Explanations on standards, howto's
My own experience on implementation of standards
- Comments feed
Thursday 13 January 2022
By Mitch on Thursday 13 January 2022, 13:54
IEC 81001-5-1 was published in December 2021. We already talked about the draft version here. Combined with IEC/TR 60601-4-5, published in February 2021, these two standards constitute the state of the art in cybersecurity of medical devices in Europe.
The final version is very close to the draft version, apart from a few changes to the organizational requirements; formerly clause 10 present in the draft, but removed and copied to clause 4 in the final version.
Be prepared to apply these two standards for your MDR CE Mark submissions, when they are harmonized. Most probably by 2024.
Friday 9 July 2021
By Mitch on Friday 9 July 2021, 13:37
The draft list of harmonized standards for the MDR regulation was published in May 2021. In this document, we find the references to the following cybersecurity standards:
- IEC 80001-1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software - Part 1: Application of risk management,
- IEC 81001-5-1 (not published): Health Software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product lifecycle,
- IEC/TR 60601-4-5: Medical electrical equipment - Part 4-5: Guidance and interpretation - Safety-related technical security specifications.
Friday 19 February 2021
By Mitch on Friday 19 February 2021, 13:43
That's a déjà-vu. The second version of IEC 62304 is still in draft. It has been in this state for five years, since the publication of the amendment 1. We already had a draft version in 2019. A new draft version is, again, in public review (or has been in public review in your country) under the name IEC CDV 62304:2021. Go to the website of your national standardization organization, to see if you can still download it for free!
Friday 22 November 2019
By Mitch on Friday 22 November 2019, 14:16
The second version of IEC 62304 is still in draft. It has been is this state for almost five years, since the publication of the amendment 1. It is now in public review (or has been in public review in your country) under the name IEC 62304:2019 CDV. Go to the website of your national standardization organization, to see if you can still download it for free!
Friday 16 August 2019
By Mitch on Friday 16 August 2019, 13:44
We continue this series of articles on cybersecurity with a free and non-exhaustive review of UL 2900-1 standard.
What is UL 2900-1? This standard was published in 2017 by Underwriters Laboratory (UL). It contains technical requirements on cybersecurity for network connectable products. A collateral UL 2900-2-1 focuses on connectable healthcare and wellness systems. UL 2900-1 and UL 2900-2-1 are FDA recognized standards. Thus, applicable to medical devices.
Wednesday 20 September 2017
By Mitch on Wednesday 20 September 2017, 17:48
A reader of the post on IEC 62304 Amd1 2015 noticed in the comments that the sentence in section 4.3.a was removed:
If the HAZARD could arise from a failure of the SOFTWARE SYSTEM to behave as specified, the probability of such failure shall be assumed to be 100 percent.
Don't be too quick to scratch the 100 percent thing!
The dreadful 100 percent is still present in the informative Annex B.4.3.
Even if it is no more in the normative part, you shall continue to bear in mind this assumption when assessing software risks. The underlying concept is that it's not possible to assess probability of software failure, thus the worst case shall be considered.
This is the state-of-the-art, present in ISO 14971, in IEC 80002-1, in IEC 62304, and in the FDA Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.
100% probability is not dead!
By Mitch on Wednesday 20 September 2017, 14:18
While the FDA continues to update periodically and reliably the list of recognized standards (last update in August 2017), the European Commission hasn't updated the list of harmonized standards since may 2016.
Tuesday 16 May 2017
By Mitch on Tuesday 16 May 2017, 21:53
After a long pause, we continue this series about cybersecurity in medical devices with a discussion on AAMI TIR57:2016 Principles for medical device security — Risk management.
Tuesday 1 November 2016
By Mitch on Tuesday 1 November 2016, 21:09
IEC 82304-1:2016, the missing link on standalone medical device software validation has been published!
See the official version on IEC webstore, and comments made on the FDIS (the final version shouldn't have changed).
Now we wait for the FDA to recognize it and the EU to harmonize it!
Friday 10 June 2016
By Mitch on Friday 10 June 2016, 13:56
ISO/TR 80002-2 is the future technical report on the validation of software used in regulated processed. The last version of this document, a Draft Technical Report (ISO/DTR 80002-2:2016), was released to the members of the standard committee for comments in May 2016.
This document is still a draft and is to be released by the end of 2016 or early 2017. There are high expectations on this document, since the introduction of requirements on validation of software used in the QMS in section 4.1.6 of ISO 13485:2016.
Friday 6 May 2016
By Mitch on Friday 6 May 2016, 13:33
Almost four years since I wrote in 2012 the post Is my software in class A, B or C?.
In 2015, IEC 62304 Amendment 1 was published, changing a bit the game about software safety class.
Friday 8 April 2016
By Mitch on Friday 8 April 2016, 14:25
Continuing our series about IEC 82304-1, let's see the consequences of this standard on agile software development processes.
Friday 11 March 2016
By Mitch on Friday 11 March 2016, 14:53
We had in a previous article an overview of IEC 82304-1 Health software -- Part 1: General requirements for product safety, its scope and its relationships with other standards like IEC 62304.
This article presents more in details (but not too much, we're not going to rephrase the standard) the requirements of IEC 82304-1.
Friday 15 January 2016
By Mitch on Friday 15 January 2016, 14:30
IEC 82304-1 Health software -- Part 1: General requirements for product safety standard is still under development. Its status is visible on the page of ISO website, dedicated to IEC 82304-1. There is even a preview of the first three pages of this draft standard.
Wednesday 23 September 2015
By Mitch on Wednesday 23 September 2015, 09:57
Long time no see. For those of you guys who have been following this blog for a long time.
Today I have time to write a short article on the new version of IEC 62366 standard: IEC 62366-1:2105 Application of usability engineering to medical devices.
Friday 10 July 2015
By Mitch on Friday 10 July 2015, 11:52
The new version of IEC 62304, also known as IEC 62304:2015 or amendment 1 of IEC 62304 was published by the IEC at the end of June 2015.
There were no major changes compared to the drafts that were circulated earlier this year.
The two major new requirements, compared to IEC 62304:2006 are:
- Requirements about legacy software,
- Changes in the definition of the security classes, based on risk assessment.
IEC 62304:2015 is available on IEC website at the astounding / amazing / appealing / astonishing (delete as appropriate) price of 650 swiss francs (approx. US$700) for the consolidated version.
Now we need to wait for this version to be harmonized by EU and recognized by the USA.
Friday 24 April 2015
By Mitch on Friday 24 April 2015, 15:48
Georg Heidenreich, one of the author of the Frequently Asked Questions on IEC 62304 published on the Team NB website, posted two weeks ago an article about the upcoming updates in the first amendment of IEC 62304.
Wednesday 4 March 2015
By Mitch on Wednesday 4 March 2015, 16:17
The DIS2 (2nd draft version) of the next ISO 13485 was released in february.
It is published for comments on BSI draft review system website. Go to this website and search for 13485 to have a look at this draft.
Friday 30 January 2015
By Mitch on Friday 30 January 2015, 16:44
To continue with the last article about FDIS IEC 62366-1 standard, let's see now the consequences of this standard on software design.
Friday 9 January 2015
By Mitch on Friday 9 January 2015, 14:16
The FDIS (final draft version) of IEC 62366-1 was released in November 2014. This version, also known as IEC 62366 2nd edition, is on the right track to be officially released in Q1 2015. It will supersede the IEC 62366:2007 + Amendment 1:2014.