So that stricter guidelines do not hit you like a headwind and leave you facing unexpected hurdles, the seleon experts have done the research for you. Since December 2019, ISO 14971:2019, the risk management standard for medical devices, has been available in its third edition. What has changed since then? What do you need to do?
Although the European Commission updated the list of harmonized standards for the Medical Device Directive MDD (93/42/EEC) in March of this year, there is not yet a list of harmonized standards for the Medical Device Regulation MDR (EU 2017/745) and therefore no harmonized risk management standard. This presents a challenge for the development and presumption of conformity of medical devices under the MDR.
According to a recent decision of the EU Commission, the list of harmonized standards of the Medical Device Directive MDD may NOT be used to demonstrate compliance with the General Safety and Performance Requirements of the MDR (GSPR; abbreviated "GRUSULA" in German). To show that these requirements are met, medical device manufacturers will therefore have to go the extra mile and check for each item individually to what extent it is covered by existing standards, be it risk management, quality management or other relevant requirements.
Nevertheless, harmonization of the risk management standard for medical devices ISO 14971:2019 is strongly expected. For comparison: at the FDA, the standard is already listed among the “Recognized Consensus Standards”, so it may be applied there.
Guidance published: ISO/TR 24971
About six months after the publication of the risk management standard for medical devices ISO 14971:2019, the related guidance document ISO/TR 24971:2020-06 was published in June.
The guide can be considered a long commentary, as it fleshes out the requirements from ISO 14971 and provides guidance for medical device manufacturers on implementation. The first 30 pages comment on ISO 14971:2019 chapter by chapter. This is followed by eight annexes comprising 55 pages:
Annex A: Identification of hazards and characteristics related to safety
Annex B: Techniques that support risk analysis
Annex C: Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
Annex D: Information for safety and information on residual risk
Annex E: Role of international standards in risk management
Annex F: Guidance on risks related to security
Annex G: Components and devices designed without using ISO 14971
Annex H: Guidance for in vitro diagnostic medical devices
Annex on cyber and data security
Following the inclusion of software as a medical device in the third edition of ISO 14971, Annex F of ISO/TR 24971 addresses data security and cybersecurity for the first time.
The annex introduces six important terms:
Security: The system is invulnerable to hostile action.
Threat: Potential to violate security and cause damage.
Vulnerability: Flaws or weaknesses in the design that could be exploited to damage a system.
Confidentiality: Only authorized individuals have access to the data.
Integrity: Accurate and complete data.
Availability: Accessibility of the data.
Furthermore, there is information on hazards, sequences of events and damage. If you have not yet dealt with the topic of cybersecurity, you can get a first idea of the subject here. (TIP: Also check out our newsletter on cybersecurity).
Risk management requirements for medical devices under MDR beat ISO 14971
Important for international medical device manufacturers, as well as for anyone who only starts reading standards at Chapter 3, is the principle of “upper beats lower.” Rigidly applying ISO 14971:2019 and its guidance document ISO/TR 24971:2020 may hold a nasty surprise. That’s because ISO 14971:2019 is broader than the risk management requirements for medical devices under MDR. This was already the case with the second version of ISO 14971 from 2012. What is still “allowed” by ISO 14971 may be considered “against the law” by MDR. For the application of the harmonized EN ISO 14971:2012, this meant that the specifications of the MDD trumped many a principle of ISO 14971.
The rule still holds: upper beats lower, or: MDR beats ISO 14971.
ALARP/ALARA and the risk management standard for medical devices MDR
For example, the principles of ALARA (as low as reasonably achievable) and ALARP (as low as reasonably practicable) are stated in ISO/TR 24971, but clearly contradict the requirements of the EU Medical Device Regulation MDR, Annex I, which states:
“2. the requirement set out in this annex to minimize risks as far as possible shall be understood to mean that risks shall be reduced as far as is possible without adversely affecting the risk-benefit balance.”
Even though nothing has happened yet in the harmonization of ISO 14971:2019, ISO/TR 24971 is certainly worth a look!
Noticing that the wind is not only whistling from the MDR direction, but that risk management is also giving you stormy times? Are you in the midst of a development process and wondering which standard specifications will finally apply to you and how the presumption of conformity is to be established? We will be happy to help you in these stormy times and provide you with competent support in minimizing your risks. Please contact us.
Please note that all details and lists are not exhaustive, are without guarantee and are for information purposes only.