What is IEC 62304? Ensuring safety in medical software.

8 min read


IEC 62304 is an international standard shaping the development and maintenance of medical device software. Preparing to build software? This article will give you an idea of how IEC 62304 ensures the creation of safe and high-quality software uncovering facts about the development life cycle, classification, risk management, and IEC 62304 interactions with other medical standards.


IEC 62304 is an internationally recognised quality standard for medical device software lifecycle processes. Its primary purpose is to ensure that software used within or as a medical device is developed and maintained in cooperation with the existing Quality and Risk Management System.

Although building software compliant with IEC 62304 may be challenging, the effects are worth the effort. IEC 62304 is crucial in developing MDR and FDA certification-ready medical software. The standard provides safety, quality, and reliability of medical device software and fosters entering a global market.

What is IEC 62304?

IEC 62304 is an internationally recognised quality standard that defines life cycle requirements for medical device software. It introduces a comprehensive list of requirements for the software development process for software as a medical device (SaMD) and software in a medical device (SiMD).

IEC 62304 has also its European adoption - EN 62304.

IEC 62304 classifies software into three safety classes (A, B, and C) based on the potential consequences of a software failure to the patient or the user. (These classes can be mapped to the MDR classes (I, IIa, IIb and III), but it’s not a direct relation). The standard describes what risk control measures are required at every stage of the software life cycle. Next to ISO 13485, it’s one of the most important standards ensuring the quality of medical device software.

What’s the purpose of IEC 62304?

The purpose of IEC 62304 is to ensure that software is developed and maintained in a way that helps reduce potential risks to an acceptable level.

To get familiar with the objectives of IEC 62304, it’s good to know the definition of a life cycle of medical software development. It’ll help you understand the further part of this article correctly.

The software life cycle begins with the definition of its requirements. It ends with implementing the product into production and maintenance. This involves identifying the development processes, tasks, and dependencies and verifying specific result elements at key stages.

Key requirements of IEC 62304

To ensure the safety of medical device software, IEC 62304 outlines specific requirements that manufacturers should meet and address, e.g. potential risks related to software failure, configuration, data protection, cybersecurity and many others.

Software development lifecycle processes (SDLC)

The Software Development Lifecycle (SDLC) is the process specified by IEC 62304 to provide a framework for developing and maintaining software for medical devices. These processes go as follows:

  1.  Software development planning 

  2. Requirements analysis 

  3. Architectural and detailed design 

  4. Implementation 

  5. Verification 

  6. Integration 

  7. Testing 

  8. Finalising the whole system testing 

  9. Software release 

  10. Maintenance activities (especially important for medical devices)

See the simplified graph below - it might give you an idea of what’s essential. For more detailed info, read the AWS Guide.


For your project, an example of activities throughout a development process might look like:

  • defining an intended use and classifying the software (A, B or C), 

  • describing software requirements specification (called "SRS"), 

  • designing a technical solution and software architecture, 

  • developing the software components with best practices for code quality, 

  • verifying every step of software development: unit tests, code review, integration tests, software tests, 

  • software deployment and its maintenance

As you can see, it’s a kind of guide that makes sure you don’t forget about anything important during planning your medical software solution. Let’s go to the next point.

Software risk management

IEC 62304 obliges medical software manufacturers to implement a risk management process. It refers in this matter to another standard, which is ISO 14971 - Medical devices - Application of risk management to medical devices.

IEC 62304 gives software development companies guidelines on identifying and managing associated risks, such as software failure, which could affect a patient or device operator. Based on the medical device risk classification according to ISO 14971, the IEC 62304 standard indicates certain risk control measures which must be implemented throughout the software’s life cycle.

The following risk control measures can support:

A. Safety ensured by the product design (e.g. changes in user-interface design, including warnings like message boxes),

B. Protective measures in the medical device itself or the production process,

C. Fault-tolerant software architecture aims to keep a software system running reliably even if there are hardware failures, software bugs, or unexpected issues.

Its primary goal is to minimise the impact of faults and errors on the system's performance.

By incorporating risk management into the software lifecycle processes, developers can systematically address and manage risks associated with the software. It helps to enhance safety and comply with regulatory requirements, which leads to the creation of safe and reliable medical device software.


According to IEC 62304, risk management is an essential component of software development for medical devices. The process involves identifying, analysing, evaluating, and controlling risks associated with the software.

Software safety classification (Class A, B, C)

In IEC 62304, software safety classification categorises medical device software into classes (Class A, Class B, or Class C). It’s based on the potential consequences to the patient or operator in the event of a software failure or malfunction. It’s worth noting that IEC 62304 risk classes are not synonymous with the risk classes described in Rule 11 MDR.

The classification determines what part of standard requirements must be applied during the software development process - for example, for class A, you don’t need to meet the software architectural design activity, while for classes B and C, it is necessary.

Go through the graph from the IEC standard guide to have an idea of what class (by IEC 62304) your medical device might be. To do so, you might need a definition of a “serious injury.”


There are three safety classes of medical device software according to IEC 62304:

Class A: There is no risk of injury or harm to health

Class B: There is a possibility of injury, but it is not severe

Class C: There is a potential for serious injury or even death

The classification supports overall risk management throughout the software's life cycle, promoting effective prevention. Assigning a specific safety class to medical device software based on the IEC 62304 should, therefore, take into account:

  • the potential harm that could result from a software failure, 

  • the likelihood of a dangerous situation caused by the software failure, and 

  • the probability of detecting or controlling a hazardous situation before it can cause harm.

Medical software standards: IEC 62304, IEC 82304, IEC 62366 and ISO 13485: supporters or enemies?

What is the relationship between IEC 62304 & ISO 13485?

IEC 62304 and ISO 13485 often complement each other during medical software development. While IEC 62304 focuses on safety and risk evaluation of the specific software development processes, ISO 13485 provides a broader framework for quality management in the organisation. By implementing both standards, medical software manufacturers can ensure that their software development processes align with quality management principles. IEC 62304 and ISO 13485 allow manufacturers to produce safe, reliable, highquality software products in the medical device industry.

IEC 62304 addresses the safety and effectiveness of software life cycle processes for medical device software and guides on developing, testing and maintaining SaMD and SiMD.

ISO 13485 is a quality management system (QMS) standard for organisations designing, developing, verifying, validating, producing, installing, and/or servicing medical devices. It covers various aspects of the organisation's operations, including management responsibility, resource management, design and development, production, and customer satisfaction.

What’s the difference between IEC 62304 & IEC 82304

IEC 62304 is sometimes confused with another medical regulation, IEC 82304, which is a standard focusing on the security and safety of health software.

While IEC 62304 applies to Software as a Medical Device (SaMD) and Software in a Medical Device (SiMD), IEC 82304 solely applies to medical software (in standard named as health software), including SaMD, but not SiMD.

In addition, IEC 82304:

  • describes in detail software validation stages, 

  • instructs post-marketing activities to be performed by the manufacturer, 

  • gives details about how to write instructions to ensure correct use, as well as the installation of the health software product.

The definition of software used in 82304 is broader than in 62304. For example, it refers to software that is not classified as a medical device, like prescription management systems (PMS), laboratory information management systems (LIMS) or radiology information systems (RIS).


IEC 62366 vs IEC 62304

IEC 62366 emphasises user-centred design, considering user needs and incorporating human factors and ergonomic principles into medical device design, which makes them intuitive, user-friendly and safe.

It’s also worth noting that another standard - IEC 62366 - covers applying usability engineering principles to the design and evaluation of medical devices to enhance their usability and user experience.

In contrast, IEC 62304 primarily addresses the software aspect of medical devices. By considering both standards, manufacturers can ensure functionally safe, reliable, userfriendly and optimised devices for effective use.

Does implementing IEC 62304 mean my software is compliant with MDR and FDA?

IEC 62304 is an international standard that guides the software life cycle processes for medical device software, but does it mean it’s automatically compliant with EU and US medical software regulations?

To legally sell medical software in the EU and the US, it is essential to meet the specific regulations of each region. While IEC 62304 compliance contributes to demonstrating software safety and effectiveness, the manufacturers must fulfil additional requirements and assessments to ensure lawful market access in the EU and the US.


Compliance with IEC 62304 doesn't automatically guarantee compliance with the MDR or FDA, as these regulations include broader requirements for medical device development, manufacturing and marketing.

In conclusion, embracing IEC 62304 standards isn’tt just a regulatory requirement but a strategic move towards ensuring the safety, quality, and reliability of your medical device software. While the journey may present challenges, the rewards are substantial.

Let us know what do you think about the possibilities of IEC 62304 compliant software. Maybe we can discuss it together?

Read more about developing medical software compliant with IEC 62304



You may also like