ISO 14971 and Stand-Alone Diagnostic Software

#1
Hi all -- I am really struggling with a risk analysis.

We make a stand-alone software device which is used to view echocardiograms. If, for some reason, the software fails and part of the echocardiogram is missing, a physician could potentially plan treatment with missing information. Or if, for some reason, the software fails, corrupting the images, the clinician could plan treatment with incorrect information. Both of these circumstances could, should the physician choose to treat the patient using our device as the sole means of diagnosis, lead to death.

Now, the odds of this happening are improbable. Vanishingly small.

Do I need to account for these in a 14971/62304 risk analysis?

EU and FDA say we are Class IIa and Class II respectively -- but how can this be if death is a possibility? Any cardiological intervention would lead to some sort of injury, most of them requiring medical treatment.

Can someone please clarify?
 

QAengineer13

Quite Involved in Discussions
#2
"Do I need to account for these in a 14971/62304 risk analysis?" YES, you definitely need to document the foreseeable sequence along with the potential harm/hazard and the mitigation, if any, and have a rating for RPN from an ISO 14971 perspective; and from an IEC 62304 perspective, identify what software safety class this stand-alone software is and follow the requirements for the 62304 software safety class. Also, if it's complex software, you need to consider having a separate software component safety class incorporated in your risk assessment document.

In addition to this, you should also consider the FDA Level of Concern documentation to identify what software LOC this software would be and document the rationale.

"EU and FDA say we are Class IIa and Class II respectively" ... the agencies in general only provide recommendations to the manufacturer, and only the manufacturer can provide the necessary information about their product's safety and effectiveness, intended use, indication for use, and reliability related to safety and effectiveness in submission documentation to the appropriate agency for their clearance/approval. So I don't understand the part where you mention that "the EU and FDA say we are Class IIa and Class II respectively"?
 

ValGal

Starting to get Involved
#3
I agree with QAengineer13.

You must account for these hazards/harms.
Also, if you are selling your device in the EU, you must follow the 14971:2012. This means that you will need to mitigate risk As Far As Possible (AFAP) vs. the 14971:2007's As Far As Reasonably Practicable (AFARP).
Also, 2012's version expects more risk/benefit analysis activities (but there are ways to limit that burden).

Finally, my company submits 510(k)s for firms and we have been seeing tons of AIs (additional information) requests for cybersecurity risk and mitigation/controls (ANSI/AAMI/ISO/IEC TIR 80001-2 series and AAMI TIR 57).

Just something to keep in mind.
 

QAengineer13

Quite Involved in Discussions
#4
Thanks ValGal, it was a good point around cybersecurity. In addition to that, I would personally consider integrating usability-related risks (IEC/ISO 62366) along with the risk management. The flowchart in IEC 62366-1:2015 is very useful in understanding the integration of risk management ISO 14971 (decision making process) with usability engineering IEC 62366-1 (design and development process).
 
#5
Thank you very much for the information. I inferred as much from reading the guidance you cited. Just to note, we have provided for not only the cybersecurity but also HIPAA hazards in our hazard analysis -- administrative safeguards are overlooked and I'm pretty sure they will be coming up in future reviews.

Back to my earlier question -- then how are Patient Physiological Monitors, even many including "Moderate" level of concern? If the foreseeable, though very improbable outcome of a malfunction of the device is death? The Level of Concern states the failure in the device can only be a Minor Injury.

A patient is in a walk-in clinic, hooked up to a patient monitor without an alarm. Say they're recovering from dehydration, so they're under observation, but not in the ICU. The monitor software malfunctions, continuing to display a normal waveform, respiration or what have you. In the meantime, the patient is having some sort of event, but the doctors fail to treat the patient for symptoms due to the missing information. The patient dies due to delay in treatment.

Or how can any PACS system be Moderate level of concern?

This isn't a great example, but a patient goes to the doctor complaining of persistent headaches, unresponsive to other treatment. To be safe, the doctor orders an MRI. The PACS then swaps the patient's MRI for one from another patient that shows a small mass near the patient's spine. The doctor orders a procedure to remove or shrink the mass. Is this a minor injury?

I'm sure someone with better knowledge of the field can easily imagine dozens of examples where the PACS showing the wrong images would lead to an adverse event. They are all possible (P1 = 1 for software after all) -- it's just that the odds of them happening are vanishingly small.

So my question is if something has never happened before, is it still a risk?
 