Current Issues in Medical Device Risk Management

Current Issues in Medical Device Risk Management
Companies developed risk management systems 
for their devices using the ISO standardized process.
Medical devices have been developed with some requirements for product safety since the implementation of the Medical Device Amendments of 1976 to the Federal Food, Drug and Cosmetic Act.  Initially FDA required manufacturers to submit information related to safety as part of the 510(k) premarket notification process, providing comparative data on predicate devices versus the device under consideration.  In the more rigorous Premarket Approval (PMA) process, more detailed safety information on the device under consideration has been required.  Additionally, in a guidance document published in 1991, the FDA required a “hazard analysis” in all premarket submissions for devices containing software.
As far back as 1986, risk analysis was required to receive the CE Mark in Europe.  In 1994, with the implementation of Europe’s Medical Device Directive under the Essential Requirements section of the law, product safety information was required and a European standard was developed to conduct risk analysis for devices under consideration, EN 1441. That standard began a push to develop an international standard for risk, which eventually became ISO 14971 on risk management, released in 2000, and revised in 2007.

Europe accepted ISO 14971 as a replacement for EN 1441, as it was realized that risk had to be managed throughout the product lifecycle, and not just analyzed in the development process.  The Medical Device Directive helped drive that realization and at the same time the FDA was developing the new Quality System Regulation, which was released in late 1996 and effective June 1997.  So there was impetus from both sides of the Atlantic for development of the risk management process.  Even Australia got into the picture with their own move towards medical device regulation with risk requirements.
The national committees from ISO and IEC, as well as the European Union CEN and CENELEC bodies, adopted ISO 14971 with a 100% affirmative vote in 2000 and again in 2007.  All was well with an internationally recognized standard process for managing risks in medical devices.
The FDA recognized both versions of the standard, and Europe harmonized the standard.  Other countries provided some form of acceptance of the standard based on their regulatory systems.
Companies began to develop risk management systems for their devices using the ISO standardized process.   As with anything new, it took time and effort for companies to develop systems for product safety conforming to the standard.  Even after the 2007 release, there were firms that lacked a conforming process. 
When the IEC developed a new version of the electro-medical device standard IEC 60601 in 2005, a large move forward in risk management occurred.  The new IEC standard required documented proof of conformance to ISO 14971 in order to have a product claim conformance to IEC 60601.  Many regulators require conformance to this standard to place a device on the market.
With the new FDA Quality System Regulation (QS Reg) in place, FDA began to cite companies for lack of performing risk analyses.  The FDA became stuck in terminology due to the timing of the QS Reg versus the development of the risk management standard, and so the regulation required “risk analysis” and not “risk management.”  The preamble to the regulation did, however, point the reader to the work of the standard technical committee developing the international risk management standard and it was clear throughout the preamble that the FDA expected “risk management” not just “risk analysis.”  In the premarket activities, they recognized that companies should be able to provide more detailed product safety data from their risk management systems and have included requirements for risk data in a number of premarket submissions guidance documents.
Everything was moving forward until late August 2012, when the European Union put a caveat in the harmonization of the ISO 14971 standard.  The European regional version of the standard, EN ISO 14971:2009, was determined not to provide information that met all of the requirements of the Medical Device Directive, the Active Implantable Medical Device Directive, and the In Vitro Device Directive.
Since Europe was not able to modify the requirements of the standard, they provided, through three Informative Annexes to the standard, statements on what additional steps the manufacturer would need to take to meet the Directive requirements.  Informative Annexes are methods of providing suggestions and additional information on meeting the requirements of the standard but are not binding.  The Normative Section of the Standard alone defines the requirements of the Standard.  Annex ZA provides information on steps required to meet the Medical Device Directive, Annex ZB to meet the Active Implantable Device Directive, and ZC to meet the In Vitro Device Directive.  In the next few paragraphs the general steps in the Annexes are discussed.
Representatives of the European Union, through the Informative Annexes to EN ISO 14971:2012, decided that, in order to meet the Directives, manufacturers should ignore economic considerations in reducing risk associated with the device.  Previously, many European companies utilized a practice known as ALARP, or As Low As Reasonably Practicable, in determining when product risks were acceptable.  Now the EC was insisting that this not be permitted via the European regional standard
In reality, economic considerations are always a part of the development and release of a product, and this is actually acknowledged in the Medical Device Directive, but the European regional standard informs that this is not permitted in   controlling risk associated with a medical device.  In fact, European representatives have stated in the regional standard that the manufacturer cannot establish an acceptable level of risk.  Instead, the manufacturer should continue to reduce risk until no more reduction is possible.  However, there is no Informative Annex or guidance that explains how to do this.  Technically, there is always one more risk control “possible,” especially if economic limits are not considered.  Without determining a level of acceptable risk, how does a manufacturer know that the device is safe?  The term “safe” does not mean all possible risk controls were implemented.  In court, there will always be one more risk control beyond what was implemented.  The definition of the word “safe” as per the standard means freedom from unacceptable risk.    
Additionally, in the European standard, it was decided that the only acceptable method of reducing risk is through “inherently safe design and construction”.  Products developed with safeguards to reduce risk are not specifically mentioned, though that may be part of the inherently safe design identified in the Annexes. It is no longer permissible to take credit for risk reduction through providing the required safety information to the product user.  The international version of the standard had always identified information as the least acceptable method of risk reduction, recognizing that this is, in many cases, a regulatory requirement and in some instances the only means of risk reduction, e.g. “off label” use.

A requirement to provide risk-benefit analysis for each risk and for the Overall Residual Risk for the device was also added.  Previously, the international version had only required these analyses when the individual risk or the overall residual risk was unacceptable.  With the removal of the manufacturers’ ability to define acceptable risk, the risk-benefit changes were also made.  Again, there is no Informative Annex that documents how to perform risk-benefit on each individual risk and there is no consensus in the International Medical Device Standards community on how to perform this, especially for a complex medical device. 
FDA did publish a guidance “Factors to consider when making Benefit-Risk Determinations in Medical Device Premarket Approval and DeNovo Classification.”  The document refers to Section 513(a) of the FD&C Act, which requires “reasonable assurance of safety and effectiveness” by “weighing any probable benefit to health through use of the device against any probable risk of injury or illness from such use.” The guidance further states, “…if the data supports the claims made by the sponsor concerning clinically significant results from the device, i.e. intended use and indications for use, and if the data analysis demonstrates that the probable benefits of the device outweigh its probable risks. A balanced consideration of probable benefits and probable risks is an essential part of FDA’s determination that there are reasonable assurances of safety and effectiveness.”
Facing these changes in the European position, manufacturers encountered some major efforts to update their risk management system, but they needed some guidance in what all this meant.  Those that sought the advice of their European Notified Bodies (NB) found confusion.  The NBs had been blindsided and did not have a position on what to do.
The NBs published an interim position paper, TEAM NB (The European Association Medical Devices - Notified Bodies) Position Paper on EN ISO 14971:2012 dated June 25, 2014 promising to provide more detailed information for manufacturers.  The interim recommendations were in the form of NB Audit questions to be addressed:
1. Are all design solutions in conformity with the safety principles given in the Essential Requirements and EN ISO 14971 (inherent safe design and construction > protection measures > information for safety)?
2. Has the manufacturer demonstrated that all risks have been reduced to an acceptable level in the sense of this guidance paper?
3. Has the manufacturer conducted a risk benefit analysis for all individual residual risks that are not acceptable according to the risk acceptability criteria?
4. Has the manufacturer conducted an overall risk benefit analysis considering all individual risks combined?
5. Has the manufacturer demonstrated that information for safety is effective?
6. Has the manufacturer included information on residual risks, if needed, in the accompanying documents?
 As of a June 25th meeting a final consensus has not been reached, although the new draft discussed above was published.  So manufacturers are trying to make changes to their risk management system to meet the European requirements and to update the risk management file for products on the European market (since the revised regional standard was applied retroactively) to attempt to meet the EU position.  At the same time, it has been reported that the Directives are being revised in Europe, so that the changes being made today may not apply in the future.
Meanwhile in the US, the FDA is making some improvements to the 510(k) process and is considering requiring more risk documentation in product submissions.  This has spilled over into the PMA process as well.  A pilot product is the infusion pump where risk management documents in the form of safety assurance cases is now required as part of product submissions.  It is not likely this detailed process will be required for all products, but it is possible that some Class III devices may see this in the future.  At least in the premarket review process, look for more requests of risk data, if not provided in the original submission.
In summation, we see that there is turmoil in medical device risk management, and manufacturers need to stay abreast of the situation.  They should keep in touch with their particular Notified Body for the latest information on the NBs expectation on risk management.  A manufacturer should also monitor the FDA, especially for expectations in premarket submissions, but also to assure when product development starts the steps are in place for a risk management process that can provide the FDA and the Notified Body with the expected data and documents.  Other sources of information are FDA Warning Letters and FDA-483 reports which provide information on FDA’s compliance activities regarding risk management as well as other valuable compliance information.
Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971: 2012, Notified Bodies Recommendation Group, June 25, 2014
Factors to consider when making Benefit-Risk Determinations in Medical Device Premarket Approval and DeNovo Classification, FDA Guidance issued March 28, 2012
EN ISO 14971:2012, Medical devices-Application of risk management to medical devices, European Committee for Standardization, Brussels, 2012
ISO 14971:2007, Medical devices-Application of risk management to medical devices, International Organization for Standardization, Geneva, 2007
EN 1441-Risk Analysis, European Committee for Standardization, Brussels, 1994 (Withdrawn and no longer available)
During his career in medical devices, Edwin Bills has held a number of quality and regulatory affairs positions in over 30 years experience in the field of quality and regulatory affairs.  Currently he consults and provides training in the area of medical device quality, regulatory and risk management.
ASQ has awarded Mr. Bills with Fellow status as well as Certified Quality Engineer, Certified Quality Auditor, Certified Manager of Quality and Organizational Excellence, and he is a Regulatory Affairs Certified by the Regulatory Affairs Professionals Society.
Mr. Bills has also served in international standards work, participating in the development of ISO 14971 risk management standard.
He may be reached at PO Box 76191,Highland Heights, KY 41076 or by phone at
(843) 810-2157.   Email him at