Application of Risk Management to Medical Devices Following ISO 14971:2019 Version
It is imperative to understand the application of risk management to medical devices. Technically, it involves identifying, assessing, and prioritizing risks. Put simply, risk management helps us reduce risk.
Before ISO 14971 was introduced, there were no standards for device manufacturers to use. ISO 14971 gave manufacturers a set of principles they could apply to their medical devices to ensure safety.
The product safety standard couldn’t address all the possible risks in medical devices, hence the decision by the Standard Development Committee (SDC) to create ISO 14971, the first version of which was published in 2000. In 2007, another version was released.
The Evolution of the ISO 14971 Version
The European Union introduced a harmonized version that combined the two previous versions with new changes for European device manufacturers. The harmonized European version covered the three directives related to medical devices, namely:
- Active Implantable Medical Device Directive.
- Medical Devices Directive
- In-vitro Diagnostic Medical Device Directive.
As a result, any manufacturer that wants to sell their medical devices in Europe must comply with the EU 2012 harmonized standard. Meanwhile, the rest of the world can use the 2007 ISO 14971 and the 2009 ISO 14971 standards for medical device risk management.
The Importance of ISO 14971 2019 Version
There are a lot of changes that came with the 2007 ISO 14971 version. Similarly, the introduction of ISO 14971 2019 version came with several changes that differ from the 2007 version. Most of the changes between the 2007 and 2019 ISO versions are in the clauses.
ISO 14971:2007 had 9 clauses, namely:
- The Scope
- Terms and definition
- General Requirement for Risk Management
- Risk Analysis
- Risk Evaluation
- Risk Control
- Evaluation of Overall Residual Risk Acceptability
- Risk Management Report
- Production and Post Production Information.
The Difference between ISO 14971:2019 and ISO 14971:2007
We’ll look at the changes adopted in ISO 14971:2019, but first we need to list the clauses. The current 2019 version, unlike the 2007 version, has 10 clauses, namely:
- Scope
- Normative Reference
- Terms and definition
- General Requirement for Risk Management
- Risk Analysis
- Risk Evaluation
- Risk Control
- Evaluation of Overall Residual Risk
- Risk Management Review
- Production and Post Production activities.
Note the introduction of a new clause (Normative Reference) to the latest edition in the second step. Also, there are changes in the arrangement of the steps between steps 3 and 10.
Likewise, some keywords changed in the latest version. For example, the Evaluation of Overall Residual Risk Acceptability was changed to the Evaluation of Overall Residual Risk. The Risk Management Report is now Risk Management Review. Lastly, Production and Post Production Information became Production and Post Production Activities.
These changes might seem insignificant, but most companies have had to revise their documents to accommodate the changes.
There are other standards, e.g. IEC 62304, IEC 62366-1, and IEC 60601-1, to mention but a few. The major difference between ISO 14971 and the other standards is their approach to risk management. ISO 14971 provides the fundamental procedures to manage all risks, while the other standards attend only to specific risks. The combination of all these standards forms the basis of risk management for all medical devices.
The Clauses of ISO 14971:2019
Clause 3: Terms and Definitions.
These terms include;
- Hazard: This refers to the possible source of harm. Identification of all possible hazards is important for your product, be it chemical, mechanical, or any other form.
- Harm: According to Section 3.3 of ISO 14971: 2019, harm refers to injury or damage to the health of people or damage to property or environment.
- Hazardous situation: situations in which people, property, or environment are exposed to hazards of any form.
- Benefit: Good impact of the use of medical devices on the health of individuals, or a positive impact on patient management or public health.
- State of the Art: According to Section 3.28 of ISO 14971:2019, it refers to the developed stage of technical capability at a given time as regards products, processes, and services, based on the relevant consolidated findings of science, technology, and experience.
- Reasonably Foreseeable Misuse: Section 3.15 of ISO 14971:2019 defines it as the use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior.
- Risk: Risk is basically the probability of harm occurring, and the severity of that harm. It is the possibility, whether high or low, of any of the aforementioned hazards causing harm to individuals. Once the hazard has been identified, it is then easy to go on with managing the risk.
Clause 4: General Requirement for Risk Management.
The sub-clauses include:
- Risk Management Process – It involves the overall processes which producers establish, implement, and maintain throughout the lifespan of a medical device.
- Management Responsibilities – Management demonstrates its commitment to the risk management process by providing adequate resources and qualified persons to carry out the job.
- Risk Management Plan– It is a document that helps identify risk management activities and helps plan ahead throughout the production cycle. It is a dynamic document and can be updated at will.
- Risk Management File – Location where manufacturers can find all records and documents relating to risk management. A manufacturer is required to establish and maintain a risk management file which contains evidence of the following;
  - Risk management plan intended
  - Foreseeable misuse
  - Risk analysis
  - Risk evaluation
  - Risk control and more.
Clause 5: Risk Analysis.
Risk Analysis is the use of available information to identify hazards and to estimate the risk – Section 3.19 ISO 14971: 2019. It involves the identification of hazards and hazardous situations, identification of characteristics that are related to safety, and risk estimation.
Clause 6: Risk Evaluation.
After risk estimation comes risk evaluation. It involves clearly identifying what amount of risk is acceptable. A common way of doing this is with a Risk Evaluation Matrix, whose working principle is exactly that: separating the risks that are acceptable from those that are not.
It is a chart of the occurrence of risk against the severity. The unacceptable parts are made red, the acceptable ones are marked green, and yellow stands for the middle region where further consideration is probably needed.
Clause 7: Risk Controls.
Section 7.0 of ISO 14971 provides that manufacturers shall determine risk controls that are appropriate for the reduction of risk to the acceptable level. Simply put, it refers to the steps you take once you’ve identified unacceptable risks.
There are several options for risk control. They include:
- Inherently safe design and product
- Protective measures in medical devices
- Information for safety and training where appropriate.
- Residual Risk Evaluation: Once risk control measures have been implemented, the next step is to evaluate any residual risk, using the criteria in the risk management plan as a guide.
- Risk-Benefit Analysis: In such cases where the evaluated residual risk is not deemed acceptable by the manufacturer, the intended medical use of the device is compared to the residual risk. If the intended use does not outweigh the residual risk, it means the risk is unacceptable. The manufacturer is expected to modify the medical device or its intended use. The device is however good to go if the intended medical benefits outweigh the residual risk.
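The flow described in Clauses 6 and 7 (evaluate on the matrix, apply controls, re-evaluate the residual risk, then fall back to a risk-benefit decision) can be sketched in a few lines. This is an added example, not part of the standard or of the original article: the 1 to 5 scales, the colour thresholds, the `Control` and `Risk` types and the sample hazards are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed 1-5 scales and zone thresholds (illustrative only): the manufacturer
# defines its own acceptability criteria in the risk management plan.
GREEN, YELLOW, RED = "acceptable", "further consideration", "unacceptable"

def zone(severity: int, occurrence: int) -> str:
    """Colour zone for one cell of the occurrence-versus-severity chart."""
    if not (1 <= severity <= 5 and 1 <= occurrence <= 5):
        raise ValueError("severity and occurrence must be in 1..5")
    score = severity * occurrence
    if score >= 12:
        return RED
    return YELLOW if score >= 5 else GREEN

@dataclass
class Control:
    name: str
    severity_drop: int = 0
    occurrence_drop: int = 0

@dataclass
class Risk:
    hazard: str
    severity: int
    occurrence: int
    controls: list = field(default_factory=list)
    benefit_outweighs_residual: bool = False  # result of the benefit-risk analysis

def disposition(risk: Risk) -> dict:
    """Evaluate the risk, apply controls, re-evaluate the residual, then decide."""
    initial = zone(risk.severity, risk.occurrence)
    sev = max(1, risk.severity - sum(c.severity_drop for c in risk.controls))
    occ = max(1, risk.occurrence - sum(c.occurrence_drop for c in risk.controls))
    residual = zone(sev, occ)
    if residual == GREEN:
        decision = "accept"
    elif risk.benefit_outweighs_residual:
        decision = "accept with benefit-risk justification"
    else:
        decision = "modify device or intended use"
    return {"initial": initial, "residual": residual, "decision": decision}

# Constructed sample hazards, not taken from any real risk management file.
SAMPLE_RISKS = [
    Risk("over-infusion after software fault", 5, 3, [Control("hardware flow limiter", occurrence_drop=2)], True),
    Risk("skin irritation from adhesive", 2, 4, [Control("hypoallergenic material", occurrence_drop=3)]),
    Risk("electric shock from exposed contact", 5, 4, [Control("warning label", occurrence_drop=1)]),
]
```

Calling `disposition()` on each entry of `SAMPLE_RISKS` shows the three outcomes the text describes: acceptance after controls, acceptance justified by benefit, and a device that must be modified.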
Clause 8: Evaluation of Overall Residual Risk.
Having evaluated individual residual risks for your medical device, there is the need to also make an overall evaluation of the residual risk of your medical device. The occurrence versus severity chart is also used for this. If it happens that the overall residual risk of your medical device is not acceptable, that is, the overall residual risk is higher than the benefits, the medical device is not fit for sale.
Clause 9: Risk Management Review
This is a summary of all risk management activities stating any risk-benefit analysis and explanation of overall residual risk acceptability. It identifies voids between planned management activities and what was achieved. All identified voids should be filled before proceeding to sell your medical device.
Clause 10: Production and post-production information.
There are many ways of going about this, but the best method will be to use post-market surveillance together with an upgraded risk management plan. Once the device is released, a post-market surveillance plan starts. It basically involves monitoring residual risks even after the device is on the market, to ensure the continued validity of the risk evaluation.