The third edition of ISO 14971 (Application of Risk Management to Medical Devices) was released in December 2019, and replaces the previous iterations of the standard, EN ISO 14971:2012 and ISO 14971:2007. So, what’s new for medical device manufacturers to note and act upon?
What is ISO 14971:2019?
ISO 14971:2019 provides a thoroughgoing process for manufacturers to identify medical device hazards, assess and control risks, as well as monitor the effectiveness of their company’s risk control processes throughout the lifecycle of a device.
This new edition consists of 10 clauses and three annexes and is aligned with the new EU MDR and EU IVDR.
In general the standard includes a reorganization of content, new definition of certain terms, and more detailed requirements around evaluating residual risks and collecting production and post-production information.
It also presents a new focus on benefit/risk evaluation, which is in line with the new provisions of the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).
1. Risk Management Plans
The standard includes detailed requirements for medical device developers to assemble risk management plans that define acceptable levels of risk for a product based on:
State of the art
These plans should include activities to verify the implementation and effectiveness of your risk control measures, as well as the information you need to collect during production and post-market activities.
2. Risk assessment requirements
ISO 14971 specifies the required risk assessment steps a medical device manufacturer needs to undertake for every product they develop.
This includes the documentation of their risk analysis and risk evaluation activities - which now should incorporate any ‘reasonably foreseeable’ risk of product misuse or failure (see below).
During this phase, risks are assessed using acceptability criteria defined in the risk management plan. If a risk is deemed acceptable, it becomes a ‘residual risk’. Residual risks are then subject to further controls, including a requirement to communicate them more clearly to the user.
3. Risk control requirements
The standard describes the risk control and mitigation measures that companies should document, implement and then verify for effectiveness.
Residual risks should be evaluated using risk acceptability criteria. If the risk is found to be unacceptable, more risk control activities will need to be implemented.
Where risk controls are not feasible, a benefit-risk analysis can be conducted to determine whether the benefits of using the medical device outweigh the residual risk.
4. Evaluation of Overall Residual Risk
The criteria for acceptability of overall residual risk should be documented in the risk management plan. This should mean a more objective process of risk evaluation takes place that ensures several smaller risks do not create a larger, unexpected risk.
The standard notes that the criteria for the acceptability of ‘overall residual risk’ can be different from the acceptability of risk to an individual (depending on any medical condition they may have).
Residual risks inherent in a device’s use even after all risk control measures have been implemented, therefore, must be disclosed to users by the manufacturer. This will allow them to make a more informed decision about whether to use the device or find alternatives.
5. Risk management review
This review should be documented in the risk management report. It requires manufacturers to provide evidence that the plan was effectively executed, objectives were achieved, and that methods to collect information during production and post-production have been established.
6. Production and Post-Production activities:
This step includes four stages, and the new standard includes more details of activities to be implemented:
Set up a system to collect and review information from production and postmarket activities to feed into future risk analysis
Continue to collect relevant information for the medical device from a range of sources (for example, information from users, distributors, publicly available information, literature, and more). The standard requires that the manufacturer actively collects the information and does not wait passively until this information becomes known.
Review the information gathered in stage 2 (above) to determine its ongoing relevance to device safety.,
Finally, actions should be implemented by reviewing the risk management file, determining whether new risks need to be assessed or previous risks require reassessment.
What’s new? Some new definitions and clarifications
“Reasonably foreseeable misuse”
The new definition in ISO 14971:2019 states that if misuse of a product can result from “predictable human behavior” then you need to take this into account in your risk analysis. Commentators point out this obviously broadens the range of risks you should include in your analysis - making those things that are ‘possible but not really likely’ part of your thinking, too. “Reasonably foreseeable” can be intentional or unintentional and equally applies to lay users and professional users of a product.
Within the new 2019 revision of the standard, section 7.4 asks companies to assess and document whether the medical benefits of the device outweigh the residual risks.
ISO 14971:2019 does not change the overall risk management process, but it does, for the first time, define “benefit” as a:
“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.”
In this definition of ‘benefit’ it extends beyond the impact on the patient to encompass ‘public health’, too.
The ISO/TR 24971 Technical Report provides more guidance on determining benefits and includes examples.
Clearer definition of Production and Post-Production Activities requirements
The principles of collecting and reviewing information have not changed, but the requirements and the activities are described in more detail. The standard adds clearer requirements concerning the collection and review of information about a medical device. Plus, requirements for using all that information to take action for your device and the risk management process.
The Method for Evaluating Overall Residual Risk Has Changed
Section 4.4 (risk management plan) of the updated ISO 14971 standard now emphasizes the necessity of
- Conducting an assessment of overall residual risk and
- Assessing your criteria for determining its acceptability.
The method can include gathering and reviewing data and literature about the medical device and other similar products on the market.
Risk Management Should Be Applied to Cybersecurity
As medical devices are increasingly “connected” to the internet, new security risks need to be evaluated and documented. This requirement appears in Annex F of ISO/TR 24971:2020.
The above is not an exhaustive or definitive guide to the changes included in the update to the standard. Instead, it is a look at areas where medical device developers may need to update their approach and revisit their processes and documentation.
As the standard adds more definition to existing requirements and defines more CAPA activity - now more than ever, medical device manufacturers should be considering what eQMS system can best accommodate its demands. For many it will underline the urgency to install a system in which risk management can ‘live’ more effectively throughout the entire product life cycle.