IEC 62304 Compliance for AI-Powered Diagnostic Software
Health-tech startup developing AI-powered diagnostic imaging software
The Challenge
The startup had developed a sophisticated AI-powered diagnostic imaging platform but lacked any regulatory infrastructure. To achieve CE marking and enter the European market, they needed full IEC 62304 software lifecycle documentation, a cybersecurity compliance framework aligned with IEC 81001-5-1, and a complete regulatory strategy for their Class IIa AI-based Software as a Medical Device — all within six months to meet investor milestones and planned commercial launch.
Our Approach
Swiss MPC conducted an initial regulatory assessment to classify the software under EU MDR Rule 11 and determine the applicable conformity assessment pathway. Given the Class IIa classification and AI/ML components, we identified the specific requirements for algorithmic transparency, clinical validation methodology, and the emerging expectations from Notified Bodies regarding AI-based medical devices outlined in the MDCG 2021-24 guidance on machine learning.
Our IEC 62304 specialists worked alongside the client's development team to retrospectively document the existing software architecture and development history, then establish forward-looking lifecycle processes compliant with IEC 62304:2006/AMD1:2015. We classified the software as Safety Class B based on the severity analysis and implemented the corresponding documentation requirements, including software development plans, architecture documentation, detailed design specifications, unit and integration test protocols, and risk management files per ISO 14971.
For cybersecurity compliance, we developed a comprehensive security risk management framework aligned with IEC 81001-5-1 (Health software and health IT systems safety, effectiveness and security). This included threat modeling using STRIDE methodology tailored to the DICOM and HL7 FHIR interfaces, vulnerability assessments, secure software development lifecycle (SSDLC) integration into their CI/CD pipeline, and incident response planning. We also addressed the FDA's premarket cybersecurity guidance to ensure the documentation would support future US market entry.
The clinical evaluation strategy required particular attention given the AI/ML nature of the device. We designed a clinical validation protocol that demonstrated algorithmic performance across diverse patient populations, addressed potential bias in training data, and established ongoing performance monitoring requirements for post-market surveillance. The clinical evidence package was structured to meet both the EU MDR clinical evidence requirements and the IMDRF SaMD clinical evaluation framework (N41).
Throughout the engagement, we maintained a parallel workstream focused on establishing a lean but compliant Quality Management System proportionate to the startup's size and stage. This included core SOPs for design control, document management, CAPA, and post-market surveillance — sufficient to support a successful ISO 13485 certification audit while remaining practical for a 25-person engineering team.
Results
CE marking: Successfully achieved
IEC 62304: Full Class B compliance
IEC 81001-5-1: Cybersecurity documented
6 months: Completed on schedule
“As a startup, we had world-class AI technology but no regulatory expertise. Swiss MPC bridged that gap completely. They understood both the software engineering reality and the regulatory requirements, which meant the documentation they produced was accurate, practical, and accepted by our Notified Body without pushback.”
CTO & Co-founder
AI Diagnostic Imaging Startup
Ready to accelerate your regulatory compliance?
Schedule a free consultation with our senior regulatory experts
