• The Experience
  • Customer Stories
  • LLMs
  • Transfers
  • Mission
  • Company
  • Blog
  • Careers
  • Get in touch
    •
    / 2 Apr, 2026
    / Steven Byrne

    Beyond IEC 62304: Why IEC 82304-1 belongs in your state-of-the-art for SaMD

    Adherence to IEC 62304 alone is insufficient. It should be paired, at least, with another important, yet commonly overlooked standard, IEC 82304-1.

    Ask a medical device software manufacturer which state-of-the-art international standards they are applying to develop their devices and they will undoubtedly mention IEC 62304. This standard defines the lifecycle requirements for medical device software. Initially published in 2006, it has become a cornerstone of high-quality medical device software development and was harmonised with the EU MDD. Adherence to it is standard practice for EU MDR and UK MDR certification of SaMD.

    However, for SaMD, Scarlet maintains that as well as IEC 62304, you should also factor in IEC 82304-1.

    What is IEC 82304-1?

    IEC 82304-1 is an international standard that defines requirements for manufacturers when developing safe and secure health software products designed to operate on general computing platforms and intended to be placed on the market without dedicated hardware.

    It explicitly excludes software that is part of medical electrical equipment. The scope of the standard covers the entire lifecycle of health software products, including design, development, validation, installation, maintenance, and disposal.

    IEC 82304-1 & SaMD state of the art

    Why IEC 62304 alone is not enough for SaMD

    As IEC 62304 was initially published in 2006, it predates the revolutions of smartphone technology and cloud computing that have given rise to the SaMD industry. At that time, the most common application of IEC 62304 was to guide the development of software subsystems in electromechanical medical device development. For many regulatory affairs professionals, this remains their primary exposure to IEC 62304.

    In electromechanical medical device development, the IEC 60601-1 standard governs the overarching development of the medical device. It starts with user needs as input and defines system requirements and a system architecture containing subsystems, including software subsystems. Each subsystem requires its own decomposition of requirements, architecture, implementation, and subsystem verification. Finally, the electromechanical medical device is evaluated through system integration verification and validation activities.

    In this context, IEC 62304 is responsible only for managing software subsystems, from software requirements analysis to verification activities. The standard does not govern the development of a complete medical device system and has no direct relationship to user needs or validation activities.

    In SaMD development, where the target hardware is general computing platforms such as smartphones, personal computers, and servers, the IEC 60601-1 standard is not applicable. This creates a gap in system and validation activities for SaMD development, which IEC 82304-1 resolves.

    An update linking the two

    In the 2015 amendment to IEC 62304, Section 1.2 was updated to clarify the standard's field of application and to recommend its use alongside IEC 82304-1 for SaMD system-level development and validation.

    This standard applies to the development and maintenance of MEDICAL DEVICE SOFTWARE when software is itself a MEDICAL DEVICE or when software is an embedded or integral part of the final MEDICAL DEVICE…

    This standard can be used in the development and maintenance of software that is itself a medical device. However, additional development activities are needed at the system level before this type of software can be placed into service. These system activities are not covered by this standard, but can be found in IEC 82304-1....

    This standard does not cover validation and final release of the MEDICAL DEVICE, even when the MEDICAL DEVICE consists entirely of software....

    Validation and other development activities are needed at the system level before the software and medical device can be placed into service. These system activities are not covered by this standard, but can be found in related product standards (e.g., IEC 60601-1, IEC 82304-1, etc.).

    [IEC 62304, Section 1.2]

    With a new version of IEC 62304 expected to be published in the next few years, further clarification on its application alongside other important software development standards, such as the cybersecurity standard, IEC 81001-5-1, is expected.

    How to combine IEC 82304-1 and IEC 62304

    Here is a summary of the interplay between IEC 82304-1 and IEC 62304 and how to apply them within your SaMD development process.

    In general, one can say that IEC 82304-1 describes the entire development process for a SaMD and uses IEC 62304 for specific software lifecycle processes.

    1. Consider the use requirements of your SaMD (IEC 82304-1, section 4.2). These are a set of high-level requirements that originate from the device's intended purpose, user needs, and safety/security characteristics. They encompass a broad range of topics, including:
      • The intended use and functionality of the medical device software
      • The interfaces between the medical device and users or external systems
      • Security, data privacy, and IT standards and regulations
      • Processes and documentation that support the operation and use of the medical device through its lifecycle, from release to maintenance to retirement
      • Some of these use requirements will require software implementation, while others can be satisfied by processes, instructions for use, or other documentation accompanying the software. See our blog post on use requirement categories for more details
    2. Plan validation activities that aim to satisfy the use requirements. This may include system test protocols and leverage evidence from software verification, usability engineering, or clinical evaluation activities (IEC 82304-1, sections 6.1, 6.2)
    3. Decompose the use requirements into technical software requirements (IEC 62304, section 5.2)
    4. Per 62304, design, implement, and verify the software and generate a software release
    5. Collate the SaMD's identification details and accompanying documentation (IEC 82304-1, section 7)
    6. Conduct validation activities and demonstrate that the SaMD is safe, secure, and effective from the validation outcomes (IEC 82304-1, section 6.2, 6.3)
    7. Document the planned post-market activities (IEC 82304-1, section 8), including:
      • Software maintenance and change management (IEC 62304 sections 6 & 8)
      • Re-validation
      • Post-market communication
      • Decommissioning and disposal of the SaMD

    Conclusion

    IEC 62304 remains crucial as a state-of-the-art international standard for developing medical device software, but you'll need more. It was never designed to carry the full weight of cutting-edge products, and IEC 82304-1 closes that loop: connecting software to user needs, validation, and real-world use. It defines the lifecycle requirements and is the cornerstone of high-quality SaMD development.

          Related

          19 Mar, 2026
          Blog

          A recipe for good SOUP: Part 4 - Defining requirements for SOUP

          Read more
          5 Mar, 2026
          Blog

          Call my agent – What you need to know about getting agentic AI medical devices certified

          Read more
          20 Feb, 2026
          Blog

          Wellness or mental-health SaMD? How to know the difference

          Read more
          View all

          Want Scarlet news in your inbox?

          Sign up to receive updates from Scarlet, including our newsletter containing blog posts, sent straight to you by email.

          You can unsubscribe at any time by clicking the link in the footer of our emails. For more information, please visit our privacy policy.

          We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices.