July 2021 Standards Navigator Report


SoftwareCPR® Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices.  In addition to information on existing standards, our report keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.

July 2021 Standards Navigator Recent standards and regulatory activity

Medical device standards

The harmonization of existing and new international medical device standards is uncertain due to a disagreement between CEN/CENELEC and the European Commission over the scope of the mandate from the Commission for content of harmonized standards.

As of this time no international medical device standards have been harmonized under the Medical Device Regulation.

AAMI has begun work on a draft of a standard for remote control of medical devices.  In response to the COVID-19 crisis, a consensus report (AAMI CR511) was rapidly developed to address the immediate needs posed by the pandemic with respect to the remote control of therapeutic devices such as critical care ventilators.  This standard seeks to build upon that work to provide guidance with respect to the remote control of a patient’s medical devices to address the challenges noted.

Medical device and health software standards

The project to create a second edition of IEC 62304: Health software – Software life cycle processes has been cancelled. Consensus could not be reached on the content of the new edition. Several issues were contentious, including:

  • The expanded scope of the second edition to cover health software that may not be regulated
  • Lack of sufficient requirements for cybersecurity
  • No specific requirements for medical devices containing artificial intelligence software

As a result of the cancellation of the project, the stability date for IEC 62304 edition 1 with amendment 1 has been changed to 2025.  This means that the current edition of IEC 62304 will not be changed before 2025. What this means for use of 62304 by Notified Bodies under the Medical Device Regulation is unclear.


ISO 81001-1: Health software and health IT systems safety, effectiveness and security — Part 1: Principles and concepts has been approved and will be published later this year.  This standard identifies the terms, concepts, core themes and life cycle necessary to create safe, effective and secure health software and health IT systems. The standard uses the figure below to illustrate the foundations and life cycle accountability. It also identifies the transition points in the life cycle where transfers of responsibility occur, and the types of multi-lateral communication that are necessary at these transition points.


IEC 80001-1: Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software – Part 1: Application of risk management edition 2 has been approved and will be published later this year. This standard specifies general requirements for organizations in the application of risk management before, during and after the connection of a health IT system within a health IT infrastructure, by addressing the key properties of safety, effectiveness and security whilst engaging appropriate stakeholders. Within the context of ISO 81001-1, this document covers the generic lifecycle phases “implementation and clinical use.”


AAMI is revising TIR45, Guidance on the use of AGILE practices in the development of medical device software. This guidance provides recommendations for how to comply with FDA requirements for software and IEC 62304.  First published in 2012, the TIR is being updated and new content added.


ISO Technical Specification 82304-2, Health software – Part 2: Health and wellness apps – Quality criteria across the life cycle – Code of practice has been approved and will be published later this year. This document provides quality requirements for health apps and defines a health app quality label to visualize the quality and reliability of health apps.  This document is applicable to health apps, which are a special form of health software. It covers the entire life cycle of health apps. This document is intended for use by app manufacturers as well as app assessment organizations to communicate the quality and reliability of a health app. Consumers, patients, carers, health care professionals and their organizations, health authorities, health insurers and the wider public can use the health app quality label and report when recommending or selecting a health app for use, or for adoption in care guidelines, care pathways and care contracts.


Work has begun on a new ISO technical specification, ISO TS 81001-2-1: Safe, effective, and secure health software and health IT systems – Assurance cases Application guidance — Guidance for the use of assurance cases – safety & security.  Work has begun on developing a committee draft.

Medical device and health software cybersecurity standards

IEC 81001-5-1, Security Activities in the product life cycle, has passed its draft ballot and, after comment resolution, will be circulated as a Final Draft International Standard.  The draft standard defines the life cycle requirements for development and maintenance of health software, including medical devices, needed to support conformity to IEC 62443-4-1, taking the specific needs for health software into account.  Requirements are arranged in the ordering of IEC 62304.  Implementing the processes, activities and tasks specified in this document is sufficient to implement the process requirements of IEC 62443-4-1.  By implementing the specifications in Annex E, full conformity to IEC 62443-4-1 may be achieved.


IEC 80001-2-2, Application of Risk Management for IT-Networks Incorporating Medical Devices — Part 2-2: Guidance For The Disclosure And Communication Of Medical Device Security and IEC 80001-2-8, Application Of Risk Management For IT Networks Incorporating Medical Devices – Part 2-8: Application Guidance – Guidance On Standards For Establishing The Security Capabilities Identified In IEC 80001-2-2 have both begun work on a second edition.


AAMI SW95, Medical device security – Security risk management for medical device manufacturers, has completed a first committee draft for vote. Based on the resolution of comments, the committee will either submit another committee draft or will submit a final draft for approval. The next draft is expected during the second half of 2021.


ISO has a new proposed project, Cyber Security Framework for Telehealth Environments. Work on this project has not yet been approved.

Medical device and health software artificial intelligence standards

Technical report ISO 24291, Health informatics – Applications of machine learning technologies in imaging and other medical applications, has been approved and will be published in 2021.


JTC1/SC7 has developed ISO/IEC TR 29119-11 Software and systems engineering — Software testing — Part 11: Guidelines on the testing of AI-based systems. IEC has formed an ad hoc group to analyze the methods described for their usefulness for the medical world.


JTC1/SC42 is expected to have committee drafts for two new standards in the next few months:

  • ISO/IEC CD 23053.2 Framework for Artificial Intelligence (AI) Systems Using Machine Learning (ML)
  • ISO/IEC CD 23894 Information Technology — Artificial Intelligence — Risk Management

AAMI is working on Consensus Report 34971, Guidance on the application of ISO 14971 to artificial intelligence and machine learning. The committee currently has a committee draft.


The Russian national standardization body GOST (Gossudarstwenny Standard, the national standardization organization of Russia) has made a proposal regarding a standard on Artificial Intelligence (AI) — Software testing of AI medical devices – clinical evaluation. This proposal has been made to ISO/TC215, but there is much work to be done in many areas before standards work on the proposal will be ready to be initiated.


An ISO ad hoc committee on AI has proposed that a new guidance on AI addressing security and privacy analysis be developed. This would include:

  • Use case analysis
  • Integration of an AI system into a health care system of systems
  • Security by design and privacy by design approach and practice
  • Trustworthy framework including suitable assurance needs

No new project has been submitted yet, but a new work proposal is expected in 2021.


IEC TC62 has an advisory group on Software, Networks, Artificial Intelligence (SNAIG) to monitor current developments in the IT landscape and advise on future standardization needs for software, networks and artificial intelligence (AI). The group has asked for input on the priorities of the countries involved in IEC TC62.  AAMI is gathering input for the US response.  SoftwareCPR® may comment on what the priorities should be by August 17.  Download the form below, mark it up, and email to standards@softwarecpr.com.

The matrix in this document shows the input requested by the SNAIG: Priorities for SNAIG Worksheet


 
