Updated: 20th June 2026
Reviewed by: David Small BSc (Hons), MSc, MTOPRA (Founder and CEO)
What Is IEC 62304 and Why Is It Mandatory?
IEC 62304 establishes a comprehensive framework of requirements for the safe development and maintenance of medical device software. The standard applies equally to two distinct deployment methods:
Embedded Software: Code integrated directly into physical hardware (e.g., firmware controlling a syringe pump).
Software as a Medical Device (SaMD): Standalone software running on general-purpose computing platforms or cloud infrastructure without being part of a hardware medical device.
Software as a Medical Device (SaMD)
Not all medical device software is embedded inside a physical device. Software as a Medical Device (SaMD) can run on general-purpose computers, mobile devices or cloud-based platforms while performing a medical purpose. Learn how SaMD is regulated, how it differs from embedded software, and what manufacturers need to consider when developing compliant medical software.
Explicit Regulatory Adoption
Failing to present an audit-ready IEC 62304 technical file is a primary cause of Notified Body delays. The standard is explicitly recognized across all major global frameworks:
United Kingdom: Recognized by the MHRA as the foundational standard to fulfill Essential Requirements under the UK MDR for software-driven devices.
European Union: Serves as the primary mechanism to demonstrate compliance with EU MDR Annex I (GSPR 17) regarding software safety and cybersecurity.
United States: Officially recognized as a consensus standard by the FDA. Compliance with IEC 62304 is a critical step to meeting software validation requirements under the Quality System Regulation (QSR / QMSR).
EU AI Act Omnibus for Medical Device Manufacturers
The EU AI Act is introducing new obligations for manufacturers developing AI-enabled medical devices and IVDs. Learn how the 2026 AI Act Omnibus simplifies compliance alongside the EU MDR and IVDR, key implementation timelines, and what AI software developers need to do to prepare for future regulatory requirements.
IEC 62304 Software Safety Classifications (Class A, B, C)
A core pillar of IEC 62304 compliance is the early assignment of a Software Safety Classification. This classification dictates the specific depth of documentation, code analysis, and testing rigour required for your technical file.
Crucial Distinction: Software Safety Classification under IEC 62304 is distinct from regulatory device classification (such as Class I, IIa, IIb, III). While a device might be a Class IIa device, its software subsystem could be classified as Class B or Class C depending on the clinical severity of a software failure.
IEC 62304 Software Safety Classification Breakdown
Before software development begins, manufacturers must determine the software's safety classification based on its potential to cause harm. This classification dictates the level of rigorous documentation required by regulators under MDR and FDA guidelines.
| Safety Class | Severity of Potential Injury | Required Documentation Focus |
|---|---|---|
| Class A | No injury or damage to health is possible. | Basic architecture, configuration management, and verified defect tracking. |
| Class B | Non-serious injury is possible. | Full requirements tracking, detailed software architecture design, detailed verification, and rigorous risk management. |
| Class C | Death or serious injury is possible. | Comprehensive design lifecycle tracking, exhaustive software unit testing, detailed code analysis, and deep-dive risk assessments. |
Understanding the IEC 62304 Software Lifecycle Processes
The standard mandates that developers structure their workflow across clear, traceable lifecycle phases. These phases do not require a rigid, traditional “Waterfall” development approach; they can be integrated into modern Agile, Scrum, or DevOps methodologies.
1. Software Development Planning
Every project must be guided by an active, device-specific Software Development Plan (SDP). This plan must define the development environment, the chosen tools, coding standards, configuration management strategies, and the specific milestones for lifecycle deliverables.
2. Software Requirements Analysis (SRS)
You must translate clinical system needs into specific, actionable Software Requirements Specifications (SRS). Each requirement must be given a unique identifier to ensure long-term traceability. Ambiguous, high-level requirements are a frequent point of failure during audited reviews.
3. Software Architectural Design
The software architecture maps out the structural layout of the code, detailing modules, data flows, and external interfaces. For systems handling varied degrees of risk, a robust architecture allows developers to separate high-risk Class C modules from lower-risk components, preventing unnecessary documentation overhead for safe subsystems.
