FDA/CDRH 510(k), IEC 62304
This document answers some Frequently Asked Questions (FAQs) about the certification of computer software for medical applications. The answers to the questions are not intended to provide a definitive technical answer but rather to inform the reader in a general manner.
SAFETY CERTIFICATION STANDARDS
Validated Software Corporation’s Validation Suite
IEC is the acronym for the International Electrotechnical Commission, the international standards and conformity assessment body for electrotechnology; specifically, functional safety of electrical/electronic/programmable electronic (E/E/PE) systems.
Location: Geneva, Switzerland.
Web site: www.iec.ch
The FDA is the acronym for the U.S. Food and Drug Administration.
U.S. Food and Drug Administration
5600 Fishers Lane
Rockville, MD 20857-0001
Tel: 888-INFO-FDA (1-888-463-6332)
Web site: www.fda.gov
The CDRH is the acronym for the Center for Devices and Radiological Health. It is a sub-organization of the U.S. FDA, with the responsibility for all medical devices sold in the United States.
Web site: www.fda.gov/cdrh
SAFETY CERTIFICATION STANDARDS
FDA Section 510(k), or Premarket Notification (or PMN), of the Food, Drug and Cosmetic Act requires device manufacturers to register and/or notify the FDA at least 90 days in advance of their intent to market a medical device. Specifically, medical device manufacturers are required to submit 501(k) premarket notifications if they intend to introduce a device into commercial distribution for the first time or reintroduce a device that will be significantly changed or modified to the extent that its safety or effectiveness could be affected. The safety implications are similar to FAA requirements, where life- critical devices and/or safety-critical devices are required to have a prudent design, code, and test/QA strategy in order to produce a product that is safe to use.
IEC 61508 was developed to create a standard for the functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 allows for the standalone certification of a software component, unlike FDA/CDRH. The documentation requirements of IEC 61508 tend to lean more heavily on design, usage, and manufacturing, due to the standalone component aspects of this certification. One of the most critical documents is the Safety Manual, which contains the rules and guidelines on how to use the software component in a system that is certified.
The IEC standard is published in seven parts,as shown in the table below:
IEC 61508 Part References Reference Full Part Title 61508-1 IEC 61508-1:1998, Functional safety of E/E/PE safety-related systems - Part 1: General requirements 61508-2 IEC 61508-2:2000, Functional safety of E/E/PE safety-related systems - Part 2: Requirements for E/E/PE safety-related systems 61508-3 IEC 61508-3:1998, Functional safety of E/E/PE safety-related systems - Part 3: Software requirements 61508-4 IEC 61508-4:1998, Functional safety of E/E/PE safety-related systems - Part 4: Definitions and abbreviations 61508-5 IEC 61508-5:1998, Functional safety of E/E/PE safety-related systems - Part 5: Examples of methods for the determination of safety integrity levels 61508-6 IEC 61508-6:2000, Functional safety of E/E/PE safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 61508-7 IEC 61508-7:2000, Functional safety of E/E/PE safety-related systems - Part 7: Overview of techniques and measures
The first four parts of IEC 61508 define the way to comply with the specification. IEC 61508 can be used in a broad variety of safety-critical systems, including emergency shutdown systems in power plants, turbine controls, railway signaling systems, and other electromechanical systems in safety-critical environments.
Medical product classes (I, II and III) are based on the potential of the software to cause safety-related failures identified in the system safety assessment. The FDA/CDRH has three general safety classes:
Class III: Software whose failure could cause or contribute to the death or serious injury to the patient or clinician.
Class II: Software whose failure could cause or contribute to the serious injury to the patient or clinician.
Class I: Software whose failure could cause or contribute to the injury to the patient or clinician.
The level to which a particular system must be certified is selected by a process of failure analysis and input from the device manufacturers and the certifying authority (FDA), with the final decision made by the certifying authority. Note that software does not need to be certified specifically at each designated level. Certification at any level automatically covers the lower-level requirement; but, obviously, the converse is not true. Software certified at Class III can be used in most medical devices.
