Software in Medical Devices, by MD101 Consulting



Explanations on standards, howto's

My own experience on implementation of standards


Friday, 23 February 2024

IEC 81001-5-1 Right Here Right Now

IEC 81001-5-1 is now the standard for cybersecurity in medical devices. But is this standard asking for too much?


Friday, 8 September 2023

AAMI SW96 2023 - The keystone of security risk management for medical devices

A new standard on security risk management for medical devices was published in early 2023: AAMI SW96. Unlike AAMI TIR57 and TIR97, this is a standard, not a technical report.


Monday, 20 February 2023

Maintained software, Supported software, Required software, and SOUP

These three concepts come from IEC 62443 and were adopted in IEC 80001-5-1. SOUP isn't present in IEC 81001-5-1.
What are the differences between SOUP and Maintained software, Supported software, and Required software?


Friday, 8 July 2022

IEC/TR 60601-4-5 kicked out of harmonized standards

On 6 June 2022, a draft request was published to update the list of EU MDR/IVDR harmonized standards. This request brings changes to the list presented in the draft list of April 2021.


Thursday, 13 January 2022

IEC 81001-5-1, final version published

IEC 81001-5-1 was published in December 2021. We already talked about the draft version here. Combined with IEC/TR 60601-4-5, published in February 2021, these two standards constitute the state of the art in cybersecurity of medical devices in Europe.

The final version is very close to the draft version, apart from a few changes to the organizational requirements: formerly clause 10 in the draft, they were removed from there and copied to clause 4 in the final version.

Be prepared to apply these two standards for your MDR CE Mark submissions, when they are harmonized. Most probably by 2024.

Friday, 9 July 2021

Cybersecurity standards: IEC 81001-5-1 and IEC/TR 60601-4-5

The draft list of harmonized standards for the MDR regulation was published in May 2021. In this document, we find the references to the following cybersecurity standards:

  • IEC 80001-1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software - Part 1: Application of risk management,
  • IEC 81001-5-1 (not published): Health Software and health IT systems safety, effectiveness and security - Part 5-1: Security - Activities in the product lifecycle,
  • IEC/TR 60601-4-5: Medical electrical equipment - Part 4-5: Guidance and interpretation - Safety-related technical security specifications.


Friday, 19 February 2021

IEC 62304:2021 Committee Draft Version: Groundhog Day

That's a déjà vu. The second version of IEC 62304 is still in draft. It has been in this state for five years, since the publication of Amendment 1. We already had a draft version in 2019. A new draft version is, again, in public review (or has been in public review in your country) under the name IEC CDV 62304:2021. Go to the website of your national standardization organization to see if you can still download it for free!


Friday, 22 November 2019

IEC 62304:2019 or 2020 - Next Generation

The second version of IEC 62304 is still in draft. It has been in this state for almost five years, since the publication of Amendment 1. It is now in public review (or has been in public review in your country) under the name IEC 62304:2019 CDV. Go to the website of your national standardization organization to see if you can still download it for free!


Friday, 16 August 2019

Cybersecurity in medical devices: a short review of UL 2900-1

We continue this series of articles on cybersecurity with a free and non-exhaustive review of the UL 2900-1 standard.
What is UL 2900-1? This standard was published in 2017 by Underwriters Laboratories (UL). It contains technical requirements on cybersecurity for network-connectable products. A collateral standard, UL 2900-2-1, focuses on connectable healthcare and wellness systems. UL 2900-1 and UL 2900-2-1 are FDA-recognized standards and are thus applicable to medical devices.


Wednesday, 20 September 2017

100% probability of software failure in IEC 62304 Amd1 2015

A reader of the post on IEC 62304 Amd1 2015 noticed in the comments that the sentence in section 4.3.a was removed:

If the HAZARD could arise from a failure of the SOFTWARE SYSTEM to behave as specified, the probability of such failure shall be assumed to be 100 percent.

Don't be too quick to scratch the 100 percent thing!

The dreadful 100 percent is still present in the informative Annex B.4.3.

Even if it is no longer in the normative part, you shall continue to bear this assumption in mind when assessing software risks. The underlying concept is that it's not possible to assess the probability of software failure, thus the worst case shall be considered.
This is the state of the art, present in ISO 14971, in IEC 80002-1, in IEC 62304, and in the FDA Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices.

100% probability is not dead!

Wait, but what of harmonized standards?

While the FDA continues to update the list of recognized standards periodically and reliably (last update in August 2017), the European Commission hasn't updated the list of harmonized standards since May 2016.


Tuesday, 16 May 2017

Cybersecurity in medical devices - Part 3 AAMI TIR57:2016

After a long pause, we continue this series about cybersecurity in medical devices with a discussion on AAMI TIR57:2016 Principles for medical device security — Risk management.


Tuesday, 1 November 2016

IEC 82304-1:2016 Health software - Part 1: General requirements for product safety

IEC 82304-1:2016, the missing link on standalone medical device software validation, has been published!
See the official version on the IEC webstore, and the comments made on the FDIS (the final version shouldn't have changed).

Now we wait for the FDA to recognize it and the EU to harmonize it!

Friday, 10 June 2016

ISO/TR 80002-2: latest news on Validation of software for medical device quality systems

ISO/TR 80002-2 is the future technical report on the validation of software used in regulated processes. The last version of this document, a Draft Technical Report (ISO/DTR 80002-2:2016), was released to the members of the standard committee for comments in May 2016.
This document is still a draft and is to be released by the end of 2016 or early 2017. There are high expectations for this document, since the introduction of requirements on validation of software used in the QMS in section 4.1.6 of ISO 13485:2016.


Friday, 6 May 2016

Is my software in class A, B or C? - 2015 reloaded

It has been almost four years since I wrote, in 2012, the post "Is my software in class A, B or C?".
In 2015, IEC 62304 Amendment 1 was published, changing the game a bit about software safety class.


Friday, 8 April 2016

IEC 82304-1 - Consequences on agile software development processes

Continuing our series about IEC 82304-1, let's see the consequences of this standard on agile software development processes.


Friday, 11 March 2016

IEC 82304-1 - Overview of requirements

In a previous article, we had an overview of IEC 82304-1 Health software -- Part 1: General requirements for product safety, its scope and its relationships with other standards like IEC 62304.
This article presents the requirements of IEC 82304-1 in more detail (but not too much, we're not going to rephrase the standard).


Friday, 15 January 2016

IEC 82304-1 - latest news about the standard on Health Software

The IEC 82304-1 Health software -- Part 1: General requirements for product safety standard is still under development. Its status is visible on the page of the ISO website dedicated to IEC 82304-1. There is even a preview of the first three pages of this draft standard.


Wednesday, 23 September 2015

IEC 62366-1 becomes recognized by the FDA

Long time no see, for those of you who have been following this blog for a long time.
Today I have time to write a short article on the new version of the IEC 62366 standard: IEC 62366-1:2015 Application of usability engineering to medical devices.


Friday, 10 July 2015

IEC 62304 Amendment 1 published

The new version of IEC 62304, also known as IEC 62304:2015 or Amendment 1 of IEC 62304, was published by the IEC at the end of June 2015.
There were no major changes compared to the drafts that were circulated earlier this year.

The two major new requirements, compared to IEC 62304:2006, are:

  • Requirements about legacy software,
  • Changes in the definition of the security classes, based on risk assessment.

IEC 62304:2015 is available on the IEC website at the astounding / amazing / appealing / astonishing (delete as appropriate) price of 650 Swiss francs (approx. US$700) for the consolidated version.

Now we need to wait for this version to be harmonized by the EU and recognized by the USA.
