HITN055 Proposal to add revision of IEC 62304, Health software – Software life cycle processes, to the work program of ISO/TC 215 and IEC/SC 62A with expanded scope

THIS PROJECT AND THE DRAFT WILL BE BRIEFLY REVIEWED DURING THE 27-29 JUNE 2016 MEETINGS OF THE AAMI HEALTH IT COMMITTEE. THE COMMITTEE IS ALSO BEING ASKED VIA BALLOT WHETHER THE U.S. SHOULD SUPPORT THIS REVISION AND FOR COMMENTS ON THE ATTACHED DRAFT.

Votes and comments should be submitted through AAMI Committee Central and are due by 29 July 2016. Comments may be submitted via the comment form to [email protected].

THIS DRAFT IS CONFIDENTIAL AND IS NOT FOR DISTRIBUTION OUTSIDE THE COMMITTEE—DO NOT SHARE THIS DRAFT WITH OTHERS.

Background to the proposed revision (pages 3‐4)
First working draft of IEC 62304, (pages 5‐94)

Association for the Advancement of Medical Instrumentation
4301 N. Fairfax Dr., Suite 301
Arlington, VA 22203‐1633
www.aami.org

© 2016 by the Association for the Advancement of Medical Instrumentation
All Rights Reserved

Publication, reproduction, photocopying, storage, or transmission, electronically or otherwise, of all or any part of this document without the prior written permission of the Association for the Advancement of Medical Instrumentation is strictly prohibited by law. It is illegal under federal law (17 U.S.C. § 101, et seq.) to make copies of all or any part of this document (whether internally or externally) without the prior written permission of the Association for the Advancement of Medical Instrumentation. Violators risk legal action, including civil and criminal penalties, and damages of $100,000 per offense. For permission regarding the use of all or any part of this document, complete the reprint request form at www.aami.org or contact AAMI at 4301 N. Fairfax Drive, Suite 301, Arlington, VA 22203‐1633. Phone: +1‐703‐525‐4890; Fax: +1‐703‐525‐1067.
Printed in the United States of America

Background on the 2nd Edition of IEC 62304 (Health software – Software life cycle processes)

U.S. National Background

AAMI administers the Secretariat of IEC/SC 62A, the lead committee for this revision, in collaboration with ISO/TC 215. AAMI also serves as the secretary of ISO/TC 215‐IEC/SC 62A Joint Working Group 7 (JWG7), which will develop the draft revision. U.S. experts on JWG7 participated in the preparation of the attached working draft and recommend that the U.S. vote to approve this new work to the work programme of JWG7. The scope of this new revision is expanded from medical device software to health software.

The AAMI Health IT Committee is being asked to make a recommendation as to whether the U.S. should approve this new work and to provide comments on the attached first working draft. The response to this ballot and comments received will be considered for submission with the U.S. positions on the ballot. The comments will be considered for submission as well.

AAMI, under the auspices of ANSI, adopted the first version of IEC 62304, IEC 62304:2006, Medical device software ‐‐ Software life cycle processes, as an American National Standard (ANSI/AAMI/IEC 62304:2006) and anticipates adopting the results of this new work as a revision of that American National Standard.

International Background

In July 2010, IEC/SC 62A in consultation with its partner on IEC 62304 Ed. 1.0, ISO/TC 210, decided to initiate work on a 2nd edition of IEC 62304:2006. Work on the project began at the meeting of IEC/SC 62A in Seattle in October of that year. The project was initially intended to deal with certain issues that have arisen with the safety classification scheme and the handling of legacy software in IEC 62304 Ed. 1.0. However, during the preparation of the 1st CD of IEC 62304 Ed.
2.0, joint work had been initiated with ISO/TC 215 on developing a product‐level standard for stand‐alone medical device software (project IEC 82304‐1). This work was ongoing in IEC/SC 62A‐ISO/TC 215 JWG 7, and the FDIS of IEC 82304‐1 was submitted to IEC Central Office for processing in April 2016.

The original intent in developing IEC 82304‐1 was to construct product level requirements for stand‐alone medical device software but to utilize the software development process in IEC 62304 much in the same way as is done in Clause 14 of IEC 60601‐1 for software incorporated into medical electrical equipment or systems.

