September 2021 Standards Navigator Report

SoftwareCPR® Standards Navigator provides information and tools related to standards that play a significant role in health software and software-intensive medical devices. In addition to information on existing standards, our report keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.

September 2021 Standards Navigator: Recent standards and regulatory activity

Medical device standards

No new documents.

Medical device and health software standards

The IEC has asked member countries for suggestions of next steps for IEC 62304. The second edition of the standard was cancelled following three failed ballots. Because the standard is a joint effort of IEC and ISO, both organizations must approve it by a supermajority. In all three ballots one standards organization approved it and one did not. It was not the same organization that did not approve each time, and the reasons for the lack of approval were not always the same. The two primary issues were the scope of the second edition and the failure to include requirements for new technology such as cybersecurity and artificial intelligence in the standard.

The stability date for the current version of 62304 (edition 1 with amendment) has been extended to 2025, meaning that no changes are expected until 2025.

IEC has asked that suggestions be provided by 5 November 2021. Since a standard generally takes 3 to 4 years to develop once a direction has been decided, new work will probably begin in 2022 to complete in 2025.

AAMI has completed work on a report on the "Appropriate use of public cloud computing for quality systems and medical devices". This report addresses the issue of a manufacturer not having configuration control over the public cloud environment, both for medical devices executing on a cloud environment and for devices being developed using tools that are based on a cloud environment. A key method the medical device industry has used to ensure device safety and performance has been planning, evaluating, controlling, and validating all changes to the device and its operating environment prior to deployment. Since a public cloud operating environment is not controlled by the manufacturer, this method is no longer adequate. The traditional idea of a continuously "Validated State" is simply not possible. The report identifies six key recommendations to assess and manage the risk associated with using public cloud resources for medical devices and associated processes and tools. It further gives guidance on how to utilize these key recommendations.


Medical device and health software cybersecurity standards

No new documents.


Medical device and health software artificial intelligence standards

The European Commission has proposed a Regulation laying down harmonized rules on artificial intelligence (Artificial Intelligence Act or AIA). The proposal sets harmonized rules for the development, placement on the market and use of AI systems in the Union following a proportionate risk-based approach. The proposal lays down a solid risk methodology to define “high-risk” AI systems that pose significant risks to the health and safety or fundamental rights of persons. Those AI systems will have to establish a quality management system, a risk management system, comply with a set of horizontal mandatory requirements for trustworthy AI, and follow conformity assessment procedures before those systems can be placed on the Union market.

The proposed AIA requires that high-risk AI systems only be placed on the market if they comply with certain mandatory requirements. Third-party conformity assessment by notified bodies will be required to gain a certificate (CE mark) for AI. It is expected that the notified body will use harmonized standards or technical specifications. This will be a separate CE mark from the one required by the MDR or IVDR.

Most medical devices that include AI will be considered high-risk under the proposed AIA. There appears to be a good deal of overlap between the proposed AIA and the MDR/IVDR. While it will be several years before the AIA is adopted and goes into force, manufacturers should be discussing with their notified bodies for the MDR/IVDR whether the notified body intends to be a notified body for the new AIA regulation.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and other staff for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future. The focus is not simply on what the standard says but on what is meant, with discussion of examples and approaches one might implement to comply. Special deep discount pricing is available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering: June 5-7, 2024
Boston, MA

Email to request a special pre-registration discount. Limited number of pre-registration coupons.


Being Agile & Yet Compliant (Public or Private)

Our training course on SoftwareCPR's unique approach to incorporating agile and lean engineering into your medical device software process is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  • Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: February 12-15, 2024

Virtual via Zoom


Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process, with a central focus on the cybersecurity risk analysis process. The overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering: TBD
