The ISO standards you need to know for SaMD and where to find them.

What are ISO and IEC standards?

ISO standards are developed by the International Organisation for Standardisation, an independent, non-governmental body that publishes internationally recognised standards across all industries worldwide. ISO standards are designed to help organisations ensure that their products and services meet a defined level of quality, safety and effectiveness.

IEC standards are developed by the International Electrotechnical Commission, which publishes standards for electrical, electronic and related technologies. Some standards, such as ISO/IEC 27001, are developed jointly by the two organisations.

ISO standards typically consist of two types of elements: normative and informative. 

  • Normative elements specify what an organisation must do to conform to the standard (and, where certification exists, to be certified against it). Within normative text the verbal forms carry different weight: “shall” denotes a requirement that must be met to claim conformity, “should” denotes a recommendation, and “may” denotes a permission. Only the “shall” statements are mandatory.

  • Informative elements (for example informative annexes and notes) provide guidance on how to meet the requirements of the standard. They are not mandatory and are intended to help organisations understand the concepts and principles underlying the standard. Informative elements may include examples, best practices and case studies.

ISO and IEC standards apply to every industry, not just healthtech, but healthtech has its own standards that organisations may need to conform to. In healthcare both ISO and IEC standards are particularly important because they establish a framework that ensures medical devices and other healthcare solutions meet consistent standards of safety, effectiveness and cybersecurity, to safeguard patients and their carers.

Within healthcare, ISO standards cover a wide range of areas, including medical device quality management, risk management and device performance. Adhering to these standards helps to ensure the reliability of health products and practices through rigorous quality and risk management processes.

Why do medical software products need ISO and IEC standards?

As with most things, not conforming to standards can result in chaos and poor quality products, and this particularly holds true for healthcare solutions. In fact, ensuring comprehensive standardisation of all aspects of healthcare is arguably even more crucial, as any missteps can have a significant impact on patients’ lives. 

Regulators maintain lists of standards for the design and manufacture of medical devices: in the UK the regulator ‘designates’ them, in the EU they are ‘harmonised’, and in the USA they are ‘recognised’. Following one of these standards gives a ‘presumption of conformity’ with the corresponding regulatory requirements, which is why they are crucial to securing safety, effectiveness and cybersecurity.

ISO and IEC standards are in place to promote consistency. They demonstrate that your organisation has committed to a level of quality, transparency and accountability towards its customers and its stakeholders. Conformity with ISO standards can also help your organisation improve its processes, and it makes it easier for external parties to work with you because you are all working within the same framework. You also gain access to tried and tested methods for best practice across business operations, which tends to increase customer satisfaction and can give you a competitive advantage in the marketplace.

ISO and IEC standards benefit everybody, from industry all the way to consumers. Standardised practice across the board means that healthcare providers and national governments can rely on the same specifications across different markets. Regulators benefit from the regular, internationally harmonised review and refinement of these standards, as it allows them to work within an up-to-date and sound framework that provides a reliable foundation for the development of health legislation.

We are all consumers of healthcare in one way or another, so when organisations commit to adhering to the relevant standards we all benefit from being provided with safe and reliable products and services.

What are the applicable ISO and IEC standards for software and AI medical devices?

Each industry has a set of standards it must adhere to. Be aware that each jurisdiction may also adopt its own slightly different version of a standard (for example a national adoption such as a BS EN ISO edition, which may carry additional annexes mapping the standard to local regulation), meaning you may need to demonstrate conformity to additional requirements if you are targeting more than one market.

If you’re reading this you’re probably on the hunt for the key ISO standards for medical devices – we’ve listed the key ones for you: 

ISO 13485:2016: Medical Devices - Quality Management Systems - Requirements For Regulatory Purposes - If you are developing a medical device you must demonstrate that you have a quality management system (QMS): documented processes covering design and development, risk management, document and change control, supplier control, and corrective and preventive action, so that every change to your device and to your internal processes is controlled and traceable. Note that regulators and their notified/approved bodies will typically expect formal third-party audit and certification against this standard, which must be maintained through ongoing surveillance audits.

ISO 14971:2019: Application of risk management to medical devices - ISO 14971 defines a risk management process for the whole device lifecycle: identifying hazards and the hazardous situations that can arise when a patient or user interacts with the device, estimating and evaluating the resulting risks, implementing and verifying risk controls, evaluating the residual risk, and feeding production and post-production information back into the process. (Note that the regulatory classification of a device, such as its risk class under UK, EU or US rules, is set by the regulations, not by this standard.) In short, ISO 14971 tells you how to manage the risks associated with a medical device so that it can be used safely and effectively.

ISO 14155:2020: Clinical Investigation Of Medical Devices For Human Subjects - Good Clinical Practice - ISO 14155 walks you through best practice for the design, conduct, recording and reporting of clinical investigations. It is aligned with Good Clinical Practice (GCP), as taught for example by NIHR in the UK, and with the ethical principles of the Declaration of Helsinki governing informed consent and ethics committee review. The standard provides a very comprehensive structure that you must follow when designing studies.

IEC 62304:2006+A1:2015: Medical Device Software - Software Life Cycle Processes - IEC 62304 defines the processes a manufacturer must follow over the life of medical device software: development planning, requirements analysis, architectural and detailed design, unit implementation and verification, integration and integration testing, system testing and release, together with software maintenance, software risk management, configuration management and problem resolution. Each software system is assigned a safety class (A, B or C) based on the harm its failure could cause, and the class determines how many of the standard’s activities and how much documentation apply. The standard also covers how you control third-party and open-source components (software of unknown provenance, or SOUP) that your software relies on.

ISO/IEC 27001:2022: Information Security, Cybersecurity And Privacy Protection - Information Security Management Systems - Requirements, and related standards - ISO/IEC 27001 applies across many industries, not just healthcare. However, conforming to this standard doesn't mean you're done and dusted. Healthcare systems such as the NHS have their own information security requirements that you need to meet, for example the Data Security and Protection Toolkit, as well as data protection law such as the UK GDPR. Be aware too that ISO/IEC 27001 covers your organisation's information security management system, not the security of the device itself; product-level cybersecurity of the software is addressed by lifecycle standards such as IEC 81001-5-1. Note that this standard involves formal audit and certification that must be maintained.

IEC 62366-1:2015: Medical Devices - Part 1: Application Of Usability Engineering To Medical Devices - IEC 62366-1 specifies a process for manufacturers to follow to ensure that medical devices are designed and developed with the human factors relating to safety in mind. It sets out a framework for a user-centred design process, including user research, use-related risk analysis (which links back to ISO 14971), formative evaluation and summative usability testing.

There are more standards than these, of course, and depending on your type of device and intended use Hardian can help you identify which will be required.

Why can’t you download ISO and IEC standards for free?

The short answer is that the standards are copyrighted works, so downloading or sharing unlicensed copies is illegal.

The process of developing and maintaining these standards is by no means quick or cheap. It involves significant investment of time, expertise and resources, and it can take years for a standard to progress from the initial proposal to final publication.

Therefore, in order to recoup these costs, standards bodies such as ISO charge a fee for access to standards. The surplus from sales is put back into the organisations to help cover the costs of developing, maintaining and publishing the standards. Healthtech companies should therefore budget for the initial purchase as well as for buying amendments and new editions as they are released, or consider a subscription model.

Where can you buy ISO and IEC standards?

You can buy the international versions of the standards directly from the standards bodies at iso.org and iec.ch. If you want the British adoptions (the BS EN ISO editions), you can buy them from BSI at knowledge.bsigroup.com; in the USA you can visit the ANSI webstore at webstore.ansi.org.

It is important to note that ISO standards are sold under individual or multi-user licences, and only the people covered by the licence agreement may open and use the document. Purchased PDFs are typically watermarked with the licensee's details and restricted (for example, copying and pasting is disabled) to discourage use outside the licence; these controls deter rather than technically prevent misuse, so the licence terms, not the PDF protection, are what bind you.

During formal audits by a notified body or approved body, for example for ISO 13485, the auditor may ask to see your copies of the standards. If you claim that your organisation adheres to a standard, you must therefore hold a licensed copy and control it within your quality management system as a document of external origin. Merely referencing the standard in the documents submitted for certification is not sufficient.

Adhering to ISO/IEC standards, and having licensed copies readily available for review, enhances your organisation's credibility by demonstrating conformity with regulatory requirements and with best practice.

Not sure where to start with ISO standards? Don't worry - we can help!

There are thousands of ISO, IEC and other standards so feeling a little overwhelmed about which ones you need to adhere to is completely normal. 

By partnering with our expert multi-disciplinary team, we can work with you to identify exactly which standards you need to purchase, and how to optimise your purchases, to ensure your business is always regulatory compliant.

Hardian Health is a clinical digital consultancy focused on leveraging technology into healthcare markets through clinical evidence, market strategy, scientific validation, regulation, health economics and intellectual property.

By Dr Ankeet Tanna, Clinical Associate
