Risk Management
ISO 14971

General information about risk management

The ISO 14971 standard was developed specifically for manufacturers of medical devices on the basis of established risk management principles developed over many years. In general, the aim is to identify hazards, assess and evaluate the associated risks, control these risks and monitor the effectiveness of risk management measures.

In addition to the terminology, the standard also describes the process of risk management and that it is to be applied to the entire product life cycle. Through the requirements and explanations described, the document provides some degree of assistance in the implementation or interpretation of the contents.

Sound risk management is an important part of the development of safe medical devices, in vitro diagnostics and accessories. The consideration of risks is not limited to the medical device in use, but is also supplemented by data from production and downstream phases.

RM Guidance TR/ISO 24971

In addition to the contents of the standard, there is a Technical Report, TR/ISO 24971, which contains further explanations of ISO 14971 and offers much more concrete assistance. Within the scope of the updated version of ISO 14971, ISO/TR 24971 will also be updated.

Changes of ISO 14971:2019

• Normative references have been included
• The definitions have been updated
• Greater focus on the benefits of the medical device or IVD
• Clarification regarding the applicability of the standard for all risks associated with medical devices and IVDs
• The RM plan must now include criteria for the determination and acceptance of the overall residual risk
• Updating of requirements regarding the need to disclose residual risks (e.g. for the patient or user)
• The requirements regarding the RM report have been updated
• The link with post-market surveillance was further explained
• Informative annexes have been removed. They are now available in technical report TR/ISO 24971

Risk Management Plan

ISO 14971 requires that activities must be planned. The RM plan must be created for this purpose. This includes, for example, a description of the medical device, responsibilities and authorities, acceptance criteria and the method for assessing the overall risk.

Risk Analysis

The risk analysis contains of (1) the identification of risks related to the device and (2) the analysis of these risks. The identification can by difficult especially in case of new devices or very complex ones. It is therefore necessary to have a product expert within the RM team. When analysis risks, the actual Rm methods are to ne used. For example, a failure mode and effects analysis (FMEA) can be a useful tool in analysis risks. This method provides an overview of the causes leading to a risk and the harms arrising from it.

In general, it is a good start to think about: "What can go wrong with the device?" This helps to identify hazards. Each hazard is linked to a risk which is described by a severity of harm and the probability of occurence of that harm. In case a patient, user or third is exposed to the harm, this is a hazardous situation. A hazardous situation can lead to a harm. But that´s of course not always happening.

When analyzing the risks, it is necessary to keep in mind that a hazardous situation must be present in order to create a harm. That is a good link to risk mitigation. Because if, for example, the hazard you identified is related to a sharp edge and you mitigate by inherently safe design (removal of the sharp edge), no hazardous situation can occur. Thus, no harm will happen.

Risk Control

The possibilities of risk mitigation have not changed with the new version of the standard. As before, it provides the following options which shall be followed in the written order.

• Inherently safe design
• Protective measures in the actual medical device and/or manufacturing process
• Information for safety, such as labeling and instructions for use

The measures are provided in that certain order according to the individual potential of actually mitigating a risk. In general, the measures to be taken for risk mitigations are very specific to each product. One aspect to consider is, that risk mitigation measures may also introduce new risks or even may reduce the benefit of the medical device. Therefore, implemented measures need to be reviewed.

Risk Management Report

The RM report addresses the following issues:

• The confirmation that the RM plan has been executed
• The acceptance of the overall residual risk
• Confirmation that adequate methods for collecting data from production and downstream phases are implemented.

The report must be completed before the medical device is commercially distributed.