Over the last couple of months, the ISO Technical Committee 210 (ISO/TC 210) and the Subcommittee 62A of the International Electrotechnical Commission (IEC/SC 62A) combined their forces for updating the globally recognised standard for medical devices’ risk management, ISO 14971. In ISO 14971:2019 – Medical devices – Application of risk management to medical devices, no groundbreaking changes were made on the risk management process. The different stages of the risk management process, and how they interact, remain unchanged. Nonetheless, there are still some remarkable changes, listed further below, in comparison to the previous version. Given the increased attention on benefit-risk by legislators worldwide – including the EU Commission and the US FDA, it is welcoming to see that the ISO 14971:2019 further elaborates on benefit-risk when evaluating the amount of risk involved with devices. How the standard addresses this increased focus on benefit-risk, is described below.
Defining risk management worldwide
The new version of ISO 14971 remains a voluntary standard, but is nonetheless an invaluable tool for the appropriate management of risks involved with a medical device. The 2007-version is explicitly mentioned in ISO 13485:2016 – Medical devices – Quality management systems – Requirements for regulatory purposes as the go-to document for guidance on how to apply risk management principles during device realisation. Taking into account the ongoing discussions on the potential convergence of the US Quality system regulation (21CFR820) to the widespread ISO 13485, and the upcoming Medical device regulation (EU) 2017/745 (MDR) requiring manufacturers to have an active quality management system, it is likely that this updated version will ensure that ISO 14971 remains the global standard for product risk management in the medical device industry.
Changes compared to the previous edition
The update of ISO 14971 is a technical revision of the previous 2007-version of this standard. The most noteworthy changes, mentioned by the authors of JWG1 in the foreword of ISO/FDIS 14971:2019, are as follows:
Introduction of three new definitions (benefit, reasonably foreseeable misuse & state of the art)
Increased attention to benefit-risk analysis, aligning the concept with terminology used in certain regulations, such as the MDR.
Additional emphasis on the scope of the ISO 14971-risk management process, i.e. all risks associated with a medical device, ranging from risks related to electricity, usability, data security etc.
The risk management plan has to define the methods and criteria to evaluate acceptability of the overall residual risk.
The requirements to disclose certain residual risks are merged into one requirement, as part of the “Evaluation of overall residual risk”.
More emphasis on the importance of planning of risk management activities, by stating explicitly that during risk management review the proper execution of the risk management plan has to be verified.
The requirements with regards to production and post-production activities as part of risk management have been elaborated and restructured.
The number of annexes to the standard have been decreased and the information moved to ISO/TR 24971, in order to maintain the focus on the normative requirements.
If you compare the main changes in the 2019-version to its predecessor, the general process for risk management of medical devices itself is not drastically changed across versions. It is still required to identify all relevant hazards and their hazardous situation, estimate the level of risk involved, and to control these risks, in order to create a device fit for its purpose.
Some changes increase readability of the standard, by restructuring some parts, or are meant to prepare the risk management process for the future, for example by the explicit inclusion of data collection and management as potential source of risk, or the focus on electricity-related hazards. Based upon these main changes, it is clear that one of the authors’ main intents was to address the worldwide regulatory interest in benefit-risk as the deciding factor for the evaluation of the safety and the performance of a medical device.
Benefit-risk: New definitions and risk-benefit reshuffle
The three definitions added in the 2019-update, as well as the alignment of the concept with the newest regulations, can be viewed as an answer provided by the authors to the globally increased regulatory focus on benefit-risk.
Whereas risk-benefit analysis was already required by the previous version of the standard, the new version switches risk and benefit around, with emphasis on “benefit”, as first word of the concept – assuming that the benefit should outweigh the risk; The 2007-edition required manufacturers to take the benefits into consideration, without elaborating on what to consider as a ‘benefit’ of a medical device. According to the given definition, benefit can be considered to be any positive impact, or expected outcome of the use of the medical device. This impact is not necessarily limited to a patient’s quality of life or the device’s clinical outcome, but can also be related to public health, or even considered as an improvement to patient management.
When calculating the benefit-risk-ratio of a medical device, and evaluating a device’s acceptability, manufacturers shall take account of the current, generally acknowledged ‘state-of-the-art’, a concept for which the 2019-version tries to offer a clear definition. This concept can aid manufacturers in assessing the added value of their devices, and whether it has its place on the market.
It is also worth noting that the definition of ‘reasonably foreseeable misuse’, now explicitly extends the scope of misuse beyond the to be expected use errors - even though this was already the expectation for quite some years-having an impact on a device’s benefit-risk-profile as well.
New requirements for the risk management plan
The new ISO 14971 requires manufacturers to address the methods and criteria that will be applied for the evaluation of the overall residual risk of a medical device in their device-specific risk management plans. When there is still an unacceptable residual risk after all risk control measures have been exhausted, performing a benefit-risk analysis, taking into account similar medical devices and the generally acknowledged state of the art, can result in the overall residual risk being deemed acceptable. It is not unlikely that certain devices will always involve a certain degree of risk. Despite the frequency and severity of certain hazards, the risk they impose can still be acceptable compared to the benefits they deliver. Requiring manufacturers to detail in their risk management plans, written prior to all other risk management activities, how they will exactly evaluate the remaining overall risk of their devices, obliges them to think in advance about which potential risks could be unacceptable, especially if compared to the benefit these medical devices have to offer.
In the risk management report, the document concluding the performed risk management activities, the risk management plan has to be reviewed as well. In the new ISO 14971, the risk management report now has to address the review on whether the risk management activities have been performed as instructed by the risk management plan.
The updated ISO 14971 – Medical devices – Application of risk management to medical devices does not cause a major shift in the perception of risk within the medical device industry. The current risk management process (risk analysis, risk evaluation, risk control & evaluation of residual risk) is not drastically revamped, as the authors confirmed the risk management process as defined in the previous version. However, the level of attention given to the concept of benefit, and how it compares to risk, is new in this version. Whereas the concept was already present in the previous versions of the ISO-standard, the new version is now fully embracing this concept. By doing this, the ISO 14971:2019 – Medical devices – application of risk management to medical devices clearly addresses the global requirements for risk management.
If you have any questions about the update, our experts will be happy to help you. Just send us a message and we will be in touch shortly.