Regulatory Open Forum

John, I am surprised there have been no open replies in response to your post as yet - perhaps others have been put off (as I was) by the SME qualifier?

While I am no subject matter expert in software (amongst numerous other areas!), I trust the text below will serve some useful purpose.  Also, we have a few software engineers within the organization who certainly are experts in their chosen software field, and would be happy to spare some time to answer your specific queries – so feel free to contact me directly.

IEC 62304: 2006 – Amd. 1: 2015 - defines Legacy Software as "medical device software which was legally placed on the market and is still marketed today but for which there is insufficient objective evidence that it was developed in compliance with the current version of this standard (i.e. IEC 62304: 2006)".

Therefore, Legacy Software would not have followed the life-cycle processes and controls as required by IEC 62304: 2006 and one cannot claim retrospectively that the software was developed in compliance with the standard.  In other words, Chapter 5 - Software Development process would not apply, and one cannot claim compliance with the standard.  However, and this is critically important, all other processes and controls of IEC 62304 (namely Chapters 6 through 9 – i.e. maintenance, risk management, configuration, problem resolution) apply to legacy software, just as applied for newly developed software. 

IEC 62304: 2006 – Amd. 1: 2015 allows the manufacturer to adopt a smaller process for maintenance than the full software development process, to modify released software while preserving its integrity.

To do new work on Legacy Software a Software Development Plan (SDP) must be in place at the start.  The plan will detail the specific software processes adopted for that product, in line with the general description/contents as detailed in IEC 62304.  

Any new work will entail:

- performing a design overview of the existing software – from the viewpoint of evaluating and implementing upgrades, bug fixes, patches, and obsolescence in OTS software, problem resolution, unresolved anomalies, risk evaluation, etc.

- specifying requirements

- constructing the software unit and identifying system integration, configuration, etc. needed for the change/s

- assessment/ analysis of risks associated with the change/s

- reclassifying Software Safety Classification (Class A/B/C) of the entire software

- implementation of change/s

- testing per the SDP, in line with IEC 62304

- software release per the SDP, in line with IEC 62304.

My colleague has directed me to this FDA training module presentation that is an excellent resource in clarifying IEC 62304 concepts and implementation: http://www.ontovigilance.org/sites/default/files/fdatraining-module7iec62304-becsconferencepresentation-jmurray110409.pdf

John, I am surprised there have been no open replies in response to your post as yet - perhaps others have been put off (as I was) by the SME qualifier?

While I am no subject matter expert in software (amongst numerous other areas!), I trust the text below will serve some useful purpose.  Also, we have a few software engineers within the organization who certainly are experts in their chosen software field, and would be happy to spare some time to answer your specific queries – so feel free to contact me directly.

IEC 62304: 2006 – Amd. 1: 2015 - defines Legacy Software as "medical device software which was legally placed on the market and is still marketed today but for which there is insufficient objective evidence that it was developed in compliance with the current version of this standard (i.e. IEC 62304: 2006)".

Therefore, Legacy Software would not have followed the life-cycle processes and controls as required by IEC 62304: 2006 and one cannot claim retrospectively that the software was developed in compliance with the standard.  In other words, Chapter 5 - Software Development process would not apply, and one cannot claim compliance with the standard.  However, and this is critically important, all other processes and controls of IEC 62304 (namely Chapters 6 through 9 – i.e. maintenance, risk management, configuration, problem resolution) apply to legacy software, just as applied for newly developed software.

IEC 62304: 2006 – Amd. 1: 2015 allows the manufacturer to adopt a smaller process for maintenance than the full software development process, to modify released software while preserving its integrity.

To do new work on Legacy Software a Software Development Plan (SDP) must be in place at the start.  The plan will detail the specific software processes adopted for that product, in line with the general description/contents as detailed in IEC 62304.  

Any new work will entail:

- performing a design overview of the existing software – from the viewpoint of evaluating and implementing upgrades, bug fixes, patches, and obsolescence in OTS software, problem resolution, unresolved anomalies, risk evaluation, etc.

- specifying requirements

- constructing the software unit and identifying system integration, configuration, etc. needed for the change/s

- assessment/ analysis of risks associated with the change/s

- reclassifying Software Safety Classification (Class A/B/C) of the entire software

- implementation of change/s

- testing per the SDP, in line with IEC 62304

- software release per the SDP, in line with IEC 62304.

My colleague has directed me to this FDA training module presentation that is an excellent resource in clarifying IEC 62304 concepts and implementation: http://www.ontovigilance.org/sites/default/files/fdatraining-module7iec62304-becsconferencepresentation-jmurray110409.pdf

Happy New Year Community,

Anyone a subject matter expert (SME) for demonstrating legacy software compliance with requirements of IEC 62304?  If yes, and you have some time, I would like to chat with you.

Thanks!

John Beasley, RAC (US)
Founding Member and Senior Consultant
MedTech Review, LLC
www.medtechreview.com
www.linkedin.com/in/medtechreview





257 Garnet Garden Street
Henderson, NV 89015

USA:  +1 612-889-5168
SKYPE:   medtechreview

All views given by MedTech Review consultants on the interpretation of medical device regulations represent our best judgment at the time. Such views are not meant to be a definitive statement of law and we would advise you to seek the views of your own professional advisors. 

This electronic transmission is strictly confidential between the sender and the intended addressee.  It may contain information which is covered by legal, professional or other privilege. If you are not the intended addressee, or someone authorized by the intended addressee to receive transmissions on their behalf, you must not retain, disclose in any form, copy or take any action in reliance on this transmission. If you have received this transmission in error, please notify MedTech Review, LLC as soon as possible and destroy this message.