Building a Quality Plan for Implementing EN ISO 14971:2012

On May 16, 2012, the European Committee for Standardization (CEN) approved a revised European National Standard for medical device risk management: EN ISO 14971:2012. There were no changes to the main body of the Standard (i.e., Clauses 1 through 9). Instead, the revised European National (EN) version identifies seven deviations in Annexes ZA, ZB, and ZC with respect to the intent of the MDD, the AIMD, and the IVDD, respectively. Those seven deviations are:

1. Treatment of Negligible Risks
2. Discretionary power of manufacturers as to the acceptability of risks
3. Risk reduction “as far as possible” (AFAP) vs. “as low as reasonably practicable” (ALARP)
4. Discretion as to whether a risk-benefit analysis needs to take place
5. Discretion as to the risk control options/measures
6. Deviation as to the first risk control option
7. Information of the users influencing the residual risk

    The following sections of this article provide recommendations for how to update your existing risk management procedure and processes to ensure compliance for CE Marked medical devices.

    How to Address Deviation #1

    In Annex D.8.2, the ISO 14971 Standard indicates that negligible risks may be disregarded. However, essential requirements 1 and 2 specifically require that all risks must be considered. You need to remember that in the context of the Medical Device Directive (MDD), risks are specific to hazards that may result in harm. Therefore, any business risks that may impact customer satisfaction should not be included in this requirement unless there is a patient safety risk. Instead, you should identify severity based upon harm. You might try using a scale of zero to five. A score of zero indicates that the potential hazard will not result in harm, while scores ranging from one to five correspond to: 1) delay in treatment, 2) non-reportable injury, 3) injury requiring treatment, 4) permanent injury, and 5) death. Scores of three to five should also be identified as reportable adverse events.

    How to Address Deviation #2

    The ISO 14971 Standard indicates in Annex D.4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. The ISO 14971 Standard also indicates that the manufacturer should establish a risk management policy indicating a threshold for risk acceptability. Essential requirements 1 and 2 require that risks be reduced as far as possible, and that all risks shall be included in a risk/benefit analysis, not just the risks above a certain threshold. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD. Instead, your company should base acceptability of risk solely upon the clinical risk/benefit analysis and should involve the manufacturer’s medical officer in making this determination. The proper place to document this conclusion is in the conclusions of the clinical evaluation report and risk management report. These two documents should cross-reference one another, and the conclusion should be reassessed as new post-production data is collected over time.

    How to Address Deviation #3

    Annex D.8 in ISO 14971, referred to in Clause 3.4, contains the concept of reducing risks “as low as reasonably practicable” (i.e., the ALARP concept). However, the first indent of essential requirement 2 requires that risks be reduced “as far as possible” (i.e., AFAP). The 2012 European national version of the 14971 Standard explains that manufacturers and Notified Bodies may not apply the ALARP concept with regard to economic considerations.

    The third deviation is the primary reason why medical device companies should discontinue the use of phthalates and latex for most medical devices. Even though these materials are inexpensive solutions to many engineering challenges presented by medical devices, they present risks that can be avoided by using more expensive materials that are not hazardous and do not cause allergic reactions in a large percentage of the population. The use of safer materials is considered “state-of-the-art” and these materials should be implemented if the residual risks after implementation of the risk control (i.e., use of a safer material) are not equal to or greater than the risk of the cheaper material.

    Your company may have created a risk management procedure which includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks, yellow cells that are ALARP, and green cells that are acceptable. To comply with EN ISO 14971:2012, the “yellow zone” should not be labeled as ALARP. A short-term solution is to simply re-label these as high, medium and low risks.

    How to Address Deviation #4

    Clauses 6.5 and 7 of the 14971 Standard imply that a risk/benefit analysis is only required if risks exceed a threshold of acceptability, and Annex D.6.1 indicates that “A risk/benefit analysis is not required by this International Standard for every risk.” However, essential requirements 1 and 2 require that you perform a risk/benefit analysis for each risk and the overall residual risk. Essential requirement 6a also requires a risk/benefit analysis as part of the conclusion in your clinical evaluation report (refer to MEDDEV 2.7.1 rev 3 for guidance on the format and content of a clinical evaluation report).

    Your company may have created a risk management procedure which includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks that require a risk/benefit analysis, yellow cells that are ALARP, and green cells that are acceptable. To comply with EN ISO 14971:2012, the “red zone” should not be labeled as risk/benefit analysis because even risks in the “green zone” require risk/benefit analysis.

    How to Address Deviation #5

    Essential requirements 1 and 2 require that risk control options are implemented for all risks prior to determining acceptability of the residual risks. Essential requirement 2 also requires manufacturers to implement all risk control options—unless the risk controls do not further reduce risk. Clause 6.2 of the 14971 Standard suggests that you only need to use “one or more” of the risk control options, and Clause 6.4 indicates that further risk control measures are not needed if the risk is acceptable. There is a clear contradiction between the intent of the Standard and the Directive here.

    Therefore, my advice is to eliminate the second step of risk assessment from your flow chart for risk management (see Figure 1 from the 14971 Standard) and ignore Clause 5 of the 14971 Standard completely. There is really no need for performing a preliminary risk evaluation for acceptability if acceptability has no impact upon whether you will implement risk controls to reduce risks. What should be done instead is to move Clause 6.5, risk/benefit analysis, to Clause 7 where the evaluation of overall residual risk acceptability is required.

    How to Address Deviation #6

    Clause 6.2 of the 14971 Standard requires the manufacturer to “use one or more of the following risk control options in the priority order listed: (a) inherent safety by design...”. Essential Requirement 2 of the MDD requires the manufacturer to “eliminate or reduce risks as far as possible (inherently safe design and construction).” The difference between these two phrases may seem to be semantics, but the European Commission feels that it is necessary to clarify this.

    Intravenous (IV) tubing presents one of the more prevalent examples of the implications resulting from this interpretation. Most IV tubing is currently manufactured from PVC and contains plasticizers that are phthalates. These phthalates are hazardous substances, but the widespread use of PVC tubing with phthalates continues because this tubing costs less than other types of tubing. If you interpret Clause 6.2 to be specific only to the geometry and features of the IV tubing, then you are compliant. However, the EU Commission is clarifying that you must also use materials of construction that will eliminate the risks associated with these plasticizers.

    How to Address Deviation #7

    The seventh deviation states that no risk reduction shall be attributed to information provided to the user. Therefore, in your risk analysis documentation you cannot identify instructions for use (IFUs) and labeling as a risk control. If you are using an FMEA, you will need to identify other risk controls. This may be especially challenging for risks associated with misuse (the requirement for identifying reasonable misuse is found in Clause 4.2 of the 14971 Standard).

    In the case of the risks associated with re-using single-use devices, most companies add the harmonized symbol for “single-use only” to the labeling and IFUs. In Essential Requirement 13.6h of the MDD, it is required to identify the risks associated with re-use of single-use devices. These are often considered the only risk controls to prevent this type of misuse, but the explanation for this deviation eliminates this as a risk control.

    For all disposable devices that could present a risk if re-used, you must now identify design options that make it impossible to re-use the device. If you have a re-usable electronic device with disposable accessories, you are expected to consider the addition of software and hardware controls that detect the identity of each disposable accessory and track its usage. State-of-the-art risk controls display an error message and fail to operate when a user attempts to re-use the disposable element.

    Final Words of Advice

    You should not blindly implement each of these recommendations, because this is a European National Standard. The Canadian TPD still recognizes ISO 14971:2007—as does the US FDA. Ultimately it will probably be necessary to revise the content of the main body in order to create a harmonized Standard that is acceptable to regulators and industry alike. If you do choose to implement changes to address these seven deviations, you should identify how your risk management process deviates from the ISO 14971:2007 Standard when you are submitting regulatory submissions for review by the CDRH, TPD, etc.

    Robert Packard is a regulatory consultant with 20 years of experience in the medical device, pharmaceutical and biotechnology industries. He is a graduate of UConn in Chemical Engineering. Robert was a senior manager at several medical device companies—including President/CEO of a laparoscopic imaging company. His Quality Management System expertise covers all aspects of developing, training, implementing, and maintaining ISO 13485 and ISO 14971 certification. From 2009-2012, he was a Lead Auditor and instructor for one of the largest Notified Bodies. Robert’s specialty is regulatory submissions for high-risk medical devices, such as implants and drug/device combination products for CE marking applications, Canadian medical device applications and 510(k) submissions. His favorite part of the job is training others. Please visit his website, if you are interested in reading his blogs or registering for a training event. You can also email him directly at: