The ISO 14971 Risk Management standard defines principles for a risk management process for medical devices. The requirements given in this standard help manufacturers to comply with the main regulations. So, by implementing an ISO 14971 Risk Management Process you can take a big step in your EU MDR, IVDR or FDA certification route. The process described in the standard and the examples given in ISO/TR 24971:2020 are a powerful guide for manufacturers. In short, they define methods to identify the hazards associated with the medical device, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.
The ISO 14971 Risk Management process has 10 main clauses and 3 Annexes. Most of the Annexes of the 2007 version have been moved to ISO/TR 24971:2020. Therefore, for a successful implementation manufacturers shall also consider the latter, together with the classical PDCA (Plan-Do-Check-Act) approach, throughout the life cycle of a medical device. Let's take a look at the details of the standard.
Risk Management Plan
Clause 4.4 of the standard lists 7 requirements for the risk management plan.
- scope of the planned risk management activities
- assignment of responsibilities and authorities
- review of risk management activities
- criteria for risk acceptability
- method to evaluate the overall residual risk
- activities for verification
- collection and review of relevant production and post-production information
The details of these can also be referenced in a documented risk management procedure. As mentioned above, it is crucial that the scope of the risk management activities covers the entire product life cycle.
Risk Management File
The records of all risk management activities shall be filed or referenced in the so-called "Risk Management File". According to clause 4.5 of the standard, this file shall cover all phases of the medical device life cycle from initial conception until final decommissioning and disposal.
The main requirement is to establish traceability for each identified hazard to:
- the risk analysis;
- the risk evaluation;
- the implementation and verification of the risk control measures; and
- the results of the evaluation of the residual risks.
To manage this, a simple traceability matrix with the following elements can be used:
- hazards and hazardous situations;
- the possible harm related to the specific hazard;
- the risk control measures;
- verification of implementation and effectiveness; and
- the acceptability of any residual risks.
Each identified hazard shall be analysed. This analysis shall take the intended use and reasonably foreseeable misuse, characteristics related to safety, and hazardous situations into consideration. Manufacturers shall estimate the risk related to each hazard using predefined criteria. ISO/TR 24971 includes very useful examples of methods for risk estimation, such as a simple matrix for probability and severity.
For each identified hazardous situation, the manufacturer shall evaluate the estimated risks and determine if the risk is acceptable or not, using the criteria for risk acceptability defined in the risk management plan. The risk acceptability criteria shall be based on the risk-benefit analyses for each hazard.
According to the results of the risk evaluation, the control methods for the unacceptable risks have to be planned and implemented by the manufacturers. The manufacturer shall use one or more of the following risk control options in the priority order listed:
- inherently safe design and manufacture
- protective measures in the medical device itself or in the manufacturing process
- information for safety and, where appropriate, training to users
The risk control methods shall be implemented until a positive risk-benefit analysis can be justified.
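The traceability matrix and the estimate, evaluate and control steps described above can be checked mechanically. The following is an added example, not taken from the standard or from the original article: the 5x5 scales, the acceptability threshold of 6, the field names and the sample rows are assumptions, and residual risk is assumed to change only in probability.

```python
from dataclasses import dataclass, field

# Assumed scales and threshold; real values come from the risk management plan.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
ACCEPTABLE_MAX = 6  # assumed criterion: severity x probability <= 6 is acceptable
# Risk control options in the priority order the article lists.
PRIORITY = ["inherently_safe_design", "protective_measure", "information_for_safety"]

@dataclass
class Row:
    hazard: str
    situation: str
    harm: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)  # (option, verified) tuples
    residual_probability: str = ""                # empty = not yet evaluated

def score(severity, probability):
    return SEVERITY[severity] * PROBABILITY[probability]

def review(row):
    """Return the traceability gaps for one hazard row."""
    gaps = [f"missing {f}" for f in ("situation", "harm") if not getattr(row, f)]
    if score(row.severity, row.probability) <= ACCEPTABLE_MAX:
        return gaps  # acceptable without further controls
    if not row.controls:
        return gaps + ["unacceptable risk has no control measure"]
    gaps += [f"control not verified: {opt}" for opt, ok in row.controls if not ok]
    if min(PRIORITY.index(opt) for opt, _ in row.controls) == len(PRIORITY) - 1:
        gaps.append("only lowest-priority control used; justify skipping design/protection")
    if not row.residual_probability:
        gaps.append("residual risk not evaluated")
    elif score(row.severity, row.residual_probability) > ACCEPTABLE_MAX:
        gaps.append("residual risk above criterion; benefit-risk analysis needed")
    return gaps

# Constructed sample rows (hypothetical infusion pump), not from the article.
MATRIX = [
    Row("electrical energy", "leakage current reaches patient", "electric shock",
        "critical", "occasional", [("protective_measure", True)], "improbable"),
    Row("software fault", "dose calculated wrongly", "overdose",
        "catastrophic", "remote", [("information_for_safety", False)]),
    Row("sharp edge", "user touches housing edge", "", "minor", "remote"),
]

def review_matrix(rows):
    return {r.hazard: review(r) for r in rows if review(r)}
```

Rows that trace completely are omitted from the result, so an empty dictionary means every hazard reaches an evaluated, acceptable residual risk under the assumed criterion.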
Evaluation of Overall Residual Risk
ISO 14971:2019 requires that
- the overall residual risk is evaluated in relation to the benefits of the intended use of the medical device,
- the overall residual risk is evaluated by persons with the knowledge, experience and authority to perform such tasks,
- the manufacturer informs users of significant residual risks and provides the necessary information in the accompanying documentation to disclose those residual risks.
Of course, if the overall residual risk is not judged acceptable in relation to the benefits of the intended use, the manufacturer may consider implementing additional risk control measures. Again, the decision shall be based on the risk-benefit analysis.
Risk Management Review
ISO 14971:2019 requires that
- the final results of the risk management process be reviewed to ensure that the risk management plan has been appropriately executed,
- the overall residual risk is acceptable,
- appropriate methods are in place to collect and review relevant production and post-production information.
The risk management review shall be performed after implementation and verification of all risk control measures but prior to commercial release of the medical device. The risk management report shall include the summary of this review and is included in the risk management file.
Production and Post Production Activities
According to ISO 14971, the manufacturer shall establish, document and maintain a system to actively collect and review information relevant to the medical device in the production and post-production phases. When establishing this system, the manufacturer shall consider appropriate methods for the collection and processing of information.
This can be a part of the post marketing surveillance procedure. Manufacturers shall ensure that this information is part of the routine risk management review process.