The following table lists the documents and records you may need to provide for a 510(k) submission:
Software Life Cycle Data List Document Title Type SRS Safety Requirements Specification Document SSVP Software Safety Validation Plan Document SDP Software Development Plan Document SVP Software Verification Plan Document SCMP Software Configuration Management Plan Document SQAP Software Quality Assurance Plan Document SRS Software Requirements Standards Document SDS Software Design Standards Document SCS Software Code Standards Document SRD Software Requirements Data Document SDD Software Design Description Document Source Code Software Executable Object Code Software SVCP Software Verification Cases and Procedures Document SVR Software Verification Results Records SECI Software Life Cycle Environment Configuration Index Document SCI Software Configuration Index Document PRs Problem Reports Records Software Configuration Management Records Records Software Quality Assurance Records Records SAS Software Accomplishment Summary Document SM Safety Manual Document
FDA 501(k) defines specific verification objectives that must be satisfied; these include:
Verification of software development processes
Review of software development life cycle artifacts
Functional Verification of software
a. Requirements-based testing and analysis
b. Robustness testing
Structural Coverage Analysis
Structural Coverage Analysis is generally perceived to be the most difficult task to undertake by people unfamiliar with rigorous code development and testing. Furthermore, an operating system is tightly integrated with the hardware, cache, interrupts, memory management, and process/task management, thereby making structural testing even more difficult. These low-level aspects create a significant challenge to the verification process. For example, Class III certified applications should address:
Modified Condition/Decision Coverage
and from the code coverage table above along with:
Identification of dead or deactivated code
Traceability from source to object code
Fortunately, a variety of commercial tools are available to assist in this challenging task.
See our Code Coverage Tools page for a list of known vendors in this space.
Validated Software Corporation’s Validation Suite
Validated’s Validation Suites are packages of standards, plans, requirements, designs, and tests to address manufacturers requiring safety certification documentation for projects. Validation Suites are typically developed for software products widely used in safety-critical products. The use of our Validation Suites allows developers to concentrate on their core product and lower their costs by purchasing an essentially off-the-shelf Validation Suite as a component.
Due to different requirements for different certification levels, the amount of documentation will differ, but, in general, the following documentation will be provided in Level A through Level C Validation Suites.
Validation Suite Component Safety Requirements Specification (SRS) Software Safety Validation Plan (SSVP) Software Development Plan (SDP) Software Verification Plan (SVP) Software Configuration Management Plan (SCMP) Software Quality Assurance Plan Software Requirements Standard Software Design Standard C Language Coding Standard Software Requirements Document (SRD) Microprocessor Port Requirements and Design Documents Software Design Document Software Source Code, Test Code and Build Code Software Port Image Software Unit Test Plans and Procedures Software Integration Test Plans and Procedures Software Unit Test Reports Software Integration Test Report Software Test Coverage Report Software Life Cycle Environment Configuration Index Software Configuration Index Software Problem Report History Software Change History Software Quality Assurance Data Software Accomplishment Summary (SAS) Safety Manual
In addition, Validated also offers port-specific documentation to provide all the board support package (BSP) documentation, for example:
Port Software Design Description, Special I/O
Port Software Design Description, Special 80x86 Protected Mode Port
Q. Do I also have to pay another manufacturer for a production license when I purchase a Validation Suite?
Yes. The Validated Suite does not include a production license for the software.
Yes. The Validation Suite contains all source code to the product and all source code to test files, all test scripts, and all build/make files. Please note however that all of the products we validate are licensed by another manufacturer. As such we can not ship source code to a product until we receive confirmation from the manufacturer that you have a valid license in place with them.
No. The source code we provide is functionally identical to the manufacturers original code. In some cases the code may belong to a "safety-critical" version of the manufacturers product, but this is the exception not the rule.
Yes. Depending upon the system changes between projects, the Validation Suite can be used for multiple projects. (Note that additional license fees for both MicroC/OS-II and the Validation Suite may apply, regardless of re-use.)
MicroC/OS-II was chosen for many reasons:
MicroC/OS-II is a very stable operating system that has been used in tens of thousands of systems and hundreds of commercial applications. It has been in use for over 10 years, with minor modifications made periodically.
MicroC/OS-II has been “open source” since its creation. Therefore, it has been reviewed by thousands of individuals. But, unlike some open source projects, revisions are tightly controlled and reviewed by Micrium, and then openly reviewed by the MicroC/OS-II community.
MicroC/OS-II was written against a very strict coding standard, which improves readability, understandability, and maintainability – all key aspects of creating software used in critical systems.
Every line of MicroC/OS-II is well documented. This is extremely rare in the software industry and is ideal for safety certification where the mapping of requirements to source code to test for every line of code is required.
All Validated Software products can be ordered from the Validated Software Sales office.