By Marcelo Trevino, President, Global Regulatory Affairs and Quality Systems, TregMedical Compliance Services

[Editor's Note: This article has been updated to reflect the Dec. 10, 2019, publication ofISO 14971:2019]

Historically, risk management has been a complex subject, with different stakeholders assigning different values on the probability and severity of harm. In medical devices, its high importance has necessitated ISO 14971 providing a generic risk-management framework applicable to all medical devices, from design and development through production and post-production activities.

The third edition of ISO 14971 in addition to an updated companion report, ISO/TR 24971 provides clearer guidance and greater detail in the application of risk management concepts while aligning with essential safety and performance principles. European directives and regulations do not provide enough guidance on additional steps to take in the risk management process, nor on the acceptability of residual risks, so this standard represents the state of the art.

The new European EU MDR and IVDR require manufacturers to implement a quality management system that incorporates risk management. While Annexes Z have been prepared to harmonize the risk management standard with the European Medical Device and In Vitro Diagnostic Medical Device directives, as well as the new European regulations, ISO 14971:2019 waspublished on Dec. 10,2019,without including these Annexes, for now.

Risk Management Process Steps in ISO 14971:2019

While most of ISO 14971:2019s risk management concepts are not new, below is a summary of the risk management process as defined in the standards third edition:

Step 1: Risk Management Plan A risk management plan outlines all risk management activities to be conducted over a medical devices life cycle, including criteria for risk acceptability based on regulations, international standards, state of the art, and stakeholder concerns. Activities to verify implementation and effectiveness of risk control measures, as well as information to be collected during production and postmarket activities, also must be included in the plan. A risk management report is created after review of the plan execution.

Step 2: Risk Assessment The risk assessment step includes risk analysis and risk evaluation.

Risk Analysis: The medical devices intended use is documented, an essential step to determine the devices appropriate use. Reasonably foreseeable misuse errors (including abnormal use) and correct use are considered and documented. Usability engineering is applied to consider all risks and reduce them by adding controls, as needed.

Additionally, device characteristics that can affect safety are identified. Reasonably foreseeable events that can contribute to hazardous situations taking into account intended use, reasonably foreseeable misuse, and safety related characteristics all are relevant inputs in this hazard analysis. Finally, the risk of each identified hazardous situation is estimated, taking into account severity of harm and the probability of its occurrence.

Risk Evaluation: During this phase, risks are assessed using criteria for risk acceptability defined in the risk management plan. If the risk is deemed acceptable, it becomes the residual risk; otherwise, risk control activities are performed. The evaluation is documented as part of the risk management file.

Step 3: Risk Control Risk is reduced to an acceptable level. This can be done by designing the device to be inherently safe, ensuring that hazardous situations cant occur. If this is not feasible, then protective measures are implemented in the device design to reduce the probability of occurrence and the severity of a hazardous situation or harm. When protective measures do not sufficiently reduce risk, safety information is provided to device users in instructions, warnings, and contraindications. User training can also be incorporated. It is important to ensure that risk control measures do not incorporate new risks or influence other risks.

Risk mitigation measures are implemented, verified for effectiveness, and documented. Residual risks are then evaluated using risk acceptability criteria. If the risk is deemed unacceptable, more risk control activities need to be implemented. When risk controls are not feasible, a benefit-risk analysis can be conducted to determine whether benefits of using the medical device outweigh its residual risk. Depending on the outcome, the device may need to be modified, or its intended use limited.

Step 4: Evaluation of Overall Residual Risk The contributions of all individual risks together are analyzed to ensure that several small risks do not create an unexpected big risk. The method and criteria for acceptability of overall residual risk is documented in the risk management plan to ensure an objective evaluation takes place.

It is important to note that the criteria for acceptability of overall residual risk can differ from the criteria of acceptability of individual risk based on the organizations procedure to determine acceptable risk. Residual risks inherent in a devices use after all risk control measures have been implemented must be disclosed to users, allowing them to make an informed decision whether to use the device or find alternatives, considering the patients condition.

Step 5: Risk Management Review This step comprises conducting a review of the risk management plan to ensure it was properly executed and documenting that the residual risk is acceptable. This review is documented in the risk management report, providing evidence that the plan was effectively executed, the objectives were achieved, and that methods to collect production and post-production information are established.

Step 6: Production and Post-Production activities This step includes four phases, each with detailed activities to be implemented:

Summary of Changes from ISO 14971:2019

These are the new definitions in ISO 14971:2019:

Benefit: Positive impact or desirable outcome of the use of a medical device in the health of an individual, or a positive impact on patient management or public health.

Benefitscan include positive impact on clinical outcome, the patients quality of life, outcomes related to diagnosis, positive impact from diagnostic devices on clinical outcomes, or positive impact on public health.

It is important to note that the risk-benefit analysis requirements are not expected to change.

Reasonably foreseeable misuse: Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior.

Readily predictable human behaviour includes the behaviour of all types of users, e.g. lay and professional users.

Reasonably foreseeable misusecan be intentional or unintentional.

State of the art: Developed state of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.

Thestate of the artembodies what is currently and generally accepted as good practice in technology and medicine. Thestate of the artdoes not necessarily imply the most technologically advanced solution. Thestate of the artdescribed here is sometimes referred to as the generally acknowledgedstate of the art.

Other definitions from ISO 14971:2007 such as those for harm, manufacturer, user error, and in vitro diagnostic medical device were updated with minor wording changes

Comparing ISO 14971:2019 with ISO 14971:2007 / EN ISO 14971:2012

Underlined sections above constitute title changes new to the third edition. The main body of the standard includes 10 clauses instead of nine, as well as three informative Annexes Annex A: Rationale for requirements, Annex B: Risk Management Process for Medical Devices, and Annex C: Fundamental Risk Concepts.

A summary of the most relevant changes incorporated to the standard can be found below:

Conclusion

ISO 14971:2019 provides a thorough process for manufacturers to identify medical device hazards, assess risks, control risks, and monitor the effectiveness of risk controls throughout the life of a device. This new edition, consisting of 10 clauses and three annexes (informative), is aligned with the general safety and performance requirements within the new EU MDR and EU IVDR; it is expected to become a European harmonized standard and therefore represents the state of the art.

While the existing changes are aimed at clarifying concepts and no changes have been made to the overall process to conduct risk management, manufacturers still need to consider device-specific standards. These can be used in addition to ISO 14971 to control specific risks associated with some unique device categories to demonstrate how risks can be reduced to acceptable levels.

It is anticipated that some organizations will have to spend some time updating references to the previous standard in existing quality system documentation. ISO 14971:2019 cancels and replaces ISO 14971:2007.However, a transitional period of three years following official publication is a common practice to allow stakeholders to successfully transition to the new edition.

About The Author

Marcelo Trevino is the President, Global Regulatory Affairs and Quality Systems, at TregMedical Compliance Services, a life sciences consulting firm focused exclusively on regulatory, quality, and compliance solutions for medical device companies.

Marcelo has 23+ years experience in quality and regulatory affairs, serving in multiple senior leadership roles with different organizations while managing a variety of medical devices: surgical heart valves, patient monitoring devices, insulin pump therapies, surgical instruments, orthopedics, medical imaging/surgical navigation, amongothers. He has an extensive knowledge of medical device management systems and medical device regulations worldwide (ISO 13485:2016, ISO 14971:2019, EU MDD/MDR, MDSAP). Mr. Trevino holds a B.S. degree in Industrial and Systems Engineering and an MBA in Supply Chain Management from the W.P. Carey School of Business at Arizona State University. He is also a certified Quality Management Systems Lead Auditor by Exemplar Global.

He has experience working on Lean Six Sigma Projects and many Quality/Regulatory Affairs initiatives in the US and around the world including Third Party Auditing through Notified Bodies, Supplier Audits, Risk Management, Process Validation and remediation activities.

Additionally, he is a Certified Six Sigma Black Belt and Biomedical Auditor through the American Society for Quality (ASQ) and holds Certificates in Environmental & Sustainability Management Regulatory Affairs Management from University of California, Irvine.

He regularly publishes articles to assist corporations in their quest for exceptional quality and regulatory compliance.

View original post here:
Analyzing The changes To Risk Management Standard ISO 149712019 - Med Device Online