CROSSWALK

IEC 81001-5-1 §5.5.1

WHAT CARRIES OVER

IEC 62304 §5.5 code implementation activities, peer code review, and problem resolution process for defects found during development.

WHAT’S NEW

Static Code Analysis integrated in CI/CD, implementation review against secure coding standard with documented deviations, and traceability verification from implementation to security capabilities in 5.3 and 5.4.

AUDIT FOCUS

SCA tool configuration and finding closure records — SAST tools with default rulesets not tuned to the secure coding standard do not satisfy the implementation review intent.

Maps to

IEC 81001-5-1: §5.5.1 Secure coding standards

Requirement text

The manufacturer shall establish an implementation activity (or activities) following secure coding standards (5.5.1). The manufacturer shall establish an activity (or activities) to ensure that implementation reviews identify, characterize and feed into the problem resolution process all security-related issues including: a) security requirements not adequately addressed by the implementation; b) secure coding standards used and any deviations documented (e.g., banned functions, failure to apply least privilege); c) Static Code Analysis (SCA) of source code using the secure coding standard; d) review of implementation traceability to the security capabilities defined in 5.3 and 5.4; and e) examination of threats and their ability to exploit implementation interfaces, trust boundaries, and assets.

Why this clause exists

Code that was written under a declared secure coding standard but never reviewed for compliance with that standard provides no assurance that the standard was actually followed. Studies of code review practices in regulated software development consistently find that security-specific review criteria are applied inconsistently or not at all when not explicitly required — reviewers focus on functional correctness and ignore security properties unless a security review is formalized as a separate gate. Static analysis tools catch a defined class of vulnerabilities automatically, but they do not catch architecture-level implementation errors, logic-level authorization bypasses, or violations of custom secure coding rules not covered by tool signatures. IEC 81001-5-1:2021 clause 5.5 requires both static analysis and implementation review as complementary activities — the tool for automated detection of known vulnerability patterns, the review for human judgment on logic and design compliance. The clause's coverage of both activities reflects the lesson that neither alone is sufficient: static analysis without review misses logic errors; review without static analysis misses the automated-detection class of vulnerabilities that tools reliably catch.

What changed

IEC 81001-5-1:2021 is the first standalone cybersecurity standard purpose-built for health software and medical device software. Published in December 2021, it was adapted from IEC 62443-4-1 (industrial control systems security) to address the unique safety and regulatory context of medical devices — adding health-specific requirements that account for patient safety, clinical workflows, and the manufacturer-HDO relationship.

The standard mirrors IEC 62304's lifecycle structure but adds security-specific activities at every phase — planning, development, testing, release, and maintenance. It requires security risk management to be integrated with ISO 14971 safety risk management, not treated as a separate IT concern. FDA formally recognized it as Consensus Standard 13-122 on December 19, 2022 and references it as providing one acceptable framework for satisfying the cybersecurity requirements of Section 524B(b)(2), which requires manufacturers to design, develop, and maintain processes and procedures to provide a reasonable assurance that cyber devices and related systems are cybersecure.

EU MDR harmonization was originally targeted for May 2024 but postponed to May 2028. Despite this delay, Notified Bodies and Competent Authorities universally recognize it as "state of the art" for health software cybersecurity under MDR GSPR Annex I, Section 17.2. Missing or inadequate cybersecurity documentation is already a top cause of Notified Body major non-conformities for SaMD. A December 2025 Interpretation Sheet (ISH1:2025) clarified software item classification into maintained, supported, and required software categories, affecting risk transfer and post-market obligations.

Common gaps (what we see in audits)

  • No static analysis or code review for security vulnerabilities: code reviews focus on functionality without systematic review for security vulnerabilities. SAST tools are not integrated into CI/CD or are configured with default rulesets not tuned to the secure coding standard.
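As an added illustration of the audit point above (not code from this page, from IEC 81001-5-1, or from any SAST vendor), the script below shows what "tuned to the secure coding standard" means in practice: a banned-function list taken from a hypothetical standard excerpt drives the check, a constructed deviation register closes findings only where a documented deviation exists, and each finding carries a status an auditor can trace. The function names, deviation ID, file paths and sample source are all constructed.

```python
"""Banned-function check tuned to a declared secure coding standard, with a
deviation register and finding records (added example; all names constructed)."""
import re
from dataclasses import dataclass

# Hypothetical excerpt of a secure coding standard: banned function -> approved replacement.
BANNED = {"strcpy": "strncpy_s or strlcpy", "sprintf": "snprintf",
          "gets": "fgets", "system": "execve with a fixed argv"}

# Constructed deviation register: (file, line, function) -> recorded justification/approval.
DEVIATIONS = {("legacy/log.c", 12, "sprintf"):
              "DEV-007: buffer bounded by caller, reviewed and approved (constructed record)"}

@dataclass
class Finding:
    file: str
    line: int
    func: str
    status: str  # "open" or "deviation-documented"
    note: str    # remediation hint, or the deviation record the finding closes against

def scan_source(path: str, text: str) -> list[Finding]:
    """Flag calls to banned functions; a call is only closed if a documented deviation exists."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # crude: drop trailing // comments (constructed simplification)
        for func, replacement in BANNED.items():
            if re.search(rf"\b{func}\s*\(", code):  # \b keeps fgets/strncpy from matching gets/strcpy
                key = (path, lineno, func)
                if key in DEVIATIONS:
                    findings.append(Finding(path, lineno, func, "deviation-documented", DEVIATIONS[key]))
                else:
                    findings.append(Finding(path, lineno, func, "open", f"replace with {replacement}"))
    return findings

def implementation_review_gate(findings: list[Finding]) -> bool:
    """CI gate: pass only when every banned-function finding is closed by a documented deviation."""
    return all(f.status == "deviation-documented" for f in findings)

# Constructed sample sources: one undocumented strcpy, one sprintf covered by DEV-007 on line 12.
SAMPLE_SOURCES = {
    "src/parse.c": 'int n = snprintf(buf, sizeof buf, "%d", x);\nstrcpy(dst, src);  // TODO\n',
    "legacy/log.c": "// header\n" * 11 + "sprintf(line, fmt, arg);\n",
}

def run_scan(sources=SAMPLE_SOURCES) -> list[Finding]:
    """Scan every sample file and return the finding records a closure log would be built from."""
    return [f for path, text in sources.items() for f in scan_source(path, text)]
```

Running `run_scan()` on the constructed sources yields one open finding (the `strcpy` in `src/parse.c`) and one closed against DEV-007, so `implementation_review_gate` fails until the open finding is fixed or a deviation is recorded for it.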
