The approval of ISO 14971 for medical device risk management in December 2019 marked a significant milestone in ensuring the safety and efficacy of medical devices. While the core principles of risk management remained largely unchanged, the standard underwent a substantial reorganization, reflecting a concerted effort to enhance clarity and efficacy.

A notable aspect of the 2019 version of ISO 14971 is the introduction of new terminology and more detailed requirements pertaining to post-market risk management, underscoring the evolving landscape of medical device regulation and the need for comprehensive risk mitigation strategies throughout the product lifecycle.

One of the most substantial changes in this revision pertains to the annexes accompanying the standard. Unlike previous versions, which contained numerous annexes, the 2019 edition features only three, with the remaining annexes relocated to ISO/TR 24971, a complementary technical report published in 2020. The annexes retained within ISO 14971 address the rationale for the requirements, the risk management process, and fundamental risk concepts.

The emergence of ISO/TR 24971 underscores its potential to become a cornerstone of medical device risk management, housing annexes that are currently absent from ISO 14971. This evolution reflects a broader industry commitment to continuously refining and expanding risk management methodologies to meet evolving regulatory requirements and ensure patient safety.

Among the pivotal activities integral to effective risk management is risk analysis. Various methodologies exist for conducting such analyses, with one prominent approach being Failure Mode Effect Analysis (FMEA), which systematically identifies and evaluates potential failure modes and their associated effects to inform risk mitigation strategies.

General Overview of the ISO 14971:2019

Particular attention was paid in the updated ISO 14971:2019 to the benefit-risk analysis of medical devices, so as to align the standard with the EU MDR (2017/745) and IVDR (2017/746). The new ISO 14971 now requires an assessment of the overall residual risk and the definition of criteria for risk acceptability. The methodology used to assess the acceptability of the overall residual risk may differ from the acceptability criteria applied to individual risks.

New terms and definitions were also added to the standard, including benefit, state of the art and reasonably foreseeable misuse.

Important updates were also made on the cybersecurity side, reinforcing the importance of evaluating the security-related risks that arise from connected devices. This attention to cybersecurity is aligned with the behaviour of the FDA and other regulatory agencies, which in recent years have increased their focus on medical device cybersecurity.

Overview of the Risk Management Process 

The overall risk management process can be described by the scheme below:

[Figure: risk management process]

Basically, the risk management process has the following goals:

  • identification of hazards and hazardous situations
  • estimation and evaluation of the risks
  • risk control
  • monitoring of the effectiveness of the risk control measures

Risk Management Plan 

The risk management plan is one of the most important documents of the risk management process. The table below summarises the main contents of the risk management plan:

Content of the Risk Management Plan

  • Scope of risk management activities
  • Responsibilities and authorities
  • Requirements for review of risk management activities
  • Criteria for risk acceptability
  • Method for evaluation of the overall residual risk
  • Methods for verification of risk control measures
  • Post-production risk management activities

Risk Control according to ISO 14971

Risk Control Measures 

We are going to discuss only a few specific steps of the risk management process. One of them is the risk control part of the process.

Risk control options are of fundamental importance in reducing the risks. It is essential that risk control measures are implemented following a specific priority order:

  • inherently safe design and manufacturing of the device
  • protective measures in the medical device itself or in the manufacturing process
  • information for safety and/or training

When risk reduction through the implementation of risk control measures is not feasible, a benefit-risk analysis shall be performed and the residual risk shall be evaluated and discussed.

Verification of the risk control measures 

All the risk control measures that are identified need to be implemented and verified. The type of verification performed depends, of course, on the nature of the risk control measure; typically it is done through specific tests, visual inspection, validation activities, etc. It is also possible to combine verification activities conducted as part of the design process with verification of the effectiveness of the specific risk control measure.

Residual Risk Evaluation 

After the implementation of the risk control measures, the residual risks shall be evaluated by comparing them with the risk acceptability threshold defined in the risk analysis.

It is important to mention that all risks need to be reduced as far as possible, including risks that are by nature relatively low. In any case, after the implementation of risk control measures, none of the risks defined in the risk analysis may remain unacceptable. If, during the lifetime of a device, an unacceptable risk comes up, field actions (recall, safety notice) shall be implemented to immediately reduce this risk to an acceptable level.

Benefit-Risk Analysis 

In case a residual risk is not evaluated as acceptable, a benefit-risk analysis shall be documented to demonstrate that the benefits of the intended use outweigh this residual risk.

Risks arising from risk control measures and review of risk control measures 

The effect of risk control measures shall be reviewed to evaluate whether new hazards have been introduced and whether the risk control measure affects the estimation of the risks for previously identified hazardous situations.

Moreover, the risk control activities shall be reviewed to make sure that these activities are complete and that all the risks associated with the identified hazardous situations have been identified.
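As an added worked example (not part of the original article), the following Python script walks one constructed risk register entry through the risk control steps just described: the priority order of the control options, verification of each measure, review for hazards introduced by the measures themselves, and comparison of the residual risk with the acceptability criteria. The acceptability criteria, the hazard and the control measures are constructed for illustration and do not come from any real device file.

```python
# Residual-risk evaluation following the ISO 14971 risk control steps above (constructed example).
from dataclasses import dataclass, field
from enum import IntEnum

class Option(IntEnum):          # risk control options, in the required priority order
    INHERENT_SAFETY = 1
    PROTECTIVE_MEASURE = 2
    INFORMATION_FOR_SAFETY = 3

def is_acceptable(severity: int, probability: int) -> bool:
    # acceptability criteria from the risk management plan (constructed: 1..3 scales, product <= 3)
    return severity * probability <= 3

@dataclass
class Control:
    option: Option
    description: str
    verified: bool              # verification performed (test, inspection, validation)
    new_hazards: list = field(default_factory=list)  # hazards the measure itself introduces

@dataclass
class Risk:
    hazardous_situation: str
    severity: int               # initial estimate before risk control
    probability: int
    controls: list = field(default_factory=list)
    residual: tuple = None      # (severity, probability) estimated after the controls

def evaluate(risk: Risk) -> dict:
    """Apply the risk control checks to one risk register entry."""
    findings = []
    options = [c.option for c in risk.controls]
    if options != sorted(options):  # inherent safety before protection before information
        findings.append("control options not applied in the required priority order")
    for c in risk.controls:
        if not c.verified:
            findings.append(f"unverified control measure: {c.description}")
        for h in c.new_hazards:     # review whether the measure introduced new hazards
            findings.append(f"new hazard from '{c.description}': {h}")
    sev, prob = risk.residual or (risk.severity, risk.probability)
    acceptable = is_acceptable(sev, prob)   # not acceptable -> benefit-risk analysis needed
    return {"acceptable": acceptable, "benefit_risk_analysis_required": not acceptable,
            "findings": findings}

# Constructed register entry for a connected-device hazard (not from a real device file).
SAMPLE = Risk("configuration interface reachable without authentication", 3, 3, controls=[
    Control(Option.INHERENT_SAFETY, "remove unused remote configuration service", True),
    Control(Option.PROTECTIVE_MEASURE, "authenticate the remaining service", True,
            new_hazards=["clinician locked out during urgent use"]),
    Control(Option.INFORMATION_FOR_SAFETY, "labelling: change default credentials", False),
], residual=(3, 1))
```

Running `evaluate(SAMPLE)` reports the residual risk as acceptable but still lists two findings to close before the risk control review is complete: an unverified measure and a new hazard that needs its own analysis.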

Conclusions

One of the key enhancements introduced in the newly updated ISO 14971 pertains to the section addressing post-market risk management. Notably, Clause 10 of the standard has undergone a significant modification, now titled “Production and post-production activities,” aligning more closely with Clause 8 of ISO 13485. This alteration underscores the importance of establishing robust processes for managing risks associated with products after they have entered the market.

Clause 10 emphasizes the imperative of maintaining an active system for post-market risk management. It outlines the framework for collecting information related to production and post-production activities and mandates the evaluation of this data from a risk perspective. This systematic approach aims to identify and address potential risks promptly, thereby enhancing the safety and efficacy of medical devices throughout their lifecycle.

An insightful resource on post-market risk management is a document published by AAMI, which offers valuable guidance and best practices in this critical area.

In summary, the updated ISO 14971, in conjunction with the newly introduced ISO 20471 focusing on labeling requirements, will serve as indispensable tools for Medtech companies seeking to ensure product safety and regulatory compliance. By implementing these standards effectively, organizations can enhance their risk management practices, bolstering consumer confidence and promoting public health.
