Software in Medical Devices, by MD101 Consulting

To content | To menu | To search

Wait, but what of harmonized standards?

While the FDA continues to update periodically and reliably the list of recognized standards (last update in August 2017), the European Commission hasn't updated the list of harmonized standards since may 2016.

FDA recognized standards

The update of FDA recognized standards in August 2017 brought to the looong list of standards:

  • ANSI UL 2900-1 on cybersecurity (will be analyzed in a further post),
  • IEC 82304-1 on health software,

to say the least, just focusing on software as a medical device.
We can also check and verify on the FDA database of recognized standards that IEC 62304 amendment 1 2015 was recognized in April 2016, and IEC 62366-1 2015 was recognized in June 2016.

EU harmonized standards

On the other side of the Atlantic Ocean, things are less ... clear.
While standards published by the ISO, IEC or other international organizations continue to evolve, the list of harmonized standards still references "old" standards:

  • For software: IEC 62304:2006, no 62304 2015 or 82304 in sight,
  • For usability: IEC 62366:2008, no 2015 in sight,
  • For general standards ISO 13485:2012 (doh!),
  • Fortunately ISO 14971 hasn't evolved yet (phew!),
  • For embedded software, old versions of IEC 60601-1-x, and IEC 60601-2-x collateral still referencing IEC 60601-1 2nd version,

to say the least.
I heard that more than a hundred of standards wait for being harmonized (this sounds likely, but I don't have the source and hope I'm not spreading fake news).
The current list is getting older and older. The toughest element is that all manufacturers are switching or have already switched to ISO 13485:2016.

Hey, European Commission, this list passed its expiry date! What do we do now?

Recommendations of Notified Bodies

Fortunately (or strangely, or ironically, or ... choose your positive or negative adverb), Notified Bodies have the solution:

Disregard the current list of harmonized standards and consider the last versions of standards as state-of-the-art.

This recommendation was given by two different notified bodies to manufacturers I work with.

So, still focusing on standalone software, you can apply the following standards:

  • IEC 62304 Amd1:2015,
  • IEC 62366-1:2015,
  • and even IEC 82304-1:2016.

For embedded software, I can't imagine the confusion caused by the application of the latest versions not present in the list of harmonized standards. It's a very good idea to consult your notified body before applying the latest versions of the IEC 60601-x-y family.

Now, what?

Now, IEC 62304:2006 is getting old,
Now, ISO 13485:2003 is withdrawn,
Now, the new regulations 2017/745 and 2017/746 are there,
Now, the European Commission should do their homework.


1. On Tuesday, 14 November 2017, 22:50 by Frank Grube

Hi Mitch, thank you for the very good summary.
Coming back from some discussions in Germany, I have another possible interpretation of the situation.
That is, the EC is no longer focusing on harmonized standards, but instead is preparing for putting its weight on the newly introduced Common Specifications (MDR Article 9).
We will see in which fields those CS will emerge in the coming 2 years, but with the Article9 the EC has definitely a powerful tool in hand to add their own layer of rules on top of basically any standard - and add even more complexity.
Remarkable in this context also the obligations for the NBs in 4.5.
“The notified body shall, where relevant, take into consideration available CS, guidance and best practice documents and harmonised standards, even if the manufacturer does not claim to be in compliance”
One thing is sure, we are living in interesting times…
Take care!

2. On Friday, 17 November 2017, 22:21 by Mitch

Hi Frank,

Thanks for your update. Definitely interesting times!

3. On Friday, 8 December 2017, 16:30 by Mitch

The list of harmonized standards has been updated on the 17/11/2017.

ISO 13485:2016 and ISO 15223-1:2016 are in the list. But nothing on IEC 62304:2015 and IEC 62366-1:2015. Probably too hard a job to add them to the list...

Add a comment

Comments can be formatted using a simple wiki syntax.

This post's comments feed