December 2019 Standards Navigator Report


SoftwareCPR Standards Navigator Report provides information and tools related to standards that play a significant role in health software and software intensive medical devices. In addition to information on existing standards, SoftwareCPR Standards Navigator keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.

Recent standards and regulatory activity

Medical device software

  • The future of IEC 62304 Edition 2 is uncertain following the ballot on a second Draft International Standard. The draft was approved to move forward in IEC, but was not approved in ISO. The rules under which standards development operates allow flexibility in such cases, which rarely occur. It will be up to the two technical committees that voted on the draft to decide next steps. The proposed standard may be withdrawn, another draft may be prepared, or the standard may move forward in IEC but not in ISO. The last option seems unlikely, since the first edition of 62304 was a joint effort and moving forward in IEC alone would produce a version of IEC 62304 that differs from ISO 62304. An important consideration will be determining how the European standards bodies will progress on the EU mandate to harmonize 62304 for the MDR and IVDR by 2024.
  • A Committee Draft for Vote of the second edition of IEC 80001-1 Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software – Part 1: Application of risk management has been circulated. If this draft is approved, it will be the last opportunity for technical comments on this revision of the standard. This edition includes the following significant technical changes with respect to the previous edition:
    1. Structure changed to better align with ISO 31000;
    2. Establishment of requirements and guidance for an organization in the application of risk management;
    3. Communication of the value, intention and purpose of risk management through principles that support preservation of the key properties of safety, effectiveness and security during the implementation and use of connected health software and/or health IT systems.

  • Work has started on a new technical specification, ISO TS 82304-2 Health software – Part 2: Health and wellness apps – Quality criteria across the life cycle – Code of practice. This International Technical Specification will provide a set of requirements for developers of health and wellness apps, intended to meet the needs of health care professionals, patients, caregivers and the wider public. It will include a set of quality criteria and cover the app project life cycle, through the development, testing, release and updating of an app, including native, hybrid and web-based apps, apps associated with wearable, ambient and other health equipment, and apps that are linked to other apps. It will also address fitness for purpose and the monitoring of usage. The specification will inform the development of health and wellness apps irrespective of whether they are placed on the market or otherwise provided, including free of charge. An initial draft is planned for mid-2020 and a published document by mid-2021.
  • AAMI HIT1000-3 Safety and Effectiveness of health IT software and systems – Part 3: Application of risk management has been published in the AAMI store. The AAMI HIT1000 series is intended to address the need for standards that are specific to health IT and cover the full lifecycle of health software and systems. This standard (HIT1000-3) defines the points in the health IT lifecycle where different roles (Top Management, Business Owner, Developer, Integrator, Implementer, Operator, and User) assume primary responsibility for managing risks, and identifies the communication necessary among the different roles at those points. It provides guidance for managing risk, including best practices for assessing, classifying and prioritizing the relative risks, and includes examples of means for controlling these risks.
  • The EU has released guidance on qualification and classification of software under the MDR and IVDR. The guidance defines the criteria for the qualification of software falling within the scope of the new medical device regulations and provides guidance on the application of classification criteria for software under the new regulations. The guidance also provides information related to placing on the market. The criteria also apply to applications (commonly referred to as apps), whether they operate on a mobile phone, in the cloud or on other platforms.

Medical devices

  • The third edition of ISO 14971 has been published as ISO 14971:2019. It is expected to be published as a European Norm and to be harmonized under the MDR and IVDR by May 2020.
  • The second amendment of the current IEC 60601-1 and its collateral standards has been approved at the Committee Draft for Vote (CDV) level and will now proceed to a Final Draft. The amendments are expected to be published in mid-2020.
  • The EU has published a draft list of standards to be revised to support the MDR and IVDR. The list includes deadlines for when the harmonized standards will be available. A few standards are expected to be harmonized by 5/2020 when the MDR becomes mandatory. These are broad standards like ISO 13485 and ISO 14971 that apply to all medical devices. Additional standards, including IEC 62304 for software, are not expected to be harmonized until 5/2024, 4 years after the MDR takes effect. Until then, notified bodies will use “state of the art” to determine if software complies with the MDR. It will be important for manufacturers to understand what their notified body expects.
  • Work to create a second committee draft of IEC 80001-5-1 Security Activities in the Product Lifecycle is underway with a working document available. This standard specifies activities that the manufacturer of health software shall perform towards the information security of the health software product. These activities extend the processes required by IEC 62304. This new standard draws heavily on the practices in IEC 62443-4-1:2018 Security for industrial automation and control systems – Part 4-1: Secure product development lifecycle requirements. After it has been completed and adopted, it is expected to be used in regulatory activities.

Looking ahead – New standards activity expected in 2020

  • New areas for standardization in medical devices that are emerging include artificial intelligence and robotics. IEC technical committee 62, which develops standards for medical electrical equipment, has established advisory groups on each, and has added liaisons with other standards committees that are working in these areas.
  • The Internet of Things applied to health care will get some attention to determine if new standards are necessary for connected health care.
  • More standards on cybersecurity are likely. This area currently has high visibility, and that is likely to continue during the next year. There is an ongoing discussion about whether security risk management can be adequately done with the 14971 process. Three new standards will continue to be developed: 80001-5-1 Security – Activities in the product lifecycle, 60601-4-5 Safety related technical security specifications for medical devices, and AAMI SW96 Application of security risk management for medical devices.
  • AAMI has begun revising TIR45 Guidance on the use of AGILE practices in the development of medical device software.
  • Now that IEC 60601-1 is finishing a second amendment to the version initially published in 2005, work will begin on a fourth edition of this basic safety standard for medical electrical equipment. The last revision took 10 years to complete; will there be a new structure that allows more rapid updates to areas where technology is changing? Discussions will begin in 2020.

Drafts referenced in this Standards Navigator Report are for temporary review and feedback. All comments or feedback on these drafts or on this post should be directed to

Download a PDF copy of the report SoftwareCPR FDA Guidance List for Software-October2019.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and other staff for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that participants are able to make informed decisions in the future. The focus is not simply on what the standard says, but on what is meant, with discussion of examples and approaches one might implement to comply. Special deep discount pricing is available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  TBD

Email to request a special pre-registration discount. Limited number of pre-registration coupons.


Being Agile & Yet Compliant (Public or Private)

Our unique SoftwareCPR training course on incorporating agile and lean engineering into your medical device software process is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  • Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: March 7 & 28, 2024

Virtual via Zoom


Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into US FDA expectations for cybersecurity activities in the product development process, with a central focus on the cybersecurity risk analysis process. The overall approach is tied to relevant standards and FDA guidance documentation. The course follows the ISO 14971:2019 framework for its overall structure but uses IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering: TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.