Standards are a useful way to demonstrate compliance with the Essential Principles on the safety and performance of medical devices. We recognise that several international standards represent the state of the art in medical device software development and cyber security. While we consider them best practice, we have not endorsed these standards and applying them is not mandatory.
Key standards for medical device software
Please note that the following is not an exhaustive list of International Electrotechnical Commission (IEC) standards. Other standards may apply to software-based medical devices.
IEC 62304 Medical device software - Software life cycle processes
This standard outlines the requirements for the software development life cycle. It applies to all medical device software, regardless of whether the manufacturer is certified under Schedule 3, Part 1 or Part 4 of the Therapeutic Goods (Medical Devices) Regulations 2002. IEC 62304 requires:
- comprehensive design control
- structured life cycle management
- integration of quality into software design.
IEC 62366-1 Part 1: Application of usability engineering to medical devices
This standard applies to all medical devices, including those that are wholly or partly software based. It ensures that usability is considered throughout the design process to reduce use-related risks.
Supporting standards
While not mandatory, applying recognised standards can help demonstrate compliance with the Essential Principles. Relevant standards include:
- ISO 14971 Medical devices — Application of risk management to medical devices
- ISO 13485 Medical devices — Quality management systems — Requirements for regulatory purposes
- IEC 60601 series Technical standards for the basic safety and essential performance of medical electrical equipment
- UL 2900-2-1 Software cyber security for network-connectable products, Part 2-1: Particular requirements for network connectable components of healthcare and wellness systems
- IEC 80001 series Application of risk management for IT networks incorporating medical devices
- ISO/IEC 29147 Information technology — Security techniques — Vulnerability disclosure
- ISO/IEC 30111 Information technology — Security techniques — Vulnerability handling processes
Cyber security and risk management
Cyber security is a critical component of medical device safety. To manage cyber security risks effectively, manufacturers should adopt risk management strategies that align with recognised international standards.
Key standards that support cyber security and risk management include:
- ISO 14971 Medical devices — Application of risk management to medical devices
- BS/AAMI 34971 Application of ISO 14971 to machine learning in artificial intelligence — Guide
- UL 2900-2-1 Software cyber security for network-connectable products, Part 2-1: Particular requirements for network connectable components of healthcare and wellness systems
- IEC 80001 series Application of risk management for IT networks incorporating medical devices
- IEC 81001-5-1 Health software and health IT systems safety, effectiveness and security, Part 5-1: Security — Activities in the product life cycle
- ISO/IEC 29147 Information technology — Security techniques — Vulnerability disclosure
- ISO/IEC 30111 Information technology — Security techniques — Vulnerability handling processes
- ANSI/AAMI SW96 Standard for medical device security — Security risk management for device manufacturers
In addition to applying these standards, manufacturers should:
- implement secure software development practices
- stay informed about updates to relevant standards
- review international guidance and best practices from the broader cyber security sector.
Detailed information is available in the guidance 'Complying with medical device cyber security requirements'. These actions help ensure medical device software remains secure, resilient and compliant with the Essential Principles.
Staying up to date
Technology and standards continue to evolve. Manufacturers and sponsors are encouraged to regularly review updates to international standards and guidance to ensure ongoing compliance and device security.