/ 10 Jun, 2025
/ Steven Byrne

Mind the gaps: Building a comprehensive set of use requirements

Many Software as a Medical Device (SaMD) teams document intended use, but overlook the full set of use requirements expected by IEC 82304-1.

IEC 82304-1 is an international standard that governs the safety and quality of health software products, including SaMD. One key concept this standard outlines is the determination and documentation of the medical device software’s use requirements. 

Use requirements are a set of high-level requirements that encompass a broad range of topics, including:

  • The intended use and functionality of the medical device software
  • The interfaces between the medical device and users or external systems 
  • Security, data privacy, and IT standards and regulations
  • Processes and documentation that support the operation and use of the medical device through its lifecycle from release to maintenance to retirement

Building a comprehensive set of use requirements is vital to inform the scope of subsequent medical device development activities and ensure the development of high-quality, safe medical device software.

Frequently missed categories

Whilst most manufacturers are very aware of the use requirements related to their medical device's intended use and core functionality, it is common to see the unintended omission of other less obvious requirement categories expected by IEC 82304-1. Gaps in the expected coverage of use requirements can lead to:

  • Omissions of medical device development activities, software design, or regulatory documentation
  • An increased risk of safety/security issues with the medical device 
  • Delays in certification, as the Conformity Assessment Body raises questions related to the above aspects during technical assessments

To ensure a comprehensive set of use requirements, the following categories should all be considered during the determination of use requirements. If any categories do not apply to your medical device, it is highly beneficial to justify their exclusion to aid efficient assessment by a Conformity Assessment Body.

Accompanying document requirements 

This category focuses on requirements for documentation that accompanies the release of medical device software. This may include requirements to ensure that:

  • Instructions for Use documentation that complies with IEC 82304-1 clause 7.2.2 and EU MDR Annex I, 23.1 is produced
  • Documentation is produced to define the processes for installing, maintaining, updating, decommissioning, and disposing of the medical device software
  • User training or information for safety documentation is produced to detail the safe use of the medical device software and its user interface
  • The medical device software is appropriately labelled

Applicable regulation requirements

This category may include use requirements to ensure that:

  • Regional or international data protection regulations are met
  • Regional or international patient-health-information regulations are met
  • Industry-standard information security regulations are met
  • State-of-the-art software-development practices are adhered to

Installation, update, or decommission requirements

This category may include use requirements that cover:

  • The software distribution mechanism
  • The software installation process, including the verification of integrity
  • The process of integrating the medical device with other software or hardware systems
  • The methods and frequency of software updates
  • The software rollback process
  • The conditions for software recall and the process to achieve it
  • The methods of decommissioning the software and the transfer, retention, and/or irreversible deletion of data

Intended purpose requirements

This category may include use requirements that address the features and functionality of the medical device that achieve its intended purpose.

Interface requirements

This category may include use requirements that describe:

  • Human-to-machine user interface(s) of the medical device
  • Machine-to-machine interface(s) between the medical device, accessory devices, and/or other external software or hardware systems

Note: The usability engineering processes defined in IEC 62366-1 should be utilised to establish the human-to-machine user interface requirements.

Further information on the importance of defining interfaces to your medical device software can be found here.

Security requirements

This category may include use requirements that describe:

  • Authorised use and protections against unauthorised access
  • Authentication mechanisms
  • Health data integrity, privacy, and protection
  • Protection against malicious intent
  • Immunity from, or susceptibility to, unintended influence by other software using the same hardware resources
  • Protection against unauthorised access to, and tampering with, available documentation

Summary

This article provides a comprehensive overview of the categories of use requirements expected by IEC 82304-1. When defining your use requirements, you may find that some requirements overlap with the definitions given here and could be grouped within more than one category. This is perfectly acceptable.

Whilst this article encourages you to group your use requirements logically, the guidance here primarily focuses on avoiding unintended omissions of expected use requirements.

Gaps in the expected coverage of use requirements are commonly noted by Conformity Assessment Bodies during the software medical device technical documentation assessment. These gaps can lead to an incomplete technical file, an unsafe medical device, and delayed certification timelines.

Avoid this pitfall by defining a comprehensive set of use requirements early in the development process, and diligently refining them throughout the medical device's life cycle.

Pairing this with the guidance on how to craft proper requirements and how to make them testable will set you up for success in your journey to certification.
