The IEC 62304 standard [1] specifies life cycle requirements for the development of medical software and software within medical devices. It is a standard that is harmonized between the European Union (EU) and the United States (US). This standard spells out a risk-based decision model on when the use of Software Of Unknown Pedigree (SOUP) is acceptable. The standard was developed from the perspective that product testing alone is insufficient to ensure patient safety when software is involved.
The standard requires all aspects of the software development life cycle to be scrutinized, including: 1) development, 2) risk management, 3) configuration, 4) problem resolution, and 5) maintenance.
So, when do you have to comply with the standard? The good news is that this standard is voluntary. Unfortunately, however, the answer is really not that simple. For example, if the medical device falls into any of the following categories, you likely will be subject to at least the IEC 62304 standard: FDA regulatory compliance with IEC 60601-1 Amendment 1 [2], 2) reliance upon software to perform basic safety functions (BSF), or 3) reliance upon software for essential performance (EP).
Unfortunately, almost all medical devices utilizing software will be subject to one of these categories. In particular, the “basic safety functions” is a trap that may capture more than one would expect under the traditional view of patient safety, i.e., it is not merely limited to the operation of the device.
Common missed features that are subject to IEC 62304 include alarms/alerts, speed and position sensors, and algorithms that may be used for physiological monitoring. One mechanism for compliance with IEC 62304 is the development of a risk management file. One drawback to this approach is the potential discoverability of these documents since these studies tend to be conducted by third-party providers. In addition, this file will be disclosed to a test lab and could be a public disclosure of these features. This public disclosure may put potentially patentable software at risk. Thus, it is essential to involve counsel early in this process.
[1] “Medical device software – Software life cycle processes.” INTERNATIONAL IEC STANDARD 62304 First edition 2006-05. International Electrotechnical Commission. Retrieved 2 June 2012.
[2] IEC 60601-1 addresses critical safety issues, including electrical shocks and mechanical hazards.
Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Accessing this blog and reading its content does not create an attorney-client relationship with the author or with Miles & Stockbridge. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.
[View source.]
