Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Implementing IEC 62304: 5 Common Mistakes

  • Published: July 3, 2026
  • Category: Medical Devices

Share this post

Avatar photo
Dan York

Share this post

IEC 62304 is the international standard which describes best practice in the development and verification of medical device software – that is, stand-alone Software as a Medical Device (SaMD) and software developed to be incorporated into Medical Devices (SiMD). Compliance to IEC 62304 is not determined through certification against the standard itself, but is effectively mandatory for medical devices in the EU, UK and USA. 

Meeting the requirements of IEC 62304 is a structured and clear way to demonstrate that your medical device software is effectively planned and tested, and many of your technical file documents should reflect compliance with the standard. 

When implementing documentation and processes which meet the needs of IEC 62304 it can be easy to overlook some key details within the standard and end up with gaps in your system, which can open you up to compliance issues and safety risks. 

We’ve outlined some of the common areas that organisations miss or don’t fully implement below:

IEC 62304
Medical Device Regulation medical device consulting services

What do you need to do?

1. Understanding device safety classification

Application of IEC 62304 requirements is underpinned by a risk-based approach, which requires that you determine the safety classification of your software (or part of software) and apply at least the relevant level of control. 

There is a flowchart in Section 4 of the standard which outlines the key decision-making process needed to determine this classification (Class A, B or C) based on the risks associated with the failure of the software, but this does not tie perfectly with regulatory software classifications (e.g. I, IIa, IIb, III) in the EU MDR. Because the two methods of classification do not tie directly to one another, it’s important to consider both as inputs to your software design plans and requirements.

To help prevent falling into this potential gap, make sure that you do both a regulatory review of your product, based on its functionality and purpose, and assign a software safety classification based on the impact of software failure. It can be helpful to have an understanding of risk management concepts found in ISO 14971 and related standards to make this assessment most effective. 

Need help defining your Regulatory Strategy?

Book a Consultation

2. SOUP

Software of Unknown Provenance or SOUP is defined in the standard as software items that are either generally available but not developed with the intent of incorporation into a medical device, or software items which do not have adequate records relating to their development. It’s common to implement SOUP into many SaMD products; this includes code libraries from reputable sources, plugins or other tools that you incorporate into your product whole cloth. SOUP may also include software units that have been written by AI coding agents with minimal oversight.  While it’s absolutely acceptable to use SOUP and build your product using chunks of code not made by your organisation, it’s also mandatory to control and document their use carefully. 

When drawing up your software documentation, it’s best practice to maintain a SOUP list, which contains a record of all your relevant SOUP units. This list should contain information about the external software, what its purpose is, how it’s used within the product and an assessment of risk related to using it. Along with the risk assessment should be information about any relevant risk mitigations for the item. Commonly, this may include only using the most recent versions and checking for vulnerabilities periodically.

3. Types of Verification

IEC 62304 clearly defines two levels of software complexity, which must both be scoped out with requirements and tested (verified) separately. These are Software Units and Software Systems. 

A software unit is a chunk of software or code which cannot usefully be divided further, whereas a Software System is a collection of multiple units integrated into a single entity which meet one or more overall software requirements. Verification tests should be run at both levels, and to test the integration of units into system blocks.  

Under the standard, it is mandatory to plan, document and perform verification on all levels of the software infrastructure. Commonly referred to as “System Testing”, “Unit Testing” and “Integration Testing”, the verification may take different forms depending on the case. While the exact nature of verification is up to you, it may be helpful to consider the following when planning:

Unit verification

Consider whether the code implements relevant risk control measures and think about documenting a code review process to make sure that the code itself meets your organisation’s standards.

System and Integration Testing

This might include manual or automated tests using one or more of the user-facing systems to ensure that functionality is as expected. These tests can be combined if its deemed appropriate to do so.

4. Development Planning

While all organisations will likely be doing some level of development planning to understand resource requirements and potential hurdles during a development project, IEC 62304 is clear that there must be documented evidence of this. A development plan should be written which outlines the goals and procedures for the development with the aim to reduce risks related to software.

Where organisations may slip up is that development planning should be an iterative process and the development plan should be revisited routinely during the development process. As the project progresses, it is common for the scope of the work to change, or for requirements to become more clearly defined which may ultimately adjust goals or procedure. On-going risk management activities may also update the safety classification of your device and the development plan should be updated to account for any new controls which should be in place. Initial creation and subsequent reviews of a software development plan at well-defined milestones during development will help prevent your final documentation not reflecting your objectives and make sure you’re applying the correct level of control.

 Need help educating your Development Team?

Get in Touch

5. Traceability

There should be a clear and understandable through-line which links your software requirements, regardless of their source, ultimately to your verification and validation activities before product release. This means you can trace hazards and risks to mitigations for those risks, and it means you can trace the origin of any given requirement through to how it was implemented and tested in the final product. While many organisations do a good job of analysing requirements or at effectively reviewing risks and proposing proportional mitigations, the interface between these processes and systems isn’t always clear.

Traceability can be done in many different ways. For small-scale projects or sets of activities, even a simple spreadsheet will aid compliance. Often this is called a “Traceability Matrix” which is essentially a large table or sheet that shows the relationship between each step of the process i.e. which hazards link to which requirements, which requirements link to which verification record and which records link to which product release version. This should be reviewed and kept up-to-date as the development progresses to make sure everything has been covered. For more complex software systems, it might be helpful to implement automations such as with a requirements tracking system, or a ticketing system which generates unique IDs for every activity. Regardless of approach, traceability should be at the core of your processes.

What should I do now?

With this in mind, it’s always good to review your software development lifecycle and documented procedures to make sure you don’t fall into any of the common gaps that auditors see. Having a well-maintained management system to underpin your software development is the best way to keep ahead of changing requirements and inputs from your customers, regulators and other stakeholders.

Looking for a Regulatory Partner?

Work with us to help register your Medical Device. shape your Technical Documentation and ensure compliance with IEC 62304 – without drowning you in complex or technical jargon.

Book a Consultation

Other Articles​

Loading...
FAQ: What is a Technical File?

FAQ: What is a Technical File?

Read More →

May 9, 2026
What is IEC 62304

FAQ: What is IEC 62304?

Read More →

April 27, 2026
qmsr

Expert Insights: What does QMSR mean for developers of SaMD?

Read More →

January 25, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept