ISO and IEC standards for software in medical devices in a nutshell
Here is a short description of ISO and IEC standards related to software and medical devices.
The starting point is legal. Government agencies authorize manufacturers to sell their devices. These agencies rely on standards to ensure that the device was designed and manufactured in a good and safe way. Given these regulations, medical device manufacturers have to adhere to these standards. Full stop.
Let's see what these standards are.
Two ISO standards are of high importance for software medical devices: ISO 13485 and ISO 14971. They can be seen as the topmost standards for medical devices. They are very generic and apply to every medical device, from the simplest plaster to the most complex surgical robot. Being so generic, they say nothing about software. Other standards do.
The main standards about software in medical devices are:
- IEC 62304. It deals with the software lifecycle, i.e. almost everything about what software engineers do. Other standards also apply to software:
  - IEC 60601-1 is applicable to embedded software in a hardware medical device,
  - IEC 82304-1 is applicable to standalone software, also known as Software as a Medical Device (SaMD),
  - IEC 81001-5-1 adds requirements about cybersecurity,
  - IEC 62366-1 adds requirements about man-machine interface ergonomics.
IEC 62304 is THE standard for software in medical devices.
If you are someone from quality assurance who knows ISO 13485 and ISO 14971, and you read IEC 62304, you will be lost at first. Conversely, if you are someone from computer engineering who knows what a software lifecycle is, and you read IEC 62304, you won’t feel comfortable with a few paragraphs about concepts you haven’t seen before.
IEC 62304 requires knowledge of two worlds: the computer engineering industry, where people have no idea what CAPA, vigilance and so on are, and the medical device industry, where people consider software a very convenient thing but don’t want to know how it is done.
Please, don’t get offended if you belong to one of these groups, I am caricaturing the situation! No medical device with software would work or would be certified if nobody had made the effort to understand the other side’s job.
IEC 60601-1 is a standard about electro-medical devices. Medical devices with embedded software are included in this category, as the chips containing the software are powered by electricity. They are called PEMS, for “Programmable Electrical Medical Systems”.
Only section 14 of the standard deals with software. It is fortunately a very small part of this standard, which contains tons of requirements. Section 14 gives requirements about hardware and software interfaces, especially network interfaces.
In the past, when IEC 62304 didn’t exist, only IEC 60601-1 dealt with software. But as software became more prominent in PEMS, it was decided to add a standard only about software. It makes sense: software development is a very different way of doing things compared to other industries. There are often a lot of requirements to implement in design (sometimes thousands) and there is no production (I mean manufacturing).
IEC 82304-1 is a standard about SaMD. It is applicable to medical device software that runs on general-purpose hardware, like a PC, a smartphone or a tablet. It gives additional requirements on the lifecycle of standalone software, which are not present in IEC 62304. IEC 82304-1 also contains requirements on the content of the instructions for use and on the monitoring activities to perform once the software is on the market.
IEC 81001-5-1 is about cybersecurity. It adds requirements on how to make secure software, on top of IEC 62304. It is quite a challenging standard for most medical software publishers. At the time of writing (2022), this standard is brand new and almost no publisher has the in-house capability to implement it without recruiting people with a security background.
IEC 62366-1 is about ergonomics and the interaction of the user with the device. Ergonomics shall be considered for every medical device (it is a “cousin” of IEC 60601-1-6, another standard for electrical devices). Implementing this standard for software requires the same method as for other devices. The good practice in the software industry is to keep track of usability requirements with traceability matrices between ergonomics and software design documents, as for other software requirements. A bit like cybersecurity, it also requires specialists in the field of usability engineering to correctly implement this standard.
To have a global view of medical devices with software, people should know 6 standards: ISO 13485 and ISO 14971 on one side, and IEC 62304, IEC 60601-1, IEC 82304-1 and IEC 62366-1 on the other side. Add to that IEC 81001-5-1 about cybersecurity as a 7th standard.
The table below summarises the standards around software for medical devices and the responsibilities of people, from the point of view of a software project manager.
| Standard | What is it about? | Who shall master it? / Who shall know it? |
|---|---|---|
| ISO 13485 | Quality System for the medical devices industry | Software project manager |
| ISO 14971 | Risk Management for medical devices | Software project manager |
| IEC 62304 | Software lifecycle for medical devices | Software project manager |
| IEC 81001‑5‑1 | Cybersecurity in medical devices | Software project manager and software security specialist |
| IEC 60601‑1 | Programmable electrical medical systems (PEMS) in medical devices | Software project manager (for section 14) |
| IEC 82304‑1 | Software as a medical device (SaMD) | Software project manager |
| IEC 62366‑1 | Usability in medical devices | Software project manager and usability engineering specialist |
The correct implementation of the whole quality system is always the responsibility of top management. The Quality Manager’s role is to ensure that all standards are properly applied by the people who should know them. What I want to emphasize is that it is the software project manager’s role to implement the standards about software, with the help of the quality manager. The quality manager has a broader view of the device, both in its design (non-software parts) and in its lifecycle (other phases of the life of the medical device).
As a conclusion, if you design software, begin with IEC 62304, that's your most important standard. Continue with ISO 13485 and ISO 14971, with explanations from your quality manager, who knows how to deal with them better than anyone else in your company. When you're comfortable with IEC 62304, continue with IEC 81001-5-1, as security matters. Then continue with IEC 60601-1 section 14 or IEC 82304-1. And end with IEC 62366-1.
If you're a quality manager, ask a software project manager to explain to you what's at stake in IEC 62304 and the other standards. Your main goal remains, of course, managing the two ISO standards at the company level.
First version on November 1st 2011
Updated on January 2022
Reason: added IEC 82304-1 and cybersecurity, not present in 2011.
Removed dead links.