As the development of IEC 82304‐1 proceeded, the stakeholders in that project proposed that the scope of IEC 82304‐1 be expanded to deal with "health software" since "medical device software" has regulatory connotations. As a result, IEC/SC 62A‐ISO/TC 210 JWG 3 was requested to consider enlarging the scope of IEC 62304 to align with IEC 82304‐1. JWG 3 placed a Box Note in the 1CD of IEC 62304 Ed. 2.0 requesting NC input on the scope expansion question. A majority of the NCs responding agreed in principle to the scope expansion as long as "medical device software" is fully included in "health software".

By the time SC 62A met in Shanghai, China in April 2013, it had become clear that expanding the scope of 62304 to health software was a complex task and there was some urgency in dealing with the original issues associated with the safety classification scheme and the handling of legacy software. As a result, SC 62A agreed to split the project into two phases (See 62A/877/RM, Resolution Shanghai 3). Phase 1 would be the preparation of Amendment 1 for IEC 62304:2006 relating to software safety classification and legacy software, etc. Phase 2 would expand the scope of Ed 2 of IEC 62304 from "Medical Device Software" to "Health software", with the understanding that "medical device software" is fully included in "health software".
Work on the two phases would proceed in parallel but was not linked from a timing perspective. JWG 3 completed work on Amendment 1 to IEC 62304:2006 and that amendment was published in June 2015.

Because of the synergy between IEC 82304‐1 and the work on the 2nd edition of IEC 62304, it was decided to transfer the work from IEC/SC 62A‐ISO/TC 210 JWG 3 to IEC/SC 62A‐ISO/TC 215 JWG 7 while maintaining a close and active liaison with ISO/TC 210, including inviting TC 210 to nominate experts to work on the project.

Work proceeded on both IEC 82304‐1 and the 2nd edition of IEC 62304 with a number of experts involved in both project teams. However, the transition of the ISO responsibility for IEC 62304 from ISO/TC 210 to ISO/TC 215 took longer than expected and the task of expanding the scope to encompass "health software" proved more challenging than anticipated. While work was progressing, in the fall of 2014 the project leader advised the 62A Secretariat that it was unlikely that the project would be able to reach the CDV stage before exceeding the five‐year project target in July 2015.

Consequently, the Chairman and Secretary of IEC/SC 62A, in consultation with the leadership of ISO/TC 215 and the project leader, respectfully requested that the IEC Standards Management Board (SMB) return this project to the Preliminary Work Item Stage (stage 0). The project would be reactivated once the project team completed preparation of the next Committee Draft. The request was granted and the project was removed from the active work program in October 2014.

The IEC/SC 62A Secretariat has received the next committee draft of IEC 62304 Ed. 2.0 from the project leader for circulation in IEC/SC 62A and ISO/TC 215 (62A/1101/CD and ISO/TC 215 N 2045). Therefore, following the agreement made at the time, this Review Report (RR) is being circulated to restart the project with the project plan detailed in the RR.
62A/1101/CD
ISO/TC 215 N 2045

COMMITTEE DRAFT (CD)

IEC/TC or SC: 62A
Project number: IEC 62304 Ed. 2.0
Title of TC/SC: Common aspects of electrical equipment used in medical practice
Date of circulation: 2016-06-10
Closing date for comments: 2016-09-02
Also of interest to the following committees: IEC/TC 62, IEC/SC 62B, IEC/SC 62C, IEC/SC 62D, IEC/TC 65, IEC/TC 66, IEC/TC 76, IEC/TC 108, ISO/TC 106/SC 6, ISO/TC 121, ISO/TC 121/SC 1, ISO/TC 121/SC 3, ISO/TC 150/SC 6, ISO/TC 210, ISO/TC 212, ISO/TC 215, ISO/TC 299, ISO/JTC 1/SC 7, CENELEC/TC 62
Supersedes document: 62A/1100/RR
Proposed horizontal standard
Other TC/SCs are requested to indicate their interest, if any, in this CD to the TC/SC secretary
Functions concerned: Safety EMC Environment Quality assurance
Secretary: Charles SIDEBOTTOM [email protected]

THIS DOCUMENT IS STILL UNDER STUDY AND SUBJECT TO CHANGE. IT SHOULD NOT BE USED FOR REFERENCE PURPOSES.

RECIPIENTS OF THIS DOCUMENT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.

Title: IEC 62304, Health software – Software life cycle processes

Introductory note

The starting point for this Committee Draft is the consolidated version of IEC 62304 consisting of the first edition (2006-05) [documents 62A/523/FDIS and 62A/528/RVD] and its amendment 1 (2015-06) [documents 62A/1007/FDIS and 62A/1014/RVD].