4. Implementation and Unit Verification
This phase provides objective evidence that the software code is constructed in accordance with predefined coding standards. For Class B and Class C software, unit verification requires formal code reviews or automated static analysis to confirm that every module behaves safely and predictably under test conditions.
5. Software Integration and System Testing
Once components are integrated, the unified system must undergo rigorous validation testing. Tests must be planned, repeatable, and explicitly mapped to the software requirements. For advanced SaMD deployments, this may include testing via clinical datasets or simulated real-world environments.
6. Software Release and Post-Market Maintenance
IEC 62304 compliance extends long past the initial code release. Manufacturers must establish formal, controlled processes for software versioning, cybersecurity vulnerability tracking, field performance monitoring, and patching.
Predetermined Change Control Plans (PCCPs)
Modern medical device software rarely remains static. Predetermined Change Control Plans (PCCPs) allow manufacturers to define certain software modifications in advance, supporting agile development while maintaining regulatory compliance. Learn how PCCPs are shaping the future of Software as a Medical Device (SaMD), AI-enabled technologies and connected healthcare.
Read our guide to Predetermined Change Control Plans (PCCPs) →
Integration with ISO 14971 Risk Management
IEC 62304 cannot operate in a silo; it is tightly interwoven with ISO 14971 (Risk Management for Medical Devices). Software cannot fail in a traditional mechanical sense, so software risk management focuses entirely on the consequences of system anomalies, logic bugs, and unexpected input handling.
Hazard Identified
Software Requirement
Implementation
Unit Test Case
Every potential software anomaly that could lead to a hazard must be accounted for. For Class B and Class C systems, deeper technical risk analyses—including Fault-Tree Analysis (FTA) or Failure Modes and Effects Analysis (FMEA)—must be presented inside your regulatory file to address data preservation, algorithmic decision-making, and cybersecurity threats.
Cybersecurity and Secure Medical Device Software
Medical device software is no longer confined to standalone systems operating in isolation. Modern devices increasingly communicate with hospital networks, cloud platforms, mobile applications and other connected technologies. While this connectivity delivers significant clinical benefits, it also introduces new cybersecurity risks that have become a major focus for regulators worldwide.
Cybersecurity is no longer viewed solely as an information technology issue. Under the EU Medical Device Regulation (EU MDR), UK Medical Devices Regulations and FDA guidance, cybersecurity forms an essential component of device safety. A successful cyberattack has the potential to compromise software functionality, expose sensitive patient information, interrupt clinical services or, in the most serious cases, place patients at risk.
For this reason, manufacturers should consider cybersecurity throughout the entire software lifecycle rather than treating it as a final verification activity before product release.
Cybersecurity Throughout the Software Lifecycle
Although IEC 62304 does not prescribe specific cybersecurity controls, it provides the structured software lifecycle processes needed to implement them effectively. Security considerations should be incorporated into software planning, architecture, implementation, verification, maintenance and post-market surveillance.
For example, manufacturers should consider cybersecurity during:
- Software development planning by defining secure development processes and responsibilities.
- Software architecture by designing secure interfaces and limiting potential attack surfaces.
- Implementation through secure coding practices and code reviews.
- Verification by testing security functions alongside software functionality.
- Maintenance through vulnerability monitoring, software updates and security patch management.
Embedding cybersecurity into each stage of development helps ensure software remains resilient as new vulnerabilities and cyber threats emerge throughout the product lifecycle.
Cybersecurity and ISO 14971 Risk Management
Cybersecurity should form an integral part of the overall risk management process described within ISO 14971. Instead of considering only traditional software failures, manufacturers should also evaluate hazards resulting from malicious or unauthorised actions.
Examples of cybersecurity hazards may include:
- Unauthorised access to device settings.
- Modification of clinical data.
- Interruption of therapy delivery.
- Denial-of-service attacks.
- Loss of data integrity.
- Exposure of confidential patient information.
- Installation of malicious software.
- Exploitation of software vulnerabilities.
Each identified cybersecurity risk should be analysed, appropriate risk control measures implemented, and the effectiveness of those controls verified before the device is placed on the market.
