IEC 62304 & ISO 14971 for SaMD: Integrating Lifecycle & Risk
- Beng Ee Lim
- 2 days ago
- 2 min read
TL;DR:
To build FDA-compliant SaMD, integrate IEC 62304’s software-lifecycle processes with ISO 14971’s risk-management steps: map planning, design, testing, and maintenance activities to your hazard analysis and risk controls.
This creates a single traceability matrix that streamlines V&V and risk documentation for premarket submissions.
Why These Standards Matter Together
IEC 62304 gives you the “how” of building medical software—planning, requirements, design, implementation, verification, release, maintenance.
ISO 14971 gives you the “how” of identifying and controlling risks throughout a medical device’s lifecycle—hazard analysis, risk evaluation, risk control, residual-risk evaluation, and post-market surveillance.
For SaMD teams, these standards aren’t separate—they’re two halves of one FDA expectation—you must show not only what you built but how you managed every risk.
FDA reviewers look for:
Lifecycle documentation (per IEC 62304)
Risk files and control verification (per ISO 14971)
Clear mapping between the two
If you're building software that diagnoses, monitors, or treats—both standards apply.
High-Level Comparison: Where They Align
IEC 62304 Activity | ISO 14971 Clause | Key Deliverable |
Software Development Planning | Risk Management Planning | Risk-linked software plan with owners |
Requirements & Architecture | Hazard Identification | Hazard log + preliminary risk analysis |
Implementation & Testing | Risk Control Verification | Test cases aligned to control measures |
Release, Maintenance, Patching | Postmarket Surveillance | Incident reports & CAPA integration |
Step-by-Step Integration Guide
🔹 Step 1: Create a Combined Traceability Matrix
Start with your Software Requirements Specification (SRS).
For each software requirement, link:
Associated hazards (ISO 14971)
Corresponding risk controls
Aligned test cases (IEC 62304)
Maintain this matrix as your single source of truth for regulatory audits.
🔹 Step 2: Embed Risk Management into Design Reviews
At every design phase gate, explicitly review:
Hazard logs and risk evaluations (FMEA, Annex C of ISO 14971)
Status of mitigation implementation
Any residual risks and their justifications
Document all decisions in design review records.
🔹 Step 3: Align V&V Protocols with Risk Controls
Each risk control must have a dedicated test case with:
Clear pass/fail criteria
Direct traceability to the originating hazard
Proof of control effectiveness, not just functionality
This ensures your V&V satisfies both standards.
🔹 Step 4: Integrate Maintenance & Post-Market Feedback
Use IEC 62304 processes to track:
Software updates, bug fixes, and patch logs
Field incidents and complaint trends
Feed this data back into your risk management file and update CAPA actions per ISO 14971.
Real-World Example: “Hypothetical SaMD X”
SRS ID | Functionality | Hazard | Control | Test ID |
SRS-12 | Auto-detection of AFib via ECG sensor | False negative = missed stroke | Real-time alert + human review | T-12.1 |
FAQs
Q: Do I need both standards for FDA SaMD submissions?
Yes. FDA reviewers expect software process compliance (IEC 62304) and full risk documentation (ISO 14971).
Q: Can ISO 14971 replace IEC 62304?
No. They serve different purposes—risk management vs. development lifecycle.
Q: How often should I update the risk management file?
Update at every major release, patch, or when new risks/complaints emerge.
Key Takeaways
Integrate early: build your traceability matrix before coding.
Keep docs in sync: link every test back to a hazard.
Plan maintenance: feed real-world data into your CAPA process.
For deeper guidance, visit our SaMD Compliance hub or learn how to define your Device Software Function.
