IEC 62304:2006 A1:2015 - Software from the early 1990s

patmelad

Starting to get Involved
#1
We currently have a Class 2a simple medical device that has had a CE mark since 2009. I have already updated to ISO 13485:2016, but during a technical file review we were told that we did not comply with the addition to IEC 62304. The software is from the early 90s and none of the records are available, as the original company went out of business. There have been zero incidents caused by the software since its inception.

Would anyone either explain to me what documents I would need to be compliant for legacy software, or possibly be able to provide examples? Creating the ISO quality system and getting the CE mark I could figure out, but the software items have me lost.

Any advice or assistance would be greatly appreciated.
Thank you
 

Ronen E

Problem Solver
Staff member
Moderator
#2
S. 4.4 specifically deals with legacy software. There's also a lot of guidance on this section in Annex B.

4.4 * LEGACY SOFTWARE
4.4.1 General
As an alternative to applying Clauses 5 through 9 of this standard, compliance of LEGACY SOFTWARE may be demonstrated as indicated in 4.4.2 to 4.4.5.
4.4.2 RISK MANAGEMENT ACTIVITIES
In accordance with 4.2 of this standard, the MANUFACTURER shall:
a) assess any feedback, including post-production information, on LEGACY SOFTWARE regarding incidents and / or near incidents, both from inside its own organization and / or from users;
b) perform RISK MANAGEMENT ACTIVITIES associated with continued use of the LEGACY SOFTWARE, considering the following aspects:
– integration of the LEGACY SOFTWARE in the overall MEDICAL DEVICE architecture;
– continuing validity of RISK CONTROL measures, implemented as part of the LEGACY SOFTWARE;
– identification of HAZARDOUS SITUATIONS associated with the continued use of the LEGACY SOFTWARE;
– identification of potential causes of the LEGACY SOFTWARE contributing to a HAZARDOUS SITUATION;
– definition of RISK CONTROL measures for each potential cause of the LEGACY SOFTWARE contributing to a HAZARDOUS SITUATION.
4.4.3 Gap analysis
Based on the software safety class of the LEGACY SOFTWARE (see 4.3), the MANUFACTURER shall perform a gap analysis of available DELIVERABLES against those required according to 5.2, 5.3, 5.7, and Clause 7.
a) The MANUFACTURER shall assess the continuing validity of available DELIVERABLES.
b) Where gaps are identified, the MANUFACTURER shall EVALUATE the potential reduction in RISK resulting from the generation of the missing DELIVERABLES and associated ACTIVITIES.
c) Based on this evaluation, the MANUFACTURER shall determine the DELIVERABLES to be created and associated ACTIVITIES to be performed. The minimum DELIVERABLE shall be SOFTWARE SYSTEM test records (see 5.7.5).
NOTE Such gap analysis should assure that RISK CONTROL measures, implemented in LEGACY SOFTWARE, are included in the software requirements.
4.4.5 Rationale for use of LEGACY SOFTWARE
The MANUFACTURER shall document the VERSION of the LEGACY SOFTWARE together with a rationale for the continued use of the LEGACY SOFTWARE based on the outputs of 4.4.
NOTE Fulfilling 4.4 enables further use of LEGACY SOFTWARE in accordance with IEC 62304.
 

yodon

Staff member
Super Moderator
#3
@Ronen E is right - the section on legacy was created for just this purpose. It's all very much risk-based. With no prior documentation, it's going to be a challenge. You need to understand what the software does and determine what can go wrong with the continued use of the software. You'll want to put together a good case for your assertion that no incidents have been due to software.

Just to make matters worse, if this is a networked device or has any kind of external communication (wired or wireless) you'll likely get called to the carpet on cybersecurity. Given the software was done in the 90s, it's likely that wasn't considered. The point is even if you plow through 62304, the work may not be over.
 

patmelad

Starting to get Involved
#4
Is there any standard format for a gap analysis that incorporates risk levels for when I do the gap analysis against 5.2, 5.3, 5.7 and Clause 7?
The software is being classified as Class A.
 

yodon

Staff member
Super Moderator
#5
I'm probably not understanding your question. Look at each clause. Based on the safety class, do you meet it (gap identification)?

Do recognize that the gap identification isn't the goal here; it's just a way to get you to the point of determining what you need to do about it (4.4.4).

For example, if, during your review, you determined that requirements definition missed 2 aspects:
  • security requirements
  • data definition
As part of your analysis, you conclude that not having requirements for the data definition brings no inherent risks to ongoing use and conclude to do nothing at this time. However, you determine that lack of security requirements (and thus not knowing if data / access is sufficiently protected) is an issue and determine that those do need to be defined. You then establish a plan for how to define and integrate security requirements. If this leads to changes to the software, those are done in accordance with Clause 6.

This is just a hypothetical example but hopefully demonstrates what I believe is the intent.
 