Medical Device Risk Management: An ISO 14971 Update

Dec 23, 2019 | News

In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. This year, the ISO technical committee (ISO/TC 210) has been hard at work updating this globally recognized standard. And while the fundamental stages of the risk management process remain unchanged, there are some key modifications that medical device manufacturers should be aware of to ensure that they can successfully navigate the development, testing, and launching of new products in the coming years.

The most significant revisions include the following:

  • Three new definitions are being introduced (benefit, reasonably foreseeable misuse & state of the art)
  • Benefit-risk analysis is being refocused to align the concept with terminology used in other major regulations, such as the EU MDR
  • Additional emphasis on the scope of the ISO 14971 risk management process; for example, all risks associated with a medical device, ranging from electrical to usability and data security
  • More emphasis is being placed on the importance of risk management planning by explicitly requiring that proper execution of the plan is verified during risk management review
  • Risk management plans must define the methods and criteria used to evaluate acceptability of the overall residual risk
  • The various requirements to disclose certain residual risks are being merged into one requirement as part of the “Evaluation of overall residual risk”
  • Risk management requirements for proactive production and process-based post-production activities have been elaborated upon and restructured
  • The number of annexes to the standard has been decreased and the information moved to ISO/TR 24971 (Medical devices – Guidance on the application of ISO 14971) to maintain the focus on the normative requirements

It should be noted, relative to that last point, that the revised guidance (ISO/TR 24971) is currently under review and has not yet been published. If you did not know about this restructuring, you might purchase the new 14971 without realizing that a significant portion of information – such as recommendations on hazard identification, risk concepts and medical devices, risk analysis techniques, residual risk, risk management for in-vitro diagnostic devices, risk management for biological hazards, and risk management plan – was missing from ISO 14971. Once published, you will need to buy TWO documents for compliance.

It’s important to emphasize that the general process for risk management of medical devices has not significantly changed – manufacturers must still identify all relevant hazards and their situations, estimate the level of risk involved, and manage these risks to create a device suitable for its purpose.

One change that is particularly interesting to note, however, is how risk-benefit analysis is now being viewed. The term is essentially being reversed, with the focus placed on benefits outweighing the risks. Benefits can now be considered to be any positive impact or expected outcome of the use of the medical device.

Likewise, it is worth noting that the definition of “reasonably foreseeable misuse” now explicitly extends the scope beyond the to-be-expected use errors – even though this was already the expectation for many years. Because it affects a device’s benefit-risk profile, this also explicitly includes unforeseen risks resulting from inadequate “data and system security,” implying that the risk analysis must be reviewed as new cyber risks are identified.

There is a new chapter concerning safety-related characteristics as well, but the requirement is not new. These are characteristics that are essential for the safety of the device, similar to the essential performance requirement identified in IEC 60601-1.

A planned, proactive collection and evaluation of data from post-development phases is also emphasized. This includes an information review on state of the art, competitor information, and information generated during the installation, use, and maintenance of the device.

To learn more about the newly-revised ISO 14971 and its possible impact upon your company’s risk management strategy, contact the risk management specialists here at MEDIcept.