Application of risk management to medical devices

Jurisdictions and placing on the market

In the past years regulators all over the world have tried (and still try) their best to make it easier to market products worldwide. Reason why it is difficult to place devices on the market in different jurisdictions is because each jurisdiction has its own rules. These rules are set out in regulatory documents like the MDR for the EU and the CFR for the USA. It was found to be beneficial to align requirements between different jurisdictions to simplify market access in different jurisdictions for such key areas as QMS (MDSAP program) and UDI worldwide traceability of the medical devices (GUDID, EUDAMED).

Besides aligning high level requirements between different jurisdictions, another trend has been clearly seen in the field. All recently revised international standard series that refer to safety and performance of medical devices (like IEC 60601, IEC 61010, IEC 10993) explicitly require application of risk management at all stages of the device’s lifecycle and strongly recommend to use ISO 14971 standard. Following those standards, the risk management requirements do not end with design and manufacturing stages, but also apply for:

• device lifecycle stages referring to device installation and operation by the end user
• maintenance/reparations
• disposal

The revised third edition published in December 2019 reiterates all the demands scattered over various standards to make absolutely clear that the risk management process is a continuous process that ends only once a medical device is completely removed from the market.

Second edition
As seen in the timeline above, the second edition of the risk management standard ISO 14971:2007 was only partially recognized in the EU in 2009. Eventually, the standard was modified to comply with the MDD Directive in 2012 and was finally harmonized to it. In December 2019 the third edition of ISO 14971 was published to address the developments in the medical device sector and stricter requirements from regulatory bodies  such as incoming MDR.

Third edition
In the end of December ISO 14971:2019 was published and came into force. Usually, that means that manufacturers should make transition to the latest edition of the standard within three following years on voluntary basis. However, the regulators might shorten or lengthen that period. The standard was reviewed and its structure got changed compared to the second edition. There was need for more guidance on certain topics, such as: post market surveillance, overall residual risk evaluation, etc. Therefore, the standard was split in two parts:

1. ISO 14971:2019 Medical devices – Application of risk management to medical devices
2. ISO/TR 24971 Medical devices – Guidance on the application of ISO 14971

A more detailed description of risk management process is to be found in the standard itself. The guidance on how the manufacturers are expected to implement the process is given in ISO/TR. Putting the guidance in separate ‘TR’ documents was done to allow more frequent ISO/TR updates, costing less time and money, and assuring that the state of the art is maintained in the standard.

Main changes

The foreword of the third edition lists nine major changes compared to the second edition. The following will have the biggest impact:

1.
The change that has probably the largest impact is addition of the clause 2 Normative reference. Result of this addition is that all the following clauses got a +1 to their number. This requires manufacturers to go through all Risk Management File documents to change clause references to comply with the third edition.

2.
A second change is that the Risk/Benefit analysis is being replaced by Benefit-Risk analysis. This means that benefits should be documented in risk management documentation, which is not expected in such documentation. ISO/TR 24971 provides guidance as to what information is needed.

3.
Another section that is added to the third edition is an explanation of the statement that the requirements are applicable to all stages of the life-cycle of a medical device. It is made clear that all types of hazards and risks associated with biocompatibility, data and system security, usability etc. should be evaluated within a single file. Furthermore, by stating “data and system security risks”, it is made clear that the manufacturers should evaluate cybersecurity risks for their connected medical device. However, it is not clear for the moment whether existing standards will be harmonised to MDR/IVDR or new standards will be developed.

4.
Finally, the clause on production and post-production activities got expanded. This clause (number 10) of the third edition is divided into three sub-clauses: information collection, information review and actions to be taken based on the review of information. Guidance on implementing post-market surveillance that is equally required from MDR/IVDR can be found in ISO/TR 24971. Another guidance will be provided at a later stage, namely ISO/PRF TR 20416 Medical devices – Post-market surveillance for manufacturers.

What is still left unclear: will ISO 14971:2019 be harmonised with MDR?

In preparation to compliance with risk management requirements set out in the MDR and FDA, manufacturers are recommended to use ISO 14971:2019. Are you a manufacturer of medical devices and not sure what the new standard means to your risk management? Don’t hesitate to contact us.