Secure Software Development Principles
Developing secure medical device software requires more than simply adding encryption or antivirus software. Cybersecurity should be incorporated into the software design from the earliest stages of development.
Common secure software development practices include:
- Strong user authentication and role-based access control.
- Encryption of sensitive data during transmission and storage.
- Secure communication protocols between connected devices.
- Input validation to prevent malicious commands.
- Protection against unauthorised software modification.
- Secure configuration management.
- Audit logging and traceability.
- Secure software update mechanisms.
These controls help reduce the likelihood of security vulnerabilities while supporting compliance with modern regulatory expectations.
Managing Third-Party Software and Open-Source Components
Many medical device software products rely on commercial software libraries, operating systems or open-source components. While these accelerate development, they also introduce additional cybersecurity considerations.
Manufacturers should maintain an inventory of third-party software components, monitor newly disclosed vulnerabilities and assess whether security updates are required throughout the device lifecycle.
This complements the requirements for managing Software of Unknown Provenance (SOUP) under IEC 62304 and helps ensure external software dependencies remain suitable for their intended use.
Post-Market Cybersecurity Monitoring
Cybersecurity responsibilities do not end when software is released. New vulnerabilities are discovered continuously, making ongoing monitoring essential throughout the lifetime of the device.
Manufacturers should establish documented procedures for:
- Monitoring newly disclosed vulnerabilities.
- Assessing potential impacts on device safety.
- Deploying software security updates where appropriate.
- Communicating cybersecurity information to customers.
- Recording cybersecurity incidents within post-market surveillance activities.
- Reviewing security trends as part of continual improvement.
An effective vulnerability management process enables manufacturers to respond rapidly to emerging threats while maintaining regulatory compliance.
International Cybersecurity Expectations
Cybersecurity requirements continue to evolve across global markets. Manufacturers developing connected medical device software should consider guidance and standards including:
- EU MDR General Safety and Performance Requirements (Annex I).
- FDA Cybersecurity Guidance for Medical Devices.
- IEC 81001-5-1 (Health Software – Security Activities).
- ISO 14971 Risk Management.
- IEC 62304 Software Lifecycle Processes.
- ISO/IEC 27001 Information Security Management Systems.
Applying these standards together provides a comprehensive framework for developing software that is both safe and secure throughout its lifecycle.
ISO 27001 and Information Security
Cybersecurity is now a fundamental consideration throughout the medical device software lifecycle. Discover how ISO/IEC 27001 helps organisations establish robust information security management systems (ISMS), manage cyber risks and support compliance with IEC 62304, ISO 14971 and connected healthcare technologies.
Building Cybersecurity into Medical Device Software
As healthcare becomes increasingly connected, cybersecurity has become an essential element of medical device software development. Manufacturers that integrate security into their software lifecycle from the earliest planning stages are better positioned to protect patients, reduce regulatory risk and maintain long-term compliance.
At Patient Guard, we help manufacturers incorporate cybersecurity into software development, risk management and quality management systems, ensuring medical device software remains compliant with IEC 62304, ISO 14971 and evolving international regulatory expectations.
Managing SOUP (Software of Unknown Provenance)
One of the most heavily scrutinized sections of any software audit is the evaluation of SOUP (Software of Unknown Provenance). SOUP includes third-party operating systems, database engines, open-source libraries, or development frameworks where the design lifecycle cannot be directly audited.
Under IEC 62304, utilizing SOUP is permitted, provided you actively manage the risk:
Specify requirements: Define exactly what the third-party library is intended to do within your system.
Assess functional gaps: Analyze if known vulnerabilities or bugs in the SOUP component impact your device’s safety profile.
Continuous Monitoring: Establish an ongoing monitoring procedure to track newly disclosed security flaws or updates released by the SOUP vendor.
Common IEC 62304 Pitfalls to Avoid
Treating Software like Hardware Documentation: Hardware files often focus on physical properties and static manufacturing tolerances. Software documentation requires deeper, behavioral evidence, focusing on how data flows and how exceptions are handled.
Missing a Defect/Problem Resolution Procedure: Regulators expect a documented, formal mechanism for identifying, logging, triaging, and closing code anomalies.
Broken Traceability Chains: If a risk mitigation requirement exists within your ISO 14971 file, there must be a matching software requirement in your SRS, which must then map to an isolated code section and a documented verification test. If any link is broken, the file is non-compliant.
The Future of Medical Device Software
Software development within the medical device industry is evolving at an unprecedented pace. While IEC 62304 continues to provide the internationally recognised framework for software lifecycle processes, today’s manufacturers are increasingly developing technologies that extend far beyond traditional embedded software.
Artificial intelligence, cloud computing, connected healthcare ecosystems and high-speed communications are transforming how medical devices are designed, validated and maintained. These technologies offer enormous opportunities to improve patient outcomes, but they also introduce new regulatory expectations relating to cybersecurity, software updates, interoperability, data privacy and continuous lifecycle management.
Whether developing embedded firmware for an infusion pump, Software as a Medical Device (SaMD), or AI-powered diagnostic software hosted in the cloud, manufacturers must still demonstrate a structured software development process that satisfies the principles of IEC 62304. The following emerging technologies are reshaping the future of medical device software and should be considered during product development.
Artificial Intelligence and Machine Learning
Artificial intelligence is becoming one of the fastest-growing areas of medical technology. AI algorithms are already supporting clinicians by analysing medical images, predicting disease progression, identifying abnormalities and assisting with clinical decision-making.
Unlike conventional software, AI systems introduce additional challenges surrounding algorithm transparency, bias, model validation, continuous learning and post-market monitoring. Manufacturers must demonstrate that AI systems remain safe and effective throughout their lifecycle while complying with emerging legislation such as the EU Artificial Intelligence Act alongside existing medical device regulations.
Fortunately, the core principles of IEC 62304 remain highly relevant. Software planning, risk management, verification, validation and maintenance all continue to form the foundation of compliant AI software development.
Artificial Intelligence in Medical Devices
Artificial intelligence is transforming healthcare, from AI-assisted diagnosis to predictive analytics and clinical decision support. Discover how AI is changing medical device development and the regulatory considerations manufacturers must address alongside IEC 62304.
The Internet of Medical Things (IoMT)
Medical devices are becoming increasingly connected. Wearable technologies, remote patient monitoring systems, implantable devices and hospital equipment now exchange data continuously across healthcare networks.
This growing ecosystem, known as the Internet of Medical Things (IoMT), enables healthcare providers to monitor patients remotely, improve treatment decisions and respond more rapidly to changing clinical conditions.
However, increased connectivity also introduces additional responsibilities. Manufacturers must address cybersecurity, software maintenance, secure communications and interoperability while ensuring software updates do not compromise patient safety.
A well-implemented IEC 62304 lifecycle provides the structured development and maintenance processes needed to support these connected technologies.
The Internet of Medical Things (IoMT)
Connected medical devices are reshaping healthcare through remote monitoring, wearable technologies and cloud-based clinical systems. Learn how the Internet of Medical Things is improving patient care while introducing new software and cybersecurity challenges.
5G and Connected Healthcare
The expansion of 5G communications is enabling entirely new healthcare applications. Ultra-low latency networks now support remote diagnostics, connected ambulances, wearable monitoring devices and even robotic-assisted procedures.
For software developers, greater connectivity also creates higher expectations around software reliability, resilience and cybersecurity. Medical device software must continue operating safely even when communication networks are interrupted, degraded or unavailable.
As connected healthcare continues to evolve, manufacturers should ensure their software architecture and lifecycle processes remain aligned with IEC 62304 while incorporating modern cybersecurity principles and secure software engineering practices.
5G Connectivity and Medical Devices
Ultra-fast 5G networks are enabling the next generation of connected healthcare, from remote patient monitoring to advanced digital health solutions. Discover how 5G is influencing medical device software development and future regulatory considerations.
Building Software That Is Ready for Tomorrow
Medical device software will continue to evolve as artificial intelligence, connected healthcare and digital technologies become increasingly integrated into clinical practice. Although these innovations introduce new technical and regulatory challenges, the underlying principles established by IEC 62304 remain unchanged: structured planning, effective risk management, rigorous verification, controlled change management and continual software maintenance.
