2018-06-25 expert contribution

What are the new developments in risk management of medical software?

For medical device manufacturers, efficient risk management is an important contribution to patient safety. The Medical Device Regulation (MDR, [1]), as the new European regulatory framework, does not change this view. Article 10 (2) MDR requires an established, documented, implemented and maintained risk management system. Furthermore, Chapter I of the “Safety and Performance Requirements” in Annex I MDR highlights the term “risk” at several points (e.g. sections 1-5, 8 and 9).

Software as Medical Device

Both types of software, software as part of a medical device (embedded) and software as a medical device in its own right (stand-alone), have to fulfil the above-mentioned requirements. In addition, the European legislator defined some software-specific requirements in Annex I concerning possible risks:

  • 14.2.(d): “Devices shall be designed and manufactured in such a way as to remove or reduce as far as possible: […] (d) the risks associated with the possible negative interaction between software and the IT environment within which it operates and interacts; […]”
  • 17.1.: “Devices that incorporate electronic programmable systems, including software, or software that are devices in themselves, shall be designed to ensure repeatability, reliability and performance in line with their intended use. In the event of a single fault condition, appropriate means shall be adopted to eliminate or reduce as far as possible consequent risks or impairment of performance.”
  • 17.2.: “For devices that incorporate software or for software that are devices in themselves, the software shall be developed and manufactured in accordance with the state of the art taking into account the principles of development life cycle, risk management, including information security, verification and validation.”
  • 17.3.: “Software referred to in this Section that is intended to be used in combination with mobile computing platforms shall be designed and manufactured taking into account the specific features of the mobile platform (e.g. size and contrast ratio of the screen) and the external factors related to their use (varying environment as regards level of light or noise).”
  • 17.4.: “Manufacturers shall set out minimum requirements concerning hardware, IT networks characteristics and IT security measures, including protection against unauthorised access, necessary to run the software as intended.”


DGBMT im VDE e. V.

The last two requirements do not explicitly contain the word “risk”, but in context it becomes clear that they address risks resulting from the use of mobile computing platforms (e.g. tablet computers) or from the IT environment in which the software is used. Taken together, security and design aspects are becoming more important.

Current European Environment of Standards

Under the still applicable European Medical Device Directive (MDD, [2]), the standard EN ISO 14971:2012 was harmonised in the context of risk management [3]. In addition, the technical report ISO/TR 24971:2013 provides further guidance for manufacturers on how to apply ISO 14971, and the technical report IEC/TR 80002-1:2009 refers specifically to the application of ISO 14971 to medical device software. Of further interest might be the US standard AAMI TIR57:2016 for risk management regarding medical device security.

Future European Environment of Standards

Harmonised standards also play an important role in the MDR, since “Devices that are in conformity with the relevant harmonised standards, or the relevant parts of those standards, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the requirements of this Regulation covered by those standards or parts thereof” (Article 8 (1) MDR). So far, none of the previously harmonised standards has been harmonised under the MDR. Currently, the European standardisation organisations CEN (European Committee for Standardization) and CENELEC (European Committee for Electrotechnical Standardization) are compiling a list of standards, and of subjects for new standards, that should be harmonised under the new regulations (including the In Vitro Diagnostic Medical Device Regulation, IVDR) for discussion with the European Commission. A prerequisite for listing in the EU Official Journal as a harmonised standard is the adaptation or generation of the so-called Z annexes (ZA for CEN and ZZ for CENELEC standards) by the standardisation organisations. Z annexes establish a link between the requirements defined in Annex I of the regulation (or, currently, the directive) and the standards. One reason why harmonisation under the MDD was recently achieved for only a few standards is the ongoing discussion between the standardisation committees and the EU Commission about the exact assignment of individual requirements to certain parts of the standards. So far only CEN has published a guideline on the production of ZA annexes [4], and thus it is currently unpredictable how fast this problem will be solved.

However, the above-mentioned list also includes a new version of EN ISO 14971. The leading international committee for ISO 14971, ISO/TC 210, is currently working on the technical revision of the existing version, leading to edition 3. Please note that ISO 14971 is referenced by other key standards for medical software such as IEC 62304 and IEC 62366-1. To comply with security requirements, two changes are being discussed [5]. First, the current definition of the term “harm”, “physical injury or damage to the health of people, or damage to property or the environment”, could be changed by leaving out the word “physical”. A trivial change, one would argue. But due to this minor change, “harm” would also include non-physical injury or damage, e.g. through loss of or uncontrolled access to data. Second, the described risk management process can explicitly be used to manage risks associated with data and system security. The new version of ISO 14971 does not preclude the possibility of developing specific standards addressing the evaluation and reduction of security risks. The above-mentioned technical report ISO/TR 24971 is currently under revision in parallel.

As risk management takes place throughout the whole life cycle of a medical device, the US standard AAMI TIR97, currently under development and addressing post-market security management for device manufacturers, might be of future interest.

Finally, a detailed discussion of risk management for medical software is available at [6].

References

[1] European Parliament and of the Council, Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. 2017, pp. 1–175.

[2] European Parliament and of the Council, Directive 93/42/EEC of 14 June 1993 concerning medical devices. 1993, pp. 1–60.

[3] Commission communication in the framework of the implementation of Council Directive 93/42/EEC concerning medical devices (Publication of titles and references of harmonised standards under Union harmonisation legislation). 2016, pp. 100–135.

[4] CEN (European Committee for Standardization), ‘How to draft European Standards for citation in the Official Journal’, Guidance documents. [Online]. Available: [Accessed: 17-May-2018].

[5] H. C. Wenner, ‘Medical Software - Considering Security as Part of Risk Management’, presented at the Software in Medicine - Requirements and Best Practice, Frankfurt/M., 28-Feb-2018.

[6] T. Prinz, Ed., Development and Production of Medical Software: Standards in Medical Engineering, 1st Edition. Berlin: VDE VERLAG GMBH, 2018.