Unraveling regulatory compliance for medical device software

By: David Sparks

Medical devices are heavily regulated, and for good reason: the safety and performance of these devices are of paramount importance. Within the European Union, the Medical Device Regulation (MDR) ensures the safety and performance of medical devices. After demonstrating compliance with the MDR and passing an assessment by a Notified Body, a manufacturer can obtain a CE mark for their device and place it on the European market. Access to the US market is governed by a different regulatory pathway, a topic worth a whole blog post of its own.

In our previous blog post, Performance and safety first, the importance of clinical evaluations, you read about the role of clinical evidence and clinical evaluation in establishing the safety and performance of a device such as BoneMRI. When it comes to regulatory compliance, however, there is more regulatory work to be done before a device is put on the market than the clinical evaluation alone.

For medical devices on the European market, including software as a medical device such as BoneMRI, the manufacturer needs to ensure that all the General Safety and Performance Requirements set out in the MDR are met. One of the methods a manufacturer can use to demonstrate that the device conforms to these regulatory requirements is the use of international standards, such as those published by ISO or IEC. While the use of these international standards is voluntary, it is generally accepted that these standards represent the state of the art and are a useful tool to demonstrate conformity to MDR requirements.

To ensure that the BoneMRI software conforms to all these requirements, MRIguidance has implemented a number of international standards that govern every aspect of the medical device life cycle. Below are just a few aspects of the (software) medical device life cycle that are controlled using international standards as a basis.

Software life cycle processes

The IEC 62304 standard for medical device software describes all the software life cycle processes that a manufacturer should have in place for their design and development process. What does this standard mean for our BoneMRI software? It means we use a clearly defined process throughout every phase of the development of the software. We start by planning all our development activities, and we maintain a number of development plans, including a project plan, a risk management plan and a software test plan. After this phase we move on to defining all the software requirements and the risks associated with the device. The next step is to design the software architecture, modules, units, interfaces, etc., before we move on to the actual writing of the software code.

Throughout the design and development process we continuously verify whether we are on the right track, using different review processes, such as the following:

  • Risks and requirements are reviewed by larger multidisciplinary teams, including external experts;
  • The design of the device is reviewed in detail by an independent reviewer;
  • Code changes are always reviewed by multiple developers;
  • Testing of code is performed continuously;
  • The end product is again reviewed by larger multidisciplinary teams, including external experts before MRIguidance releases the software.

The work does not stop after the release. Maintenance plans are in place, and a problem-resolution process is defined, so that if a bug is found after release, we can fix it quickly.


Risk management

As mentioned earlier, risk management activities are important in the life cycle of a medical device. Our ultimate goal is to ensure that patients have access to safer and more effective medical devices, which is essential for improving healthcare and quality of life. To do so, we need to make sure that any risks involved with our device are identified, analyzed, evaluated, and controlled. To guide all these risk management activities, MRIguidance follows the ISO 14971 standard for risk management in medical devices.

We make sure that multiple ‘risk sessions’ are conducted, both internally and with external experts, so that we can identify and analyze all the risks associated with our product. This results in a large number of risks that are then evaluated. Where necessary, control measures are put into place to reduce the probability or severity of these risks.

One of the last steps in the risk management process is to look at all the residual risks identified throughout the risk activities and carry them into the clinical evaluation process. There, the clinical benefits, safety and performance of the device are established and verified, as we discussed in the blog post Performance and safety first, the importance of clinical evaluations.

The risk management process does not finish after the release of the medical device, but continues throughout the whole life cycle of the product. Through Post-Market Surveillance (PMS), MRIguidance ensures that information and insights about BoneMRI’s use in the clinical workflow are collected and reviewed. This data is used to continuously assess the benefits and risks associated with the device and to stay on top of any corrective actions needed. These PMS activities ensure that once the device is on the market, MRIguidance remains in control of its safety and performance.

Using the risk management processes as described in the international standard has ensured that we have developed a robust process that identifies and controls all the risks associated with our medical device, and that the General Safety and Performance Requirements set out in the MDR are met.


Security in health software

Just as risks to the patient are important, so is the security of a medical device. Cybersecurity is becoming an increasingly important aspect of everyday life, and the healthcare industry is no different. At MRIguidance we understand the need to ensure that our product is secure, and as such we have put a lot of work into a number of technological and organizational controls to protect ourselves and our customers.

We have implemented an Information Security Management System (ISMS) that conforms to the requirements set out in the ISO 27001 and NEN 7510 standards. Via this ISMS we manage and control risks related to the security of data that we own or process. In addition, we have implemented activities in our product life cycle that conform to the IEC 81001-5-1 standard for security in health software. Following this standard means we have implemented a large number of security controls, ranging from defense-in-depth architectural design to secure coding practices, vulnerability scanning and product penetration testing.

Following these international standards (and other standards and guidance documents) means that we are fully in control of the security aspects of our software product and organization. This is yet another way to demonstrate our commitment to the safety, security and performance of the BoneMRI product.


Complying with all the regulatory requirements really is an endless amount of work, but at MRIguidance we understand that these requirements are an important part of what we deliver to our customers and, more importantly, to patients and healthcare providers. We work hard to deliver safe and effective software, and we make sure to keep on improving. Why? Because we really do care.