ISO 14971:2019 defines the international requirements of risk management systems for medical devices. How does it dovetail with ISO 13485 to identify potential hazards and mitigate risk to patients throughout the product lifecycle?
Before ISO 14971, there was no universally accepted method for risk management in the medical device industry. ISO 14971 introduced a standardised process that could be consistently applied across the industry and the world, ensuring that doctors and patients could have confidence in the shared safety standards of all the devices they procure.
It also formalised a shared risk management vocabulary to help medical device developers understand and implement consistent risk control measures in their design and manufacturing processes. A short glossary of key terms in medical device risk management appears at the end of this article.
ISO 14971 provides a structured methodology for managing risk throughout the lifecycle of medical devices, from design and development through to production and post-production.
The standard (and its accompanying guidance, ISO TR 24971:2019) outlines the critical steps for identifying potential hazards, estimating and evaluating the associated risks, implementing effective control measures, and continuously monitoring their effectiveness.
Compared to previous iterations, the latest version, ISO 14971:2019, introduced new requirements such as:
The complexity of medical devices is rapidly increasing, driven by advances in technology, the rise of Software as a Medical Device (SaMD), and the integration of artificial intelligence (AI). These developments have introduced new potential hazards, such as software bugs, algorithmic errors, data security vulnerabilities, and unintended consequences of AI decisions.
Given these evolving risks, it is crucial to systematically assess and manage risks from the early stages of development through the entire product lifecycle.
It’s also worth noting that while AI can introduce risk, it also offers opportunities for enhanced risk identification and assessment. AI can assist in modelling scenarios of foreseeable misuse and in suggesting risk mitigations more exhaustively than manual review alone.
ISO 14971 provides a formal six-step process for identifying, assessing, controlling, and continually reviewing risk, helping you create a dynamic risk management strategy that can address emerging hazards throughout the product’s lifecycle.
The first step in the ISO 14971 risk management process is to develop a comprehensive risk management plan. This plan acts as a blueprint for the entire risk management process and includes several key components:
Risk assessment is a critical step in the risk management process and involves the following sub-steps:
Once the risks have been assessed, the next step is to implement risk control measures to mitigate any unacceptable risks. This step involves:
After risk control measures have been implemented, it is essential to evaluate any residual risks:
Evaluating residual risk is important because it helps an organisation understand and document the nature of the risks a device still poses and whether they are acceptable. Under the EU MDR (Medical Device Regulation), manufacturers must demonstrate that the benefits of the device outweigh any residual risks. This analysis must be documented and form part of the technical documentation.
Regular review of the risk management process is crucial to ensure its ongoing effectiveness and your compliance with regulation:
Risk management does not end with the design and development of the medical device; it continues throughout the product’s lifecycle:
Both ISO 14971 and ISO 13485 are integral to ensuring the safety, quality, and effectiveness of medical devices. While ISO 14971 focuses on risk management, ISO 13485 encompasses the broader quality management system (QMS) and creates the mechanisms for controlling risk across the organisation. The integration of these standards ensures that risk becomes a central focus of medical device development and lifecycle management.
ISO 13485 explicitly requires the implementation of risk management processes as an integral part of the QMS. Clause 7.1 of ISO 13485 states that the organisation must establish a risk management process that meets the requirements of ISO 14971. This ensures that risk management is a foundational element of the QMS, driving the consistent application of risk management practices across all stages of the product lifecycle.
ISO 13485 mandates that organisations document their risk management activities. This includes having documented procedures for risk management throughout the product lifecycle, as defined in ISO 14971. Documentation must cover risk analysis, risk evaluation, risk control, and the results of these activities. This ensures transparency, traceability, and accountability in the risk management process.
Clause 7.3 of ISO 13485 focuses on design and development. It requires that risk management activities be carried out during these phases and that the outputs of these activities be documented as part of the design and development records. This aligns with the steps in ISO 14971, which necessitate identifying and mitigating risks during product development. By integrating risk management into the design and development phases, organisations can proactively address potential issues before they become critical problems.
ISO 13485 emphasises the importance of post-production feedback and its role in the risk management process. Clause 8.2.1 requires organisations to collect and analyse data from post-production activities and feed this information back into the risk management process. This is consistent with ISO 14971, which requires continuous monitoring of risks and the effectiveness of control measures even after the product is released to the market. Post-production feedback is crucial for identifying new risks and ensuring that existing control measures remain effective over time.
ISO 13485 requires the maintenance of a risk management file as per ISO 14971. This file must include all records and documents generated through the risk management process, ensuring traceability from hazard identification to risk control measures and their verification. The risk management file serves as comprehensive documentation of the risk management activities, providing evidence of compliance with both ISO 13485 and ISO 14971.
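As an added example (not code from the original article or from any eQMS product), the following Python models one traceable entry of a risk management file following the six-step process described above: risk estimated as probability of occurrence of harm times severity, evaluated against acceptability criteria, controlled by recorded measures with their verification status, and checked for residual risk that still needs a documented benefit-risk analysis. The 5x5 scoring bands, the infusion-pump hazards and the BRA-01 reference are all constructed for illustration; ISO 14971 leaves the actual criteria to the manufacturer's risk management plan.

```python
from dataclasses import dataclass, field
# Constructed 5x5 scoring and acceptability bands; ISO 14971 leaves the criteria to the manufacturer.
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}

def evaluate(probability, severity):
    # Risk = probability of occurrence of harm x severity of that harm, placed in an acceptability band.
    score = PROBABILITY[probability] * SEVERITY[severity]
    return score, ("acceptable" if score <= 4 else "benefit-risk" if score <= 12 else "unacceptable")

@dataclass
class Control:
    measure: str
    verified: bool          # implementation and effectiveness verified and recorded in the file
    residual: tuple         # (probability, severity) estimated after this measure
@dataclass
class RiskItem:             # one traceable chain: hazard -> hazardous situation -> harm
    hazard: str
    hazardous_situation: str
    harm: str
    initial: tuple          # (probability, severity) estimated before any control
    controls: list = field(default_factory=list)
    benefit_risk_justification: str = ""

def residual_risk(item):
    # Estimate after the last control measure, or the initial estimate if there is none.
    return evaluate(*(item.controls[-1].residual if item.controls else item.initial))

def review_risk_file(items):
    # Findings a reviewer would raise; an empty list means every chain is controlled, verified and justified.
    findings = []
    for item in items:
        if evaluate(*item.initial)[1] != "acceptable" and not item.controls:
            findings.append(f"{item.hazard}: no risk control measure recorded")
        findings += [f"{item.hazard}: control '{c.measure}' not verified" for c in item.controls if not c.verified]
        band = residual_risk(item)[1]
        if band == "unacceptable":
            findings.append(f"{item.hazard}: residual risk unacceptable")
        elif band == "benefit-risk" and not item.benefit_risk_justification:
            findings.append(f"{item.hazard}: residual risk needs a documented benefit-risk analysis")
    return findings

# Constructed sample register for a hypothetical infusion pump, not a real device's risk management file.
SAMPLE_REGISTER = [
    RiskItem("unauthenticated configuration interface", "therapy settings altered by an unauthorised party",
             "over-delivery of medication", ("occasional", "catastrophic"), benefit_risk_justification="BRA-01 (constructed)",
             controls=[Control("mutual authentication on the configuration channel", True, ("remote", "critical"))]),
    RiskItem("software defect in dose calculation", "incorrect dose computed", "over-delivery of medication",
             ("occasional", "catastrophic"), [Control("independent dose limit check", False, ("improbable", "critical"))]),
]
```

Running `review_risk_file(SAMPLE_REGISTER)` returns a single finding, the unverified dose limit check, which is exactly the gap an auditor would raise when tracing from hazard to control to verification.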
Implementing the risk management requirements of ISO 14971 manually can be a time-consuming and error-prone process.
Without digital tools to integrate and automate your risk management strategy through an ISO 13485-compliant quality management system, you can end up with a siloed approach that ticks a few compliance boxes but does nothing to materially control your risk.
The right eQMS system will help you digitally integrate risk management with every part of your development, production, and post-production process in line with the standards and regulation.
The right QMS software provides a centralised platform for managing all risk-related documentation, ensuring that all necessary records, such as risk assessments, plans and matrices, are easily accessible and consistently updated.
Automated workflows should link each element of your risk management process together, notifying and reminding stakeholders to review risk management activities regularly and triggering fresh risk assessments when plans, processes and designs change.
The system should also automate the collection and analysis of post-production information, feeding this data back into the risk management process to ensure continuous improvement after the product has launched.
One of the key requirements of ISO 14971 and ISO 13485 is the documentation and traceability of risk management activities. eQMS software ensures traceability by helping you gather and curate necessary information about decision making, maintaining a clear audit trail for all risk management activities.
The right eQMS software facilitates real-time collaboration among team members, breaking down the information silos that can emerge within organisations and ensuring that all stakeholders are aligned and that risk management activities are conducted efficiently and effectively at the right time.
The right platform should make risk management a collaborative, visible and trackable process across your organisation.
Advanced eQMS software often includes data analytics capabilities that provide insights into the effectiveness of risk management activities. By analysing data collected from various sources, the software can identify trends and potential areas for improvement. These insights enable organisations to make data-driven decisions, enhancing the overall quality and safety of their medical devices.
The integration of ISO 14971 and ISO 13485, supported by robust document control and eQMS software, provides a comprehensive approach to managing the quality and safety of medical devices. By digitising and automating risk management processes, organisations can improve efficiency, ensure compliance, and enhance patient safety. This holistic approach not only meets regulatory requirements but also supports the continuous improvement of medical device quality and safety throughout the product lifecycle.
Benefit: Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.
Foreseeable Misuse: The use of a product, process, or service in a way not intended by the manufacturer.
Harm: Physical injury or damage to the health of people or damage to property or the environment, compromising safety.
Hazard: A potential source of harm that could affect the safety of the medical device.
Hazardous Situation: A set of circumstances in which people, property, or the environment are exposed to one or more hazards, posing a threat to safety.
Intended Use: The use for which a product, process, or service is intended according to the specifications, instructions, and information provided by the manufacturer.
Probability of Occurrence: The likelihood that a specific hazard will occur, which is crucial in assessing the safety of the device.
Risk: The combination of the probability of occurrence of harm and the severity of that harm, impacting the safety of the medical device.
Risk Analysis: The process of identifying hazards and estimating the associated risks.
Risk Control: Measures taken to reduce risks to acceptable levels.
Risk Evaluation: The process of comparing estimated risks against given risk criteria to determine the acceptability of the risk.
Risk Management: A systematic process for identifying, evaluating, controlling, and monitoring risks associated with medical devices.
Risk Management File: A compilation of all documents and records produced during the risk management process.
Risk Management Plan: A documented plan outlining the strategy and actions for risk management throughout the lifecycle of a medical device.
Safety: Freedom from unacceptable risk.
Severity: The measure of the potential impact of a hazard on the health of individuals or on property, directly influencing safety.