IEC 62304, ISO 14971 and FDA Medical Device SW Guidance

#1
The main FDA Guidance for medical device software development is Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (2005). This predates ISO 14971:2007 and IEC 62304:2006.

Both of these have been amended, however the 2012 amendment to ISO 14971 has not been recognized by the FDA as a consensus standard and it is also not recognized in the 2015 amendment to IEC 62304.

Yet, our SW contractor recommends making our Quality documentation compliant with ISO 14971:2012 Annex ZA, including the concept of reducing risk AFAP instead of ALARP, and not using labeling and training as risk control measures.

Would you agree with this strategy? It could be much more costly and time-consuming.

Do you know when an update to the FDA Guidance may occur?

Do you know when the release of IEC 82304 (for stand-alone software) is expected?

Thanks.
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
I think the FDA does recognize 62304:2016. Go to this link and search on 62304: http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/search.cfm

Back to your other questions...

14971:2012 - point of clarification, you can't use labeling to reduce the risk but labeling is still indicated for risks. Yes, certainly more effort to mitigate AFAP. I believe that even though not a consensus standard, the FDA would accept Risk Management compliant with :2012. You'd be "managing more" (ostensibly a safer product) not "managing less." So if you're planning on going to the EU, maybe it's a good strategy. (And really, how effective is controlling risks through labeling??)

I've not heard of any plans for the FDA to update the guidance. Seems the focus there is on post-market things. I don't have any inside info so no help there.

Also no idea about an 82304 release date.
 

Marcelo

Inactive Registered Visitor
#3
Both of these have been amended, however the 2012 amendment to ISO 14971 has not been recognized by the FDA as a consensus standard and it is also not recognized in the 2015 amendment to IEC 62304.
FDA does not recognize ISO 14971:2012 because it does not exist. What exists is the 2012 European version of ISO 14971:2007, EN ISO 14971:2012. FDA only recognize US or international standards.

Do you know when an update to the FDA Guidance may occur?
I don't see any information regarding any revision. I'm not sure there's a need for it, either.

Do you know when the release of IEC 82304 (for stand-alone software) is expected?
Next year.
 

mihzago

Trusted Information Resource
#4
On the one hand I would agree with the consultant's recommendation, because as yodon said, labeling and training are often not very effective; however, the Annex ZA of EN/ISO 14971 does not say you cannot use these types of controls to reduce risk. The deviation #7 in the Annex says that "manufacturers shall not attribute any additional risk reduction (...) to the "information for safety"", which is not the same as using instructions for use to reduce risk.


See the recommendation by the Notified Body Recommendation Group in the consensus paper titled: "Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971: 2012"

Recommendation:
Any information for safety comprising instructions of what actions the user can take or avoid in order to prevent a hazardous situation from occurring may be considered a risk control measure. As required by Essential Requirement 13.1 of Directive 93/42/EEC (respectively ER B.8 of 98/79/EC) it may be considered as a risk control measure. The information includes the instructions for use, labels, etc.. Since ‘safe use’ is related to risk control measures, the Medical Device Directives do not deviate
in that regard from EN ISO 14971. Any effects on risk reduction are to be documented by the manufacturer in the risk management file.
‘Disclosure of residual risk’ should be conducted in compliance with EN ISO 14971 Clause 6.4, 6.5 and 7. The manufacturer shall not claim a reduction to the probability of harm when disclosing residual risk.
Compliance is checked by inspection of the risk management file.
 
#5
Thank you all for your responses.

My reason for asking about an update to the FDA Guidance is because it predates SmartPhone technology (Apps and APIs) and there is no mention of software relative to connecting to the "cloud" in order to update medical data.

The FDA Guidance - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (COTS) Software (2005) addresses security issues only, not development issues.

The FDA Guidance - Off-The-Shelf Software Use in Medical Devices (1999) is even older. Should it just be assumed that all such software would be fully covered according to this guidance?

Thanks.
 

mihzago

Trusted Information Resource
#6
The FDA guidance documents you listed do not describe the development process. Since all design and development, regardless of the type of the product and its features must follow Design Controls, the "Design Control Guidance" would be more appropriate. To your point, however, many of these guidance document don't have a lot of examples specific to software, and are written in traditional "manufacturing" language, which is often obscure to software developers, so a good bit of interpretation is required.

The regulation and guidance is generic enough that it applies to all types of devices. If you combine the Design Control Guidance, with the other guidance documents, and IEC 62304 and ISO14971, and supplement with other Consensus Standards such as: TIR45, IEC80001 series (see a full list here: https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfStandards/results.cfm), that should give you sufficient info.

There is another guidance that may be useful: "Postmarket Management of Cybersecurity in Medical Devices"

Oh and I almost forgot one more, specific to software that was just released last week. "Deciding When to Submit a 510(k) for a Software Change to an Existing Device", which contains many examples that should give you an idea what the agency is looking for in terms of documentation.
 
