Software in Medical Devices, by MD101 Consulting - Comments

Proposal for MDR/IVDR changes and Rule 11 - software classification - David Grainger

David Grainger — Sat, 20 Dec 2025 06:37:12 +0100

I agree. It introduces a different level of confusion :-(

How to bring legacy software into line with IEC 62304? - part 1 - Mitch

Mitch — Mon, 07 Apr 2025 08:36:25 +0200

Hi Elily Your software isn't a legacy device, since you've applied IEC 62304 in an older version. Plan B is the plan to follow. Your software would be legacy if you didn't have any documentation.

How to bring legacy software into line with IEC 62304? - part 1 - Elily

Elily — Fri, 28 Mar 2025 04:07:41 +0100

Hi Mitch:

Our software is developmented under IEC 62304:2006 but not IEC 62304:2006+A1:2015, is it definied as legacy sw?
Which plan do you recommend if we want to comply with the IEC 62304:2006+A1:2015?

Plan A: Do gap analysis according to the IEC 62304 clause 4.4.2-4.4.5; or
Plan B: Review our development documents and modify them if needed to comply with clause 5 to clause 9 in IEC 62304:2006+A1:2015.

In plan A, we must define the SW as legacy, right? But in plan B, we can claim the SW does not appliy to clause 4.4, right?

Thanks.

When Web meets SOUP - Mitch

Mitch — Tue, 03 Sep 2024 20:23:41 +0200

Hi Solene
Thank-you for your comment and support.
To give a quick answer: this article is still applicable, event if new FDA guidances have been published since this article.
About solution 3: you may hear the sarcasm behind the wording I used in this solution. This is a quick way to park all SOUPs in the same "place" in the architecture. Something that may not be representative of the real architecture. Thus, I don't recommend it. This is a shortcut when you can't do otherwise.

When Web meets SOUP - Solenne

Solenne — Fri, 30 Aug 2024 13:11:02 +0200

Hi Mitch,
A few years later, but thanks for this very interesting article. For SOUP management, I am not sure to understand the third solution you propose here. Would you explain it a bit further please ?
Also, is this still applicable if we look at FDA guidelines (I read your more recent post about it as well) ?

Transition or not, your MDD SaMD may die in 2025, not 2028 - Rajesh

Rajesh — Sun, 02 Jun 2024 16:54:45 +0200

The end-of-support date for Windows Server 2019 depends on the type of support:

Mainstream Support: This phase includes regular updates, security patches, and feature enhancements. For Windows Server 2019, mainstream support ended on January 9, 2024.
Extended Support: During this phase, only security updates are provided. The extended support period for Windows Server 2019 extends until January 9, 2029.

Yet some claim that the extended support may end in October 2029.

Maintained software, Supported software, Required software, and SOUP - Mitch

Mitch — Thu, 23 May 2024 13:56:59 +0200

Hi Seb
I've seen both cases with some manufacturers including the OS in SOUP list and some others excluding it.
I think IEC 81001-5-1 sheds a new light on the concept of SOUP: supported software is a software not maintained by the manufacturer. Thus purchased / installed / maintained by the user of the SaMD. This is the case of the OS for a PC or mobile software.
The definition of SOUP includes the word being incorporated. This is not the case with a SaMD: it is installed on top of the OS. The OS isn't incorporated in the SaMD. It is a prerequisite provided by the user.

Thus, OS isn't SOUP, in the case on SaMD.
Remark: if the manufacturer provides the user with the PC / mobile hardware, and the OS preinstalled in the right version, then it is questionnable to exclude the OS from SOUP.

Maintained software, Supported software, Required software, and SOUP - Seb

Seb — Tue, 21 May 2024 17:36:53 +0200

Hi Mitch,
You say here that OS is a supported software for mobile app (or PC application) but is it also to be considered as a SOUP regarding the IEC 62304 ?

And second question : where do you place the database system (like SQL Server or other like that) ?

