IEC 62304 Compliance for Medical Device Software: A Practical Guide
IEC 62304 is the international standard for medical device software lifecycle processes. If your medical device contains software, or if your device connects to a cloud platform that performs a clinical function, IEC 62304 almost certainly applies. The standard is referenced by the FDA, cited in EU MDR technical documentation requirements, and recognized by regulatory authorities in Canada, Japan, Australia, and most other major markets.
This guide explains what IEC 62304 requires, how safety class affects the scope of compliance activities, and what manufacturers need to document to satisfy auditors and regulators.
What Is IEC 62304?
IEC 62304, titled Medical device software — Software life cycle processes, defines requirements for the development, maintenance, risk management, and problem resolution of medical device software. The standard applies to:
Software embedded in physical medical devices (firmware)
Software that operates as a standalone medical device (SaMD)
Cloud-based software that performs a medical function connected to a medical device
Importantly, the standard applies to commercial off-the-shelf (COTS) software used in medical devices, including third-party cloud platforms that process medical device data. Manufacturers using a third-party connectivity platform must ensure that the platform's development processes are compatible with IEC 62304 requirements.
Software Safety Classes
IEC 62304 defines three safety classes based on the severity of harm that could result from a software failure:
Class A — No injury or damage to health
Software in Class A has no pathway to cause patient harm, either because it does not perform a clinical function or because other controls make patient harm impossible. The compliance burden for Class A software is minimal, primarily requiring basic version control and documentation.
Class B — Non-serious injury
Software in Class B could cause non-serious injury if it fails. It requires a software development lifecycle with defined requirements, architecture, detailed design, unit testing, integration testing, and system testing. Risk management activities must be linked to the software design.
Class C — Serious injury or death
Class C applies to software where a failure could result in serious injury or death. It carries the full compliance burden of IEC 62304, including rigorous requirements traceability, detailed design documentation down to the unit level, comprehensive testing including code coverage analysis, and formal software problem resolution processes.
For most connected medical devices, the device firmware and any clinical alert logic in the cloud platform will be classified as Class B or Class C. Administrative or configuration software may qualify for Class A.
Key IEC 62304 Requirements
Software development planning (5.1)
Manufacturers must document a software development plan that defines the processes, deliverables, tools, standards, and responsibilities for the software lifecycle. The plan must specify how the software development activities will satisfy the requirements of IEC 62304 and align with the device's risk management process under ISO 14971.
Software requirements (5.2)
All software requirements must be documented and traceable to the higher-level system requirements and the intended use of the device. Requirements must address functional, performance, interface, and security needs, and they must be verifiable — that is, it must be possible to determine through testing or analysis whether each requirement has been met.
Software architecture design (5.3)
The software architecture must be documented at a level of detail sufficient to identify all software items and their interfaces. The architecture document must identify which software items are safety-critical and demonstrate that the architecture supports the required safety class performance.
Software unit testing (5.6)
For Class B and C software, unit testing must verify that each software unit performs as specified. For Class C, additional requirements apply including code coverage thresholds and formal acceptance criteria for each test.
Software problem resolution (9)
IEC 62304 requires a formal process for receiving, evaluating, and resolving software problems discovered after release. This process is closely linked to post-market surveillance under ISO 13485 and must include criteria for determining whether a problem constitutes a field safety corrective action (FSCA) requiring regulatory notification.
IEC 62304 and Cloud-Connected Medical Devices
When a medical device connects to a cloud platform, the scope of IEC 62304 extends to cover the cloud software components that perform medical functions. This has several practical implications:
The cloud platform must be developed to an appropriate safety class
The cloud platform's software lifecycle documentation must be auditable
Any change to the cloud platform that affects clinical functionality requires a formal change management process under IEC 62304 section 6
The cloud platform's problem resolution process must integrate with the device manufacturer's post-market surveillance
Manufacturers using a third-party connectivity platform should request an IEC 62304 compliance documentation package from the vendor. This package should include evidence of the safety class classification, the development process followed, testing records, and the change management process.
Frequently Asked Questions
Does IEC 62304 apply to mobile apps?
Yes. If the mobile application performs a medical function, it is subject to IEC 62304 requirements. A patient-facing app that simply displays device data without providing clinical recommendations may qualify for Class A, while an app that provides dosing guidance or interprets diagnostic results will likely require Class B or C.
Is IEC 62304 certification available?
IEC 62304 is a process standard, not a product standard. There is no certification for a specific software product. However, audit evidence demonstrating conformance with the standard's processes is required for regulatory submissions and Notified Body assessments.
Related Resources
Explore related topics to deepen your understanding of medical device connectivity and compliance:
HIPAA-Compliant Medical Device Cloud
Medical Device Cybersecurity: A Complete Guide
Build vs. Buy: Medical Device Cloud Connectivity
Remote Patient Monitoring Platform
Why medical device manufacturers choose Matrix Connect
Building cloud connectivity from scratch for a medical device is a multi-year, multi-million dollar undertaking. Industry research shows that the total cost of building and maintaining a compliant medical device connectivity platform ranges from $250,000 to over $2,000,000, depending on the complexity of the device and the regulatory markets targeted. Matrix Connect eliminates that investment by providing a production-ready, pre-certified platform that your engineering team can integrate in weeks, not years.
Reduce time to market
Every month spent building cloud infrastructure is a month your device is not generating revenue. Matrix Connect gives you a fully operational connectivity layer on day one, with pre-built device APIs, data ingestion pipelines, and a secure patient data model. Teams that previously spent 12 to 18 months on connectivity infrastructure have reduced that phase to 4 to 12 weeks with Matrix Connect.
Reduce setup costs
A from-scratch build requires hiring cloud architects, security engineers, compliance specialists, and DevOps talent simultaneously. With Matrix Connect, those costs collapse to a predictable subscription. There is no need to staff a dedicated team to manage infrastructure, obtain your own HIPAA Business Associate Agreements, pursue HITRUST certification, or maintain IEC 62304 documentation independently.
Reduce run-rate costs
The ongoing cost of maintaining a homegrown platform grows every year: security patches, regulatory updates, cloud infrastructure management, and compliance audits. Matrix Connect shoulders all of those responsibilities. When the FDA issues new cybersecurity guidance or the EU updates MDR requirements, your platform stays compliant automatically, without additional engineering sprints.
What is included out of the box
HIPAA-compliant data storage and transmission
HITRUST r2 CSF certification
IEC 62304 and ISO 13485 documentation support
GDPR and CCPA compliance features
Near real-time device data ingestion and notifications
OTA firmware update management
REST and MQTT APIs for device integration
Support for BLE, Wi-Fi, cellular, and wired device connectivity
Thank you
A member of our team will be in contact within 48 hours.