In a number of places, BOX NOTES have been placed in the text to draw National Committees to changes that the project team is still working to develop. National Committees are respectfully requested to provide comments to assist the project team develop the document. In addition to the line number, please indicate the BOX NOTE number in your comment.

CONTENTS

FOREWORD
INTRODUCTION
1 Scope
1.1 * Purpose
1.2 * Field of application
1.3 Relationship to other standards
1.4 Compliance
2 * Normative references
3 * Terms and definitions
4 * General requirements
4.1 * Legal and regulatory obligations
4.2 * Quality management system
4.3 * RISK MANAGEMENT
4.4 * Security risk management
4.5 * Usability engineering
4.6 * Software safety classification
4.7 * LEGACY SOFTWARE
5 Software development PROCESS
5.1 * Software development planning
5.2 * Software requirements analysis
5.3 * Software ARCHITECTURAL design
5.4 * Software detailed design
5.5 * SOFTWARE UNIT implementation
5.6 * Software integration and integration testing
5.7 * SOFTWARE SYSTEM testing
5.8 * Software RELEASE for utilization at a SYSTEM level
6 Software maintenance PROCESS
6.1 * Establish software maintenance plan
6.2 * Problem and modification analysis
6.3 * Modification implementation
7 * Software SAFETY RISK MANAGEMENT PROCESS
7.1 * Analysis of software contributing to HAZARDOUS SITUATIONS
7.2 RISK CONTROL measures
7.3 VERIFICATION of RISK CONTROL measures
7.4 RISK MANAGEMENT of software changes
8 * Software configuration management PROCESS
8.1 * Configuration identification
8.2 * Change control
8.3 * Configuration status accounting
9 * Software problem resolution PROCESS
9.1 Prepare PROBLEM REPORTS
9.2 Investigate the problem
9.3 Advise relevant parties
9.4 Use change control process
9.5 Maintain records
9.6 Analyse problems for trends
9.7 Verify software problem resolution
9.8 Test documentation contents
Annex A (informative) Rationale for the requirements of this standard
Annex B (informative) Guidance on the provisions of this standard
Annex C (informative) Relationship to other standards
Annex D (informative) Implementation
Bibliography
Index of defined terms

Figure 1 – Overview of software development PROCESSES and ACTIVITIES
Figure 2 – Overview of software maintenance PROCESSES and ACTIVITIES
Figure 3 – Assigning software safety classification
Figure B.1 – Pictorial representation of the relationship of HAZARD, sequence of events, HAZARDOUS SITUATION, and HARM – from ISO 14971:2007 Annex E
Figure B.2 – Pictorial representation of the relationship of RISK MANAGEMENT (ISO 14971:2012 Figure A) and software safety classification
Figure B.3 – Software classification in steps
Figure B.4 – SOFTWARE SYSTEM contributing to hazardous situations
Figure B.5 – SOFTWARE SYSTEM contributing to hazardous situations with risk control measures
Figure B.6 – Risk acceptability matrix combined with software safety classification
Figure B.7 – Example of partitioning of SOFTWARE ITEMS
Figure C.1 – Relationship of key MEDICAL DEVICE standards to IEC 62304
Figure C.2 – Software as part of the V-model
Figure C.3 – Application of IEC 62304 with IEC 61010-1

Table A.1 – Summary of requirements by software safety class
Table B.1 – Development (model) strategies as defined in ISO/IEC 12207
Table B.2 – Evaluation of hazardous situations
Table B.3 – Identification of hazardous situations with external RCM
Table B.4 – Identification of hazardous situations with software safety classification
Table C.1 – Relationship to ISO 13485:2016
Table C.2 – Relationship to ISO 14971:2007
Table C.3 – Relationship to IEC 60601-1
Table C.4 – Relationship to ISO/IEC 12207:2008
Table D.1 – Checklist for small companies without a certified QMS

INTERNATIONAL ELECTROTECHNICAL COMMISSION

HEALTH SOFTWARE – SOFTWARE LIFE CYCLE PROCESSES

FOREWORD

1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields.
To this end and in addition to other activities, IEC publishes International Standards, Technical Specifications, Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested IEC National Committees.

3) IEC Publications have the form of recommendations for international use and are accepted by IEC National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any misinterpretation by any end user.

4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications transparently to the maximum extent possible in their national and regional publications. Any divergence between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in the latter.

