IEC 82304-1 Health Software Product Safety: Complete Compliance Guide (2026)
A comprehensive guide to IEC 82304-1 health software product safety — how it complements IEC 62304, product requirements, validation, cybersecurity, lifecycle management, regulatory alignment with FDA/EU MDR, and practical implementation for SaMD and health app manufacturers.
What Is IEC 82304-1?
IEC 82304-1 (Health software — Part 1: General requirements for product safety) is the international standard specifying safety and security requirements for health software products designed to operate on general computing platforms and intended to be placed on the market without dedicated hardware. Published in 2016 by the International Electrotechnical Commission (IEC) and reviewed and confirmed in 2021, it addresses the full product lifecycle including design, development, validation, installation, maintenance, and disposal of health software products.
IEC 82304-1 fills a critical gap in the standards landscape: while IEC 62304 governs the software development process, IEC 82304-1 governs the finished software product. For Software as a Medical Device (SaMD) manufacturers, both standards are essential and work together — IEC 62304 ensures the software is built correctly, while IEC 82304-1 ensures the product is safe and effective when deployed.
The standard's scope is broader than just medical devices. It defines health software as "software intended to be used specifically for managing, maintaining or improving the health of individual persons, or the delivery of care." This encompasses:
- Software as a Medical Device (SaMD)
- Health and wellness applications that may not be classified as medical devices
- Prescription management systems
- Laboratory information management systems
- Radiology information systems
- Telemedicine platforms
- Electronic health record systems
IEC 82304-1 vs. IEC 62304: The Critical Distinction
One of the most common and costly regulatory mistakes in SaMD submissions is confusing these two standards. Here is the fundamental difference:
| Aspect | IEC 62304 | IEC 82304-1 |
|---|---|---|
| Standard type | Process standard | Product standard |
| What it governs | Software lifecycle processes | Health software product safety |
| Level of focus | Code and development level | System and user level |
| Key objective | Verification (built correctly) | Validation (works correctly for users) |
| Applies to | All medical device software (SiMD + SaMD) | Standalone health software on general computing platforms |
| Covers labeling and IFU | No | Yes |
| Covers usability | Referenced but not detailed | Yes — product use requirements |
| Covers installation/maintenance | Maintenance process only | Full product lifecycle including deployment |
| Cybersecurity | Not directly addressed | Explicit requirements |
| Software safety classes | Class A, B, C | References IEC 62304 classes |
Think of it this way: IEC 62304 is the engine (how the software is built), while IEC 82304-1 is the vehicle (how the finished product performs in real-world conditions). You need both for a complete regulatory submission.
What IEC 82304-1 Does NOT Cover
The standard explicitly excludes:
- Medical electrical equipment and systems covered by the IEC 60601/IEC 80601 series (these have software embedded in dedicated hardware)
- In vitro diagnostic equipment covered by the IEC 61010 series
- Implantable devices covered by the ISO 14708 series
- Software embedded in dedicated health hardware — if the software is part of a physical medical device, it falls under IEC 62304, not IEC 82304-1
The distinction is important: if your software runs on general-purpose computers, smartphones, tablets, or cloud platforms without dedicated hardware, IEC 82304-1 applies. If your software is embedded in a medical device with custom hardware, IEC 62304 applies (and IEC 82304-1 does not).
IEC 82304-1 Requirements in Detail
Clause 4: Product Requirements
The heart of IEC 82304-1 is its product requirements. Manufacturers must define and document comprehensive requirements covering:
4.1 General Requirements
The manufacturer shall establish, document, and maintain requirements for the health software product throughout its lifecycle. Requirements must consider:
- Intended purpose and clinical context
- User population and use environment
- Hardware platforms and operating systems
- Interface requirements with other systems (interoperability)
- Applicable regulatory requirements
- Accompanying documentation requirements
4.2 Product Use Requirements
Manufacturers must specify clear product use requirements that define:
| Requirement Category | What to Document |
|---|---|
| Intended purpose | Clinical or health objectives, target conditions, patient population |
| User profiles | Who will use the software (clinicians, patients, caregivers, IT staff) |
| Use environment | Where and how the software will be used (clinical, home, mobile) |
| Hardware platform | Minimum hardware specifications, operating systems, network requirements |
| Installation requirements | Deployment methods, configuration, and setup procedures |
| Interface requirements | Integration with EHRs, medical devices, databases, APIs |
| Security requirements | Authentication, authorization, data protection, encryption |
| Performance requirements | Response times, throughput, accuracy, reliability |
4.3-4.7 Verification and System Testing
IEC 82304-1 requires systematic verification and validation at the product level:
- Software system requirements verification (Clause 4.6) — Verifying that system requirements are correctly implemented
- Software system testing (Clause 4.7) — Testing the integrated software product against its requirements
- Product validation (Clause 6.2) — Validating that the product meets user needs and intended use in the real-world environment
When anomalies are found during validation, they must be resolved through a problem resolution process according to IEC 62304 Clause 9.
Clause 5: Software Lifecycle Processes
IEC 82304-1 does not reinvent the software lifecycle — instead, it directly references specific clauses of IEC 62304. The requirements in IEC 62304 Clauses 4.2, 4.3, 5, 6, 7, 8, and 9 apply to health software in addition to IEC 82304-1's own requirements. This means:
- Follow IEC 62304's development process (planning, requirements, architecture, design, implementation, integration, testing)
- Apply IEC 62304's risk management process for software
- Use IEC 62304's configuration management and problem resolution processes
- Additionally meet IEC 82304-1's product-level requirements for validation, labeling, and lifecycle management
Clause 6: Product Validation
This is where IEC 82304-1 adds the most value beyond IEC 62304. Product validation ensures the finished health software product is fit for its intended purpose when used by real users in real environments. Key requirements:
- Validation planning — Document a validation plan that defines what will be validated, how, and the acceptance criteria
- Use-based testing — Test the product under conditions that simulate actual use, including edge cases and error scenarios
- Usability evaluation — Assess whether users can effectively, efficiently, and safely use the product (aligned with IEC 62366-1)
- User documentation verification — Verify that the IFU and accompanying documentation are accurate and understandable
- Clinical evaluation — For SaMD, clinical validation demonstrating that the software achieves its intended clinical purpose
- Anomaly resolution — Resolve any anomalies found during validation through IEC 62304's problem resolution process
Clause 7: Product Identification and Instructions for Use
IEC 82304-1 requires manufacturers to provide clear product identification and user documentation:
- Product identification — Software name, version, manufacturer identification, and unique device identification where applicable
- Instructions for Use (IFU) — Clear, comprehensive instructions covering installation, configuration, use, maintenance, and decommissioning
- Labeling — Product labeling that communicates essential safety and performance information
- User-oriented content — Documentation written for the target user population, not just technical staff
This clause is particularly important because IEC 62304 does not cover labeling, IFU, or user documentation — IEC 82304-1 fills this gap.
Clause 8: Security
IEC 82304-1 explicitly addresses cybersecurity, which is not directly covered by IEC 62304:
- Security risk assessment — Identify and assess security risks specific to the health software product
- Security controls — Implement appropriate security measures based on the risk assessment
- Data protection — Protect patient and user data throughout the product lifecycle
- Secure communications — Ensure data transmitted by the software is protected
- Security updates — Provide mechanisms for delivering security patches and updates
- Incident response — Establish procedures for responding to security incidents
In 2026, cybersecurity expectations are rising rapidly. The FDA's cybersecurity guidance, the EU Cyber Resilience Act (CRA), and NIS2 Directive all impose cybersecurity obligations on medical device manufacturers. IEC 82304-1 provides a foundational framework for meeting these expectations at the product level.
Clause 9: Post-Market Activities
IEC 82304-1 extends beyond initial product release to cover post-market lifecycle management:
- Post-market surveillance — Monitor the health software product's performance in real-world use
- Feedback collection — Gather and analyze user feedback, complaints, and adverse events
- Update management — Manage software updates, patches, and new versions through a controlled process
- Version management — Maintain version control and configuration management throughout the product lifecycle
- Decommissioning — Plan for and execute orderly decommissioning of the software product
How IEC 82304-1 Works with Other Standards
IEC 82304-1 is part of an interconnected framework of standards for health software and medical devices:
The Standards Stack for SaMD
| Standard | Role | Relationship to IEC 82304-1 |
|---|---|---|
| ISO 13485 | Quality Management System | Foundation; IEC 82304-1 requirements feed into the QMS |
| ISO 14971 | Risk Management | IEC 82304-1 requires risk management per ISO 14971 at the product level |
| IEC 62304 | Software Lifecycle | Directly referenced; IEC 82304-1 builds on IEC 62304's processes |
| IEC 62366-1 | Usability Engineering | Referenced for usability evaluation and validation |
| IEC 82304-1 | Product Safety | The standard itself — product-level requirements |
| IEC 81001-5-1 | Health IT Security | Complements security requirements in IEC 82304-1 |
| ISO 20417 / ISO 15223-1 | Labeling | Supports the product identification and IFU requirements |
Practical Integration: Using IEC 62304 + IEC 82304-1 Together
For a SaMD product, the standards work together as follows:
- Define product use requirements (IEC 82304-1 Clause 4.2) — What the product must do for users
- Perform product risk management (ISO 14971) — What can go wrong at the product level
- Develop software per IEC 62304 — Build the software following lifecycle processes
- Classify software safety (IEC 62304 Clause 4.3) — Determine Class A, B, or C
- Verify software requirements (IEC 62304) — Verify each development output
- Perform system testing (IEC 82304-1 Clause 4.7) — Test the integrated product
- Validate the product (IEC 82304-1 Clause 6.2) — Validate against user needs in the real world
- Create labeling and IFU (IEC 82304-1 Clause 7) — Provide user documentation
- Implement security controls (IEC 82304-1 Clause 8) — Address cybersecurity
- Establish post-market processes (IEC 82304-1 Clause 9) — Monitor and maintain the product
Regulatory Expectations in 2026
FDA Position
The FDA recognizes IEC 82304-1 as a consensus standard for health software products. Key FDA references:
- The standard is listed in the FDA's Recognized Consensus Standards database
- FDA expects clear separation between software verification (IEC 62304) and product validation (IEC 82304-1) for SaMD submissions
- The FDA's General Principles of Software Validation (GPSV) guidance aligns with IEC 82304-1's validation requirements
- For premarket submissions, documentation showing compliance with both IEC 62304 and IEC 82304-1 strengthens the application
EU MDR Alignment
Under the EU MDR, SaMD is classified and regulated as a medical device. Notified Bodies expect:
- IEC 62304 compliance for the software development process
- IEC 82304-1 compliance for the product-level safety and validation requirements
- ISO 14971 risk management covering both software and product-level risks
- IEC 62366-1 usability engineering for user interface design and evaluation
The EU AI Act (effective 2025-2027) adds requirements for AI-based SaMD, but IEC 82304-1 provides the foundational product safety framework.
Global Regulators
| Regulator | IEC 82304-1 Expectation |
|---|---|
| FDA (US) | Recognized consensus standard; expected for SaMD submissions |
| EU Notified Bodies | Expected as part of conformity assessment for standalone software |
| MHRA (UK) | Aligned with EU expectations post-Brexit |
| TGA (Australia) | References IEC 82304-1 in software guidance |
| Health Canada | Expects validation evidence per IEC 82304-1 principles |
| PMDA (Japan) | References the standard in SaMD review guidance |
| SFDA (Saudi Arabia) | Recognizes IEC standards for software devices |
Common Compliance Mistakes
Many SaMD manufacturers make avoidable errors when applying IEC 82304-1. Based on industry experience:
| Mistake | Consequence | Correct Approach |
|---|---|---|
| Treating IEC 62304 as sufficient for SaMD | Missing product validation, labeling, and security requirements | Apply both IEC 62304 and IEC 82304-1 |
| Confusing verification with validation | Regulatory questions, delayed approvals | IEC 62304 = verification; IEC 82304-1 = validation |
| Skipping usability evaluation | Non-conformities during Notified Body audit | Include IEC 62366-1 usability engineering |
| Incomplete traceability | Gaps between software risks and user risks | Maintain full traceability from user needs through requirements, risks, and tests |
| Missing cybersecurity documentation | FDA refuse-to-accept, EU MDR non-conformities | Address IEC 82304-1 Clause 8 security requirements and IEC 81001-5-1 |
| Using IEC 62304 safety classes for product validation | Wrong level of validation effort | Product validation is separate from software safety classification |
| Neglecting IFU and labeling | Regulatory deficiencies in documentation | Follow IEC 82304-1 Clause 7 requirements |
| Poor validation rationale in submissions | Additional questions from regulators | Document clear, structured validation rationale |
Implementation Roadmap
For New SaMD Products
- Establish the quality framework — Implement ISO 13485 QMS with software-specific procedures
- Define product use requirements — Per IEC 82304-1 Clause 4.2, document intended purpose, users, environment, and hardware
- Conduct product risk management — Apply ISO 14971 at the product level, identifying user risks and clinical risks
- Plan software development — Per IEC 62304, classify safety class and plan development activities
- Develop and verify — Follow IEC 62304 lifecycle; verify at each stage
- Validate the product — Per IEC 82304-1 Clause 6.2, validate against user needs in realistic conditions
- Create labeling and IFU — Per IEC 82304-1 Clause 7, with symbols per ISO 15223-1
- Implement security — Per IEC 82304-1 Clause 8, with alignment to IEC 81001-5-1
- Establish post-market processes — Per IEC 82304-1 Clause 9
- Compile regulatory submission — Document full traceability from user needs through validation
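The traceability step above is where submissions most often fall apart, so here is an added example (not code from this guide or from the standard) of a gap check over a constructed traceability matrix. It assumes a simple record layout of the author's own choosing: each downstream artifact lists the ids it traces to, and the chain runs user need, requirement, risk control and system test, product validation.

```python
"""Traceability-gap check for an IEC 82304-1 submission package.

Added example, not code from the guide or from the standard itself. It
assumes a constructed record layout: every artifact has an id, and each
downstream artifact lists the ids it traces to.
"""

# Constructed sample matrix; ids are illustrative, not from any real project.
SAMPLE_MATRIX = {
    "user_needs": ["UN-1", "UN-2"],
    # product use requirements (Clause 4.2), each tracing to one user need
    "requirements": {"REQ-1": "UN-1", "REQ-2": "UN-1", "REQ-3": "UN-2"},
    # product risks (ISO 14971) and the requirements that control them
    "risks": {"RISK-1": ["REQ-1"], "RISK-2": ["REQ-9"]},
    # system tests (Clause 4.7) and the requirements they verify
    "tests": {"TST-1": ["REQ-1"], "TST-2": ["REQ-3"]},
    # product validation activities (Clause 6.2) and the user needs they cover
    "validations": {"VAL-1": ["UN-1"]},
}


def traceability_gaps(matrix):
    """Return a sorted list of gap descriptions; an empty list means the
    chain user need -> requirement -> risk/test -> validation is closed."""
    needs = set(matrix["user_needs"])
    reqs = matrix["requirements"]
    gaps = []

    # Every requirement traces to a documented user need.
    for req, need in reqs.items():
        if need not in needs:
            gaps.append(f"{req}: traces to unknown user need {need}")

    # Every user need is refined by at least one requirement.
    for need in needs - set(reqs.values()):
        gaps.append(f"{need}: no requirement derived from this user need")

    # Every risk control points at a requirement that actually exists.
    for risk, controls in matrix["risks"].items():
        for req in controls:
            if req not in reqs:
                gaps.append(f"{risk}: control {req} is not a documented requirement")

    # Every requirement is verified by a system test (Clause 4.7).
    tested = {req for verified in matrix["tests"].values() for req in verified}
    for req in set(reqs) - tested:
        gaps.append(f"{req}: no system test verifies this requirement")

    # Every user need is covered by product validation (Clause 6.2); this is
    # the product-level step that software verification alone does not close.
    validated = {need for covered in matrix["validations"].values() for need in covered}
    for need in needs - validated:
        gaps.append(f"{need}: no product validation covers this user need")

    return sorted(gaps)


if __name__ == "__main__":
    for gap in traceability_gaps(SAMPLE_MATRIX):
        print("GAP", gap)
```

Run against the sample matrix it reports an untested requirement, a risk control that names a requirement nobody documented, and a user need that was verified at code level but never validated with users.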
For Existing SaMD Products
If you have an existing SaMD product that was developed using only IEC 62304:
- Conduct a gap analysis — Compare current documentation against IEC 82304-1 requirements
- Identify product validation gaps — Most likely the biggest gap; plan retrospective validation
- Document product use requirements — If not already documented, create them based on current product capabilities
- Address security documentation — Ensure cybersecurity risk assessment and controls are documented
- Review labeling and IFU — Verify compliance with IEC 82304-1 Clause 7
- Establish lifecycle processes — Ensure post-market monitoring aligns with Clause 9
FAQ
Is IEC 82304-1 mandatory for SaMD? Yes, in practice. While IEC 82304-1 is a voluntary standard, regulators globally expect system-level validation beyond code verification for standalone software. FDA recognizes it as a consensus standard, EU Notified Bodies expect it for conformity assessment, and other regulators reference it in their guidance. Non-compliance creates significant regulatory risk for SaMD manufacturers.
What is the difference between IEC 62304 and IEC 82304-1? IEC 62304 is a process standard that governs how medical device software is developed — it focuses on verification (ensuring the software is built correctly). IEC 82304-1 is a product standard that governs the safety of the finished health software product — it focuses on validation (ensuring the product works correctly for users). IEC 62304 covers the code level; IEC 82304-1 covers the system and user level. Both are needed for SaMD compliance.
Does IEC 82304-1 apply to health apps that are not medical devices? Yes. IEC 82304-1's scope includes health software products regardless of whether they are classified as medical devices. This is intentional — the standard addresses safety for any software used for health purposes, including fitness apps, wellness trackers, telemedicine platforms, and clinical decision support tools. However, the depth of compliance expected by regulators depends on the software's classification and risk level.
Can I use IEC 82304-1 without IEC 62304? No. IEC 82304-1 explicitly references and requires compliance with specific clauses of IEC 62304. The standard states that the requirements in IEC 62304 Clauses 4.2, 4.3, 5, 6, 7, 8, and 9 apply to health software. IEC 82304-1 builds on IEC 62304; it does not replace it.
Does IEC 82304-1 address cybersecurity? Yes. Clause 8 of IEC 82304-1 explicitly addresses security requirements for health software products, including security risk assessment, security controls, data protection, secure communications, and security update mechanisms. In 2026, cybersecurity is a top regulatory priority, and IEC 82304-1's security requirements are complemented by IEC 81001-5-1 for more detailed health IT security guidance.
Is IEC 82304-1 being revised? IEC 82304-1 was published in 2016 and confirmed in 2021. IEC 62304, the closely related standard, is undergoing a major revision expected to be published as a second edition in August 2026, with enhanced guidance on AI, ML, and health software. Any future revision of IEC 82304-1 is likely to align with the updated IEC 62304 and address emerging topics like AI/ML-based health software and enhanced cybersecurity requirements.
How does IEC 82304-1 relate to the FDA's Computer Software Assurance (CSA) guidance? The FDA's CSA guidance focuses on a risk-based approach to testing production and quality system software — software used in manufacturing and QMS processes. IEC 82304-1 applies to health software products placed on the market for use by healthcare providers and patients. These are different contexts: CSA is for internal manufacturing/QMS software; IEC 82304-1 is for product software. Both share the principle of risk-based testing.
What documentation do I need to demonstrate IEC 82304-1 compliance? Key documentation includes: product use requirements specification, product risk management file, validation plan and report, system test plan and reports, IFU and labeling documentation, security risk assessment and controls documentation, post-market surveillance plan, and traceability matrix linking user needs through requirements, risks, tests, and validation results. All documentation should be maintained within your ISO 13485 QMS.