Post-market surveillance – A stitch in time saves cybercrime

In this blog we look at the guidance for medical device manufacturers on post-market surveillance and, more specifically, at how cybersecurity concerns affect these activities.

For all of us active in the medical device sector, post-market surveillance is a key area, as unfortunately hazards don’t disappear when development is complete and the product is placed on the market. ISO 13485 and ISO 14971 establish the framework for post-market activities (ISO 14971 prefers the term post-production), but only at a high level. The draft ISO TR 20416 will be a good addition to the medical device standards stable: it provides significantly more detail on these activities and builds the bridge between ISO 13485 and ISO 14971, with good coverage of data analysis methods as well as example post-market plans.

Figure 1: Relationship between 13485, 14971 and ISO TR 20416

Post-market in IEC 62304

For those of us involved in software and the daily activities associated with IEC 62304, software of unknown provenance (SOUP) is a key post-market topic. The changes made to a SOUP item, and their impact on the existing risk control measures, must be evaluated before the next version of that SOUP is integrated.

Cybersecurity: Time is money

The stakes are raised without a doubt when we turn our attention to cybersecurity concerns. The one factor that none of the above standards and guidance documents covers is time.

Who in the team will be assigned the role of monitoring cybersecurity threats and analysing their impact on the device, in particular on device safety and on the integrity of electronic health records? How quickly solutions can then be defined, analysed, implemented, verified and validated is another matter. Over and above this there is the activity of communicating issues to regulatory bodies and customers.

In our previous blog (IEC 62304 Cybersecurity opening the flood gates) we looked at the use of AAMI TIR57 as a good route to applying a cybersecurity framework. At the end of last year AAMI brought out TIR97, Principles for medical device security – Postmarket risk management for device manufacturers.

This technical information report aligns well with ISO 14971 and TIR57 but, above all, brings the time factor into the equation, with section 6.3.1 tackling the speed of response. That section looks at the link between risk management and the subsequent action, including whether an interim patch is required before the full update is available. There is also good coverage of information sharing, supplier monitoring and secure disposal.

Figure 2: TIR 97 Cybersecurity signal handling process

There is no doubt that the currently planned changes to the medical device standards help to improve post-market activities. The ability to respond quickly will, however, remain a major challenge for everyone in the sector.

By Alastair Walker, Consultant

Do you want to learn more about the implementation of IEC 62304, ISO 14971, AAMI TIR57 or any other standard in the Automotive or Medical Device sector? We work remotely with you. Please contact us at for bespoke consultancy or join one of our upcoming online courses.

We look forward to hearing from you.