Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

FAQ: What is IEC 62304?

  • Published: April 27, 2026
  • Category: Medical Devices

Share this post

Avatar photo
Lily Stevens

Share this post

IEC 62304

Key facts about IEC 62304

IEC 62304 is an international standard (a document drafted by a group of international experts) to describe best practice in the development and verification of medical device software – that is stand-alone Software as a Medical Device (SaMD) and software developed to be incorporated into Medical Devices (SiMD).

Who is IEC 62304 relevant for?

Need help complying with IEC 62304?

Schedule a Consultation

Who is IEC 62304 relevant for?

IEC 62304 is relevant for any company developing or testing medical device software (Software as a Medical Device or Software in a Medical Device). It is recognised or required by most international regulators, including the European Union, UK MHRA, US FDA, Health Canada, Japan PMDA, Australia TGA and Brazil ANVISA.

This is true regardless of the risk class of your medical device – it’s recommended and generally expected for even Class I medical devices.

A future version of IEC 62304 may be applicable to all healthtech software (not just medical devices), but this version has not yet been released.

What are the key principles of IEC 62304?

IEC 62304 provides detailed guidance on how to develop software, both for the initial development and future iterations. It includes requirements around requirements analysis, testing and release as well as for problem solving, risk management, configuration management and change management. It considers the whole lifecycle of the software and it takes a risk-based approach – the more risky your software, the more detailed processes and evidence needs to be.

Can you be certified to IEC 62304?

No – unlike standards such as ISO 13485, ISO 9001 and ISO 27001, you cannot be certified to IEC 62304; however, if you are developing medical device software and receive an inspection or a certification audit for ISO 13485, they will expect to see you following IEC 62304.

How does IEC 62304 relate to other standards?

IEC 62304 makes specific reference to the requirement to have a Quality Management System (referencing ISO 13485) and a Risk Management System (referencing ISO 14971).

IEC 82304 is also intended to work alongside IEC 62304 to address software requirements other than development and verification testing – such as establishing product requirements, software validation, labelling and documentation.

IEC 60601 for medical electrical equipment and IEC 61010 for laboratory equipment are also particularly relevant when making Software to be incorporated into a physical medical device.

What are BS EN 62304 and EN 62304?

When IEC standards are adopted by standards agencies in specific territories, the “IEC” is replaced by a different letter denoting the standards agency (BS for British Standard and EN for European Norm).

The contents of these documents are the same, but with some guidance related to the application of this standard to the regulations in that country (e.g. EN 62304 provides guidance on how IEC 62304 applies to the EU Medical Device Regulations).

Note: This mechanism has changed slightly, so a new version of IEC 62304 for the UK market would be BS EN IEC 62304 in future.

Is IEC 62304 changing?

IEC 62304 has been in an update and review process for quite a few years – we wrote a whole blog on the latest draft version, but the main proposed changes are:

  • Expanding the scope to all health software
  • Reduce from three safety classes to two rigor levels
  • Specific section with guidance on AI development

The new version of IEC 62304 is not slated for publication until mid-2027.

What is SOUP?

SOUP is an acronym for Software of Unknown Provenance. In IEC 62304, SOUP is the term used to define both:
  • a software item that has been developed by someone else, is available “off-the-shelf”, and is incorporated into medical device software. Think about libraries and third-party tools you might use in your software
  • a software item that was developed without keeping IEC 62304-compliant documentation.
SOUP has to be controlled in a different way to software you’ve created yourself with the appropriate records, so there are different mechanisms in place in IEC 62304 to address this.

What are the Safety Classes (Class A, Class B, Class C)?

IEC 62304 requires a specific type of risk analysis to be performed on the software – similar to that found in ISO 14971, but not exactly the same – to determine how much risk the software (or each portion of the software) presents to the patient/user. There’s a flow-chart in section 4.3 that shows whether your software would be Class A (lowest risk), Class B (medium risk) or Class C (highest risk).

Each requirement in IEC 62304 is marked with ABC, BC or C depending on whether that requirement applies to all software (ABC), just Class B and Class C (BC) or just Class C.

Are the Safety Classes mappable to the Regulatory Risk Classification?

While both the Safety Class and the Risk Class from relevant Medical Device Regulations are both attempting to present more stringent requirements to riskier medical devices, they don’t directly map to each other.

Software in a Medical Device (SiMD) may present significantly lower risk to the patient than the Medical Device itself, so you could in theory have Safety Class A software inside a Class III Medical Device.

Some people claim that Software as a Medical Device must be at least Safety Class B if it is a Class IIa Medical Device and Safety Class C if it is a Class IIb or III Medical Device, but the Regulatory rules and the IEC 62304 rules for classification do not align this cleanly – you should follow the process in section 4.3 of IEC 62304 to determine your Safety Class.

What is a Traceability Matrix?

A Traceability Matrix is a way of tracing requirements, risk controls and test requirements/results for a specific piece of software. Note that the term “Traceability Matrix” does not appear in the standard – the standard requires that you maintain traceability of these items, not that they appear in a particular format.

How do I handle Legacy Software?

Legacy software addresses software developed prior to the current version of the standard – this standard is nearly 20 years old now, so this has become quite a rare event.

Regardless, a risk assessment must be made about any missing evidence from the development of the software, a decision made about remediation and a justification given for any remediation work not carried out. This is addressed in section 4.4.

How does IEC 62304 handle AI Software?

IEC 62304 is over 20 years old – it doesn’t specifically address Artificial Intelligence in the standard, which is a key weakness and one of the main reasons that an update is important.

The draft version 2 of IEC 62304 does contain some useful guidance on AI; although it is not approved and published, it can still be a useful reference point for adapting IEC 62304 to software containing AI functions.

What about Agile Development?

While IEC 62304 is presented in a “Waterfall”-looking way, it does not specify the order of steps or project management approach that must be followed – it is absolutely adaptable to work in an Agile environment.

One of the key conflict points between Agile and IEC 62304 and Medical Device Regulations in general is that for Medical Device Software, the documentation (external facing and internal record keeping) must be kept up-to-date – the Agile Manifesto would need to be “Working Software with Comprehensive Documentation”.

Need help building controls to satisfy IEC 62304?

Whether you’re a startup building your first Medical Device or a global Enterprise building your first software based based, we’re here to help.

Schedule a Regulatory Consultation.

Other Articles​

Loading...
IEC 62304 vs EU MDR classification

Implementing IEC 62304: 5 Common Mistakes

Read More →

July 3, 2026
FAQ: What is a Technical File?

FAQ: What is a Technical File?

Read More →

May 9, 2026
qmsr

Expert Insights: What does QMSR mean for developers of SaMD?

Read More →

January 25, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept