This article is the first in a multi-part series on risk management for medical devices. In it, we not only want to provide an overview of the most important requirements of the basic standard ISO 14971:2019, but also tips for practical application and implementation.

Risk management for medical devices plays a crucial role in ensuring the safety of patients, users and third parties. Bijan Elahi put it this way in his book “Safety Risk Management for Medical Devices” (Academic Press, 2018): “Our patients trust us with their lives. They expect us to do everything we can to make medical devices as safe as possible. It is our moral and ethical responsibility to apply good risk management practices to provide our patients with products that are as safe as possible.” At seleon, we see this as our mission for risk management.

The international standard ISO 14971:2019 specifies the terminology, principles and process for the risk management of medical devices, including software as a medical device and in vitro diagnostic medical devices. This standard is applicable to all phases of the life cycle of a medical device and is therefore an integral part of product development, production and maintenance.

ISO/TR 24971:2020 as a guideline

The guidance document ISO/TR 24971:2020 provides valuable assistance for the correct application of ISO 14971:2019. It serves as an orientation aid for companies to effectively implement the requirements of the standard and should be taken into account when developing the risk management process and its application!

Scope of risk management

It is important to emphasise that risk management for medical devices only considers risks to patients, users and third parties or the environment. Business risks, planning risks and project risks are explicitly excluded.

Important definitions

The standard defines risk as the combination of the probability of harm occurring and the severity of that harm. The benefit of a medical device lies in the positive influence on a person’s health or patient management. Safety is defined as freedom from unacceptable risks, whereby the medical device does not have to be completely free of risks as long as these are acceptable in relation to the benefit.


Two examples serve to illustrate this concept: Skin burns can occur when using a defibrillator, but the benefit of saving lives outweighs the risk. Similarly, radiation exposure in imaging procedures is accepted because the expected benefit, such as a possible diagnosis, is rated higher.

Risk management process according to ISO 14971:2019

The standard requires a structured risk management process that includes the following steps:

Risk analysis: Identification of the hazards and hazardous situations associated with the product and estimation of the resulting risks.
Risk evaluation: Evaluation of the estimated risks against the acceptance criteria defined in the risk management plan, covering the use, production, transport, storage and disposal of the product. (Risk analysis and risk evaluation together are referred to in the standard as risk assessment.)
Risk control: Definition and implementation of measures to control the identified risks, followed by verification that the measures have been implemented and are effective.
Evaluation of overall residual risk: Judgement of whether the residual risk of the device as a whole is acceptable in relation to its benefit, using the method defined in the risk management plan.
Risk management review: Review of the execution of the risk management plan before commercial release, documented in the risk management report.
Activities during production and downstream production phases: Integration of risk management into the entire life cycle of the medical device.

The coordinated implementation of these activities is defined in the risk management plan.

Risk management plan according to ISO 14971:2019


The risk management plan (RMP) must contain at least the following elements:

Scope of the planned risk management activities:

This primarily includes a description of the medical device (incl. variants) and the life cycle phases to which the RMP is to be applied. For example, some activities may only relate to the design and development phase of the product, others only to production or its downstream phases (e.g. field observations). This definition is made at the beginning of product development.

Assignment of responsibilities and authorisations:

This is where the roles within the risk management team are defined and assigned to specific individuals, so that their qualifications can be checked if necessary. Here, too, the definition takes place at the beginning of product development.

Requirements for the review of risk management activities:

The RMP specifies when and how the risk management activities are to be reviewed. The “how” covers not only the review method but also the persons/roles that must take part and how the results of the review are to be handled. These requirements can also be defined independently of the specific RMP in the QMS in accordance with ISO 13485.

Criteria for the acceptance of risks:

Risk acceptance criteria are an integral part of risk management and are defined based on the company’s own risk policy. It is important that this is done before the actual risk assessment begins, as otherwise the results of the assessment could influence the acceptance criteria.

Methods for assessing the overall risk:

These are also derived from the risk policy. ISO/TR 24971:2020 devotes a separate section to this point (Clause 8) and describes possible approaches. Here, too, the method should be defined as early as possible, but it is not required to be final at the start, because the evaluation of overall residual risk depends on information (for example the complete set of individual residual risks) that only becomes available late in product development.

Activities to review the implementation and effectiveness of risk control measures:

The RMP should describe how these two levels of evidence for risk control measures (implementation and effectiveness) are to be obtained. The implementation of a risk control measure is normally verified as part of product verification. Depending on the nature of the measure, its effectiveness can be verified at the same time, e.g. by demonstrating that the device reaches a safe state once a fault has been detected by a protective measure. Product verification is also normally sufficient for risk control measures that provide “safety by design”. Other measures require a separate verification of effectiveness; one example is the set of warnings in the instructions for use, whose effectiveness can be checked as part of the summative usability evaluation of the medical device. A general specification should be made at the beginning of product development and can be supplemented later for special cases.

Activities to collect and review relevant information from production and downstream phases:

The manufacturer must establish robust processes to collect the diverse information from these phases and can use established QMS processes in accordance with ISO 13485. In this area, there is a strong overlap with vigilance and post-market clinical follow-up (PMCF) activities, which the manufacturer is also obliged to perform for other regulatory reasons. The information collected must be reviewed regularly, with the frequency of review depending on the product risk, the number of devices in the field, the number of incident reports and the severity of the harm reported. The activities can be described in general terms at the beginning of product development (especially if established processes can be used), but must then be made concrete and updated later.

The RMP is therefore a “living document” (ISO/TR 24971:2020, 4.4.1): at the beginning of product development, not all variants of the product have been finalised, and no precise statements can yet be made about the activities in manufacturing and downstream phases. Staff changes make it necessary to bring in new RM team members or reassign responsibilities. New information from the field requires adjustments to risk management activities. All of this means that the RMP must be adapted over the product life cycle, and these changes must be documented.

What happens next?

As mentioned at the beginning, risk management accompanies a product through all phases of its life cycle and is one of the central processes in a company’s process landscape. Risk management cannot function in isolation; it interacts in many ways with other development activities. It is therefore necessary for the company’s top management to ensure the basic prerequisites and set the central guidelines that form the basis for implementing risk management in a company. In the next instalment of our series, we will look at these responsibilities of management and the resulting risk policy of a company.

Please note that all details and lists do not claim to be complete, are without guarantee and are purely for information purposes.