March 2019 Standards Navigator Report

Recent standards and regulatory activity overview

Medical device software

  • Following the failure of the DIS of 62304 to be approved, the IEC 62304 working group requested input from the ISO and IEC member countries. There was not a consensus on the approach to risk management for health software, but the working group discussed the replies and developed a new draft, which has been circulated as committee draft three of IEC 62304 second edition. If the new draft meets with approval by the member countries, a second DIS will be created and circulated.  Comments received on draft three will be addressed at a meeting in April, 2019.
  • AAMI has begun the process of updating TIR 45 Guidance on the use of AGILE practices in the development of medical device software. A TIR45 backlog has been created with the ideas that have been submitted for inclusion in the update. A TIR45 draft outline has also been developed.

Medical devices

  • ISO 20417, Medical devices — Information to be provided by the manufacturer, is a draft international standard. This standard provides the common, generic requirements for the design and implementation of labels on medical devices or their packaging, marking of medical devices or accompanying documentation. This document is intended to replace or supplement the often-repetitive labelling requirements that are common among the existing product standards of medical devices. The aim of this document is to serve as a central source of these common, generic requirements, allowing each specific product standard in the future to focus more concisely on the unique requirements for a specific medical device. This document includes the generally applicable requirements for identification, marking and documentation of a medical device or accessory.
  • The FDA has announced its intent to replace the Quality System Regulation with ISO 13485. In preparation for this change, AAMI has created a draft Technical Information Report, TIR102, to demonstrate alignment of regulatory requirements for quality management systems applicable to organizations involved in one or more stages of the life-cycle of a medical device. This TIR is a comparison of the requirements of 21 CFR 820 and ANSI/AAMI/ISO 13485:2016. The AAMI Quality Management working group has completed an analysis to identify differences between the requirements of 21 CFR 820 and the clauses of 13485, as well as some key considerations in the evolution of global quality management systems for the medical device industry.
  • AAMI has released the second edition of TIR 38 Medical device safety assurance case guidance. This TIR provides information useful to creating and maintaining safety assurance cases for medical devices. It does this in the context of ISO 14971 and ISO 15026-2. A safety assurance case serves as a detailed risk management report creating an overview document that provides a roadmap to product risk.

A safety assurance case serves to show that:

      1. Design requirements and specifications are adequate for the device’s intended use and have been adequately verified and validated.
      2. All reasonably foreseeable, worst-case hazards are identified and the associated risk is mitigated and/or controlled.
      3. The device’s reliability is established.


You can purchase TIR38 at

  • AAMI is developing a new TIR on considering risks associated with connectivity when designing devices that interact via an electronic interface. TIR75 Factors to consider when multi-vendor devices interact via an electronic interface; Practical applications and examples, identifies a number of specific factors that should be considered as part of risk management activities. It also provides examples where these factors are used to identify causes, hazards, and hazardous situations related to interoperability.

Health IT

  • A committee draft of IEC 81001-1 Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software – Part 1: Application of risk management has been circulated for comment. This edition includes the following significant technical changes with respect to the previous edition:
    1. Report structure changed to better align with ISO 31000;
    2. Establishment of requirements, guidance and criteria for responsible organisations in the application of risk management;
    3. Communication of the value, intention and purpose of risk management through principles that support preservation of the key properties during the implementation and use of connected medical devices and health software.
  • A new draft of AAMI HIT1000-3 Safety and effectiveness of health IT software and systems – Part 3: Application of risk management has been circulated for comment. This part of the AAMI HIT1000 series specifies a process to identify the patient safety hazards associated with health IT software and systems, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and other staff for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future. The focus is not simply on what the standard says, but on what is meant, with discussion of examples and approaches one might implement to comply. Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Being Agile & Yet Compliant (Public or Private)

SoftwareCPR's unique training course on incorporating agile and lean engineering into your medical device software process is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  • Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom


Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process, with a central focus on the cybersecurity risk analysis process. The overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD
