The definitive medical device risk management standard – ISO 14971: 2019 – Medical Devices – Application of Risk Management and the accompanying guidance on its application – ISO TR 24971: 2019 were revised in December 2019. These revisions provide device manufacturers with more clarity on critical aspects of hazard identification, risk concepts and techniques, the importance of the risk management plan, as well as end-to-end traceability to ensure risk is effectively managed across all stages of the product life-cycle.
While the foundation and structure of the medical device risk management process has remained unchanged from previous versions, the 2019 revision contains specific information on aspects such as:
Clause 5.4 of ISO 14971: 2019 has been rewritten to stress the requirement for consideration of risks during normal operation, rather than use of tools that only address fault conditions, such as Failure Modes & Effects Analysis (FMEA). Under ISO 14971 risk has only two components – probability (occurrence) and severity (consequence), with no consideration for detectability as used in FMEA. The reasoning is that detectability would only influence the probability of an event occurring and can be offset by suitable adjustment of the occurrence scale. Since ISO 14971 provides a framework for risk management of medical devices aimed at reducing risk of harm to users, unless the end-user can detect the specific risk and react effectively in real time, detectability serves no useful purpose as a risk control measure. When applied in process FMEAs for instance, detection (of failures that may pose hazards, rather than harms) has been historically used as a significant measure in reducing the probability of the harm actually occurring, assuming the detected condition can be effectively acted upon, such as during production processes.
It is worth mentioning that ISO 14971 defines risk as the combination of the probability of occurrence of harm and the severity of that harm, whereas FMEA is about the probability of occurrence of a failure and severity of the consequences of the failure. As the common terms probability and severity represent very different entities with low correlation in these scenarios, care is required when applying these terms to FMEA and to risk management.
Management of medical device risk occurs in three-steps:
Starting the risk management process from the preliminary identification of hazards associated with the particular design and characteristics of the device, then estimating risk for the hazardous situations resulting from a sequence of events would provide the risks prior to any risk control measures.
In the next step, the identified hazardous situations are considered for applying appropriate medical device risk control measures one at a time and estimating risks for potential harm to users. Accordingly, two probabilities come into play: 1) the probability of the hazard resulting in a hazardous situation, and 2) the probability of the hazardous situation resulting in harm. The probability of occurrence of harm is the product of these two probabilities. Incidentally, use of the terms ‘pre-mitigation’ and ‘post-mitigation’ risks to characterize these two phases is considered inappropriate, as mitigation applies to acceptance of residual risks, rather than reduction of risk accomplished through risk control measures.
Two medical device risk analysis solutions particularly useful in the identification of hazards, hazardous situations, risk control measures and harm are the Preliminary Hazard Analysis and Fault Tree Analysis. Use of these top-down analysis tools should lay the foundation for risk analysis and serve as precursors for subsequent assessment of risks under fault conditions and failure modes. A combination of the analyses using the top-down and bottom-up (e.g. FMEA) tools would provide manufacturers a robust assessment of risks; on its own FMEA is not risk management as represented by ISO 14971.
To accommodate the addition of new or revised standards under the ‘generally acknowledged state of the art’ and align with ISO 13485: 2016 requirements, Clause 10 of both the ISO 14971: 2019 Standard and the Guidance have been substantially revised, to include monitoring of production and post-production information. The requirements for information collection, review and determination of information relevant to safety, both for the particular device and for the risk management process, largely align with post-market surveillance activities, including post-market clinical follow-up (PMCF) sought by regulatory bodies.
ISO TR 24971: 2019 provides guidance on benefit-risk analysis, by helping in estimation of anticipated benefits, based on positive impact on clinical outcomes and related factors, and then providing criteria for comparing benefit and risk, to determine if the overall residual risk is outweighed by the benefits.
Due to the complexity of medical devices, approaches to the life-cycle, and the iterative nature of risk management, end-to-end traceability is fundamental in ensuring all steps of the risk management process have been applied, and identified hazards have the appropriate risk controls in place. This level of traceability, linking individual hazards to the corresponding requirement and testing can pose as a challenge for device manufacturers; while any of several techniques may be adopted by device manufacturers, one example of how risk management activities can be summarized in a traceable manner is available in Annex C of GHTF/SG2/N15R8 – Implementation of risk management principles and activities within a Quality Management System.
Homi Dalal is a Regulatory Affairs professional with 20 years of experience with reputed multinational organizations, engaged in global medical device regulatory submissions, product life-cycle compliance and post-market activities. Homi is well-versed in medical devices regulations for global markets – United States FDA, European Union CE Mark, Australian TGA, New Zealand MedSafe, and IMDRF/ GHTF recommendations.
As a consultant for Brandwood CKC, Homi provides clients with assistance in achieving regulatory approval for their products in various jurisdictions worldwide. Homi has particular expertise in Risk Management across product life-cycle – ISO 14971, AS/ NZS 31000 as well as in depth knowledge of risk assessment methodologies and tools.
Enjoying this blog? Learn More.
ISO 14971 Medical Device Risk ManagementDownload Now