
Regulatory Consulting for Medical Device Software (SaMD)

Efficacy and feasibility are as important as compliance

At QMLogic, we understand that compliance is not just about ticking regulatory boxes—it's about creating solutions that genuinely work for your organization.

Using our real-world experience and regulatory knowledge, we work closely with you to develop practical, tailored solutions that fit your needs and help you confidently navigate the path to bringing your medical device software to market.

Beyond Theory: Real-World Solutions for Your Organization

QMLogic is more than just a consultancy. We are hands-on partners in the medical device software journey, specializing in regulatory compliance, quality management, software development, risk management and cybersecurity.

Having successfully supported numerous companies in navigating the complexities of ISO 13485, IEC 62304, ISO 14971, ISO 27001 or IEC 81001-5-1, we focus on providing solutions that genuinely work for your organization and help you achieve your goals.

Building a Complete System Through Key Standards and Norms

We specialise in a specific set of standards and norms required for the development and market introduction of medical device software.

The overlap and interconnection of these standards form the foundation of our regulatory consulting services. By addressing each standard and ensuring they work harmoniously, we provide a comprehensive solution for medical device software companies, helping them navigate complex requirements and bring their products to market with confidence.

Let QMLogic help you streamline these standards into a cohesive and practical framework tailored to your organization's needs.

ISO 13485: The Foundation for Medical Device Compliance

ISO 13485 is the cornerstone standard for organizations developing and bringing medical devices to market. It lays out the requirements for a Quality Management System (QMS) to ensure consistent product quality and safety.

ISO 13485 doesn't specify how a product should be designed or developed; it is more about the operational measures of your company.

IEC 62304: Guiding the Software Lifecycle

IEC 62304 focuses specifically on the software lifecycle, covering:

  • Initial design and development

  • Implementation and verification

  • Ongoing maintenance

  • Decommissioning and market withdrawal

This standard ensures that every phase of the product’s lifecycle is controlled and documented. It works hand-in-hand with other standards to ensure a seamless process.

ISO 14971: Managing Risks Effectively

No medical device can reach the market without a robust Risk Management System, which is the focus of ISO 14971. This standard emphasizes:

  • Identifying potential risks

  • Evaluating and mitigating those risks

  • Continuously monitoring risks throughout the product’s lifecycle

ISO 14971 must be tightly integrated with IEC 62304 to align risk management with the design and development processes. Implementing these standards in isolation would lead to inefficiencies and gaps in compliance.

IEC 81001-5-1: Addressing Cybersecurity Risks

Cybersecurity risks are becoming increasingly significant, warranting a dedicated standard: IEC 81001-5-1. Unlike the traditional risk management outlined in ISO 14971, this standard focuses on managing technical risks, such as:

  • Threat identification

  • Vulnerability management

  • Security controls specific to medical software

Cybersecurity and risk management must work together to provide a complete picture of potential threats, ensuring both patient safety and data security.

Medical Device Regulation (MDR): The Umbrella Framework

The EU Medical Device Regulation (MDR) serves as the overarching regulatory framework that consolidates all requirements from ISO 13485, IEC 62304, ISO 14971, and other standards.

In addition to these, MDR also emphasizes:

  • Privacy and handling of medical data

  • Organizational-level data security measures, such as backups and controlled access

Here, the connection to IEC 81001-5-1 becomes evident, as cybersecurity is a critical aspect of compliance.

ISO 27001: Organizational Data Security

While IEC 81001-5-1 addresses product-level cybersecurity, ISO 27001 focuses on broader organizational data security, including:

  • Data storage and access management

  • Backup systems

  • Incident response planning

Though not mandatory, ISO 27001 offers a comprehensive framework for managing information security risks. For mandatory compliance in Europe, organizations must also consider NIS 2 requirements.

AI and Medical Device Software

Artificial intelligence (AI) is increasingly integrated into medical device software. The EU AI Act sets the normative framework for AI systems, which must be implemented in alignment with other standards like:

  • IEC 22989 for AI concepts and terminology

  • IEC 23053 for AI explainability

  • IEC 23894 for managing AI risks

For a holistic approach to medical device software, AI compliance cannot be overlooked.

FDA Regulations: Aligning with U.S. Standards

For organizations targeting the U.S. market, FDA regulations must also be factored in. These regulations complement the ISO and IEC standards by defining specific requirements for:

  • Design controls (21 CFR 820.30)

  • Electronic records (21 CFR Part 11)

  • Submission processes like 510(k) for market entry


Get consultancy for free


Ask anything you need to know about Medical Software, CE certification or MDR

No obligations, newsletters or follow-up marketing, I promise :)


© 2024 by QMLogic
