By Marcelo Trevino
Historically, risk management has been a complex subject, with different stakeholders assigning different values on the probability and severity of harm. In medical devices, its high importance has necessitated ISO 14971 providing a generic risk-management framework applicable to all medical devices, from design and development through production and post-production activities.
The third edition of ISO 14971—in addition to an updated companion report, ISO/TR 24971—provides clearer guidance and greater detail in the application of risk management concepts while aligning with essential safety and performance principles. European directives and regulations do not provide enough guidance on additional steps to take in the risk management process, nor on the acceptability of residual risks, so this standard represents the state of the art.
The new European Medical Device Regulation (MDR) and In Vitro Diagnostic Medical Device Regulation (IVDR) require manufacturers to implement a quality management system that incorporates risk management. Although Annexes Z have been prepared to harmonize the risk management standard with the EU MDR and IVDR, ISO 14971:2019 was published on Dec. 10, 2019, without including these Annexes—for now.
Risk management process steps in ISO 14971:2019
Although most of ISO 14971:2019’s risk management concepts are not new, below is a summary of the risk management process as defined in the standard’s third edition:
Step 1: Risk management plan. A risk management plan outlines all risk management activities to be conducted over a medical device’s life cycle, including criteria for risk acceptability based on regulations, international standards, state of the art, and stakeholder concerns. Activities to verify implementation and effectiveness of risk control measures, as well as information to be collected during production and postmarket activities, also must be included in the plan. A risk management report is created after review of the plan execution.
Step 2: Risk assessment. The risk assessment step includes risk analysis and risk evaluation.
- Risk analysis: The medical device’s intended use is documented, an essential step to determine the device’s appropriate use. Reasonably foreseeable misuse errors (including abnormal use) and correct use are considered and documented. Usability engineering is applied to consider all risks and reduce them by adding controls, as needed. Additionally, device characteristics that can affect safety are identified. Reasonably foreseeable events that can contribute to hazardous situations—taking into account intended use, reasonably foreseeable misuse, and safety-related characteristics—all are relevant inputs in this hazard analysis. Finally, the risk of each identified hazardous situation is estimated, taking into account severity of harm and the probability of its occurrence.
- Risk evaluation: During this phase, risks are assessed using criteria for risk acceptability defined in the risk management plan. If the risk is deemed acceptable, it becomes the residual risk; otherwise, risk control activities are performed. The evaluation is documented as part of the risk management file.
Step 3: Risk control. Risk is reduced to an acceptable level. This can be done by designing the device to be inherently safe, thereby ensuring that hazardous situations can’t occur. If this is not feasible, then protective measures are implemented in the device design to reduce the probability of occurrence and the severity of a hazardous situation or harm. When protective measures do not sufficiently reduce risk, safety information is provided to device users in instructions, warnings, and contraindications. User training can also be incorporated. It is important to ensure that risk control measures do not incorporate new risks or influence other risks.
Risk mitigation measures are implemented, verified for effectiveness, and documented. Residual risks are then evaluated using risk acceptability criteria. If the risk is deemed unacceptable, more risk control activities need to be implemented. When risk controls are not feasible, a benefit-risk analysis can be conducted to determine whether the benefits of using the medical device outweigh its residual risk. Depending on the outcome, the device may need to be modified, or its intended use limited.
Step 4: Evaluation of overall residual risk. The contributions of all individual risks together are analyzed to ensure that several small risks do not create an unexpected big risk. The method and criteria for acceptability of overall residual risk is documented in the risk management plan to ensure an objective evaluation takes place.
It is important to note that the criteria for acceptability of overall residual risk can differ from the criteria of acceptability of individual risk based on the organization’s procedure to determine acceptable risk. Residual risks inherent in a device’s use after all risk control measures have been implemented must be disclosed to users, allowing them to make an informed decision whether to use the device or find alternatives, considering the patient’s condition.
Step 5: Risk management review. This step comprises conducting a review of the risk management plan to ensure it was properly executed and documenting that the residual risk is acceptable. This review is documented in the risk management report, providing evidence that the plan was effectively executed, the objectives were achieved, and that methods to collect production and post-production information are established.
Step 6: Production and post-production activities. This step includes four phases, each with detailed activities to be implemented:
- Establish a system to collect and review information from production and postmarket activities.
- Collect relevant information for the medical device (i.e., information from users, distributors, publicly available information, literature, etc.).
- Review the information gathered in phase 2 to determine its relevance to device safety. Any previously unidentified hazards or hazardous situations, new risks, or significant changes affecting the risk need to be assessed to determine if a new benefit-risk assessment is warranted.
- Implement actions by reviewing the risk management file to determine whether new risks need to be assessed or previous risks require reassessment. This phase also includes determining whether actions are necessary for devices already on the market and assessing the effect of previous risk management activities. Additional risk control measures may need to be implemented.
Summary of Changes from ISO 14971:2019
These are the new definitions in ISO 14971:2019:
“Benefit”: “Positive impact or desirable outcome of the use of a medical device in the health of an individual, or a positive impact on patient management or public health.”
“Benefits can include positive impact on clinical outcome, the patient’s quality of life, outcomes related to diagnosis, positive impact from diagnostic devices on clinical outcomes, or positive impact on public health.”
It is important to note that the risk-benefit analysis requirements are not expected to change.
“Reasonably foreseeable misuse”: “Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior.”
“Readily predictable human behavior includes the behavior of all types of users, e.g. lay and professional users.”
“Reasonably foreseeable misuse can be intentional or unintentional.”
“State of the art”: “Developed state of technical capability at a given time as regards products, processes, and services, based on the relevant consolidated findings of science, technology, and experience.”
“The state of the art embodies what is currently and generally accepted as good practice in technology and medicine. The state of the art does not necessarily imply the most technologically advanced solution. The state of the art described here is sometimes referred to as the ‘generally acknowledged state of the art’.”
Other definitions from ISO 14971:2007—such as those for “harm,” “manufacturer,” “user error,” and “in vitro diagnostic medical device”—were updated with minor wording changes.
Comparing ISO 14971:2019 with ISO 14971:2007 / EN ISO 14971:2012
Underlined sections above constitute title changes new to the third edition. The main body of the standard includes 10 clauses instead of nine, as well as three informative Annexes—Annex A: “Rationale for Requirements,” Annex B: “Risk Management Process for Medical Devices,” and Annex C: “Fundamental Risk Concepts.”
A summary of the most relevant changes incorporated to the standard can be found below:
- Section 4.4, “Risk management plan”. An addition stating that a method to evaluate the overall risk and the criteria for acceptability of the overall risk shall be included
- Section 5.2. Clarifies the requirement to document reasonably foreseeable misuse
- Section 5.4. Adds a requirement for hazardous situations to be considered and documented; a reference to Annex C is included
- Section 5.5 (“Risk estimation”), Section 6 (“Risk evaluation”), Section 7.1 (“Risk control option analysis”), Section 7.2 (“Implementation of risk control measures”), Section 7.3 (“Residual risk evaluation”), Section 7.4 (“Benefit-risk analysis”), and Section 10.1 (“Information collection”). Include clarification and updates to their notes
- Section 8 (“Evaluation of overall residual risk”). Addition of disclosure of residual risk statement
- Section 9 (“Risk management review”). Addition stating that manufacturers shall determine when subsequent reviews of the risk management plan’s execution need to be performed and when the risk management report needs to be updated
- Section 10.2 (“Information review”). Clarifies the requirement to review for possible relevance to safety and includes changes in general state of the art
- Section 10.3 (“Actions”). Separates the actions into particular medical devices and risk processes; adds consideration of devices already on the market
- Annex B. Provides a detailed correspondence between ISO 14971:2007 and ISO 14971:2019, including a graphic reflecting the amendments in 2019
- Annex C. Includes a graphic that describes the relationship of hazard, sequence of events, hazardous situation, and harm that was previously in Annex E.1; also includes examples of hazards, events and circumstances, the relationship between hazards foreseeable sequences of events, hazardous situations, and harm that can occur
ISO 14971:2019 provides a thorough process for manufacturers to identify medical device hazards, assess risks, control risks, and monitor the effectiveness of risk controls throughout the life of a device. This new edition, consisting of 10 clauses and three annexes (informative), is aligned with the general safety and performance requirements within the new EU MDR and EU IVDR; it is expected to become a European harmonized standard and therefore represents the state of the art.
Although the existing changes are aimed at clarifying concepts and no changes have been made to the overall process to conduct risk management, manufacturers still need to consider device-specific standards. These can be used—in addition to ISO 14971—to control specific risks associated with some unique device categories to demonstrate how risks can be reduced to acceptable levels.
It is anticipated that some organizations will have to spend some time updating references to the previous standard in existing quality system documentation. ISO 14971:2019 cancels and replaces ISO 14971:2007. However, a transitional period of three years following official publication is a common practice to allow stakeholders to successfully transition to the new edition.
About the Author
Marcelo Trevino is the President, Global Regulatory Affairs and Quality Systems, at TregMedical Compliance Services, a life sciences consulting firm focused exclusively on regulatory, quality, and compliance solutions for medical device companies.