Final 2023 FDA Premarket Cybersecurity guidance released - Mitch

Mitch — Mon, 06 May 2024 11:19:55 +0200

Hi Jacopo,
Thanks for your feedback!
IEC 81001-5-1 is now the reference for cybersecurity in MD. But it is a bit short for the implementation on a cybersecurity risk management process.
My recommendation is to use IEC 81001-5-1 together with AAMI SW96:2023, if you want to have a topnotch cybersecurity risk management process. Otherwise, you can use AAMI TIR57 as s good source of info to implement a cybersecurity risk management process.
IEC 29119-1:2022 can be applied to have better infos on sw testing (compared to IEC 62304). And AAMI 2700-2-1:2022 can be applied to have better infos on interoperability. It's worth noting there's an interoperability section in the FDA eSTAR submission template.

Cybersecurity standards: IEC 81001-5-1 and IEC/TR 60601-4-5 - Mitch

Mitch — Mon, 06 May 2024 11:11:32 +0200

Hi Justine,
That should be ok, we're still in a transition phase.

Transition or not, your MDD SaMD may die in 2025, not 2028 - Mitch

Mitch — Mon, 06 May 2024 11:03:53 +0200

Hi Houssk,
You're absolutely right! I didn't catch that one.
In this case, the manufacturer shall notify their customers to purchase the extended support, in order to continue using their SaMD.

IEC 81001-5-1 Right Here Right Now - Mitch

Mitch — Mon, 06 May 2024 11:00:01 +0200

Hi Mohamed,
No official document has been published yet.
These are just feedbacks from people participating to the MDCG working groups on harmonization. Since we are close to the dealdline, it's probable that these rumors are true.

Medical Device lifetime and SaMD - Mitch

Mitch — Mon, 06 May 2024 10:56:34 +0200

Hi Amit,
Unfortunately not. If it were the case, I'd have mentioned it!

Transition or not, your MDD SaMD may die in 2025, not 2028 - Houssk

Houssk — Thu, 02 May 2024 15:10:15 +0200

You aren't taking into account the extended end date for Windows Server ? for example, Windows Server 2019 ending on January 9, 2029. https://learn.microsoft.com/en-us/l...

IEC 81001-5-1 Right Here Right Now - Mohamed

Mohamed — Sat, 27 Apr 2024 09:56:36 +0200

Hi,
Could you provide a link of the source stating that harmonization plans are postponed, please?

Medical Device lifetime and SaMD - Amit Pal

Amit Pal — Wed, 24 Apr 2024 17:53:08 +0200

Any one please guide how to calculate software lifetime?

IEC 81001-5-1 Right Here Right Now - Mitch

Mitch — Wed, 28 Feb 2024 17:30:06 +0100

HI Peter,
Thanks for your feedback.
Yes, it was supposed to be harmonized by May 2024. But the MDCG WG on standards held a meeting the 19 January 2024. This report states that it is being postponed to 2028. There is no official information. But you can find it on lnkn.

IEC 81001-5-1 Right Here Right Now - Peter Olsson

Peter Olsson — Mon, 26 Feb 2024 13:56:48 +0100

Hi,

Interesting article! I have a consideration about the harmonzation of 81001-5-1 during 2028. I thought that 81001-5-1 was supposed to be harminized May 27th this year (2024)?

Cybersecurity standards: IEC 81001-5-1 and IEC/TR 60601-4-5 - Justine PRADELS

Justine PRADELS — Thu, 07 Dec 2023 18:12:02 +0100

Hello,

If we have a software version on the market without implementation of specifications of these standards, but we have a software version in development that includes the specifications relative to these 2 standards at May 2024 is it OK?

Final 2023 FDA Premarket Cybersecurity guidance released - Jacopo

Jacopo — Thu, 09 Nov 2023 19:36:25 +0100

Hi Mitch, great post as always!
What's your take on the the latest Recognized Consensus Standards from the FDA in regards to the Premarket Cybersecurity guidance?
It looks like AAMI SW96:2023 is now in the recognized consensus table, as well as IEC 29119-1:2022 and AAMI 2700-2-1:2022.
Would this change your view on applying IEC 81001-5-1 for SDLC (as well as security risk management) to a medical device development process?
Thanks and keep up with the great blog!
J.