Skip to main content

Software Documentation (IEC 62304)

IEC 62304 in Japan

IEC 62304 (Medical device software — Software life cycle processes) is a recognised standard in Japan. PMDA expects software-enabled devices and Programme Medical Devices to have software lifecycle documentation that complies with IEC 62304.

Key IEC 62304 requirements that must be evidenced in the application dossier:

  • Software safety classification (Class A, B, or C) based on the severity of harm from software failure
  • Software requirements — documented requirements for the software system
  • Software architecture — documented architecture supporting risk-based design
  • Software testing — unit, integration, and system-level testing plans and reports
  • Software problem resolution process — how defects identified post-market are managed

Software lifecycle documentation in the dossier

The application does not require submission of the complete software lifecycle documentation (which may be thousands of pages). Instead, a summary is required that demonstrates:

  1. The software safety classification and rationale
  2. That the development lifecycle followed IEC 62304
  3. Key verification and validation testing results
  4. Any known software deficiencies and how they are managed

The full software lifecycle documentation is reviewed during QMS inspection, not application review.

Cybersecurity requirements

PMDA and MHLW have issued guidance on cybersecurity for networked and software-enabled devices, drawing from IMDRF's cybersecurity guidance (IMDRF/CYBER WG/N60). Required documentation includes:

  • Security risk assessment identifying cybersecurity threats and vulnerabilities
  • Security controls implemented in the device design
  • Plans for post-market cybersecurity monitoring and vulnerability management
  • Labelling information for users about cybersecurity requirements (e.g. minimum OS version, patch requirements)

Cybersecurity documentation is a relatively new requirement and PMDA's expectations are evolving. Check PMDA's latest guidance before finalising cybersecurity documentation.