5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any services carried out by independent certification bodies.

6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and members of its technical committees and IEC National Committees for any personal injury, property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC Publications.

8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is indispensable for the correct application of this publication.

9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of patent rights. IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 62304 has been prepared by a joint working group of subcommittee 62A: Common aspects of electrical equipment used in medical practice, of IEC technical committee 62: Electrical equipment in medical practice and ISO Technical Committee 215, Health Informatics.

Table C.5 was prepared by ISO/IEC JTC 1/SC 7, Software and system engineering.

It is published as a dual logo standard.

This publication has been drafted in accordance with the ISO/IEC Directives, Part 2.

In this standard the following print types are used:
‒ requirements and definitions: in roman type;
‒ informative material appearing outside of tables, such as notes, examples and references: in smaller type. Normative text of tables is also in a smaller type;
‒ terms used throughout this standard that have been defined in Clause 3 and also given in the index: in small capitals.

An asterisk (*) as the first character of a title or at the beginning of a paragraph indicates that there is guidance related to that item in Annex B.
The committee has decided that the contents of the base publication and its amendment will remain unchanged until the stability date indicated on the IEC web site under "http://webstore.iec.ch" in the data related to the specific publication. At this date, the publication will be reconfirmed, withdrawn, replaced by a revised edition, or amended.

NOTE The attention of National Committees is drawn to the fact that equipment MANUFACTURERS and testing organizations may need a transitional period following publication of a new, amended or revised IEC or ISO publication in which to make products in accordance with the new requirements and to equip themselves for conducting new or revised tests. It is the recommendation of the committee that the content of this publication be adopted for mandatory implementation nationally not earlier than 3 years from the date of publication.

IMPORTANT – The 'colour inside' logo on the cover page of this publication indicates that it contains colours which are considered to be useful for the correct understanding of its contents. Users should therefore print this document using a colour printer.

INTRODUCTION

Software is becoming increasingly important in healthcare. The use of software can help contribute to more efficient and safe care of patients. As a result, HEALTH SOFTWARE needs to be developed with appropriate controls to ensure its safe and reliable use.

Previously, software had often been an integral part of a MEDICAL DEVICE and was used primarily by professional users. Currently it is being used in many other ways and forms. These various types of software products are also interacting in new ways which creates additional requirements and RISK considerations. For these reasons, this standard has now been expanded to include all HEALTH SOFTWARE used in managing, maintaining, or improving the health of individual persons or with the delivery of care. As a result, these related types of software should be developed with similar controls, as outlined in this standard.

As software becomes more dependent on network connectivity and integral to hospital workflows, additional considerations need to be made for security and usability. HEALTH SOFTWARE is being used more commonly in the home and outside of the hospital so it becomes even more important to develop these products with the user and use environment in mind.

Establishing the SAFETY and effectiveness of HEALTH SOFTWARE requires knowledge of what the software is intended to do and demonstration that the use of the software fulfils those intentions without causing any unacceptable RISKS. As a basic foundation it is assumed that HEALTH SOFTWARE is developed and maintained within a quality management system (see 4.2) and a RISK MANAGEMENT system (4.3). Since the RISK MANAGEMENT PROCESS is already very well addressed by the International Standard ISO 14971, it is referenced in this standard as being an appropriate approach. However, it is recognized that there are other methods available to achieve this result.

HAZARDOUS SITUATIONS can result either directly or indirectly from the use of health software. Whether software is a contributing factor to a HAZARDOUS SITUATION is determined during the HAZARD identification ACTIVITY of the RISK MANAGEMENT PROCESS. The decision to use software to control RISK is made during the RISK CONTROL ACTIVITY of the RISK MANAGEMENT PROCESS.

This standard provides a framework of life cycle PROCESSES with ACTIVITIES and TASKS necessary for the safe design and maintenance of HEALTH SOFTWARE. It also provides requirements for each life cycle PROCESS. Each life cycle PROCESS consists of a set of ACTIVITIES, with most ACTIVITIES consisting of a set of TASKS. The life cycle ACTIVITIES are shown in Figure 1 and described in Clause 5. Because many incidents in the field are related to service or maintenance of HEALTH SOFTWARE SYSTEMS including inappropriate software updates and upgrades, the software maintenance PROCESS is considered to be as important as the software development PROCESS. The software maintenance PROCESS is very similar to the software development PROCESS. It is shown in Figure 2 and described in Clause 6.