ISO 14971 vs. IEC 62304 vs. 98/79/EC vs. ISO 13485 (Software Medical Device)

[HeatherC-S]

Hi all

I'm in a bit of a pickle and need your help. We made software which is classed as an IVD and are currently undergoing registration for ISO 13485 (2016), we also work to IEC 62304. For risk management we are working to ISO 14971, however there are clashes with the IVDD and by default need to comply with the IVDD. I just want to clarify a few points.

1. Identified risks cover pretty much everything from design of the software, finished software, QMS processes involved with its design and development.

2. Although there is an assigned RPN score this is meaningless as from what I understand no risks can be accepted? Or can risks be accepted once there are suitable controls put in place?

3. All risks (regardless of score) must have a risk-benefit analysis applied to them. Is that correct?

Many thanks

 

[Marcelo]

Hi

1. Identified risks cover pretty much everything from design of the software, finished software, QMS processes involved with its design and development.

Sure.

2. Although there is an assigned RPN score this is meaningless as from what I understand no risks can be accepted? Or can risks be accepted once there are suitable controls put in place?

What the deviation means is that you cannot simply accept risks because you identified the P x S as low. You have to justify it anyway.

RPNs have nothing to do with risk acceptability, they are only related to risk ranking. We are currently discussing this today at the JWG 1 meeting on the revision of ISO 14971 and will hopefully have some clear explanations in the future.

3. All risks (regardless of score) must have a risk-benefit analysis applied to them. Is that correct?

That's what the deviation say, but it does not make much sense to do it for individual risks.