Standards, specific for medical devices

Ask any questions about Standards, specific for medical devices.


Great job in setting up this forum. We are currently going through Class 1 MDR (UKCA) and after that Class 1 CE and thereafter ISO 13485. It is a software as a medical device. I have a question about the following image, which I came across on social media. The requirement for Information security is not needed for UKCA marking but only needed for CE marking, correct?

Thank you

Screenshot 2022-03-12 at 11.02.14

I’m at a fairly early stage of the medical device development and am looking to build a regulatory roadmap for a Class IIA device aimed at improving outcomes for ventilated patients in the ICU. The product is not completely developed, and there might be some changes that might make the product class I or class III. I was wondering when is a good time to start building out a QMS, and if there were any parts of ISO 13485/14971 I should start with right now to help make strategic decisions that will guide product development?

Hello Ravi

Currently, the UKCA mark is based on the same principles as MDD/IVDD/AIMDD, so there is no specific reference to software security, though there is a requirement for software to be validated to state of the art (ER12.1a), so this would include state of the art for information security. The requirements for the UKCA mark are about to change, so expect cybersecurity to be more explicit in future UK regulations.

The latest MHRA advice on software talks about security (


Hi Mihir,

Hope you are well? Just been through the process of setting one up. With regards to a QMS, it would be of benefit at the early stage of product development to take into consideration the requirements of clause 7.3 Design & Development from ISO 13485. Clause 7.3.3 will point you towards risk management, which is where 14971 will come in; this will provide you with further design inputs and requirements to meet or take into consideration, which may influence your classification of the device. Worth getting familiar with Clause 5 of 14971, in particular clause 5.2 aimed at intended use.

When there is certainty about the device’s intended use/purpose and associated risks, you will hopefully have more assurance regarding the device’s classification, and therefore the regulatory requirements you may need to meet and the work required to meet them. Then at this point it’s worth starting to build your QMS.

In brief:

Define intended use/purpose

Qualify that it is a medical device

If it is, then define the classification

Then choose the conformity route

and then build your QMS around that.

Without defining the device’s intended use/purpose you have the headache of constantly having to revisit the QMS and processes, due to potential changes in the device’s intended use/purpose as you go through the development cycle.

Happy to arrange a time to talk further.