IEC 62304:2006 A1:2015 - Software from the early 1990s


Starting to get Involved
We currently have a Class 2a simple medical device, that has had a CE mark since 2009. I have already updated to ISO 13485:2016, but during a technical file review we were told that we did not comply with the addition to IEC 62304. The software is from the early 90s and none of the records are available as the original company went out of business. There have been zero incidents caused by the software since its inception.

Would anyone either explain to me what documents would I need to be compliant for Legacy software or possibly be able to provide examples. Creating the ISO Quality system and getting the CE mark I could figure out , but the software items have me lost.

Any advice or assistance would be greatly appreciated
Thank you

Ronen E

Problem Solver
Staff member
Super Moderator
S. 4.4 specifically deals with legacy software. There's also a lot of guidance on this section in Annex B.

4.4.1 General
As an alternative to applying Clauses 5 through 9 of this standard, compliance of LEGACY SOFTWARE may be demonstrated as indicated in 4.4.2 to 4.4.5.
In accordance with 4.2 of this standard, the MANUFACTURER shall:
a) assess any feedback, including post-production information, on LEGACY SOFTWARE regarding incidents and / or near incidents, both from inside its own organization and / or from users;
b) perform RISK MANAGEMENT ACTIVITIES associated with continued use of the LEGACY SOFTWARE, considering the following aspects:
– integration of the LEGACY SOFTWARE in the overall MEDICAL DEVICE architecture;
– continuing validity of RISK CONTROL measures, implemented as part of the LEGACY SOFTWARE;
– identification of HAZARDOUS SITUATIONS associated with the continued use of the LEGACY SOFTWARE;
– identification of potential causes of the LEGACY SOFTWARE contributing to a HAZARDOUS SITUATION;
– definition of RISK CONTROL measures for each potential cause of the LEGACY SOFTWARE contributing to a HAZARDOUS SITUATION.
4.4.3 Gap analysis
Based on the software safety class of the LEGACY SOFTWARE (see 4.3), the MANUFACTURER shall perform a gap analysis of available DELIVERABLES against those required according to 5.2, 5.3, 5.7, and Clause 7.
a) The MANUFACTURER shall assess the continuing validity of available DELIVERABLES.
b) Where gaps are identified, the MANUFACTURER shall EVALUATE the potential reduction in RISK resulting from the generation of the missing DELIVERABLES and associated ACTIVITIES.
c) Based on this evaluation, the MANUFACTURER shall determine the DELIVERABLES to be created and associated ACTIVITIES to be performed. The minimum DELIVERABLE shall be SOFTWARE SYSTEM test records (see 5.7.5).
NOTE Such gap analysis should assure that RISK CONTROL measures, implemented in LEGACY SOFTWARE, are included in the software requirements.
4.4.5 Rationale for use of LEGACY SOFTWARE
The MANUFACTURER shall document the VERSION of the LEGACY SOFTWARE together with a rationale for the continued use of the LEGACY SOFTWARE based on the outputs of 4.4.
NOTE Fulfilling 4.4 enables further use of LEGACY SOFTWARE in accordance with IEC 62304.


Staff member
Super Moderator
@Ronen E is right - the section on legacy was created for just this purpose. It's all very much risk-based. With no prior documentation, it's going to be a challenge. You need to understand what the software does and determine what can go wrong with the continued use of the software. You'll want to put together a good case for your assertion that no incidents have been due to software.

Just to make matters worse, if this is a networked device or has any kind of external communication (wired or wireless) you'll likely get called to the carpet on cybersecurity. Given the software was done in the 90s, it's likely that wasn't considered. The point is even if you plow through 62304, the work may not be over.

Top Bottom