Guest Column | December 11, 2019

Analyzing The Changes To Risk Management Standard ISO 14971:2019


By Marcelo Trevino, President, Global Regulatory Affairs and Quality Systems, TregMedical Compliance Services

[Editor's Note: This article has been updated to reflect the Dec. 10, 2019,
publication of ISO 14971:2019]

Historically, risk management has been a complex subject, with different
stakeholders assigning different values on the probability and severity of harm. In
medical devices, its high importance has necessitated ISO 14971 providing a generic
risk-management framework applicable to all medical devices, from design and
development through production and post-production activities.

The third edition of ISO 14971 — in addition to an updated companion report,
ISO/TR 24971 — provides clearer guidance and greater detail in the application of
risk management concepts while aligning with essential safety and performance
principles. European directives and regulations do not provide enough guidance on additional steps to take in the risk management
process, nor on the acceptability of residual risks, so this standard represents the state of the art.

The new European EU MDR and IVDR require manufacturers to implement a quality management system that incorporates risk
management. While Annexes Z have been prepared to harmonize the risk management standard with the European Medical Device and
In Vitro Diagnostic Medical Device directives, as well as the new European regulations, ISO 14971:2019 was published on Dec.
10, 2019, without including these Annexes, for now.

Risk Management Process Steps in ISO 14971:2019

While most of ISO 14971:2019’s risk management concepts are not new, below is a summary of the risk management process as defined in
the standard’s third edition:

Step 1: Risk Management Plan — A risk management plan outlines all risk management activities to be conducted over a medical
device’s life cycle, including criteria for risk acceptability based on regulations, international standards, state of the art, and stakeholder
concerns. Activities to verify implementation and effectiveness of risk control measures, as well as information to be collected during
production and postmarket activities, also must be included in the plan. A risk management report is created after review of the plan
execution.

Step 2: Risk Assessment — The risk assessment step includes risk analysis and risk evaluation.

Risk Analysis: The medical device’s intended use is documented, an essential step to determine the device’s appropriate use. Reasonably
foreseeable misuse errors (including abnormal use) and correct use are considered and documented. Usability engineering is applied to
consider all risks and reduce them by adding controls, as needed.

Additionally, device characteristics that can affect safety are identified. Reasonably foreseeable events that can contribute to hazardous
situations — taking into account intended use, reasonably foreseeable misuse, and safety related characteristics — all are relevant inputs
in this hazard analysis. Finally, the risk of each identified hazardous situation is estimated, taking into account severity of harm and the
probability of its occurrence.

Risk Evaluation: During this phase, risks are assessed using criteria for risk acceptability defined in the risk management plan. If the risk
is deemed acceptable, it becomes the residual risk; otherwise, risk control activities are performed. The evaluation is documented as part
of the risk management file.

Step 3: Risk Control — Risk is reduced to an acceptable level. This can be done by designing the device to be inherently safe, ensuring
that hazardous situations can’t occur. If this is not feasible, then protective measures are implemented in the device design to reduce the
probability of occurrence and the severity of a hazardous situation or harm. When protective measures do not sufficiently reduce risk,
safety information is provided to device users in instructions, warnings, and contraindications. User training can also be incorporated. It
is important to ensure that risk control measures do not incorporate new risks or influence other risks.

Risk mitigation measures are implemented, verified for effectiveness, and documented. Residual risks are then evaluated using risk
acceptability criteria. If the risk is deemed unacceptable, more risk control activities need to be implemented. When risk controls are not
feasible, a benefit-risk analysis can be conducted to determine whether benefits of using the medical device outweigh its residual risk.
Depending on the outcome, the device may need to be modified, or its intended use limited.

Step 4: Evaluation of Overall Residual Risk — The contributions of all individual risks together are analyzed to ensure that several
small risks do not create an unexpected big risk. The method and criteria for acceptability of overall residual risk are documented in the risk
management plan to ensure an objective evaluation takes place.

It is important to note that the criteria for acceptability of overall residual risk can differ from the criteria of acceptability of individual risk
based on the organization’s procedure to determine acceptable risk. Residual risks inherent in a device’s use after all risk control measures
have been implemented must be disclosed to users, allowing them to make an informed decision whether to use the device or find
alternatives, considering the patient’s condition.

Step 5: Risk Management Review — This step comprises conducting a review of the risk management plan to ensure it was properly
executed and documenting that the residual risk is acceptable. This review is documented in the risk management report, providing
evidence that the plan was effectively executed, the objectives were achieved, and that methods to collect production and post-production
information are established.

Step 6: Production and Post-Production activities — This step includes four phases, each with detailed activities to be
implemented:

1. Establish a system to collect and review information from production and postmarket activities.
2. Collect relevant information for the medical device (i.e., information from users, distributors, publicly available information,
literature, etc.).
3. Review the information gathered in phase 2 to determine its relevance to device safety. Any previously unidentified hazards or
hazardous situations, new risks, or significant changes affecting the risk need to be assessed to determine if a new benefit-risk
assessment is warranted.
4. Implement actions by reviewing the risk management file to determine whether new risks need to be assessed or previous risks
require reassessment. This phase also includes determining whether actions are necessary for devices already on the market and
assessing the impact of previous risk management activities. Additional risk control measures may need to be implemented.

Summary of Changes from ISO 14971:2019

These are the new definitions in ISO 14971:2019:

Benefit: “Positive impact or desirable outcome of the use of a medical device in the health of an individual, or a positive impact on
patient management or public health.”

