This September 2021 Standards Navigator Report content is only available to Standards Navigator subscribers. See our Subscribe page for information on subscriptions.
SoftwareCPR® Standards Navigator provides information and tools related to standards that play a significant role in health software and software intensive medical devices. In addition to information on existing standards, our report keeps you up to date on new standards activity and gives you expert insight into future changes to existing standards.
September 2021 Standards Navigator Recent standards and regulatory activity
Medical device standards
No new documents.
Medical device and health software standards
The IEC has asked member countries for suggestions of next steps for IEC 62304. The second edition of the standard was cancelled following three failed ballots. Because the standard is a joint effort of IEC and ISO, both organizations must approve it by a super majority. In all three ballots one standards organization approved it and one did not. It was not the same organization that did not approve each time, and the reasons for the lack of approval were not always the same. The two primary issues were the scope of the second edition and the failure to include requirements for new technology such as cybersecurity and artificial intelligence in the standard.
The stability date for the current version of 62304 (edition 1 with amendment) has been extended to 2025, meaning that no changes are expected until 2025.
IEC has asked that suggestions be provided by 5 November 2021. Since a standard generally takes 3 to 4 years to develop once a direction has been decided, new work will probably begin in 2022 to complete in 2025.
AAMI has completed work on a report on the Appropriate use of public cloud computing for quality systems and medical devices. This report addresses the issue of a manufacturer not having configuration control over the public cloud environment for medical devices executing on a cloud environment or being developed using tools that are based on a cloud environment. A key method the medical device industry has used to ensure device safety and performance has been planning, evaluating, controlling, and validating all changes to the device and its operating environment prior to deployment. Since a public cloud operating environment is not controlled by the manufacturer this method is no longer adequate. The traditional idea of a continuously “Validated State” is simply not possible. The report identifies six key recommendations to assess and manage the risk associated with using public cloud resources for medical devices and associated processes and tools. It further gives guidance on how to utilize these key recommendations.
Medical device and health software cybersecurity standards
No new documents.
Medical device and health software artificial Intelligence standards
The European Commission has proposed a Regulation laying down harmonized rules on artificial intelligence (Artificial Intelligence Act or AIA). The proposal sets harmonized rules for the development, placement on the market and use of AI systems in the Union following a proportionate risk-based approach. The proposal lays down a solid risk methodology to define “high-risk” AI systems that pose significant risks to the health and safety or fundamental rights of persons. Those AI systems will have to establish a quality management system, a risk management system, comply with a set of horizontal mandatory requirements for trustworthy AI, and follow conformity assessment procedures before those systems can be placed on the Union market.
The proposed AIA requires that high-risk AI systems only be placed on the market if they comply with certain mandatory requirements. Third-party conformity assessment by notified bodies will be required to gain a certificate (CE mark) for AI. It is expected that the notified body will use harmonized standards or technical specifications. This will be a separate CE mark than the one required by the MDR or IVDR.
Most medical devices that include AI will be considered high-risk under the proposed AIA. There appears to be a good deal of overlap between the proposed AIA and the MDR/IVDR. While it will be several years before the AIA is adopted and goes into force, manufacturers should be discussing with their notified bodies for the MDR/IVDR whether the notified body will be intending to be a notified body for the new AIA regulation.