2022 has just started and we already have several exciting pieces of news to share with you. To start with, Regulation (EU) 2022/12 has finally been signed and published in the Official Journal, amending the transitional provisions for the IVD Regulation (EU) 2017/746 to prevent disruption of supply of essential healthcare products in the context of the COVID-19 pandemic.
Standardization and the harmonization of standards are also progressing. Several standards have already been harmonized with both MDR and IVDR, and more are in the pipeline. And lastly, the new standard IEC 81001-5-1:2021 Health software and health IT systems safety, effectiveness, and security – Part 5-1: Security – Activities in the product life cycle was finally published in December.
This is only a fraction of all that is ongoing in the regulatory world, and more news on regulations, standards and guidelines is expected during the year.
The medical device industry has been waiting for European harmonized standards for the Medical Devices Regulation 2017/745 (MDR) and In Vitro Diagnostic Medical Devices Regulation 2017/746 (IVDR). The European Commission and European standardization organizations (CEN/Cenelec) have been working hard to get the first standards ready. Recently the Commission published a second batch of harmonized standards in the Official Journal.
The development of European harmonized standards is important. Products developed in conformity with harmonized standards, referenced in the Official Journal of the European Union, are presumed to be in conformity with the corresponding legal requirements laid out in the regulations.
The Commission published the first batch of harmonized standards on 16 July 2021 in support of MDR, and on 19 July 2021 in support of IVDR. These documents include 5 references to harmonized standards related to MDR and 4 references related to IVDR.
The second batch of harmonized standards was published on 4 January 2022 in support of MDR, and on 6 January 2022 in support of IVDR. These documents include 9 references to harmonized standards related to MDR and 5 references related to IVDR.
The newly published harmonized standards bring the total to 14 harmonized standards related to MDR and 9 related to IVDR. The second batch includes, for example, EN ISO 13485:2016 + A11:2021 (Quality management systems) and EN ISO 15223-1:2021 (symbols).
A third batch of harmonized standards is expected to be published in March/April.
The published standards follow the Commission's standardization request to the European standardization organizations (CEN/Cenelec) to revise existing standards and to draft new harmonized standards in support of the new regulations.
The standardization request is intended to be revised and updated regularly when deemed necessary, and harmonized standards will continue to be published when ready.
Nobody can have missed the increasing threat that cyber-attacks pose to society. These attacks are made possible by vulnerabilities in software. Some recent examples are vulnerabilities in software packages widely used by many different systems, including medical devices: Ripple20 (communication software) and Log4j (logging functions).
ISO/IEC JWG7 has published a new lifecycle standard for development and maintenance of medical device and health software, IEC 81001-5-1:2021 Health software and health IT systems safety, effectiveness and security – Part 5-1: Security – Activities in the product life cycle. IVD devices are included as “medical devices” in this context.
Since cybersecurity risks are introduced through software, the new standard is intended to be used together with the lifecycle standard for medical device software, IEC 62304. One of the objectives of the new standard was to make it easy to apply. Therefore, the chapter structure of IEC 81001-5-1 directly matches the structure of IEC 62304. This makes it easier to extend existing medical device development procedures with the new cybersecurity parts. The clauses of IEC 81001-5-1 are essentially the same as those of IEC 62443-4-1, a lifecycle standard for industrial automation, but adapted to terminology familiar to medical device developers.
The standard addresses introduction and prevention, evaluation, and reporting of vulnerabilities. One interesting feature is found in Annex F, which describes how to evaluate and possibly improve the security of existing software, also called Transitional health software. Another element worth mentioning is the requirement to coordinate cybersecurity risk management with risk management of patient safety. Also, the shared responsibility for cybersecurity, between the manufacturer and the user, leads to additional requirements on accompanying documentation.
It is worth noting that a lifecycle standard like this does not include specific product requirements. Such requirements can be found in IEC TR 60601-4-5:2021 Medical electrical equipment – Part 4-5: Guidance and interpretation – Safety-related technical security specifications, a technical report published in January 2021. This technical report refers to IEC 62443-4-2, which is a standard for technical security in industrial automation.
What is your area of expertise within the Medical Device industry?
I have been working in the software industry since the 1990s and with medical device software for a long time.
I know the ins and outs of developing software in a regulated industry and in particular the challenges that start-up companies face.
What is your best quality in your work as a consultant?
I have a very broad technical background and a knack of quickly finding the core of a challenge or root cause of a problem.
If you can only pick ONE piece of advice to give to your client, based on your expertise, what would it be?
Product development, and to no lesser extent software development, is a team sport. So always make sure everybody in the team is involved, that they know what to do and why they have to do it.
Where do you find recovery in your everyday life?
For me recovery typically means outdoor activities. I am a passionate surfer, snowboarder and biker but enjoy almost every sport there is.