Co-authored by MethodSense, Inc. and Medical Equipment Compliance Associates, LLC www.methodsense.com 919.313.3960

Understanding IEC 62304 By: Rita King, Chief Executive Officer, Methodsense, Inc. and Alex Grob, Chief Biomedical Engineer & Quality Manager, Medical Equipment Compliance Associates, LLC What do hospital beds, blood pressure cuffs, dosimeters, and pacemakers all have in common? They are all medical devices with software that regulates their functionality in a way that contributes to Basic Safety or Essential Performance. With the FDA reporting that the rate of medical device recalls between 2002 and 2012 increased by 100% where software design failures are the most common reason for the recalls it s no wonder IEC 62304 has been implemented. Its implementation, however, has medical device manufacturers asking questions about if, when and under what circumstances the standard is required. For starters, what is IEC 62304? IEC 62304 is the international standard that defines software development lifecycle requirements for medical device software. The standard was developed from the perspective that product testing alone is insufficient to ensure patient safety when software is involved. The standard requires all aspects of the software development life cycle to be scrutinized, including: Development Risk management Configuration Problem resolution Maintenance The standard provides a common framework for medical device manufacturers to develop software. Conformance with this standard provides evidence that there is a software development process in place that fulfills the requirements of the Medical Device Directive. Because it has been harmonized with the Medical Device Directive in the EU and Recognized as a Consensus Standard by the FDA in the US, IEC 62304 can be used as a benchmark to comply with regulatory requirements in both markets. To date, this standard has been recognized in most countries that use compliance standards to fulfill regulatory requirements. When is IEC 62304 compliance required? One of the most commonly asked questions of test labs is, Is compliance with this standard required? Technically, the answer is no because compliance with the standard is voluntary. But, in practice, the answer is yes. Read on for greater clarification.

Since most medical devices in today s market contain some type of software, manufacturers must determine under which circumstances IEC 62304 is required. These include: FDA regulatory compliance with IEC 60601-1 Amendment 1 Reliance upon software to perform Basic Safety functions Reliance upon software for Essential Performance If your device falls into any of the above categories, you must have evidence that the software development process used is as good as, or better than, the process presented in IEC 62304. Complying with 62304 enhances the reliability of your device s software by requiring attention to detail in design, testing and verification, ultimately improving the overall safety of the medical device. Does your device have to meet IEC 60601-1 requirements? The EU has been using IEC 62304 since 2008, but it has gained even more traction with its incorporation into the third edition of IEC 60601-1 s Amendment 1. The inclusion of Amendment 1 shifted the standard from a recommendation to a requirement if your device utilizes software. For those who design or manufacture electromedical equipment, 60601-1 is one of the most important safety and performance standards to meet. The standard addresses critical safety issues, including electrical shocks and mechanical hazards, such as pinching, crushing, and breaking. Devices that must meet IEC 60601-1 requirements include those which: Diagnose, treat, or monitor the patient under medical supervision Make physical or electrical contact with the patient Transfer energy to or from the patient; and/or Detect such energy transfer to or from the patient. 60601-1 Clause 14 requires manufacturers to comply with IEC 62304 unless the device s software has no role in providing basic safety or essential performance or risk analysis demonstrates that a failure of any Programmable Electronic Safety System (PESS) does not lead to an unacceptable risk. What role does Basic Safety play? Basic safety is the main focus of IEC 60601-1. It s important that you conduct a risk analysis to identify your device s level of unacceptable risk and determine the role of software in risk mitigation. This analysis will determine the applicable basic safety requirements for your device, and, for some requirements, the test parameters that need to be used by the test laboratory. A Common Mistake The most common mistake that medical device manufacturers make is that they do not always assess which elements of risk their software mitigates. These are the elements that must be addressed by IEC 62304. For example, what would happen if the creator of a hoist didn t properly vet the software that signaled the hoist to lower the patient at a certain speed? If a patient were lowered to quickly or not at all there would be a risk management nightmare. Since software plays a role in the Basic Safety functions of the hoist, it must comply with 62304 s requirements.

