Regulatory Open Forum

  • 1.  IEC 82304-1:2016 Health Software

    This message was posted by a user wishing to remain anonymous
    Posted 04-Feb-2019 16:15

    Hello everyone

    What is the transition period for the standard IEC 82304-1 Health software -- Part 1: General requirements for product safety? It applies to SaMD such as mobile apps. However, I haven't heard much discussion about this standard or known of any company applying this standard yet. However, it is an FDA-recognized consensus standard. If a company only applies the IEC 62304 standard for health software, would it be out of compliance?

    Thanks.


  • 2.  RE: IEC 82304-1:2016 Health Software

    Posted 04-Feb-2019 18:29
    The two standards IEC 62304 and IEC 82304 both refer to software and both look at minimizing risks, but have entirely different targets. 

    IEC 62304:2006 - Medical device software – Software life cycle processes - focuses on the development elements (planning, requirements analysis, architectural design, verification, integration testing, etc.), and maintenance (updates and upgrades) aspects of software, as an embedded or integral part of a device, and relies on ISO 13485 (for activities and tasks managed through Quality system processes) and ISO 14971 (for management of product risks, based on software safety classification).

    On the other hand, IEC 82304-1:2016 - Health software - Part 1: General requirements for product safety – focuses on the safety and security risks of stand-alone software (with no dedicated hardware), relying on IEC 62304 for the software development and maintenance processes, and using product validation to ensure the software performs as intended.

    So, while software development is identified as a major area that may compromise patient safety, stand-alone health software has additional safety and security requirements, particularly around documentation.

    Finally, under classification rules of the EU MDR (Rule 11 of Annex VIII, Chapter III) stand-alone software is classed solely on severity of potential risk, meaning certain health-related software (including some mobile medical apps) could end up with a higher classification. IMDRF Guidance (IMDRF/SaMD WG/N12FINAL:2014) helps address this situation by introducing a graded scale (i.e. Treat or Diagnose / Drive Clinical Management / Inform Clinical Management) based on the significance of information provided by the SaMD to healthcare decision-making.

    In answer to your query, application of IEC 62304 alone to stand-alone health software would not fully address the safety and security risks covered by IEC 82304.  Having said that, all standards are voluntary so manufacturers may adopt alternative means of demonstrating product safety and performance. 

    See also:
    http://media.qadvis.com.loopiadns.com/2016/11/QAdvis-SW-Validation-RMD2016-w-WM.pdf

    ------------------------------
    Homi Dalal RAC
    Regulatory Affairs Leader
    Christchurch
    New Zealand
    ------------------------------



  • 3.  RE: IEC 82304-1:2016 Health Software

    Posted 05-Feb-2019 08:13
    Agree with Homi.

    For SaMD, think of 82304 as addressing the tips of the "V" and 62304 addressing the elements underneath. The scopes of the two standards create a Venn diagram. 62304 applies to software in medical devices (including SaMD), and 82304 applies to software-only health systems (including SaMD).

    The FDA does not impose either 62304 or 82304 on medical device manufacturers although recognized, so to Homi's point, they are voluntary.  For EU purposes, I know of no stated transition period.

    It is more likely that compliance issues with the FDA will come from issues around use (or not) of the General Principles of Software Validation (GPSV) and the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices. Fortunately, the latter guidance and 62304 have the same source document (AAMI SW-68), so there are many similarities. There is really no FDA equivalent for 82304, so again to Homi's point, the general concepts of product design validation will apply more strictly.

    In terms of risk management, the focus on severity did not begin with the EU MDR.  Section 4 of 62304:2006, as well as statements in IEC TR-80002-1 (2009) and AAMI TIR-32:2004, all speak to this same idea.  Although this wasn't at the core of your question, it is worth noting that there are ways to prevent the severity-only approach to determining risk acceptability from leading to over-mitigation of software-related risks.

    ------------------------------
    Eric Henry
    Washington DC
    United States
    ------------------------------