From IEC 62304 to Product Security: Safe, Secure Software and AI in Medical Devices

Software is playing an increasingly important role in medical devices – as embedded software, connected products, and Software as a Medical Device, SaMD. At the same time, requirements for quality, documentation, risk management, cybersecurity, and AI-enabled functionality are becoming more comprehensive.

In this after-work seminar, you will get a practical introduction to how medical device software can be approached from two perspectives: first, software architecture, requirements, AI, and quality systems; then product security, AI-related security considerations, and regulatory cybersecurity expectations.

The presentation is divided into two parts of approximately 45 minutes each.

Part 1: SaMD, Software Architecture, Requirements, and AI

Brian Hedegaard will introduce key principles for software development in medical devices and SaMD. We will look at how architecture, requirements, risk management, traceability, documentation, and AI-enabled functionality are connected in practice – including perspectives from IEC 62304 and ISO 13485.

The session will focus on questions such as:

• How can intended use, risks, and regulatory requirements be translated into useful software architecture?
• How can you work with requirements, design, verification, and traceability without drowning in documentation?
• How does software development fit into a medical device quality management system?
• How should AI-enabled functionality be considered in relation to intended use, requirements, data, validation, monitoring, and change control?

We will also briefly touch on how AI and machine learning can affect software architecture and lifecycle thinking in SaMD, including the need for clear boundaries, robust data governance, explainability where relevant, performance monitoring, and careful handling of updates after release.

Part 2: Product Security, Cybersecurity, and AI for Medical Devices

Jens Schønberg will introduce medtech product security and the cybersecurity requirements that increasingly affect the development, maintenance, and market access of medical devices.

We will look at topics such as:

• Why product security is not just IT security.
• How cybersecurity connects with risk management, software development, supplier management, vulnerability management, incident response, and coordinated vulnerability disclosure.
• How standards and guidance such as IEC 81001-5-1, AAMI/ANSI SW 96, ISO/IEC 27035, ISO/IEC 27036, ISO/IEC 29147, and ISO/IEC 30111 can be used as points of reference.
• How AI introduces new product security considerations, including data protection, model integrity, adversarial manipulation, insecure integrations, monitoring, and vulnerability handling across the product lifecycle.

We will also briefly discuss how AI can be both a capability and a risk factor in medical device software: it may support advanced functionality, automation, and analysis, but it also creates new questions around trust boundaries, supplier dependencies, validation, misuse, security monitoring, and post-market change management.

The event (both parts) is relevant for start-ups, scale-ups, and established manufacturers of medical devices – as well as advisors, software architects, developers, QA/RA professionals, product owners, and security specialists working with or around medical device software.

We will not cover every detail in one evening. Instead, the goal is to provide a useful overview, create a common language between software, quality, regulatory, AI, and security disciplines, and give participants concrete ideas they can take back to their own organizations.

There will be opportunities for questions and discussion along the way.

Language:

English

Speakers:

Brian Hedegaard
Brian Hedegaard is an independent advisor specializing in medical device software and digital health solutions. He brings more than 29 years of experience in software development across multiple industries, including 16 years focused on medical devices, regulatory requirements, and quality management for software in and as medical devices. His experience spans both large MedTech and pharmaceutical companies as well as early-stage startups, covering all phases of the product lifecycle.

Jens Schønberg
Jens Schønberg is a freelance cybersecurity consultant who primarily helps medical device manufacturers with product security, secure development, standards, and regulatory cybersecurity requirements. Jens is also ISO co-lead and co-author of IEC 81001-5-1, as well as contributor/co-author of the upcoming IEC 81001-5-2.