Thread starter Similar threads Forum Replies Date
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
P Risk acceptability alignment between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 6
S Relationship between IEC 62304 problem resolution and ISO 13485 IEC 62304 - Medical Device Software Life Cycle Processes 8
T Is there any requirement to be compliant with IEC 62304 while implementing ISO 13485 ISO 13485:2016 - Medical Device Quality Management Systems 5
B Our NB says that IEC 62304 is an ISO 14971 Requirement ISO 14971 - Medical Device Risk Management 1
B Clarification on interpretation of some EN ISO 14971:2012 & IEC 62304:2006 req's ISO 14971 - Medical Device Risk Management 46
H ISO 14971 vs. IEC 62304 vs. 98/79/EC vs. ISO 13485 (Software Medical Device) ISO 14971 - Medical Device Risk Management 1
K ISO 14971 and IEC 62304 - Medical Device Software House ISO 14971 - Medical Device Risk Management 9
D Applications that assist completing IEC 62304, ISO 14971 or ISO 13485 Documentation IEC 62304 - Medical Device Software Life Cycle Processes 7
I Is ISO 14971 certification required for IEC 62304? IEC 62304 - Medical Device Software Life Cycle Processes 11
A IEC 62304 safety classification, External Controls and off-label use related risks IEC 62304 - Medical Device Software Life Cycle Processes 5
S IEC 62304 software costs and time Medical Device and FDA Regulations and Standards News 3
S IEC 62304 - Software verification cost IEC 62304 - Medical Device Software Life Cycle Processes 3
Sravan Manchikanti Software Risk Management & probability of occurrence as per IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
M IEC 62304 Software changes - Minor labeling changes on the GUI IEC 62304 - Medical Device Software Life Cycle Processes 3
K IEC 62304 - Testing Independance IEC 62304 - Medical Device Software Life Cycle Processes 5
K IEC 62304 - Functional and performance requirements for SOUP items IEC 62304 - Medical Device Software Life Cycle Processes 2
K IEC 62304 compliance - Code reviews as part of verification strategy IEC 62304 - Medical Device Software Life Cycle Processes 5
D IEC 62304 Risk Classification - With and without hardware control IEC 62304 - Medical Device Software Life Cycle Processes 2
M IEC 62304 Class A Project IEC 62304 - Medical Device Software Life Cycle Processes 15
B Clause 5.1.12 of Technical Standard IEC 62304/A1 IEC 62304 - Medical Device Software Life Cycle Processes 5
P SOUP anomaly evaluation for MMA (Mobile Medical Application) IEC 62304 clause 7.1.3 IEC 62304 - Medical Device Software Life Cycle Processes 4
P IEC 62304 - evaluation of integration and system testing IEC 62304 - Medical Device Software Life Cycle Processes 4
D Required Checklist Showing Compliance to IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 11
P Proposed revision of IEC 62304 - 2019 IEC 62304 - Medical Device Software Life Cycle Processes 6
P IEC 62304:2006 A1:2015 - Software from the early 1990s IEC 62304 - Medical Device Software Life Cycle Processes 4
B IEC 62304:2015 vs IEC 62304:2006 + AMD1 IEC 62304 - Medical Device Software Life Cycle Processes 4
F IEC 62304 - Segregation and communication between software items IEC 62304 - Medical Device Software Life Cycle Processes 1
B Class IIB Device - IEC 62304 Software Classification IEC 62304 - Medical Device Software Life Cycle Processes 13
B IEC 62304 - Update Checklist IEC 62304 - Medical Device Software Life Cycle Processes 2
L Connection between IEC 62304 and Chapter 14 of IEC 60601-1 IEC 60601 - Medical Electrical Equipment Safety Standards Series 2
M IEC 62304 - Develop an Architecture for the Interfaces of Software Items IEC 62304 - Medical Device Software Life Cycle Processes 8
S Does IEC 62304 require documenting unresolved anomalies for all safety classes? IEC 62304 - Medical Device Software Life Cycle Processes 4
A SOP for software validation of software in medical device IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 5
T I need to make test reports according IEC 62304 & IEC 62366 IEC 62366 - Medical Device Usability Engineering 2
D Changing software classification via software - IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 3
D Software as risk control - Confused on one aspect of IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 20
K Trying to figure out what satisfies a few aspects of IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 2
Y IEC 62304 Section 4.3(a) - 100% probability of failure IEC 62304 - Medical Device Software Life Cycle Processes 3
Y Application of IEC/EN 62304 at an advanced stage of software development IEC 62304 - Medical Device Software Life Cycle Processes 4
L Documentation Planning - IEC 62304 Clause 5.1.8 IEC 62304 - Medical Device Software Life Cycle Processes 2
C Software for Medical Devices - Requirements Content for compliance with IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 1
W CPU BIST IEC 62304 - Embedded code has CPU instruction tests IEC 62304 - Medical Device Software Life Cycle Processes 2
K IEC 62304 Amd 1 2015 - Figure 3 – Assigning Software Safety Classification IEC 62304 - Medical Device Software Life Cycle Processes 11
K Risk Reduction by Risk Control: IEC:62304-Class C ISO 14971 - Medical Device Risk Management 15
C Per IEC 62304, are DHF documents Configuration Items? IEC 62304 - Medical Device Software Life Cycle Processes 5
P IEC 62304 AMD1:2015: What's new vs.the 2006 Edition? IEC 62304 - Medical Device Software Life Cycle Processes 4
F FDA PMK 510(k) - IEC 62304 Software Components Segregation Other US Medical Device Regulations 3
M IEC 62304 Applicability - GUI Control Software IEC 62304 - Medical Device Software Life Cycle Processes 3
D A desperate call for help - IEC 62304 software IEC 62304 - Medical Device Software Life Cycle Processes 5

Similar threads

Top Bottom