July 2019 Standards Navigator Report


SoftwareCPR Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices. In addition to information on existing standards, SoftwareCPR Standards Navigator keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.

Recent standards and regulatory activity overview

Medical devices

  • The third edition of ISO 14971 has been approved and will be published after final editing. The associated guidance document, TR ISO 24971, has also been approved and will be published by the end of 2019. Some key changes to ISO 14971 include:
    • Changes to defined terms to align them with ISO/IEC Guide 63.
    • Addition of defined terms benefit, reasonably foreseeable misuse and state of the art.
    • The method that was used for the evaluation of overall residual risk is required to be defined in the risk management plan.
    • Clarification that the criteria for the acceptability of the overall residual risk can be different from the criteria for the acceptability of individual risks.
    • The review before commercial distribution of the medical device concerns the execution of the risk management plan. The results of the review are documented as the risk management report.
    • The requirements for production and post-production activities have been clarified.
    • Several informative annexes have been moved to TR 24971.
  • TR 24971 has been greatly expanded and restructured. It now includes informative annexes formerly in 14971. Guidance in 24971 is now aligned with 14971 in structure and numbering of clauses and gives additional examples. Additional guidance is provided on specific aspects of risk management, including guidance on risks related to security and guidance on the use of components designed without using 14971.
  • AAMI has produced a Consensus Report on Basic Introduction to the IEC 60601 Series. This document covers the structure of the IEC 60601 Series and provides basic information on the concepts and principles that the standards are built upon. It also covers U.S. national deviations from the IEC 60601 standards.


Medical Device Software

  • A new international Technical Specification has been proposed for health and wellness apps. IEC 82304-2 Health and wellness apps – quality criteria across the life cycle – code of practice, will include a set of requirements for developers of health and wellness apps. It will include a set of quality criteria and cover the app project life cycle, through the development, testing, releasing and updating of an app. The new Technical Specification will be based on BSI PAS 277:2015, and is expected to become an International Standard sometime in the future.
  • The FDA is continuing to pilot its Software Precertification Program for Software as a Medical Device. It recently released a mid-year update on its progress on evaluating the proposed Pre-Cert pathway against its traditional review process.



  • An initial working draft of IEC 80001-5-1 Security Activities in the Product Lifecycle has been circulated for comment. This document specifies activities that the manufacturer of health software shall perform towards the information security of the health software product. These activities extend the processes required by IEC 62304.
  • A committee draft of IEC TR 60601-4-5 Safety related security specifications has been circulated for comment. This document provides IT security specifications for medical devices connectable to medical IT networks. The intent of this document is to specify security capabilities that enable a medical device to be integrated into a medical IT network at a given security level.

While health apps and security continue to get the most discussion and debate regarding regulation and standards, a new topic is gaining attention. Regulation and standards for Artificial Intelligence are just beginning to be discussed. Both national and international standards groups have task forces currently investigating how AI impacts existing standards and what standards might be needed for use of AI in health applications and medical devices. This is likely to be an area of increasing activity in the next few years.

  • FDA has released a discussion paper that proposes a framework for regulation of medical devices that incorporate AI that utilizes adaptive machine learning techniques. They are seeking feedback on a number of topics related to machine learning and regulation of modifications to a medical device based on machine learning.
  • AAMI and BSI have published a set of recommendations for determining the role of standards in the regulation of Artificial Intelligence in medical devices.
  • AAMI is developing a white paper on the use of AI in medical devices and health applications. The white paper will:
    • Discuss what is different about AI and why the differences are important
    • Clarify AI concepts and terms related to medical devices
    • Discuss potential regulatory approaches
    • Propose development of specific consensus standards

AAMI’s timeline is to have a draft of this white paper this summer, with a final version by the end of the year.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future. The focus is not simply on what the standard says but on what is meant, with discussion of examples and approaches one might implement to comply. Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email training@softwarecpr.com to request a special pre-registration discount.  Limited number of pre-registration coupons.

Being Agile & Yet Compliant (Public or Private)

Our training course on SoftwareCPR's unique approach to incorporating agile and lean engineering into your medical device software process is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  • Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom


Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD
