FDA medical device recalls are on the rise. An increasingly active FDA, coupled with the rise in software components for medical devices is adding up to new challenges for manufacturers. Given this reality, it’s important to understand how the FDA uses the IEC 62304, an international standard developed that, among other things, says product testing by itself is not enough to prove software is safe for patients using the medical device.
The standard provides a common framework for medical device manufacturers to develop software. Conformance with this standard provides evidence that there is a software development process in place that fulfills the requirements of the Medical Device Directive. Because it has been harmonized with the Medical Device Directive in the EU and recognized as a Consensus Standard by the FDA in the US, IEC 62304 can be used as a benchmark to comply with regulatory requirements in both markets. To date, this standard has been recognized in most countries that use compliance standards to fulfill regulatory requirements.
Complying with 62304 enhances the reliability of your device’s software by requiring attention to detail in design, testing and verification, ultimately improving the overall safety of the medical device.
Here’s the $64,000, or usually much higher, question: Does your device have to meet IEC 60601-1 requirements?
The EU has been using IEC 62304 since 2008, but it has gained even more traction with its incorporation into the third edition of IEC 60601-1’s Amendment 1. The inclusion of Amendment 1 shifted the standard from a recommendation to a requirement if your device utilizes software.
For those who design or manufacture electromedical equipment, 60601-1 is one of the most important safety and performance standards to meet. The standard addresses critical safety issues, including electrical shocks and mechanical hazards, such as pinching, crushing, and breaking. Devices that must meet IEC 60601-1 requirements include those which:
- Diagnose, treat, or monitor the patient under medical supervision
- Make physical or electrical contact with the patient
- Transfer energy to or from the patient; and/or
- Detect such energy transfer to or from the patient.
60601-1 Clause 14 requires manufacturers to comply with IEC 62304 unless the device’s software has no role in providing basic safety or essential performance or risk analysis demonstrates that a failure of any Programmable Electronic Safety System (PESS) does not lead to an unacceptable risk.
Basic safety is the main focus of IEC 60601-1. It’s important that you conduct a risk analysis to identify your device’s level of unacceptable risk and determine the role of software in risk mitigation. This analysis will determine the applicable basic safety requirements for your device, and, for some requirements, the test parameters that need to be used by the test laboratory.
The most common mistake that medical device manufacturers make is that they do not always assess which elements of risk their software mitigates. These are the elements that must be addressed by IEC 62304. For example, what would happen if the creator of a hoist didn’t properly vet the software that signaled the hoist to lower the patient at a certain speed? If a patient were lowered to quickly–or not at all –there would be a risk management nightmare. Since software plays a role in the Basic Safety functions of the hoist, it must comply with 62304’s requirements.
In conjunction with IEC 60601-1, 62304 is intended to minimize the occurrence of these situations. When device software is mitigating a known potential hazard, ensuring that the code is developed properly is critical for the management of patient safety, as well as liability to the manufacture.
It can be difficult to determine if a device’s software is tied to its Essential Performance (EP), especially because the definition of EP has been widely debated for years. Thankfully, the definition and requirements for Essential Performance changed with Amendment 1 of IEC 60601-1 to help provide more clarity.
Determining Essential Performance begins with a list of all functional aspects of your device, including accuracy, measurements and its capabilities. Once you identify these items, determine whether any of these are already covered by the Basic Safety requirements of IEC 60601-1 or whether any item is not part of the device’s intended use. Then, and this is key, every item remaining gets posed the question, “If this item degrades, will it create a risk for the patient?”If the answer is yes, you must identify how its functionality must be maintained so the risk is still acceptable. This is your Essential Performance.
A good example to help clarify the impact of Essential Performance on IEC 62304 is accuracy. Consider a device that claims its EP is accurate within 5%. If the device is relying on software to maintain that accuracy or provide an alert when outside of 5%, and that software fails, then the manufacturer will be unable to detect if the device’s Essential Performance is being met. This means the software is providing Essential Performance.
Once you know your device software is responsible for Essential Performance, you must comply with IEC 62304 to ensure there is no unacceptable risk to a patient.
There are several situations that manufacturers often don’t realize require compliance with IEC 62304. These product features can create major headaches and costly delays if they are not properly developed. These scenarios include:
Alarms & Alerts
Alarms are often an Essential Performance requirement because they are intended to detect abnormalities. If the alarm was removed, the device would no longer meet it’s performance requirements, making the risk unacceptable. Software is used to detect the issue, instigate the alarm and make the sound.
Speed & Position Sensors
These sensors are in place to address Basic Safety concerns. For example, a hospital bed has a position sensor to keep it from crushing the operator’s foot and mammography has sensors to gauge compression. Devices like these use software to limit range of motion, speed and force.
Algorithms are frequently used with physiological monitoring. If the software is removed, the device is no longer able to operate as intended, resulting in the algorithms being part of Essential Performance.
It is important to note that these situations apply to the patient, operator or service personnel.
Once you know you must comply with IEC 62304, how do you go about preparing for it? To start, know that compliance with this standard is defined as implementing all of the processes, activities and tasks identified in the standard in accordance with the software safety class. 62304 itself does not prescribe a particular organizational structure or specific format for documentation, however. Compliance is determined by a review of all required documentation, including the risk management file.
Editor’s Note: In Part Two, we’ll take a look at the best way to approach risk management.
About the author:
Russ King is President of MethodSense, a life science consulting firm with offices in the US and Europe. They guide medical device, biotech and pharmaceutical companies with quality, regulatory and technology solutions. Their services enable clients to operate more effectively during the commercialization process and beyond. As it relates to IEC 60601-1 and 62304, MethodSense provides expert guidance and interpretation, helping you with:
- Reviewing the standard you must comply with
- Conducting a gap analysis of your Risk Management Program against ISO 14971
- Updating your Risk Management Documentation
- Completing the IEC 60601-1 and other relevant tables
- Submitting your documentation for review
MethodSense offers special thanks for the input of Medical Equipment Compliance Associates, LLC for information that significantly contributed to the content of this article.
For questions and information, contact Russ King, firstname.lastname@example.org