Software in Medical Devices, by MD101 Consulting

The draft had been issued in 2022, and had been subject to a review in this article.

Amongst a long list of minor changes, the final version contains the following majors changes in the body text:

• IEC 81001-5-1 is know referenced as a possible Secure Product Development Framework, this is good news for manufacturers selling their devices in EU and the USA,
• AAMI TIR57 is recommended to document the security risk management activities for a medical device system. It's worth noting that AAMI SW96 isn't mentioned (yet),
• The above bullet is found in a new section V.A.2. Cybersecurity Risk Assessment. Its content is broadly aligned with AAMI SW96,
• A new section V.A.3 on Interoperability considerations. In short, security controls are required when exchanging information with other software or devices (MD or non-MD),
• Manufacturers should provide SBOM in machine readable format, something which is going to be made systematic for all software in the US in the coming years,

And the last major change is the Appendix 4 General Premarket Submission Documentation Elements and Scaling with Risk.
It summarizes in table 1 the documentation expected by the FDA in premarket submissions. The documentation should scale with the cyber risks of your devices.

Of course, we find the usual guidance warning: This table is not intended to serve as merely a deliverable checklist.
But, gosh, yes, you are going to use it as a checklist. I am going to use it as a checklist. FDA reviewers are going to use it as a checklist!


All in all, the message delivered by the FDA in this final guidance doesn’t change, compared to the draft version. Cybersecurity shall be taken seriously.

Prepare your security risk management files, your secure SDLC documents and your cyber PMS!