In conjunction with IEC 60601-1, 62304 is intended to minimize the occurrence of these situations. When device software is mitigating a known potential hazard, ensuring that the code is developed properly is critical for the management of patient safety, as well as liability to the manufacturer. Does your software impact Essential Performance? It can be difficult to determine if a device s software is tied to its Essential Performance (EP), especially because the definition of EP has been widely debated for years. Thankfully, the definition and requirements for Essential Performance changed with Amendment 1 of IEC 60601-1 to help provide more clarity. Determining Essential Performance begins with a list of all functional aspects of your device, including accuracy, measurements and its capabilities. Once you identify these items, determine whether any of these are already covered by the Basic Safety requirements of IEC 60601-1 or whether any item is not part of the device s intended use. Then, and this is key, every item remaining gets posed the question, If this item degrades, will it create a risk for the patient? If the answer is yes, you must identify how its functionality must be maintained so the risk is still acceptable. This is your Essential Performance. A good example to help clarify the impact of Essential Performance on IEC 62304 is accuracy. Consider a device that claims its EP is accurate within 5%. If the device is relying on software to maintain that accuracy or provide an alert when outside of 5%, and that software fails, then the manufacturer will be unable to detect if the device s Essential Performance is being met. This means the software is providing Essential Performance. Once you know your device software is responsible for Essential Performance, you must comply with IEC 62304 to ensure there is no unacceptable risk to a patient. What are common scenarios manufacturers miss? There are several situations that manufacturers often don t realize require compliance with IEC 62304. These product features can create major headaches and costly delays if they are not properly developed. These scenarios include:

Alarms & Alerts, Speed & Position Sensors and Algorithms are components that are often missed by manufacturers. They all use software for Basic Safety and Essential Performance functions requiring IEC 63204 compliance. Alarms & Alerts Alarms are often an Essential Performance requirement because they are intended to detect abnormalities. If the alarm was removed, the device would no longer meet it s performance requirements, making the risk unacceptable. Software is used to detect the issue, instigate the alarm and make the sound. Speed & Position Sensors These sensors are in place to address Basic Safety concerns. For example, a hospital bed has a position sensor to keep it from crushing the operator s foot and mammography has sensors to gauge compression. Devices like these use software to limit range of motion, speed and force. Algorithms Algorithms are frequently used with physiological monitoring. If the software is removed, the device is no longer able to operate as intended, resulting in the algorithms being part of Essential Performance. It is important to note that these situations apply to the patient, operator or service personnel. How is compliance assessed? Once you know you must comply with IEC 62304, how do you go about preparing for it? To start, know that compliance with this standard is defined as implementing all of the processes, activities and tasks identified in the standard in accordance with the software safety class. 62304 itself does not prescribe a particular organizational structure or specific format for documentation, however. Compliance is determined by a review of all required documentation, including the risk management file. The logical first step toward achieving compliance is to assess risk management as seen in IEC 60601-1. This includes: Defining your operational and manufacturing processes Documenting and assessing operational risks Defining controls Once your risk management file is complete, your next step is to review the requirements for IEC 62304. Make sure all required elements are defined and met in your procedures. Then, you re ready to compile your documentation and submit it to your test lab. The test lab will review your documentation against a Test Report Form. They will comb through each step and verify you are including requirements in your procedures. If it has been decided that the software performs Basic Safety or Essential Performance for your device, the lab will conduct a product review.

