R-TF-012-041 Software Classification 62304

Change history

| Product | Version |
|---|---|
| Legit Health Plus | 1.1.0.0 |

Class Definition

The classification of software according to IEC 62304:2006/A1:2015 is based on the potential severity of harm that could result from a software failure, considering the residual risk after applying external mitigation measures.

Classification Definitions

  • Class A: No injury or damage to health is possible
  • Class B: Non-serious injury is possible
  • Class C: Death or serious injury is possible

For Legit Health Plus, the classification takes into account:

  1. The intended use: Decision support tool for dermatological condition assessment
  2. The environment of use: Clinical settings with healthcare professional oversight
  3. External mitigation measures: Clinical judgment, alternative assessment methods, user training
  4. Risk evaluation: As documented in R-TF-013-002 Risk management record

Priority of Software Risk Control Options

Risk control measures for Legit Health Plus software are implemented following the priority order established in ISO 14971:2019 and IEC 62304:2006/A1:2015:

Inherent Safety by Design

Design changes to eliminate or reduce risks at the source:

  • Robust algorithm validation and verification
  • Multiple quality checks for image analysis
  • Input validation and error handling
  • Automated testing and continuous integration
  • Secure coding practices

Examples implemented:

  • Image quality assessment before processing
  • Confidence scores provided with predictions
  • Data validation at multiple layers
  • Automated unit and integration tests

Protective Measures in the Software

Adding alerts, warnings, or error messages to inform users:

  • Visual and textual warnings when image quality is insufficient
  • Confidence indicators for predictions
  • Error messages for system failures or connectivity issues
  • User authentication and access control alerts

Examples implemented:

  • Image quality rejection with clear feedback
  • Low confidence warnings on predictions
  • Session timeout warnings
  • Data encryption status indicators

Information for Safety

User warnings, recommendations, and training materials:

  • Instructions for Use (IFU) documentation
  • User training materials and videos
  • Clinical guidelines for result interpretation
  • Limitations and contraindications clearly stated

Examples provided:

  • Comprehensive IFU at ifu-mdr.legit.health
  • Training documentation for healthcare professionals
  • Clear labeling of device limitations
  • Clinical decision-making guidelines

Organizational Measures

Procedures and protocols to reduce risk through organizational controls:

  • Quality Management System procedures
  • Post-market surveillance and vigilance
  • Cybersecurity management
  • Incident reporting and investigation

Examples implemented:

  • GP-012 Design, redesign and development procedure
  • GP-013 Risk management procedure
  • GP-020 Corrective and preventive actions
  • GP-030 Cybersecurity management

The rationale behind this prioritization is to eliminate risks at the design level whenever possible, before relying on user behavior or organizational measures.

Software Maintenance

Post-design risk management activities are performed according to [GP-012 Design, redesign and development] and [GP-013 Risk management].

Risk management during maintenance:

  • New risks are assessed when implementing changes, new features, or addressing bugs
  • Existing risks are re-evaluated when new information becomes available
  • Risk analysis is updated in [R-TF-013-002 Risk management record]

Product design updates:

  • All design changes are documented in [T-012-005 Design change control]
  • Impact on risks is evaluated before implementation
  • Verification and validation activities are performed as documented in [R-TF-012-038 Verified Version Released]

Traceability:

  • Version control through GitHub repository
  • Design History File (DHF) maintained in QMS
  • Release documentation for each version

Information Provided to the User

Instructions for Use

Legit Health Plus provides comprehensive user documentation:

| Document | Version | Format | Location |
|---|---|---|---|
| IFU MDR | v1.1.0.0 | Electronic (Web) | https://ifu-mdr.legit.health/ |
| IFU FDA | v1.1.0.0 | Electronic (Web) | https://ifu-fda.legit.health/ |
| User Manual | v1.1.0.0 | Electronic (In-app) | Accessible through help menu |

All documentation includes:

  • Intended use and indications for use
  • Target patient population
  • Contraindications and limitations
  • Operating instructions
  • Warnings and precautions
  • Technical specifications
  • Troubleshooting guidance
  • Contact information for support

Labeling

Warnings, precautions, and labeling content are documented in:

  • Primary source: [R-TF-012-037 Labeling and IFU Requirements]
  • Regulatory labels: Available in IFU documents (MDR and FDA versions)
  • Compliance: MDR 2017/745 Annex I Chapter III, FDA 21 CFR Part 801

Key labeling elements:

  • Device identification (UDI, model, version)
  • Manufacturer information
  • CE marking and regulatory approvals
  • Warnings and precautions
  • User qualifications required
  • Technical requirements

Information Provided Only in Electronic Format

In compliance with Regulation (EU) 2021/2226 on the application of MDR to certain devices manufactured from human blood or plasma:

Electronic format information:

  • Instructions for Use (IFU) - primary delivery format
  • User manuals and training materials
  • Technical documentation
  • Update notifications and release notes

Paper copy availability:

  • Users may request a paper copy of any electronically provided information
  • Paper copies are provided within 7 calendar days of request
  • Request procedure is documented in the IFU (contact information provided)
  • No additional charge for paper copies

Justification for electronic format:

  • Ensures users always have access to the most current version
  • Allows for rapid updates and corrections
  • Environmentally sustainable
  • Consistent with typical digital health workflow
  • Compliant with Regulation (EU) 2021/2226 Article 1(4)

Software Classification

| Question | Answer |
|---|---|
| Can a hazardous situation arise from a failure of the software? | Yes (answer to next question) |
| After taking into consideration the risk control measures external to this software system (separate redundant and technologically different hardware or software system), does failure of the software result in an unacceptable risk? | No (Class A) |
| What severity of injury (worst case) that can result from this hazardous situation, is possible? | N/A - External mitigation reduces risk to acceptable level |

Classification Rationale

Considering:

  • The device description in [Description and Specifications]: Legit Health Plus is a Software as a Medical Device (SaMD) that provides objective scoring and monitoring of dermatological conditions using AI-based image analysis.

  • The intended use and end users: Used by healthcare professionals as a decision support tool in clinical assessment of dermatological conditions. Not intended as a standalone diagnostic device.

  • The environment of use: Clinical settings with trained healthcare professionals who maintain clinical oversight and make final treatment decisions.

  • The risk management file [R-TF-013-002 Risk management record]: All hazardous situations identified have been mitigated through external risk control measures.

  • The software requirements [R-TF-012-028 Software Requirement Specification]: Requirements include multiple layers of quality control and user verification.

  • IEC/TR 80002-1 guidance: The software supports but does not replace clinical judgment.

  • The answers to classification questions above: While hazardous situations can theoretically arise from software failure, external mitigation measures (clinical oversight, alternative assessment methods, user training) reduce the residual risk to an acceptable level.

The classification of Legit Health Plus against IEC 62304:2006/A1:2015 is: Class B

Security Class Rationale

The Class B classification is justified by:

  1. External Mitigation Measures:

    • Healthcare professional oversight and clinical judgment
    • Alternative assessment methods available (traditional clinical examination)
    • User training and qualification requirements
    • Clear documentation of device limitations
    • Multiple quality checks before presenting results
  2. Residual Risk Analysis:

    • Even in worst-case scenarios (algorithm failure, incorrect prediction), the healthcare professional reviews results
    • The device provides supporting information, not definitive diagnosis
    • Treatment decisions are made by qualified professionals considering multiple factors
    • No direct control of therapeutic interventions
  3. Injury Severity Assessment:

    • Potential for non-serious injury if results are misinterpreted and lead to delayed or inappropriate treatment
    • Death or serious injury not reasonably foreseeable given external controls
    • Device used for chronic conditions where immediate life-or-death decisions are not required

Most Critical Risks

The following table presents the most critical risks identified in R-TF-013-002 Risk management record, showing their classification before and after external risk management measures according to IEC 62304:2006/A1:2015.

Risk evaluation follows the methodology defined in GP-013 Risk management, where:

  • Severity (S): Scale 1-5 (Negligible, Minor, Major, Serious, Critical)
  • Probability (P1): Scale 1-5 (Improbable, Remote, Occasional, Probable, Frequent)
  • RPN = P1 × S (since P2 = 1 for diagnostic support software)
  • Classification logic:
    • Before mitigation measures: RPN 6-12 with potential for non-serious injury → Class B
    • After mitigation measures: Further reduced RPN maintains Class B or reduces to Class A (no injury possible)

| ID Risk | Risk Description | Severity Initial | P1 Initial | RPN Initial | Class Before Mitigation Measures | External Mitigation Measures | Severity Controlled | P1 Controlled | RPN Controlled | Risk Acceptability | Final Class |
|---|---|---|---|---|---|---|---|---|---|---|---|
| R-DAG | Incorrect diagnosis or follow up due to device outputting wrong result | 3 (Major) | 4 (Probable) | 12 | B | Clinical professional review, metadata output (explainability), interpretative distribution, AI retraining, IFU information | 2 (Minor) | 2 (Remote) | 4 | Acceptable | B |
| R-SKK | Incorrect results shown to patient without HCP supervision | 3 (Major) | 4 (Probable) | 12 | B | HCP supervision requirement in IFU, metadata output, interpretative distribution, AI retraining | 2 (Minor) | 1 (Improbable) | 2 | Acceptable | B |
| R-AGQ | Image artifacts or poor resolution affecting device performance | 3 (Major) | 4 (Probable) | 12 | B | Image quality assessment algorithm, quality score feedback, IFU guidelines on imaging, user training | 2 (Minor) | 2 (Remote) | 4 | Acceptable | B |
| R-5L4 | Inadequate lighting conditions during image capture | 3 (Major) | 4 (Probable) | 12 | B | Image quality assessment algorithm, quality score feedback, IFU guidelines, user training | 2 (Minor) | 2 (Remote) | 4 | Acceptable | B |
| R-3YJ | Data breach or unauthorized access | 3 (Major) | 4 (Probable) | 12 | B | OAuth/JWT authentication, role-based access control, SSL/TLS encryption, API token with expiration, IFU security section | 1 (Negligible) | 1 (Improbable) | 1 | Acceptable | A |
| R-B63 | Inconsistent or unreliable output (same image, different results) | 3 (Major) | 4 (Probable) | 12 | B | Algorithm V&V with representative datasets, clinical testing, GP-012 compliance, AI retraining procedures | 2 (Minor) | 1 (Improbable) | 2 | Acceptable | B |
| R-RAJ | Sensitivity to image variability (lighting/orientation) | 3 (Major) | 3 (Occasional) | 9 | B | Image augmentation in training, diverse training dataset, algorithm V&V | 2 (Minor) | 1 (Improbable) | 2 | Acceptable | B |
| R-T8Q | Data transmission failure from healthcare provider's system | 3 (Major) | 4 (Probable) | 12 | B | State-of-the-art security and software availability, meaningful error messages | 1 (Negligible) | 2 (Remote) | 2 | Acceptable | A |
| R-MWD | Interruption of service | 3 (Major) | 4 (Probable) | 12 | B | Elastic demand design, constant backups, REST protocol error codes | 1 (Negligible) | 1 (Improbable) | 1 | Acceptable | A |

Key External Risk Management Measures:

  • Clinical Oversight: Device used as support tool under HCP supervision, not standalone diagnosis
  • Image Quality Controls: Automated quality assessment, rejection of inadequate images, user feedback
  • Algorithm Safeguards: Confidence scores, interpretative distributions, explainability metadata
  • Cybersecurity: State-of-the-art authentication, encryption, access controls
  • User Training: Comprehensive IFU, training materials, imaging guidelines
  • Infrastructure: Elastic scalability, automated backups, redundancy

Classification Rationale:

  • Initial Assessment (Class B): Given the intended use as a decision support tool with HCP oversight, software failures can lead to non-serious injury (temporary delay or suboptimal treatment) but not death or serious injury
  • After External Mitigation Measures: Additional safeguards either maintain Class B (clinical decision risks) or reduce to Class A (infrastructure/availability risks with no direct patient harm)

Software and Items Class

The following table maps software items to their associated risks and provides the IEC 62304 classification after external mitigation measures.

| Item ID | Software Item Description | Class Before Mitigation Measures | Associated Risk IDs | Severity After External Mitigation Measures | Risk Acceptability | Final Class | Justification |
|---|---|---|---|---|---|---|---|
| ITSW-001 | AI/ML image analysis algorithm (condition classification) | B | R-DAG, R-SKK, R-B63, R-RAJ | 2 (Minor) - Could lead to suboptimal treatment or delayed diagnosis | Acceptable after external mitigation measures | B | Non-serious injury possible; HCP supervision and confidence indicators maintain Class B classification |
| ITSW-002 | Image quality assessment processor | B | R-AGQ, R-5L4 | 2 (Minor) - Poor quality images could lead to incorrect outputs | Acceptable after external mitigation measures | B | Non-serious injury possible; quality rejection allows correction before clinical impact, maintaining Class B |
| ITSW-003 | API authentication and authorization module | B | R-3YJ, R-D1I | 1 (Negligible) - Unauthorized access could lead to data breaches | Acceptable after external mitigation measures | A | External controls reduce to Class A; privacy breach does not directly cause physical injury |
| ITSW-004 | Data transmission and communication layer (REST API) | B | R-T8Q, R-3N5, R-YF4, R-LRP | 1 (Negligible) - Communication failures could delay diagnosis | Acceptable after external mitigation measures | A | External controls reduce to Class A; alternative assessment methods available, temporary unavailability does not cause physical harm |
| ITSW-005 | FHIR interoperability interface | B | R-2TP, R-A96, R-HBD, R-BDR | 2 (Minor) - Misinterpretation of data could lead to incorrect diagnosis | Acceptable after external mitigation measures | B | Non-serious injury possible; IFU guidance, FHIR standards, and HCP supervision maintain Class B |
| ITSW-006 | User interface requirements and output presentation | B | R-HAX, R-4GG, R-ZFR, R-CGQ | 2 (Minor) - Misinterpretation of outputs by HCP | Acceptable after external mitigation measures | B | Non-serious injury possible; IFU, user training, and minimum UI requirements ensure proper use but maintain Class B for clinical decision risks |
| ITSW-007 | Infrastructure and availability management | B | R-MWD, R-VL1 | 1 (Negligible) - System unavailability or performance degradation | Acceptable after external mitigation measures | A | External controls reduce to Class A; elastic architecture ensures availability, temporary downtime does not cause harm |

Overall Software Classification: Class B

According to IEC 62304:2006/A1:2015, the overall software system classification is determined by the highest classification of any software item within the system.

The software items in Legit Health Plus have the following final classifications:

  • Class B items: ITSW-001, ITSW-002, ITSW-005, ITSW-006 (4 items)
  • Class A items: ITSW-003, ITSW-004, ITSW-007 (3 items)

Since multiple software items maintain Class B classification after external risk management measures (those involving clinical decision support, image quality assessment, and data interpretation), the entire software system is classified as Class B.

Rationale: Even though some software items (authentication, communication layer, infrastructure) can be reduced to Class A through external controls, the core functionality items that directly support clinical decision-making maintain Class B classification. Therefore, the development and maintenance of Legit Health Plus must follow all IEC 62304 requirements applicable to Class B software.
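The scoring rules above (RPN = P1 × S with P2 = 1, class derived from the controlled severity, and the system taking the highest class of any item) are the kind of thing a reviewer checks by hand against the two tables. The script below does that check mechanically. It is an added example, not part of this QMS document or of the Legit Health Plus code base: the risk rows and software items are transcribed from the tables on this page, and the severity-to-class mapping in `software_class()` is an assumption inferred from the page's severity labels (1 Negligible, 2 Minor, 3 Major, 4 Serious, 5 Critical) and the Class A/B/C definitions, since the page itself only exhibits severities 1 to 3.

```python
"""Consistency check for the IEC 62304 classification tables on this page.

Added example, not part of the QMS document or the product code base. Risk
rows and software items are transcribed from the page's tables; the scoring
rules follow GP-013 as summarised there (RPN = P1 x S, P2 = 1) and IEC 62304
(system class = highest item class). The severity-to-class mapping is an
assumption derived from the page's severity labels and class definitions.
"""
from dataclasses import dataclass

SEVERITY = {1: "Negligible", 2: "Minor", 3: "Major", 4: "Serious", 5: "Critical"}
PROBABILITY = {1: "Improbable", 2: "Remote", 3: "Occasional", 4: "Probable", 5: "Frequent"}
CLASS_RANK = {"A": 0, "B": 1, "C": 2}


@dataclass(frozen=True)
class Risk:
    """One row of the 'Most Critical Risks' table, values as printed there."""
    risk_id: str
    s_initial: int
    p1_initial: int
    rpn_initial: int
    class_before: str
    s_controlled: int
    p1_controlled: int
    rpn_controlled: int
    class_final: str


@dataclass(frozen=True)
class SoftwareItem:
    """One row of the 'Software and Items Class' table."""
    item_id: str
    risk_ids: tuple
    severity_after: int
    class_final: str


def rpn(severity: int, p1: int, p2: int = 1) -> int:
    """Risk priority number per GP-013: RPN = P1 x S (P2 = 1 for this device)."""
    return p1 * p2 * severity


def software_class(severity: int) -> str:
    """Assumed mapping: Negligible -> A (no injury possible), Minor/Major -> B
    (non-serious injury), Serious/Critical -> C (death or serious injury)."""
    if severity not in SEVERITY:
        raise ValueError(f"severity must be 1-5, got {severity}")
    if severity == 1:
        return "A"
    if severity <= 3:
        return "B"
    return "C"


def verify_risk_table(risks):
    """Return (risk_id, field) pairs where the printed value disagrees with the rules."""
    problems = []
    for r in risks:
        if rpn(r.s_initial, r.p1_initial) != r.rpn_initial:
            problems.append((r.risk_id, "initial RPN"))
        if rpn(r.s_controlled, r.p1_controlled) != r.rpn_controlled:
            problems.append((r.risk_id, "controlled RPN"))
        if software_class(r.s_initial) != r.class_before:
            problems.append((r.risk_id, "class before mitigation"))
        if software_class(r.s_controlled) != r.class_final:
            problems.append((r.risk_id, "final class"))
    return problems


def classify_items(items):
    """Derive each item's class from its severity after external mitigation."""
    return {i.item_id: software_class(i.severity_after) for i in items}


def verify_item_table(items):
    """Return item ids whose printed final class differs from the derived one."""
    derived = classify_items(items)
    return [i.item_id for i in items if derived[i.item_id] != i.class_final]


def system_class(item_classes):
    """IEC 62304: the system inherits the highest class of any software item."""
    return max(item_classes.values(), key=CLASS_RANK.__getitem__)


# Transcribed from the 'Most Critical Risks' table on this page.
RISKS = [
    Risk("R-DAG", 3, 4, 12, "B", 2, 2, 4, "B"),
    Risk("R-SKK", 3, 4, 12, "B", 2, 1, 2, "B"),
    Risk("R-AGQ", 3, 4, 12, "B", 2, 2, 4, "B"),
    Risk("R-5L4", 3, 4, 12, "B", 2, 2, 4, "B"),
    Risk("R-3YJ", 3, 4, 12, "B", 1, 1, 1, "A"),
    Risk("R-B63", 3, 4, 12, "B", 2, 1, 2, "B"),
    Risk("R-RAJ", 3, 3, 9, "B", 2, 1, 2, "B"),
    Risk("R-T8Q", 3, 4, 12, "B", 1, 2, 2, "A"),
    Risk("R-MWD", 3, 4, 12, "B", 1, 1, 1, "A"),
]

# Transcribed from the 'Software and Items Class' table on this page.
ITEMS = [
    SoftwareItem("ITSW-001", ("R-DAG", "R-SKK", "R-B63", "R-RAJ"), 2, "B"),
    SoftwareItem("ITSW-002", ("R-AGQ", "R-5L4"), 2, "B"),
    SoftwareItem("ITSW-003", ("R-3YJ", "R-D1I"), 1, "A"),
    SoftwareItem("ITSW-004", ("R-T8Q", "R-3N5", "R-YF4", "R-LRP"), 1, "A"),
    SoftwareItem("ITSW-005", ("R-2TP", "R-A96", "R-HBD", "R-BDR"), 2, "B"),
    SoftwareItem("ITSW-006", ("R-HAX", "R-4GG", "R-ZFR", "R-CGQ"), 2, "B"),
    SoftwareItem("ITSW-007", ("R-MWD", "R-VL1"), 1, "A"),
]

if __name__ == "__main__":
    print("risk table problems:", verify_risk_table(RISKS))
    print("item table problems:", verify_item_table(ITEMS))
    print("overall class:", system_class(classify_items(ITEMS)))
```

Running it on the transcribed tables reports no discrepancies and an overall Class B; a transcription or scoring error in either table would show up as a named row, which is easier to act on than re-multiplying cells by hand during document review.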

Justification of the Effectiveness of Segregation (Not applicable for Class B)

Segregation analysis is not required for Class B software according to IEC 62304:2006/A1:2015. This section would be completed if any software items were classified as Class C.

For Legit Health Plus Class B classification, verification of proper implementation of risk control measures is documented in:

  • [R-TF-012-022 Software Design Phase 2 Checklist]
  • [R-TF-012-035 Software Test Report]
  • Test cases in [R-TF-012-043 Traceability Matrix]

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003, JD-004
  • Approver: JD-001