MedTech Terms
    The authoritative reference
    Sign in
    All comparisons
    Compare

    IEC 62304 vs ISO 14971

    Software lifecycle standard vs medical device risk management standard

    IEC 62304 and ISO 14971 are the two standards regulators expect on every software-containing medical device, and they are frequently confused. ISO 14971 is the risk management standard for the whole device. IEC 62304 is the software lifecycle standard for the software item inside it. They are complementary: 14971 drives what risks matter, 62304 drives how the software is built, verified, and maintained to control those risks.

    Attribute
    Standards
    IEC 62304
    Standards
    ISO 14971
    Full title
    IEC 62304, Medical device software, Software life cycle processes
    ISO 14971, Medical devices, Application of risk management to medical devices
    Scope
    Software items: design, development, integration, verification, and maintenance of software
    The entire medical device across its lifecycle, from concept through post-production
    Applies to
    SaMD and SiMD, any software that is itself a medical device or contained in one
    All medical devices, whether or not they contain software
    Core concept
    Software safety class (A, B, C) based on hazard severity, driving process rigor
    Risk = probability x severity, controlled to reduce residual risk to acceptable levels
    Classification output
    Class A (no injury), Class B (non-serious injury), Class C (serious injury or death)
    Risk levels defined by the manufacturer's risk acceptability policy; hazards, hazardous situations, harms
    Key deliverables
    Software development plan, software requirements, architecture, unit and integration test records, SOUP list, problem resolution records
    Risk management plan, hazard analysis, risk evaluation, risk control measures, risk management file, risk management report
    Relationship to the other standard
    Uses the risk analysis from ISO 14971 as input to determine software safety class
    Cites IEC 62304 as an acceptable process for software risk control
    Post-market obligations
    Problem resolution, change control, SOUP anomaly monitoring across the maintenance process
    Post-production information review, feedback into risk file, benefit-risk re-evaluation
    Regulatory recognition
    FDA recognized consensus standard; harmonized to EU MDR and IVDR
    FDA recognized consensus standard; harmonized to EU MDR and IVDR; adopted globally
    Most recent revision
    IEC 62304:2006 + Amd 1:2015 (Ed. 2 under development)
    ISO 14971:2019 (accompanied by ISO/TR 24971:2020 guidance)
    Common misuse
    Applying Class C process rigor to a Class A utility feature, or skipping SOUP evaluation
    Treating risk management as a one-time premarket exercise instead of a lifecycle activity

    When to use which

    Choose IEC 62304

    Apply IEC 62304 to decide how rigorously to build the software: which processes are required, which documents are needed, and how strict verification and change control must be. Software safety class flows from the ISO 14971 risk analysis.

    Full IEC 62304 page
    Choose ISO 14971

    Apply ISO 14971 first, at the device level. It identifies hazards, evaluates risks, defines risk control measures, and sets acceptability criteria. Its outputs feed IEC 62304 (software), IEC 60601-1 (electrical safety), and IEC 62366-1 (usability).

    Full ISO 14971 page

    Frequently asked questions

    No. IEC 62304 explicitly requires a risk management process compliant with ISO 14971. The software safety class, the single biggest driver of required activities, cannot be assigned without a hazard analysis from ISO 14971.
    Comparison built from the sourced definitions and FAQs on the linked term pages. MedTech Terms is a vendor-neutral community resource sponsored by Blue Goat Cyber. Definitions are written for educational use and are not legal or regulatory advice.