The lab will only review the segments of your software development process that apply to Basic Safety and Essential Performance. When the review is complete and approved, you ll receive a compliance report. If you ve failed any areas, they will be noted, allowing you to make corrections. If you passed, you are able to move forward with your other regulatory commitments, such as obtaining a 510(k) for the US market or CE Marking for Europe. What are some key pitfalls to look out for? Well-documented Processes When meeting the requirements of IEC 62304, there are areas you would benefit from paying close attention to. The most critical is making sure you have clearly defined processes for your company and your software development lifecycle in particular. IEC 62304 identifies several expectations related to the information that should be included in your software development lifecycle procedures. If your processes are not well documented, you will have a lengthy, costly process ahead of you. Document management is essential for meeting compliance goals. The SOUP Can The next most difficult issue is SOUP, and we re not talking about chowder or minestrone here. SOUP is an acronym for Software of Unknown Provenance (or Pedigree). This is software you did not develop and have limited knowledge as to how it was created. Think of when an operating system, such as Windows, sends you updates and how your device s software interacts with them. While test labs don t expect you to be able to explain the development process of your SOUP manufacturer, you will have to identify how your software relies on SOUP to function. You must identify if SOUP contributes to any unacceptable risk. In your software development process, you will need a plan for how you will handle the SOUP. It s recommended that you build your software around SOUP in a way that enables your device to operate properly in the event that it (the SOUP) causes your software to fail. Unfortunately, many developers and device manufactures neglect to consider the impact of SOUP. Software Partitioning The certifying body reviewing your device will only look at software partitioned around your Essential Performance and Basic Safety. However, if you ve not taken the time to partition the code well, they will have to apply the principles of IEC 62304 to your entire code. Partitioning makes for a faster review process and minimizes your compliance risks. This is something to consider at the onset of your development process, as well as when your software undergoes changes over time. Document Development While software developers know what they are doing when it comes to writing code, that doesn t mean they know what they are doing as it relates to medical devices. Documenting the software lifecycle as the code is created makes for a much smoother, more accurate process than trying to remember how the software was developed after the fact. All too often, software developers are unaware of the scope of documentation required for medical devices. This is particularly critical because over the last couple decades software development methodologies have been evolved and many of the emerging methodologies place less emphasis on documentation and more emphasis on rapid development. So, the key to the software development process is the management of a software development methodology that creates the efficiency the company is looking for with the accountability that the IEC 62304 is expecting.

Version Control & Updates The chance of your software requiring updates or version changes is pretty likely, and changes conducted after achieving compliance are often forgotten. When you create your software development lifecycle process, be sure to include how these are defined including how you maintain your software in a validated state. Keep in mind that when changes are made to your software, additional testing may be necessary. What about non-compliance? If you get caught in any of the abovementioned pitfalls, you can expect that you will not be in compliance. You will either not receive a report at all, or will receive a report that says you failed somewhere in IEC 60601-1 or IEC 62304. Because the standards are voluntary, you don t necessarily have to make product changes if you fail. You can choose to not comply. However, for each fail, you will be required to provide justification for each deviation. If you have valid justification, your device should still attain regulatory approval from the FDA or in the EU, although developing this justification can be a lengthy process in itself. The reality is these standards are here to stay, especially as software becomes an even more influential medical device component. Summation Based on our experience, when seeking CE Marking, Notified Bodies try to create a level of consistency with their reviews. Thus, it has become more and more difficult to convince a Notified Body that you don t have to comply with IEC 62304 when it is clear the role of software in your medical device contributes to Essential Performance. Attempting to take the path of justification will likely add more time to your process, and you may find yourself needing to complete IEC 62304 in the long run. Our recommendation is to avoid loopholes that don t really exist and to go through the process of meeting IEC 62304 requirements. Not only will this be more effective for meeting commercialization goals, but it will prove you stand behind the safety of your device.

About the authors MethodSense is a life science consulting firm with offices in the US and Europe. They guide medical device, biotech and pharmaceutical companies with quality, regulatory and technology solutions. Their services enable clients to operate more effectively during the commercialization process and beyond. As it relates to IEC 60601-1 and 62304, MethodSense provides expert guidance and interpretation, helping you with:! Reviewing the standard you must comply with! Conducting a gap analysis of your Risk Management Program against ISO 14971! Updating your Risk Management Documentation! Completing the IEC 60601-1 and other relevant tables! Submitting your documentation for review For more information about MethodSense, visit www.methodsense.com. MECA was formed in 2002, to assist medical device companies with their safety certification, compliance, and regulatory needs. They have grown their business and network of associates with the leaders in their respective fields, to offer the highest level of certification and regulatory support that you will find anywhere. MECA works to help bring the safest devices possible to market, especially as it relates to IEC 60601-1 and IEC 62304 compliance. To learn more about MECA s service, visit 60601-1.com.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback