Regulation Overview
IEC 62304 is the international standard defining software lifecycle processes for medical device software and the foundation of global medical device software compliance. For supply chain and compliance teams, the primary obligation is ensuring that every software component—including Software of Unknown Provenance (SOUP) such as third-party libraries, open-source modules, and commercial off-the-shelf components—is documented, risk-assessed, and traceable across the entire development and maintenance lifecycle.
The current edition (IEC 62304:2006+AMD1:2015) classifies software into three safety classes—A, B, and C—based on potential patient harm from software failure. Edition 2, expected August 2026, consolidates these into two rigor levels, expands scope to all health software including SaMD and AI/ML applications, and integrates cybersecurity as a core design control. Compliance requires supplier-level evidence—SOUP identification, version tracking, CVE assessments, and functional requirements—from every component provider. When new software versions ship or SOUP components update, your entire documentation set requires reassessment.

Medical device manufacturers developing software (embedded or standalone)
SaMD developers placing software on regulated markets
Suppliers of software components integrated into medical devices
Contract software development organizations (CSDOs) working on behalf of device manufacturers
Companies assembling multi-component medical systems with third-party software
AI/ML developers building diagnostic or therapeutic algorithms for clinical use
Key Thresholds
Every modern medical device uses dozens of third-party software components—operating systems, libraries, frameworks, encryption modules. IEC 62304 requires documented requirements, risk assessments, and anomaly reviews for each. Your team tracks 80 SOUP items in spreadsheets. A critical library updates. Three months later, an auditor finds the SOUP list still references the old version. The gap cascades into your risk file.
A Notified Body questions your Class A classification during audit. The software implements a risk control measure—that should be Class C. Every downstream document—development plan, verification strategy, test reports—was scoped to Class A rigor. Reclassification means rebuilding months of documentation against higher-rigor requirements under audit pressure.
FDA reviewers request requirement-to-test traceability for a 510(k) submission. Your requirements live in a Word document. Test results sit in a separate QA system. SOUP records are in a spreadsheet. Architecture diagrams are in a design tool. No single thread connects a patient safety requirement through architecture, implementation, and verification. Manual reconstruction takes weeks and still produces gaps.
Your device integrates software from four component suppliers—each with their own development practices, documentation formats, and release cadences. IEC 62304 requires you to demonstrate lifecycle control for every supplier component. One supplier delivers a PDF. Another sends an Excel matrix. A third provides nothing. Consolidating multi-tier supply chain transparency for a single technical file becomes a full-time project.
Certivo in Action — IEC 62304 Workflow
From Manual Compilation to Exception Management
CORA extracts SOUP data and generates traceability matrices automatically. Your team focuses on risk decisions that need engineering judgment—not manual evidence assembly across spreadsheets and email chains.
Technical File Assembly Acceleration
Generate complete, validated IEC 62304 documentation packages in hours—not the 4–6 weeks of manual compilation across siloed systems.
Proactive Compliance Monitoring
When Edition 2 publishes, new CVEs surface, or supplier components update, Certivo reassesses your portfolio instantly. Know which products require documentation updates before auditors ask.
Frequently Asked Questions
What products and companies are subject to IEC 62304 obligations?
Any company developing or maintaining software that is a medical device (SaMD) or part of a medical device must comply. This includes device manufacturers, contract software developers, and suppliers of software components integrated into regulated devices. The standard applies globally—it is harmonized under EU MDR, recognized by the FDA as a consensus standard, and referenced by regulators in Japan, Canada, Australia, and emerging markets. CORA helps teams manage IEC 62304 evidence collection regardless of which regulatory pathway the device follows.
What are the consequences of IEC 62304 non-compliance?
Non-compliance with IEC 62304 can result in rejection of FDA 510(k) or PMA submissions, CE marking refusal by Notified Bodies under EU MDR, and field action requirements for marketed devices. Software-related issues contribute to 12–33% of medical device recalls. In the EU, failure to demonstrate conformity with harmonized software lifecycle standards can result in fines and market withdrawal under national enforcement laws. Certivo's continuous compliance monitoring ensures documentation stays current between audits.
How does Certivo track changes to IEC 62304 and related regulatory requirements?
Certivo maintains continuous regulatory intelligence and horizon scanning aligned with IEC publications, FDA guidance updates, and EU MDR harmonized standard revisions. When Edition 2 publishes—introducing rigor levels, AI/ML requirements, and expanded health software scope—CORA reassesses your portfolio and maps existing safety classifications to the new framework, triggering updated documentation workflows automatically.
What documentation formats does Certivo accept from software suppliers?
Certivo accepts any format: PDF declarations, Excel spreadsheets, SBOM exports, XML files, structured quality documentation packages, and freeform responses. CORA's AI document parsing extracts component data regardless of format or language, eliminating the need to standardize supplier inputs across your multi-tier supply chain. This format-agnostic approach is critical for IEC 62304 compliance because SOUP suppliers rarely deliver evidence in a single standardized template.
Does Certivo support both IEC 62304 and related medical device standards simultaneously?
Yes. Certivo validates supplier evidence against IEC 62304, EU MDR GSPR requirements, FDA 21 CFR Part 820 design controls, ISO 14971 risk management, and IEC 81001-5-1 cybersecurity requirements simultaneously. The same supplier submission feeds validation across all applicable frameworks through a centralized compliance data backbone—eliminating duplicate collection campaigns and ensuring consistency across regulatory filings for multiple markets.





