IEC 62304 medical device software support
SafeCode Consulting provides IEC 62304 software lifecycle support for medical device programs — from initial software classification and lifecycle planning through Class C development, verification, and the software documentation package that FDA submissions require. SafeCode's consulting staff have delivered regulated medical device software and bring direct production program experience in FDA-regulated environments to every engagement.
What IEC 62304 compliance actually requires
IEC 62304 defines the software lifecycle processes required for medical device software — not just what to build, but how to plan, develop, verify, maintain, and document it in a way that satisfies regulatory scrutiny. The standard is organized around software safety classes (A, B, and C), with Class C imposing the most rigorous requirements. In a US context, IEC 62304 does not operate in isolation — it sits inside a quality system governed by 21 CFR Part 820 and, as of February 2026, the updated Quality Management System Regulation (QMSR), which aligns FDA requirements with ISO 13485.
The most common failure points are software classification decisions that do not survive regulatory scrutiny, SOUP inventories that are incomplete or unverified, requirements that cannot support the verification evidence claimed, software risk management disconnected from the ISO 14971 device-level analysis, and design control records that satisfy 21 CFR 820 on paper but do not reflect actual development practices. SafeCode addresses each of these at the engineering level.
IEC 62304 support areas
- Software classification — Establishing and defending software safety class assignments based on the device hazard analysis and intended use, consistent with ISO 14971 risk management outputs.
- Lifecycle planning — Software Development Plan and supporting plans aligned to the program's actual development practices, 21 CFR 820 design control requirements, and QMSR expectations.
- Requirements engineering — Software requirements specification with traceability to system requirements, risk controls, and verification evidence. See Requirements engineering services.
- SOUP management — SOUP inventory, anomaly evaluation, and verification evidence for third-party software components under both IEC 62304 and 21 CFR 820 design controls.
- Verification — Verification planning, test case development, and evidence documentation appropriate to the software safety class. See Verification and assurance services.
- Software risk management — Integration of software risk controls with the device-level risk management process under ISO 14971 and design controls under 21 CFR 820.
- CGMP alignment — Where software controls or is embedded in manufacturing equipment or processes subject to Current Good Manufacturing Practice, SafeCode supports alignment of software lifecycle practices with CGMP requirements.
- FDA submission support — Software documentation packages for FDA 510(k), PMA, and De Novo submissions — including Software Description Document, level of concern determination, and lifecycle documentation summary.
- Program recovery — Correcting classification, traceability, verification, and design control documentation gaps on programs already underway.
Software safety classes supported
- Class A — Software whose failure cannot contribute to a hazardous situation
- Class B — Software that could contribute to a hazardous situation that could not result in serious injury
- Class C — Software that could contribute to a hazardous situation resulting in death or serious injury
Regulatory and standards context
- IEC 62304:2006/AMD1:2015 — Medical device software lifecycle processes
- 21 CFR Part 820 — FDA Quality System Regulation, design controls
- FDA QMSR (2024) — Updated quality management system regulation aligning 21 CFR 820 with ISO 13485, effective February 2026
- 21 CFR Parts 210/211 — Current Good Manufacturing Practice (CGMP)
- ISO 14971 — Medical device risk management
- ISO 13485 — Medical device quality management systems
- IEC 61508 — Functional safety, referenced by IEC 62304 for techniques applicable to Class C software
- FDA Section 524B (FDORA 2022) — Statutory cybersecurity requirements for cyber devices with connectivity capabilities
- FDA Cybersecurity Guidance (2025/2026) — Secure Product Development Framework, SBOM requirements, and premarket submission documentation for cyber devices
- ANSI/AAMI SW96 — Software security risk management standard recognized by FDA
Common questions
How does IEC 62304 relate to 21 CFR 820 design controls and the 2024 QMSR?
IEC 62304 specifies what the software lifecycle processes must include. 21 CFR 820 design controls specify how development activities — including software — must be planned, executed, reviewed, and documented within a quality system. The 2024 QMSR aligns these FDA requirements more closely with ISO 13485, reducing but not eliminating the differences between US and international quality system expectations. In practice, a US medical device software program needs to satisfy both: IEC 62304 for the software lifecycle content and 21 CFR 820 / QMSR for the quality system framework that governs it.
What does CGMP require of software in a medical device context?
CGMP (21 CFR Parts 210 and 211) applies primarily to pharmaceutical manufacturing, but its principles extend to software that controls or is embedded in manufacturing equipment used in device production. Where software governs a process that must be validated under CGMP, the software development and change control practices must support process validation evidence. SafeCode supports alignment of software lifecycle practices with CGMP requirements where manufacturing process software is involved.
What does FDA expect in a software documentation package for a 510(k)?
FDA expects a software documentation package that demonstrates the software development lifecycle was followed at a level of rigor appropriate to the software's level of concern — minor, moderate, or major. For moderate and major concern software, this includes a Software Description Document covering the device hazard analysis, software safety class, architecture, SOUP items, verification approach, and unresolved anomalies. SafeCode supports the preparation of this documentation package to the standard that FDA reviewers apply.
How does IEC 62304 relate to IEC 61508 for high-risk medical device software?
IEC 62304 explicitly references IEC 61508 as a source of techniques and measures appropriate for Class C software — the highest-risk medical device software category. For device programs where the software implements or contributes to a safety function, particularly in active implantable devices or devices that directly control a therapeutic intervention, the IEC 61508 techniques for software architecture, verification method selection, and systematic failure avoidance may be required or strongly recommended. SafeCode consultants have experience with both standards and the interface between them.
What is SOUP and why does it matter under FDA design controls?
SOUP — software of unknown provenance — refers to software components incorporated into a medical device that were not developed under IEC 62304 lifecycle processes: open source libraries, commercial off-the-shelf components, legacy code. Under both IEC 62304 and 21 CFR 820 design controls, SOUP items must be identified, their known anomalies evaluated for device safety impact, and verification evidence established appropriate to the software safety class. Incomplete SOUP management is one of the most common gaps found during FDA review.
What are the new FDA cybersecurity requirements for medical device software?
Section 524B of the FD&C Act, enacted in December 2022 as part of FDORA, established statutory cybersecurity requirements for "cyber devices" — any device containing software with connectivity capabilities such as Wi-Fi or Bluetooth. FDA's 2025/2026 cybersecurity guidance puts these requirements into full effect, requiring a Software Bill of Materials (SBOM) with traceability to known vulnerabilities, a Secure Product Development Framework (SPDF) aligned with ANSI/AAMI SW96, cybersecurity labeling disclosures, and postmarket vulnerability monitoring and patching obligations. Cybersecurity is now part of FDA's design control requirements — not a separate track — and failure to comply is a prohibited act under the FD&C Act with potential False Claims Act enforcement exposure for programs that receive federal reimbursement.
Can SafeCode join a medical device program that is already in development?
Yes. SafeCode can join in-progress programs to assess the current state of IEC 62304 compliance and design control documentation, identify gaps before they surface in FDA review, and provide targeted support to close them. The safety-critical software gap scan is a practical starting point for programs that want a fast, structured assessment.
Contact SafeCode Consulting to discuss your IEC 62304 program.