January 2021 Standards Navigator Report


SoftwareCPR® Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices. In addition to information on existing standards, SoftwareCPR Standards Navigator keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.

Recent standards and regulatory activity

The expected new drafts of IEC 62304 Second Edition and IEC 81001-1 were circulated shortly after the start of the new year. New work on cybersecurity and artificial intelligence is continuing. Drafts of new standards will likely be available during the first half of 2021.

Medical device / Health software standards navigator

  • A new draft of IEC 62304 Ed. 2: Health software – Software life cycle processes has been circulated for vote. This is the third try to get the draft approved in both IEC and ISO. The second draft was approved in IEC but failed in ISO. The new draft makes a number of significant changes to resolve comments on the second draft. These include:
    • Removing the requirement for use of ISO 14971. This has been replaced by a requirement to have a process for managing risks. All Health software must still use a Risk management process and meet 62304 Risk Management requirements.
    • Adding a requirement for an established process for managing risks associated with system security.
    • Changing “Software Safety Classification” to the term “Software Process Rigor Level”. Software Process Rigor Level is used to determine the required rigor of the software PROCESSES prior to the start of development.
    • Changing the software classification scheme from one focused on acceptable risk to one focused on the rigor that needs to be applied to software based on risk. Figure 3 has been updated to show the steps to software classification.

    • A hook for artificial intelligence was added to the requirements for planning:
      1 f) If appropriate, an algorithm change protocol for the delineation of data and procedures to be followed so that algorithm modifications meet intent and remain safe and effective after the modification. Components of an algorithm change protocol to consider include data management, algorithm retraining, algorithm performance evaluation, and algorithm update procedures.
    • A requirement has been added to software requirements content to include security capabilities that might be considered in the software and resolved into security requirements.
    • A requirement has been added to software maintenance planning to include a software retirement/decommissioning strategy.
    • Annexes have been updated, including a new section for the relationship of the IMDRF SaMD risk categorization and IEC 62304.

  • A final draft of ISO 81001-1 Health software and health IT systems safety, effectiveness and security — Part 1: Principles and concepts has been circulated for vote. This document establishes coherent concepts and terminology for other standards that address specific aspects of the safety, effectiveness, and security (including privacy) of health software and health IT systems. It provides the principles, concepts, terms and definitions for health software and health IT systems, and the key properties of safety, effectiveness and security, across the full life cycle, from concept to decommissioning as represented in the following figure.
    It also identifies the transition points in the life cycle where transfers of responsibility occur, and the types of multi-lateral communication that are necessary at these transition points.
    Annex B provides concept diagrams as diagrammatic representations for the systems of concepts used in the document. The diagrams take the terms and definitions and group these into generic concepts that can assist in understanding the context of use of the terms and the relationship between terms. Each concept diagram represents one aspect of a related group of terms and the interaction between these terms within their context of use. The concept diagrams present the:

    • Relationship between key properties (safety, effectiveness and security) and processes.
    • Relationship between risk management concepts.
    • Relationship between harm concepts.
    • Relationship between health information and technology concepts.

    Annex C provides guidance on the use of assurance cases for knowledge transfer where transfers of responsibility occur during the full life cycle of the health IT system.

Security standards navigator

  • IEC TR 60601-4-5: Medical electrical equipment – Part 4-5 Guidance and interpretation – Safety related technical security specifications for medical devices has been published and is available from IEC.

  • A second committee draft of AAMI SW96 Medical device security – Security risk management for medical device manufacturers is expected about the end of February.

Artificial Intelligence

  • The FDA has released an action plan for “Artificial Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD)”. It outlines five actions the FDA intends to take:
    • Further developing the proposed regulatory framework, including through issuance of draft guidance on a predetermined change control plan (for software’s learning over time);
    • Supporting the development of good machine learning practices to evaluate and improve machine learning algorithms;
    • Fostering a patient-centered approach, including device transparency to users;
    • Developing methods to evaluate and improve machine learning algorithms; and
    • Advancing real-world performance monitoring pilots.

  • The technical report ISO 24291 Health informatics – Applications of machine learning technologies in imaging and other medical applications has been approved and will be published in the first quarter of 2021.


