The development of software for SaMD (Software As Medical Device) and SiMD (Software In Medical Device) is regulated through a specific standard named IEC 62304 – Medical device software — Software life cycle processes. With this article we want to give you an overview of the requirements for the documentation of the Software Development Plan, one of the key document for software embedded or associated to medical device.
The level of details of the software-related documentation depends from the class of risk associated two the medical device software. This is the reason why, before going through the requirements for the software development plan, we will talk about the methodology for software classification based on the risk.
Several topics strictly related to cybersecurity of medical devices have been addressed, such as cybersecurity risk assessment, threat model, patch management, cybersecurity testing, vulnerability disclosure and much more. In this post, we will specifically address the software development plan according to IEC 62304.
Software Risk Classification
The methodology for risk classification of software embedded or associated to medical device (or software as medical device) is described in the Amendment 1 published in 2015. The risk classification is constituted by three different software class:
- Class C : failure of the software can cause death or serious injury to the patient.
- Class B : the software can cause minor harm such as injuries
- Class A : the software cannot cause any harm
The risk class is given to a specific software based on the following scheme:
Be default the software is in class C and the following shall be evaluated:
- if any hazardous situation could arise from the software; if no, the software will be in class A.
- If yes, the evaluation of the acceptability of the risk shall be performed after the implementation of risk control measure external to the software. Of the risks are considered acceptable, the software is in class A. If the risk is not acceptable and the potential consequences are serious (serious injury or death) the class of risk is C. Otherwise, in case of potential non-serious harm, the class of risk is B.
What shall be included in the Software Development Plan?
According to the IEC 62304, the following elements shall be include in the software development plan:
- The processes which are going to be used in the development of the software
- The deliverables to be reached and meet during the development process
- The traceability between global system requirements, software requirements, verification tests and associated risk control measures. This is typically documented within a Risk Traceability Matrix.
- Software configurations and change management, including the management of SOUP (Software of Unknown Provenance).
- The process for resolutions of the software related problems (bugs)
An example of Software Development Plan
Having a Software Development Plan properly written is a key factor for the development of your software. QualityMedDev has published an example of Software Development Plan which can be downloaded from the website.
The Update of Software Development Plan
According to the IEC 62304, it is essential to keep updated the software development plan through all the stages of the design process. This means that it shall be constantly updated or a justification shall be mentioned if, during the design process, no modifications of the software development plan are deemed necessary.
The link between Software Development Plan and System Design and Development
It is necessary that high level system requirements are used (referenced) as input for the development of the software. Moreover, reference to the general procedure aimed at describing the process for validation of the device (including software) shall be clearly mentioned in the software development plan.
Standards, Methods and Tools for the Development of the Software
For Class C software (highest risks), standards, methods and tools associated to the development of the software shall be clearly defined in the software development plan.
Software Verification and Risk Management
The planning for the verification activities shall be clearly mentioned and discussed in the software development plan. For example, deliverables requiring verification and the related acceptance criteria for verification activities need to be referenced or discussed in the development plan.
Moreover, the risk management activities related to software development need to be defined; this includes the risk management associated to the software of unknown provenance.
Software Risk Management Process
Risk management activities shall be fully integrated in the software development process. Software items that could potentially trigger any harm to the user shall be clearly identified in the risk analysis.
Particular attention shall be considered for the Software of Unknown Provenance. Typically, it is necessary to evaluate the list of known anomalies for the specific version of the SOUP used within the medical device to determine if any of the known anomalies result in a sequence of events that could result in a hazardous situation.
The SOUP (Software of Unknown Provenance) shall be fully identified through the following information:
- the title
- the manufacturer
- and the version of the SOUP
Software Development and Validation Package
4EasyReg has made available a toolkit focused on the documentation related to Software Development and Validation according to IEC 62304. We have been discussing in different occasion in the blog the documentation linked to IEC 62304, such as Software Development Plan and Software Architecture. We have however decide to collect the main documentation needed for activities related to Software Development and made it available in our 4EasyReg DocShop.
This toolkit contains different fully editable templates that can be used to document medical device related software development and validation activities.
The toolkit contains the following documentation:
- Software Development Plan Template
- Software Architecture Template
- Software Release Record Template
- Software Verification Protocol Template
- Software Verification Protocol Template
Do not hesitate to download it the toolkit!
Conclusions
In conclusion, the software development plan is one of the key document for the development of software as medical device or in medical device. In this article, the main requirements associated to the software development plan according to IEC 62304 have been discussed.
Subscribe to 4EasyReg Newsletter
4EasyReg is an online platform dedicated to Regulatory matters within the medical device, information security and AI-Based business.
We offer a wide range of documentation kits to support your compliance efforts towards a wide range of standards and regulations, such as ISO 13485, EU MDR, ISO 27001, ISO 42001 and much more. . Specifically, in our webshop you will find:
- ISO 13485 Documentation / Compliance Kit
- ISO 27001 Documentation / Compliance Kit
- ISO 42001 Documentation / Compliance Kit
- FDA Cybersecurity Documentation
Within our sister platform QualityMedDev Academy, a wide range of online & self-paced training courses is available, such as for example:
- Complaint Handling and Vigilance Reporting
- Artificial Intelligence in Medical Device. Regulatory Requirements
- Unique Device Identification (UDI) Requirements according to EU MDR
- Clinical Evaluation Process According to EU MDR
- Medical Device SW Verification & Validation
- Risk Management for Medical Devices
- Usability Evaluation for Medical Devices
As one of the leading online platforms in the medical device sector, 4EasyReg offers extensive support for regulatory compliance. Our services cover a wide range of topics, from EU MDR & IVDR to ISO 13485, encompassing risk management, biocompatibility, usability, software verification and validation, and assistance in preparing technical documentation for MDR compliance.
Do not hesitate to subscribe to our Newsletter!
