Risk Management ISO Standards – ISO 14971: 2019 and ISO TR 24971: 2019.
The definitive risk management standard for medical devices – ISO 14971: 2019 – Medical Devices – Application of Risk Management and the accompanying guidance on its application – ISO TR 24971: 2019 were revised in December 2019 to provide device manufacturers clarity on critical aspects of hazard identification, risk concepts and techniques, the importance of the risk management plan, and end-to-end traceability in ensuring risk is effectively managed across all stages of the product life-cycle.
While the basic foundation and structure of the risk management process has not changed from previous versions, the 2019 revision contains specific information on aspects such as:
- integration with the quality management system;
- extension into the post-production activities;
- applicability to Software as a Medical Device (SaMD) and in vitro diagnostic (IVD) devices and data security;
- criteria for acceptability of overall residual risks; and
- benefit-risk analysis, amongst others.
Clause 5.4 of ISO 14971: 2019 has been rewritten to stress the requirement for consideration of risks during normal operation, rather than use of tools that only address fault conditions, such as Failure Modes & Effects Analysis (FMEA). Under ISO 14971 risk has only two components – Probability (Occurrence) and Severity (Consequence), with no consideration for Detectability as used in FMEA. The reasoning is that Detectability would only influence the Probability of an event occurring and can be offset by suitable adjustment of the occurrence scale. Since ISO 14971 provides a framework for risk management of medical devices aimed at reducing risk of harm to users, unless the end-user can detect the specific risk and react effectively in real time, Detectability serves no useful purpose as a risk control measure. When applied in Process FMEAs for instance, Detection (of failures that may pose hazards, rather than harms) has been historically used as a significant measure in reducing the probability of the harm actually occurring, assuming the detected condition can be effectively acted upon, such as during production processes.
It is worth mentioning that ISO 14971 defines risk as the combination of the Probability of occurrence of harm and the severity of that harm, whereas FMEA is about the Probability of occurrence of a failure and severity of the consequences of the failure. As the common terms Probability and Severity represent very different entities with low correlation in these scenarios, care is required when applying these terms to FMEA and to risk management.
Management of risk occurs in three steps:
- Hazard identification
- Risk assessment (i.e. analysis and evaluation)
- Risk control
The risk management process starts with the preliminary identification of hazards associated with the particular design and characteristics of the device; estimating risk for the hazardous situations that result from a sequence of events then gives the risks prior to any risk control measures. In the next step, the identified hazardous situations are considered one at a time for applying appropriate risk control measures and estimating risks for potential harm to users. Accordingly, two probabilities come into play – 1) the probability of the hazard resulting in a hazardous situation, and 2) the probability of the hazardous situation resulting in harm. The probability of occurrence of harm is the product of these two probabilities. Incidentally, use of the terms ‘pre-mitigation’ and ‘post-mitigation’ risks to characterise these two phases is considered inappropriate, as mitigation applies to acceptance of residual risks, rather than reduction of risk accomplished through risk control measures.
Two risk analysis tools particularly useful in the identification of hazards, hazardous situations, risk control measures and harm are the Preliminary Hazard Analysis and Fault Tree Analysis. Use of these top-down analysis tools should lay the foundation for risk analysis and serve as precursors for subsequent assessment of risks under fault conditions and failure modes. A combination of the analyses using the top-down and bottom-up (e.g. FMEA) tools would provide manufacturers with a robust assessment of risks; on its own, FMEA is not risk management as represented by ISO 14971.
To accommodate the addition of new or revised standards under the ‘generally acknowledged state of the art’ and align with ISO 13485: 2016 requirements, Clause 10 of both the ISO 14971: 2019 Standard and the Guidance have been substantially revised, to include monitoring of production and post-production information. The requirements for information collection, review and determination of information relevant to safety, both for the particular device and for the risk management process, largely align with Post-market Surveillance activities, including Post-Market Clinical Follow-up (PMCF) sought by regulatory bodies.
ISO TR 24971: 2019 also provides further guidance on benefit-risk analysis, firstly by helping in estimation of anticipated benefits, based on positive impact on clinical outcomes and related factors, and then providing criteria for comparing benefit and risk, to determine if the overall residual risk is outweighed by the benefits.
Due to device complexity, the life-cycle approach, and the iterative nature of risk management, end-to-end traceability is fundamental in ensuring all steps of the risk management process have been applied, and risk controls are in place for each identified hazard. This level of traceability, linking individual hazards to the corresponding requirement and testing, poses a challenge for most device manufacturers; while any of several techniques may be adopted by device manufacturers, one example of how risk management activities can be summarised in a traceable manner is available in Annex C of GHTF/SG2/N15R8 – Implementation of risk management principles and activities within a Quality Management System.
The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the views of Brandwood CKC Pty Ltd ACN 128 762 505.
The information presented in this article is of a general nature only and does not consider the particular circumstances of your business. Prior results and case studies do not guarantee a similar outcome in future. You should not rely on this information, and you should seek specific advice for your particular business needs.
Where indicated, certain content has been sourced from third parties; we have not independently verified it. Neither Brandwood CKC nor the author makes any warranty as to the accuracy, completeness or reliability of this article, nor do those parties accept any liability or responsibility arising in any way from omissions or errors contained in the content.