Tony Parise, Product Strategist—Life Sciences, ETQ | 03.29.19
ISO 14971 for medical device risk management is in the final stages of an important update slated for publication this year. While ISO has specifically said the intent of the revision isn’t to rework the risk management process, subtle changes in the latest version could impact medical device manufacturers in a variety of ways.
The changes include a significant reorganization of content, new terms, and more detailed requirements around evaluating residual risks and collecting production and post-production information. It also refocuses the standard on benefit-risk evaluation, which is in line with changing regulatory requirements such as the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR).
The revision is aimed mainly at clarification of the risk analysis process and the specific steps device manufacturers must take. Another goal was making it easier to update the standard’s guidance without going through the entire process of changing it.
The joint working group (JWG) tasked with revising the standard achieved this by moving most of the guidance in ISO 14971 to Technical Report (TR) 24971, which is being revised in parallel. The new ISO 14971 has three informative annexes, with the other seven incorporated into TR 24971. The only annexes that would remain are rationale for requirements, risk management process, and fundamental risk concepts.
The rest of the guidance has been moved to TR 24971, including recommendations on hazard identification, risk concepts and medical devices, risk analysis techniques, residual risk, risk management for in-vitro diagnostic devices, risk management for biological hazards, and risk management plan.
This makes TR 24971, once a lesser-known document, an essential companion piece for ISO 14971 implementation. TR 24971’s guidance has expanded from 75 pages to over 100, providing detailed information on risk management tools, best practices, and useful examples.
ISO 14971 defines a handful of new terms, including benefit (the counterpart to the existing definition of risk) and state-of-the-art. One interesting addition is “reasonably foreseeable misuse,” which the standard defines as improper use arising from “readily predictable human behavior,” and which may or may not be intentional. This goes beyond user error, requiring manufacturers to consider a broader range of risks.
For example, orthopedic manufacturers developing smart implants must consider the cybersecurity implications of connected devices in patients. Anything with embedded software must be robust and secure, because here “reasonably foreseeable misuse” can result in high-impact risks. That is why manufacturers incorporating IoT technology must prioritize risk management and should consider implementing (or at least following) ISO 14971 and its companion standards.
There are also changes to the standard’s requirements. Device manufacturers should pay special attention to language around benefit-risk analysis, residual risk, and production and post-production activities.
ISO 14971:20XX strengthens language around benefit-risk analysis in the standard, reflecting a growing area of attention by regulatory bodies in evaluating compliance. The new TR 24971 expands guidance on determining benefits and criteria for benefit-risk analyses, providing specific examples of these types of decisions.
Monitoring benefits is also important for post-production activities to determine whether the benefit-risk balance changes over time to adjust the risk management process accordingly. According to the new TR 24971, manufacturers should look for changes during post-production activities to inform benefit-risk analysis, including more/fewer patient benefits as revealed by clinical data; changes in medical practices; patient population changes; and introduction of new devices with different risks and benefits.
ISO 14971 features a few small but important updates to the risk analysis process. Clause 5.4 focuses on hazard identification and now requires manufacturers to address reasonably foreseeable combinations of events that can create hazardous situations.
Another key change is ISO 14971’s language around how to handle residual risks remaining after implementation of controls. The standard requires manufacturers to:
- Describe the method for evaluating overall residual risk
- Define criteria for acceptability of individual risks and overall residual risk
- Perform a benefit-risk analysis on individual residual risks not meeting the criteria, as well as on the overall residual risk
- Implement processes to continuously update risk management documentation, including with production and post-production data
ISO 14971 provides more detail on collecting production and post-production data, adding three new subclauses: Information Collection (10.1), Information Review (10.2), and Actions (10.3).
The subclause on information collection requires companies to collect production and monitoring data; user-generated data; data originating from installation, use, and maintenance; supply chain data; and data related to the state-of-the-art, such as new standards, data, or alternative devices.
The information review subclause relates to ongoing monitoring and requires manufacturers to consider the information they collect when the state-of-the-art changes.
| Standard | Scope |
| --- | --- |
| ISO 13485 for medical device quality management | |
| ISO 14971 for medical device risk management | |
| ISO 31000 for risk management | |
A new, important requirement under Actions (10.3) is that manufacturers must take action on devices already on the market. For instance, if post-market surveillance uncovers a defective device, you may need to institute a recall, which wasn’t explicit in the previous version. These changes align with the existing FDA Quality System Regulation (QSR) and the updated EU MDR requirements, part of a push toward globalizing product development regulations.
The JWG also sought to clarify the difference between ISO 14971 and ISO 31000. As a result, they updated ISO 14971’s scope and will include a statement that it doesn’t apply to managing business risk. Companies now have more clarity when deciding whether to implement standards such as ISO 13485, ISO 14971, and ISO 31000. (See table)
When ISO 14971 was last revised in 2007, the European Committee for Standardization released a European Normative (EN) version identifying gaps between the international standard and European regulations. EN ISO 14971:2012 highlights seven controversial deviations where regulators felt the standard fell short of the Medical Device Directive.
ISO 14971:20XX should effectively address all but two of the seven deviations—benefit/risk analysis and risk control—in several cases by copying MDR language. As for the unaddressed deviations, device manufacturers that CE-mark products must still:
- Perform a benefit/risk analysis for all individual and residual risks (versus just those not meeting acceptability criteria per the ISO 14971 standard)
- Implement risk controls for all individual risks (as compared to only those not meeting acceptability criteria)
The new EU MDR and IVDR strongly emphasize risk management. While these regulations clearly differ from this latest version of ISO 14971, the standard’s architects evidently attempted to align it with EU regulations.
Meanwhile, the FDA will adopt ISO 13485 for quality management as the basis for requirements to replace the existing QSR. ISO 13485 refers to ISO 14971 as a recommended approach to meeting ISO 13485’s requirements on risk management.
All in all, this makes ISO 14971 an important standard for device manufacturers wanting to market products in both the EU and the U.S. An EN version of the standard is yet to come, and the EU process and the potential impact of Brexit remain sources of uncertainty.
These updates add up, making it critical that device manufacturers stay on top of the requirements. An effective quality management system (QMS) provides crucial support for complying with both standard and regulatory requirements, especially when the system is powered by automation.
In place of unwieldy spreadsheets to manage ISO programs, many companies are moving quality and risk tracking processes to flexible, cloud-based platforms. This drives greater efficiency and visibility via applications with built-in best practices that help meet requirements. Core tools supporting compliance include risk register and risk analysis, document control, employee training, audit management, corrective action, centralized reporting and data analysis, and complaints management.
ISO 14971 also adds a new subclause for normative references, changing the clause and subclause numbering from the 2007 to 20XX version (more details available in Annex B of the draft standard). It may not seem significant, but this will force companies to renumber many documents like training materials and quality procedures, as well as audit checklists, questions, and templates. Automation can also simplify this process.
While the update seems like a raft of small changes, together it means a new, clearer direction for the standard and companies pursuing certification. The changes will leave a lasting impact and give manufacturers who invest in QMS automation a clear product quality and compliance competitive advantage.
Anthony Parise is a product strategist for life sciences at ETQ, a Burlington, Mass.-based leading provider of quality, EHS, and compliance management software trusted by some of the world’s strongest companies to secure brand reputation, transform insight into action, and help them focus on what matters most.