Mindset XR Module 5: What standards apply to medical devices?

Welcome to the Mindset Extended Reality (XR) for digital mental health programme learning resources, which include three series: medical regulation, clinical evidence and lived experience involvement. Mindset-XR is helping to catalyse the growth of immersive digital mental health solutions in the UK, through funding, tailored support and training. It is delivered by Innovate UK and the Health Innovation Network South London (HIN).

 

This series focuses on medical regulation, with key insights from Hardian Health. Across 10 modules, we provide an accessible introduction for people and companies that want to learn more about medical device regulation, with a focus on XR devices. Each module offers a high-level overview of a different topic, including medical device regulation in the UK and EU, core medical device standards and overseas regulation. Each module includes additional resources to support your learning and a quiz to test your understanding.



Outline


Welcome to Module 5: What standards apply to medical devices? In this section, we explore what ISO and IEC standards are, why medical devices need ISO and IEC standards, which standards apply and where these can be found. Topics include:


What are ISO and IEC standards?


Standards defined by the International Standards Organisation (ISO) and the International Electrotechnical Commission (IEC) are designed to help businesses ensure their products and services meet a certain level of quality, safety and effectiveness. ISO and IEC standards are applicable to every industry, not just healthtech.

These standards contain two types of information: normative and informative.


Normative


  • Are mandatory requirements that an organisation must meet in order to achieve certification or compliance with the standard.

  • Are typically described using terms such as "shall", "should" or "may", which indicate the level of that requirement.

Informative


  • Is guidance on how to meet the requirements of the standard.

  • Is not mandatory and is intended to be a helpful guide for organisations to understand the concepts within the standard.


  • May include examples and best practices.


How to apply ISO and IEC standards


ISO and IEC standards are in place to promote consistency. They demonstrate that your organisation has made a commitment to adhere to a level of quality, transparency and accountability to its customers, as well as its stakeholders. Not only this, but conformity with ISO standards can help your organisation improve its processes, making it easier for external parties to work with you as you are all working within the same framework. You also get access to tried and tested methods for best practice in every aspect of business operations, promoting an increase in customer satisfaction and the opportunity to gain a competitive advantage in the marketplace. 

 

ISO and IEC standards benefit everybody, right from industry all the way to consumers. Standardised practice across the board means that healthcare providers and national governments can enjoy the advantage of complying with specifications across different markets. Regulators benefit from the internationally harmonised, frequent review and refinement of these standards, as it allows them to work within an up-to-date and sound framework that provides a reliable foundation for the development of health legislation.

 

There are a huge number of standards out there but in this module, we will focus on the key ISO and IEC standards you should know:


Key ISO standards


  • ISO 13485:2016: Medical Devices – Quality Management Systems – Requirements For Regulatory Purposes

ISO 13485 provides the requirements for quality management systems (QMS) for medical device manufacturers. A QMS is a company-level system which covers all aspects of design, manufacturing, risk management, management responsibility, customer-related processes, and corrective and preventive actions (CAPAs). A QMS is company-wide, so whilst a medical device manufacturer may have a number of CE-marked medical devices, they only need one QMS. It is important to note that a QMS applies to the company as a whole and is not specific to the product(s), so it requires the input of all staff and not just the quality and regulatory members of the team.

 

Medical device manufacturers are legally required to have a QMS in the EU and US. At Hardian, we like to say that a QMS should be built, not bought, as off-the-shelf eQMS can give false assurance of attaining quality by appearing to check off compliance while not being fully functional or appropriate to an organisation’s bespoke needs. 

 

Whilst a company can run an ISO 13485-compliant QMS without formal certification, suppliers/manufacturers of medical devices require formal audit and certification by an approved body.



  • ISO 14155:2020: Clinical Investigation Of Medical Devices For Human Subjects – Good Clinical Practice

ISO 14155:2020 is a crucial international standard that outlines the principles and requirements for the clinical investigation of medical devices involving human subjects. Key aspects of ISO 14155:2020 aim to:   

 

  • Protect the rights, safety and well-being of human subjects, 
  • Ensure the scientific conduct of the clinical investigation and the credibility of the clinical investigation results, 
  • Define the responsibilities of the sponsor and principal investigator, and 
  • Assist sponsors, investigators, ethics committees, regulatory authorities and other bodies involved in the conformity assessment of medical devices. 

 

The standard includes comprehensive guidelines on planning, conducting, recording, and reporting clinical investigations. It emphasises the importance of a well-structured clinical investigation plan, informed consent, risk management, and rigorous monitoring procedures. 

 

By adhering to ISO 14155:2020, manufacturers can enhance the credibility and acceptability of clinical data, facilitating regulatory approval and market access for medical devices. This standard also promotes global harmonisation, making it easier to conduct multinational studies and compare data across different regions. Overall, ISO 14155:2020 serves as a vital framework to ensure that medical device investigations are conducted with the highest ethical standards and scientific rigour. 



  • ISO 14971:2019: Application of risk management to medical devices

ISO 14971:2019 is a pivotal international standard that provides a comprehensive framework for the application of risk management to medical devices. This standard is essential for ensuring that medical devices are designed, manufactured, and maintained with a focus on minimising risks to patients, users, and others involved throughout the device’s lifecycle.  

 

The core of ISO 14971:2019 is its systematic approach to identifying, evaluating, controlling, and monitoring risks associated with medical devices. It emphasises the importance of establishing a risk management process that includes risk analysis, risk evaluation, and risk control measures. The standard also underscores the need for continuous monitoring of the device’s performance and risk throughout its operational life. 

 

ISO 14971:2019 requires manufacturers to document a comprehensive risk management file, which includes risk analysis, risk control measures, and the evaluation of overall residual risk. This ensures transparency and traceability in the risk management process. The standard aligns with regulatory requirements globally, helping manufacturers meet compliance and gain market approval. ISO 14971 does not require formal audit and certification but is a key standard for medical device manufacturers.  

Key IEC standards


  • IEC 62304:2006+A1:2015: Medical Device Software – Software Life Cycle Processes

IEC 62304:2006+A1:2015 is an essential international standard that outlines the life cycle processes for medical device software. It provides a structured framework for the development and maintenance of software used in medical devices, ensuring safety and effectiveness throughout the software’s life cycle. 

 

The standard covers all stages of software development as you can see in the figure here, from initial conception and development, to release, to maintenance and eventual retirement. It emphasises risk management, requiring developers to identify and mitigate risks associated with the software. Key processes include software development planning, requirements analysis, design, implementation, and verification. 

 

IEC 62304:2006+A1:2015 also mandates documentation and traceability, ensuring that each phase of the software life cycle is well-documented and that changes can be tracked and reviewed. This standard aligns with global regulatory requirements, helping manufacturers achieve compliance and ensuring the reliability and safety of medical device software. 
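As an added illustration of the traceability IEC 62304 asks for (this is example code, not code from the module or from Hardian Health), the Python script below checks a small traceability matrix: every software requirement, and in particular every requirement that implements an ISO 14971 risk control, must be linked to a passing verification test, and no test may claim to cover a requirement that is no longer in the specification. The requirement ids, tests and the hypothetical XR therapy app are all constructed sample data.

```python
from dataclasses import dataclass

# Records for a traceability matrix: software requirements and the
# verification tests that claim to cover them (constructed sample data).
@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    risk_control: bool = False  # implements an ISO 14971 risk control measure

@dataclass(frozen=True)
class TestCase:
    tid: str
    covers: tuple  # requirement ids this test verifies
    passed: bool

def trace(requirements, tests):
    """Return the traceability gaps a release review would flag:
    untested (no test), failing (a linked test failed), orphans (tests
    pointing at unknown ids) and controls (risk controls not verified)."""
    known = {r.rid for r in requirements}
    covered = {}
    for t in tests:
        for rid in t.covers:
            covered.setdefault(rid, []).append(t)
    verified = {rid for rid, ts in covered.items() if all(t.passed for t in ts)}
    return {
        "untested": sorted(rid for rid in known if rid not in covered),
        "failing": sorted(rid for rid in known if rid in covered and rid not in verified),
        "orphans": sorted(t.tid for t in tests if any(rid not in known for rid in t.covers)),
        "controls": sorted(r.rid for r in requirements if r.risk_control and r.rid not in verified),
    }

def release_ready(requirements, tests):
    """True only when the traceability matrix has no gaps."""
    return not any(trace(requirements, tests).values())

# Constructed example for a hypothetical XR therapy app.
REQUIREMENTS = (
    Requirement("SRS-01", "Session recordings are encrypted at rest", risk_control=True),
    Requirement("SRS-02", "Headset shows the calming-scene module"),
    Requirement("SRS-03", "Session ends automatically after 30 minutes", risk_control=True),
    Requirement("SRS-04", "Clinician can export a session report"),
)
TESTS = (
    TestCase("TC-01", ("SRS-01",), passed=True),
    TestCase("TC-02", ("SRS-02",), passed=True),
    TestCase("TC-03", ("SRS-03",), passed=False),
    TestCase("TC-04", ("SRS-99",), passed=True),  # points at a requirement no longer in the SRS
)
```

Running `trace(REQUIREMENTS, TESTS)` on the sample data reports SRS-04 as untested, SRS-03 as failing (and therefore an unverified risk control) and TC-04 as an orphan test, so `release_ready` returns False until those gaps are closed.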



  • IEC 82304-1:2016 and ISO/TS 82304-2:2021 – Health software

IEC 82304-1:2016 and ISO/TS 82304-2:2021 are pivotal standards focused on health software, providing comprehensive guidelines to ensure safety, effectiveness, and quality. 

 

IEC 82304-1:2016 outlines the requirements for the development and maintenance of health software. It emphasises the importance of lifecycle processes, including design, development, validation, and maintenance. This standard ensures that health software meets high-quality standards, is safe for use, and performs reliably in healthcare settings. 

 

ISO/TS 82304-2:2021 complements this by focusing on health and wellness apps. It provides a voluntary framework for evaluating the quality and reliability of these apps, covering aspects such as safety, usability, security, and interoperability. This technical specification aims to promote trust and confidence in health and wellness apps by ensuring they meet rigorous quality standards. 

 

Together, these standards ensure that health software and wellness apps are developed with a focus on patient safety, effectiveness, and user satisfaction. By adhering to IEC 82304-1:2016 and ISO/TS 82304-2:2021, developers can ensure their products meet the stringent requirements of the healthcare industry, fostering innovation while maintaining high standards of quality and safety. 

 

Currently there is no formal accreditation scheme in existence for ISO/TS 82304-2; however, this may change in the future.



  • ISO/IEC 27001:2022 Information Security, Cybersecurity And Privacy Protection – Information Security Management Systems

ISO/IEC 27001:2022 is an international standard for information security, cybersecurity, and privacy protection. It provides a robust framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). ISO/IEC 27001 is the most common standard for ISMS and defines requirements an ISMS must meet. 

 

This standard outlines the requirements for managing sensitive company information, ensuring its confidentiality, integrity, and availability. Key aspects include risk assessment and treatment, security controls, and management responsibilities. ISO/IEC 27001:2022 emphasises a systematic approach to managing sensitive information, involving people, processes, and IT systems. 

 

By adhering to this standard, organisations can protect against data breaches, cyber threats, and other security risks. It helps businesses comply with legal, regulatory, and contractual obligations related to information security. Moreover, achieving ISO/IEC 27001:2022 certification demonstrates a commitment to information security, building trust with customers and stakeholders. 

 

ISO 27001 requires formal audit and certification, which must be maintained. Even whilst you hold certification, some healthcare systems, such as the NHS, have their own information security standards that you need to conform to, as well as GDPR.



  • IEC 62366-1:2015: Medical Devices – Part 1: Application Of Usability Engineering To Medical Devices

IEC 62366-1:2015 is an international standard focusing on the application of usability engineering to medical devices. IEC 62366 (British version: BS EN 62366) outlines the best practices for building safe and usable medical devices (including software). The focus of IEC 62366 is on minimising risk from lack of usability.

 

The usability engineering process found in IEC 62366 consists of a series of steps to ensure that the UI of a medical device has been rigorously evaluated for user and patient safety, including: 

 

  • Define intended users, use environments, and user interface, 
  • Identify use-related hazards, 
  • Identify and categorise critical tasks, 
  • Develop and implement risk mitigation/control measures, 
  • Validate user safety and effectiveness, 
  • Document your evaluation process. 

 

IEC 62366-1:2015 mandates a user-centred design approach, requiring manufacturers to document usability engineering processes and provide evidence of compliance. This includes creating a usability engineering file that captures all relevant activities, findings, and design decisions. 

 

IEC 62366-1:2015 describes both formative and summative user evaluations, meaning: 

Formative evaluations: Formative evaluations are conducted while a device is still in design and development. These evaluations are used to address safety concerns that emerge during preliminary analyses or to explore different design options for the UI before it’s finalised. You may end up carrying out multiple formative evaluations. 

Summative evaluations: Summative evaluations are conducted during the design validation stage of a device. A summative evaluation is much more rigorous than a formative evaluation, as its goal is to demonstrate that the UI is safe for users. Testing should involve the intended end users of the device engaging with the final UI design under realistic conditions. 


What to avoid when applying ISO and IEC standards


All of the standards discussed in this module can be purchased from the British Standards Institution (BSI), but there are some key things to note with these standards. You must not: 


  • Distribute standards online.  
  • Reproduce or otherwise share standards.
  • Translate or modify standards in any way.
  • Sell standards without authorisation.
  • Use someone else’s copy – you must buy your own. Auditors will check! 

Summary


In this module, What standards apply to medical devices?, we explored what ISO and IEC standards are, why medical devices need ISO and IEC standards, which standards apply and where these can be found. After using this resource, you should have an understanding of the following:

  • Medical device standards promote consistency, quality, transparency and accountability within product development and medical devices.

  • Some standards such as ISO 13485:2016 are mandatory for medical device approvals.

  • Several of the key medical device standards require formal auditing and certification.

  • Standards must be purchased and licensed to the manufacturer. 


Quiz



Medical device standards

It’s time to test your knowledge of what standards apply to medical devices!



1 / 3: Which of these standards must be audited and certified?

2 / 3: I can reuse standards purchased by another manufacturer within my organisation.

3 / 3: Which of these elements provides guidance on how to meet the requirements of the standard?









Got questions, comments or feedback? Get in touch with the team: hin.mindset@nhs.net | joe@hardianhealth.com


PowerPoint: What standards apply to medical devices? – click to download




Next module – Module 6: How to clinically evaluate medical devices


Back to module 4: What is quality assurance?