Webinar: From Paper to eIFU: Preparing for the Next Global Step in Medical Device Compliance
IEC 62304 Compliance for Medical Device Software: A Practical Guide
IEC 62304 is the international standard for medical device software lifecycle processes. If your medical device contains software, or if your device connects to a cloud platform that performs a clinical function, IEC 62304 almost certainly applies. The standard is referenced by the FDA, cited in EU MDR technical documentation requirements, and recognized by regulatory authorities in Canada, Japan, Australia, and most other major markets.
This guide explains what IEC 62304 requires, how safety class affects the scope of compliance activities, and what manufacturers need to document to satisfy auditors and regulators.
What Is IEC 62304?
IEC 62304, titled Medical device software — Software life cycle processes, defines requirements for the development, maintenance, risk management, and problem resolution of medical device software. The standard applies to:
Software embedded in physical medical devices (firmware)
Software that operates as a standalone medical device (SaMD)
Cloud-based software that performs a medical function connected to a medical device
Importantly, the standard applies to commercial off-the-shelf (COTS) software used in medical devices, including third-party cloud platforms that process medical device data. Manufacturers using a third-party connectivity platform must ensure that the platform's development processes are compatible with IEC 62304 requirements.
Software Safety Classes
IEC 62304 defines three safety classes based on the severity of harm that could result from a software failure:
Class A — No injury or damage to health
Software in Class A has no pathway to cause patient harm, either because it does not perform a clinical function or because other controls make patient harm impossible. The compliance burden for Class A software is minimal, primarily requiring basic version control and documentation.
Class B — Non-serious injury
Software in Class B could cause non-serious injury if it fails. It requires a software development lifecycle with defined requirements, architecture, detailed design, unit testing, integration testing, and system testing. Risk management activities must be linked to the software design.
Class C — Serious injury or death
Class C applies to software where a failure could result in serious injury or death. It carries the full compliance burden of IEC 62304, including rigorous requirements traceability, detailed design documentation down to the unit level, comprehensive testing including code coverage analysis, and formal software problem resolution processes.
For most connected medical devices, the device firmware and any clinical alert logic in the cloud platform will be classified as Class B or Class C. Administrative or configuration software may qualify for Class A.
Key IEC 62304 Requirements
Software development planning (5.1)
Manufacturers must document a software development plan that defines the processes, deliverables, tools, standards, and responsibilities for the software lifecycle. The plan must specify how the software development activities will satisfy the requirements of IEC 62304 and align with the device's risk management process under ISO 14971.
Software requirements (5.2)
All software requirements must be documented and traceable to the higher-level system requirements and the intended use of the device. Requirements must address functional, performance, interface, and security needs, and they must be verifiable — that is, it must be possible to determine through testing or analysis whether each requirement has been met.
Software architecture design (5.3)
The software architecture must be documented at a level of detail sufficient to identify all software items and their interfaces. The architecture document must identify which software items are safety-critical and demonstrate that the architecture supports the required safety class performance.
Software unit testing (5.6)
For Class B and C software, unit testing must verify that each software unit performs as specified. For Class C, additional requirements apply including code coverage thresholds and formal acceptance criteria for each test.
Software problem resolution (9)
IEC 62304 requires a formal process for receiving, evaluating, and resolving software problems discovered after release. This process is closely linked to post-market surveillance under ISO 13485 and must include criteria for determining whether a problem constitutes a field safety corrective action (FSCA) requiring regulatory notification.
IEC 62304 and Cloud-Connected Medical Devices
When a medical device connects to a cloud platform, the scope of IEC 62304 extends to cover the cloud software components that perform medical functions. This has several practical implications:
The cloud platform must be developed to an appropriate safety class
The cloud platform's software lifecycle documentation must be auditable
Any change to the cloud platform that affects clinical functionality requires a formal change management process under IEC 62304 section 6
The cloud platform's problem resolution process must integrate with the device manufacturer's post-market surveillance
Manufacturers using a third-party connectivity platform should request an IEC 62304 compliance documentation package from the vendor. This package should include evidence of the safety class classification, the development process followed, testing records, and the change management process.
Frequently Asked Questions
Does IEC 62304 apply to mobile apps?
Yes. If the mobile application performs a medical function, it is subject to IEC 62304 requirements. A patient-facing app that simply displays device data without providing clinical recommendations may qualify for Class A, while an app that provides dosing guidance or interprets diagnostic results will likely require Class B or C.
Is IEC 62304 certification available?
IEC 62304 is a process standard, not a product standard. There is no certification for a specific software product. However, audit evidence demonstrating conformance with the standard's processes is required for regulatory submissions and Notified Body assessments.
Related Resources
Explore related topics to deepen your understanding of medical device connectivity and compliance:
HIPAA-Compliant Medical Device Cloud
Medical Device Cybersecurity: A Complete Guide
Build vs. Buy: Medical Device Cloud Connectivity
Remote Patient Monitoring Platform
Why medical device manufacturers choose Matrix Connect
Building cloud connectivity from scratch for a medical device is a multi-year, multi-million dollar undertaking. Industry research shows that the total cost of building and maintaining a compliant medical device connectivity platform ranges from $250,000 to over $2,000,000, depending on the complexity of the device and the regulatory markets targeted. Matrix Connect eliminates that investment by providing a production-ready, pre-certified platform that your engineering team can integrate in weeks, not years.
Reduce time to market
Every month spent building cloud infrastructure is a month your device is not generating revenue. Matrix Connect gives you a fully operational connectivity layer on day one, with pre-built device APIs, data ingestion pipelines, and a secure patient data model. Teams that previously spent 12 to 18 months on connectivity infrastructure have reduced that phase to 4 to 12 weeks with Matrix Connect.
Reduce setup costs
A from-scratch build requires hiring cloud architects, security engineers, compliance specialists, and DevOps talent simultaneously. With Matrix Connect, those costs collapse to a predictable subscription. There is no need to staff a dedicated team to manage infrastructure, obtain your own HIPAA Business Associate Agreements, pursue HITRUST certification, or maintain IEC 62304 documentation independently.
Reduce run-rate costs
The ongoing cost of maintaining a homegrown platform grows every year: security patches, regulatory updates, cloud infrastructure management, and compliance audits. Matrix Connect shoulders all of those responsibilities. When the FDA issues new cybersecurity guidance or the EU updates MDR requirements, your platform stays compliant automatically, without additional engineering sprints.
What is included out of the box
HIPAA-compliant data storage and transmission
HITRUST r2 CSF certification
IEC 62304 and ISO 13485 documentation support
GDPR and CCPA compliance features
Near real-time device data ingestion and notifications
OTA firmware update management
REST and MQTT APIs for device integration
Support for BLE, Wi-Fi, cellular, and wired device connectivity
United States
United Kingdom
France
AustraliaGermany
Spain
Afghanistan
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belgium
Belize
Benin
Bermuda
Bhutan
Bolivia
Bosnia and Herzegovina
Botswana
Brazil
British Indian Ocean Territory
British Virgin Islands
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Canada
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Congo
The Democratic Republic of the Congo
Cook Islands
Costa Rica
Cote d'Ivoire
Croatia
Cuba
Cyprus
Czech Republic
Denmark
Djibouti
Dominica
Dominican Republic
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands
Faroe Islands
Fiji
Finland
French Guiana
French Polynesia
Gabon
Gambia
Georgia
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Honduras
Hong Kong
Hungary
Iceland
India
Indonesia
Iran
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Japan
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Kuwait
Kyrgyzstan
Lao People’s Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Libya
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia
Moldova
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
North Korea
Northern Mariana Islands
Norway
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russia
Rwanda
Saint Barthelemy
Saint Helena
Saint Kitts and Nevis
Saint Lucia
Saint Martin
Saint Pierre and Miquelon
Saint Vincent and the Grenadines
Samoa
San Marino
Sao Tome and Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Singapore
Slovakia
Slovenia
Solomon Islands
Somalia
South Africa
South Korea
Sri Lanka
Sudan
Suriname
Svalbard and Jan Mayen
Swaziland
Sweden
Switzerland
Syria
Taiwan
Tajikistan
Tanzania
Thailand
Timor-Leste
Togo
Tokelau
Tonga
Trinidad and Tobago
Tunisia
Turkey
Turkmenistan
Turks and Caicos Islands
Tuvalu
U.S. irgin Islands
Uganda
Ukraine
United Arab Emirates
Uruguay
Uzbekistan
Vanuatu
Holy See (Vatican City State)
Venezuela
Vietnam
Wallis and Futuna
Yemen
Zambia
ZimbabweThank you
A member of our team will be in contact within 48 hours.