Manufacturers that build these principles into their development process from the outset are better positioned to achieve regulatory approval, adapt to future technologies and deliver safe, effective software throughout the product lifecycle.
Aligning IEC 62304 with Your Business Operations
Achieving compliance efficiently means integrating these processes directly into your modern tools. Our teams specialize in establishing audit-ready traceability directly inside everyday environments like Jira, Azure DevOps, and Helix ALM, ensuring that developers don’t have to break their active sprint rhythms to satisfy regulatory demands.
Leverage Patient Guard’s Regulatory Expertise
Navigating the line between high-speed software development and rigid medical compliance requires hands-on experience. Patient Guard provides complete, end-to-end support for software-driven medical devices:
Comprehensive IEC 62304 / IEC 82304 Gap Assessments
Software Safety Classification Definition and Strategy
Full Technical File Compilation for MHRA, FDA, and Notified Bodies
QMS Integration (ISO 13485 + ISO 14971 + IEC 62304)
Ready to secure smooth regulatory market access for your software or SaMD?
Frequently Asked Questions About Medical Device Software and IEC 62304 Compliance
IEC 62304 is the global harmonized standard defining lifecycle requirements for medical device software. Compliance is mandatory for any manufacturer whose medical device incorporates software (embedded firmware) or is itself standalone software acting as a medical device (SaMD) entering the UK, EU, or US healthcare markets.
Yes. Standalone Software as a Medical Device (SaMD) must comply fully with IEC 62304. Global regulators, including the MHRA, FDA, and EU Notified Bodies, use IEC 62304 as the benchmark to verify that your software product was engineered under strict quality controls and will perform safely in clinical environments.
Software safety classes are assigned based on the severity of risk the software poses to the patient or operator if a failure occurs:
Class A: No possibility of injury or health damage.
Class B: Non-serious injury is possible.
Class C: Death or serious injury is possible.
Your classification dictates the depth of documentation required; Class B and C require significantly more rigorous architectural design, unit testing evidence, and risk analysis than Class A.
They work together as an integrated compliance ecosystem. ISO 13485 sets the corporate Quality Management System framework for design controls, while IEC 62304 supplies the technical, software-specific lifecycle processes. Crucially, IEC 62304 mandates strict integration with ISO 14971, requiring every potential software anomaly or failure mode to directly link to an identified risk control and a verification test case.
A standard audit-ready software compliance file must contain:
Software Development Plan (SDP)
Software Requirements Specifications (SRS)
Software Architecture and Detailed Design Documentation
Verification and Validation (V&V) protocols and execution logs
Software Risk Management File (linked to ISO 14971)
SOUP (Software of Unknown Provenance) Assessment Records
A complete Traceability Matrix mapping requirements to tests
David Small BSc (Hons), MSc, MTOPRA
Reviewed by
David Small, BSc (Hons), MSc, MTOPRA
Founder & CEO |
20+ years in medical device regulatory affairs, MDR/IVDR compliance and quality systems.
Patient Guards Recent Posts

EU Authorised Representative Services for Medical Device & IVD Manufacturers
Selling medical devices or IVDs in Europe? If your company is based outside the EU, appointing an EU Authorised Representative (EC Rep) is a legal requirement under EU MDR 2017/745 and IVDR 2017/746. Patient Guard provides expert EU Authorised Representative services, EUDAMED support, regulatory guidance, and ongoing compliance management to help manufacturers access and maintain the European market with confidence.

Predetermined Change Control Plans (PCCPs): The Future of Agile Compliance for Medical Device Software
Learn how PCCPs help medical device software manufacturers manage updates, support AI systems, and enable agile compliance under evolving MDR and UKCA frameworks.

The AI Act Omnibus Explained: What the 2026 EU Rules Mean for Medical Device and IVD Manufacturers
Discover how the EU AI Act Omnibus affects AI medical devices and IVD manufacturers. Learn about the No Duplication principle, transparency rules, key 2026 and 2028 deadlines, and how MDR and IVDR compliance are converging with AI regulation.
Need Training?
Do you need training on Quality Management Systems or EU MDR/ EU IVDR? then check out our training courses.