Quick Answer: Integrate IEC 62304 (software lifecycle) with ISO 14971 (risk management) by mapping hazards → requirements → design → tests → evidence. Use one traceability matrix that ties the risk file to SRS/SDS and V&V, then carry it into eSTAR sections for your 510(k)/De Novo. This yields regulator-friendly documentation without adding process overhead.
Why These Standards Matter Together
IEC 62304 gives you the “how” of building medical software—planning, requirements, design, implementation, verification, release, maintenance.
ISO 14971 gives you the “how” of identifying and controlling risks throughout a medical device’s lifecycle—hazard analysis, risk evaluation, risk control, residual-risk evaluation, and post-market surveillance.
For SaMD teams these standards are not separate; they are two halves of one FDA expectation: you must show not only what you built but how you managed every risk.
FDA reviewers look for:
- Lifecycle documentation (per IEC 62304)
- Risk files and control verification (per ISO 14971)
- Clear mapping between the two
If you're building software that diagnoses, monitors, or treats—both standards apply.
Step-by-Step Integration Guide
🔹 Step 1: Create a Combined Traceability Matrix
Start with your Software Requirements Specification (SRS).
For each software requirement, link:
- Associated hazards (ISO 14971)
- Corresponding risk controls
- Aligned test cases (IEC 62304)
Maintain this matrix as your single source of truth for regulatory audits.
🔹 Step 2: Embed Risk Management into Design Reviews
At every design phase gate, explicitly review:
- Hazard logs and risk evaluations (FMEA, Annex C of ISO 14971)
- Status of mitigation implementation
- Any residual risks and their justifications
Document all decisions in design review records.
🔹 Step 3: Align V&V Protocols with Risk Controls
Each risk control must have a dedicated test case with:
- Clear pass/fail criteria
- Direct traceability to the originating hazard
- Proof of control effectiveness, not just functionality
This ensures your V&V satisfies both standards.
🔹 Step 4: Integrate Maintenance & Post-Market Feedback
Use IEC 62304 processes to track:
- Software updates, bug fixes, and patch logs
- Field incidents and complaint trends
Feed this data back into your risk management file and update CAPA actions per ISO 14971.
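One way to mechanise the Step 1 matrix and the Step 3 check that every risk control has a test with explicit pass/fail criteria and a trace back to its hazard, as an added example that is not part of the article: a small Python model of the combined trace that reports gaps before an audit. The record and identifier names (Hazard, RiskControl, TestCase, HAZ-*, RC-*, TC-*, REQ-*) are assumptions, and the sample matrix is constructed.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class Hazard:            # ISO 14971 hazard record
    id: str
    description: str

@dataclass(frozen=True)
class RiskControl:       # ISO 14971 risk control measure
    id: str
    hazard: str          # originating hazard id
    requirement: str     # SRS requirement implementing it (IEC 62304)
    test: Optional[str]  # verification test case id, None if not yet assigned

@dataclass(frozen=True)
class TestCase:          # IEC 62304 verification test case
    id: str
    pass_criteria: str   # explicit pass/fail criterion (empty string = missing)

def trace_gaps(hazards, controls, tests, requirements):
    """Return audit findings as strings; an empty list means every link is in place."""
    hazard_ids = {h.id for h in hazards}
    tests_by_id = {t.id: t for t in tests}
    gaps = []
    for h in hazards:                      # every hazard needs at least one control
        if not any(c.hazard == h.id for c in controls):
            gaps.append(f"{h.id}: hazard has no risk control")
    for c in controls:                     # every control: hazard, SRS requirement, test
        if c.hazard not in hazard_ids:
            gaps.append(f"{c.id}: traces to unknown hazard {c.hazard}")
        if c.requirement not in requirements:
            gaps.append(f"{c.id}: requirement {c.requirement} not in SRS")
        if c.test is None:
            gaps.append(f"{c.id}: no verification test for risk control")
        elif c.test not in tests_by_id:
            gaps.append(f"{c.id}: test {c.test} does not exist")
        elif not tests_by_id[c.test].pass_criteria.strip():
            gaps.append(f"{c.test}: no pass/fail criteria")
    return gaps
# Constructed sample matrix: placeholder ids, not from any real device or submission
REQUIREMENTS = {"REQ-07", "REQ-12"}
HAZARDS = [Hazard("HAZ-01", "Wrong dose shown to clinician"),
           Hazard("HAZ-02", "Stale sensor value displayed as current")]
CONTROLS = [RiskControl("RC-01", "HAZ-01", "REQ-07", "TC-31"),
            RiskControl("RC-02", "HAZ-02", "REQ-12", None)]  # gap: unverified control
TESTS = [TestCase("TC-31", "Displayed dose equals computed dose for all 200 vectors")]
if __name__ == "__main__":
    print("\n".join(trace_gaps(HAZARDS, CONTROLS, TESTS, REQUIREMENTS)) or "matrix complete")
```

Run against the sample matrix it reports the one unverified control (RC-02); the same check fed from your real SRS, risk file and test plan gives the gap list to close before the design review gate.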
FAQs
Q: Do I need both standards for FDA SaMD submissions?
Yes. FDA reviewers expect software process compliance (IEC 62304) and full risk documentation (ISO 14971).
Q: Can ISO 14971 replace IEC 62304?
No. They serve different purposes—risk management vs. development lifecycle.
Q: How often should I update the risk management file?
Update at every major release, patch, or when new risks/complaints emerge.
Key Takeaways
- Integrate early: build your traceability matrix before coding.
- Keep docs in sync: link every test back to a hazard.
- Plan maintenance: feed real-world data into your CAPA process.