“Benefits can include positive impact on clinical outcome, the patient’s quality of life, outcomes related to diagnosis, positive impact from
diagnostic devices on clinical outcomes, or positive impact on public health.”

It is important to note that the risk-benefit analysis requirements are not expected to change.

Reasonably foreseeable misuse: “Use of a product or system in a way not intended by the manufacturer, but which can result from
readily predictable human behavior.”

“Readily predictable human behaviour includes the behaviour of all types of users, e.g. lay and professional users.”

“Reasonably foreseeable misuse can be intentional or unintentional.”

State of the art: “Developed state of technical capability at a given time as regards products, processes and services, based on the
relevant consolidated findings of science, technology and experience.”

“The state of the art embodies what is currently and generally accepted as good practice in technology and medicine. The state of the
art does not necessarily imply the most technologically advanced solution. The state of the art described here is sometimes referred to as
the ‘generally acknowledged state of the art’.”

Other definitions from ISO 14971:2007 — such as those for “harm,” “manufacturer,” “user error,” and “in vitro diagnostic medical device”
— were updated with minor wording changes.

Comparing ISO 14971:2019 with ISO 14971:2007 / EN ISO 14971:2012


Underlined sections above constitute title changes new to the third edition. The main
body of the standard includes 10 clauses instead of nine, as well as three informative
Annexes — Annex A: Rationale for requirements, Annex B: Risk Management
Process for Medical Devices, and Annex C: Fundamental Risk Concepts.

A summary of the most relevant changes incorporated to the standard can be found below:

Section 4.4 e), Risk Management Plan — An addition stating that a method to evaluate the overall risk and the criteria for
acceptability of the overall risk shall be included.

Section 5.2 — clarifies the requirement to document reasonably foreseeable misuse.

Section 5.4 — adds a requirement for hazardous situations to be considered and documented. A reference to Annex C is included.

Section 5.5 (Risk Estimation), Section 6 (Risk Evaluation), Section 7.1 (Risk control option analysis), Section 7.2 (Implementation
of risk control measures), Section 7.3 (residual risk evaluation), Section 7.4 (benefit-risk analysis), and Section 10.1 (information
collection) — include clarification and updates to their notes.

Section 8 (Evaluation of overall residual risk) — addition of disclosure of residual risk statement.

Section 9 (Risk Management Review) — addition stating that manufacturers shall determine when subsequent reviews of the risk
management plan's execution need to be performed and when the risk management report needs to be updated.

Section 10.2 (Information Review) — clarifies the requirement to review for possible relevance to safety and includes changes in
general state of the art.

Section 10.3 (Actions) — separates the actions into particular medical devices and risk processes. Adds consideration of devices
already on the market.

Annex B — provides a detailed correspondence between ISO 14971:2007 and ISO 14971:2019, including a graphic reflecting the
amendments in 2019.

Annex C — Includes a graphic that describes the relationship of hazard, sequence of events, hazardous situation, and harm that was
previously in Annex E.1. Also includes examples of: hazards, events and circumstances, the relationship between hazards, foreseeable
sequences of events, hazardous situations, and harm that can occur.

Conclusion

ISO 14971:2019 provides a thorough process for manufacturers to identify medical device hazards, assess risks, control risks, and monitor
the effectiveness of risk controls throughout the life of a device. This new edition, consisting of 10 clauses and three annexes (informative),
is aligned with the general safety and performance requirements within the new EU MDR and EU IVDR; it is expected to become a
European harmonized standard and therefore represents the state of the art.

While the existing changes are aimed at clarifying concepts and no changes have been made to the overall process to conduct risk
management, manufacturers still need to consider device-specific standards. These can be used — in addition to ISO 14971 — to control
specific risks associated with some unique device categories to demonstrate how risks can be reduced to acceptable levels.

It is anticipated that some organizations will have to spend some time updating references to the previous standard in existing quality
system documentation. ISO 14971:2019 cancels and replaces ISO 14971:2007. However, a transitional period of three years following
official publication is a common practice to allow stakeholders to successfully transition to the new edition.

About The Author

Marcelo Trevino is the President, Global Regulatory Affairs and Quality Systems, at TregMedical Compliance Services, a life sciences
consulting firm focused exclusively on regulatory, quality, and compliance solutions for medical device companies.

Marcelo has 23+ years’ experience in quality and regulatory affairs, serving in multiple senior leadership roles with different organizations
while managing a variety of medical devices: surgical heart valves, patient monitoring devices, insulin pump therapies, surgical
instruments, orthopedics, medical imaging/surgical navigation, among others. He has an extensive knowledge of medical device
management systems and medical device regulations worldwide (ISO 13485:2016, ISO 14971:2019, EU MDD/MDR, MDSAP). Mr. Trevino
holds a B.S. degree in Industrial and Systems Engineering and an MBA in Supply Chain Management from the W.P. Carey School of
Business at Arizona State University. He is also a certified Quality Management Systems Lead Auditor by Exemplar Global.

He has experience working on Lean Six Sigma Projects and many Quality/Regulatory Affairs initiatives in the US and around the world
including Third Party Auditing through Notified Bodies, Supplier Audits, Risk Management, Process Validation and remediation
activities.

Additionally, he is a Certified Six Sigma Black Belt and Biomedical Auditor through the American Society for Quality (ASQ) and holds
Certificates in Environmental & Sustainability Management Regulatory Affairs Management from University of California, Irvine.

He regularly publishes articles to assist corporations in their quest for exceptional quality and regulatory compliance.
