ISO 14971 specifies terminology, principles and a process for Medical Device Risk Management, including Software as Medical Device and InVitro Diagnostic Medical Devices. The process described in ISO 14971 intends to assist manufacturers of medical devices to identify the hazards associated with the medical device, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.
The process described in ISO 14971 can also be applied to products that are not necessarily medical devices in some jurisdictions and can also be used by others involved in the medical device life cycle.
“Risk management can be an integral part of a quality management system”
The different stages of the Risk Management, and how they interact, remain unchanged. Nonetheless, there are still some remarkable changes, listed further below, in comparison to the previous version of ISO 14971. Given the increased attention on benefit-risk by legislators worldwide – including the EU Commission and the US FDA, it is welcoming to see that the ISO 14971:2019 further elaborates on benefit-risk when evaluating the amount of risk involved with Medical Devices. How tISO 14971 standard addresses this increased focus on benefit-risk, is described below:
The 2007-version of ISO 14971 is explicitly mentioned in ISO 13485:2016 – Medical Devices Quality Management Mystems – Requirements for regulatory purposes as the go-to document for guidance on how to apply Medical Device Risk Management principles during device realization. Taking into account the ongoing discussions on the potential convergence of the US Quality system regulation (21 CFR 820) to the widespread ISO 13485, and the upcoming Medical Device Regulation EU MDR 2017/745 requiring manufacturers to have an active Quality Management System, it is likely that this updated version will ensure that ISO 14971 remains the global standard for product Risk Management in the Medical Device industry.
Changes compared to the previous edition of ISO 14971
- Introduction of three new definitions (benefit, reasonably foreseeable misuse & state of the art)
- Increased attention to benefit-risk analysis, aligning the concept with terminology used in certain regulations, such as the MDR.
- Additional emphasis on the scope of the ISO 14971-risk management process, i.e. all risks associated with a medical device, ranging from risks related to electricity, usability, data security etc.
- The risk management plan has to define the methods and criteria to evaluate acceptability of the overall residual risk.
- The requirements to disclose certain residual risks are merged into one requirement, as part of the “Evaluation of overall residual risk”.
- More emphasis on the importance of planning of risk management activities, by stating explicitly that during risk management review the proper execution of the risk management plan has to be verified.
- The requirements with regards to production and post-production activities as part of risk management have been elaborated and restructured.
- The number of annexes to the standard have been decreased and the information moved to ISO/TR 24971, in order to maintain the focus on the normative requirements.
Benefit-risk: New definitions and risk-benefit reshuffle
Clause 3 in the 2019 version of ISO 14971 maps to Clause 2 in the 2007 version of ISO 14971.
Clause 5, Risk Analysis maps to Clause 4 in 2007 version of ISO 14971, is revised to give it “a more logical order.
Clause 5.1 describes the general risk management process and notes that device-makers must record risk management results in a risk management file, among other directions.
And Clause 5.2 goes into some detail about intended use and reasonably foreseeable misuse. It says “the intended use should take into account information such as the intended medical indication, patient population, part of the body or type of tissue interacted with, user profile, use environment, and operating principle.”
Clause 5.3 talks about the identification of characteristics related to safety, while Clause 5.4 focuses on the identification of hazards and hazardous situations. And Clause 5.5 is all about risk estimation.
Clause 8 – Evaluation of Overall Residual Risk, which maps to Clause 7 in the 2007 standard, “says the manufacturer must evaluate the overall residual risk. When the residual risk is unacceptable, you can do a benefit-risk analysis on the overall residual risk.
Clause 10 – Production and Post-Production Activities – This clause takes one large section in ISO 14971:2007 – Clause 9, “Production and Post-Production Information” – and restructures it into three bite-sized sections.
10.1 Information Collection 10.2 Information Review 10.3 Actions
Conclusion
The updated ISO 14971 – Medical devices – Application of risk management to medical devices does not cause a major shift in the perception of risk within the medical device industry. The current risk management process (risk analysis, risk evaluation, risk control & evaluation of residual risk) is not drastically revamped, as the authors confirmed the risk management process as defined in the previous version. However, the level of attention given to the concept of benefit, and how it compares to risk, is new in this version. Whereas the concept was already present in the previous versions of the ISO 14971, the new version is now fully embracing this concept. By doing this, the ISO 14971:2019 – Medical devices – application of risk management to medical devices clearly addresses the global requirements for risk management.
If you have any questions about the update, our experts will be happy to help you. Just send us a message and we will be in touch shortly.
