Risk Management is the systematic application of policies, procedures, and practice in various aspects and processes of a Medical Device in order to achieve a safe and effective product. 

Risk Management allows the manufacturer to understand the controls and design features needed in their Medical Device. 
This process ends only at the end of a Medical Device's life cycle, so even after the Medical Device has been placed on the market, continuous monitoring and identification of new hazards are required.

For Medical Device companies, this process is often complex. This rises not only due to the device complexity of design, materials, production processes, software used, and device function – but also due to the various stakeholders (Clinical aspects, marketing considerations, manufacturing and available technology, suppliers and sub-contractors), each contributes to the way risk is perceived AND CONSIDERATIONS.

ISO 14971 principles are implemented globally in the Medical Device Industry and conforming to the standard requirements is used to show compliance to regulation all over the world.

Towards the transition to MDR (EU Medical Device Regulation) and IVDR (EU In-Vitro Diagnostic Regulation) and the recognition of ISO 14971:2019 by FDA, and other regulatory bodies, Medical Device companies must assess risk management processes and existing documentation.

Gsap is a leading consultancy firm with accumulated decades of experience in the industry of medical devices and pharmaceutical companies. We work with our customers, corporates to start-up companies in R&D, production, and post-market stages. We deliver the shortest pathway, and consider our clients as partners to success, with tailored service and support.

ISO 14971:2019 meets Regulatory Requirements

Risk management according to ISO 14971:2019 (NEW VERSION) is required according to the new MDR (EU 2017/745) which enters into enforcement in May 2021 and IVDR (EU 2017/746) which enters into enforcement in May 2022.

The transition period from ISO 14971:2012 to ISO 14971:2019 for FDA is December 25, 2022.  After this transition period, only declarations of conformity to ISO 14971:2019 will be accepted by FDA.

ISO 14971 Relations with other standards

ISO 14971 has relationships with various standards: ISO standards such as ISO 9000 (Quality Management Systems), IEC 62366 (Usability), ISO 13485 (Medical Devices – Quality Management Systems), IEC 60601-1 (electrical medical equipment).

Whereas ISO 60601 addresses single fault, ISO 14971:2019 also addresses a combination of fault modes and hazardous situations as a result of a sequence or combination of independent events. Another example of relation with other standards is the Usability Engineering process (IEC 62366). This process is used for the identification of reasonably foreseeable misuse (in addition to use errors and use associated risks). The outputs of the usability engineering process must be fed back into the risk management process and help complete the identification of hazards. This includes System Security (Cyber Security) and breaches of data. IEC 62304 (Medical Device Software – Software Life Cycle Processes) refers to ISO 14971 for the risk management process of software. ISO 14971 adds an identification of hazards that are related to software that needs to be considered in the process, such as confidentiality, the integrity of data, and availability of data.

ISO 10993-1:2018 Biological evaluation of medical devices requires that the evaluation of overall residual risks associated with the medical device acceptability will be part of the risk management file according to ISO 14971.

It is crucial that traceability will be kept and linked between the various related processes.

An example of this relationship is demonstrated in figure 1.

ISO 14971:2019 Vs. ISO 14971:2007

ISO 14971 guidance annexes were removed from the standard and are found in ISO TR 24971:2020. This new version of the ISO TR 24971 document contains all the normative references and is used to guide the proper implementation of the risk management process.

Revised Terms and Definitions:

New terms that are defined in the standard:

• Benefit: The types of benefits to be considered are discussed: the positive impact of clinical outcome, quality of life, diagnosis, public health. The benefit-risk analysis is aligned to meet MDR and IVDR requirements (the MDR mentions benefit over 60 times vs. 2 times in MDD).

• Reasonably foreseeable misuse: There is an understanding that medical devices can be used for a different intention than the device intended use and that use of the medical device by different populations may result in different outcomes – such as use by medical professionals versus use by laypersons.

• State of the art: This does not necessarily imply the latest most advanced technology. Under the ISO 14971:2019 standard principles, when considering the latest most advanced technology, compared with a more established and widely used technology – it is possible that the benefit-risk perspective of the options will be equivalent. Manufacturers must consider state of the art (clause 10.2), and continually monitor and gather information (generally acknowledged state of the art), and understand if the state of the art changes. This concept is considered in the MDR.

ISO 14971:2019 Scope: The scope of the standard has been clarified to avoid misinterpretation and so specifically mentioning software as a medical device (A.2.1), the Risk Management Process can also be applied to data and security (cyber security), and more detail is given to hazards related to these areas and Radiation, Usability and Biocompatibility. 
The standard is not limited to Medical Device Manufacturers, but to products that are not necessarily recognized as Medical Device under Regulation and to Suppliers, Contractors, and Service Providers that are involved in the Medical Device life-cycle (compliance with some or all ISO 14971:2019 requirements).
• Clause 4.1: The diagram representing the risk management process revised to reflect how the role of the risk management plan in the process.
• Clause 4.4: Addition of risk management to include a method for the evaluation of the overall residual risk and requirement to plan criteria of acceptance to this activity (for Medical Device) see clause 8.
• Clause 4.5: traceability
• Clause 5.4: requires the use of multiple risk analysis tools in order to meet the requirement of identifying known and foreseeable hazards (in both normal and fault conditions) and serve as input to the design process (Annex E ISO TR 24971). This clarifies the need for more than single hazard identification tools: Intended Use; Safety-Related Characteristics; Research/Clinical Trials; Preliminary Hazard-Analysis; Fault Tree Analysis; Usability Engineering Analysis/Human Factors Engineering. During design output, the use of single fault analysis is appropriate in risk management on the design, such as FMEA, SW, and biocompatibility analysis and production. Further identification of hazards is done using data from Risk Control Implementation Verification (Design Verification); Risk Control Verification of Effectiveness (Design Validation phase); Complaints and CAPA process (Post Production) which is also part of the suitability evaluation of risk control measures.

• Clause 8 Disclosure of significant residual risks (Annex A.2.8 ISO 14971 and Annex D ISO TR 24971) Discretion for the analysis of risk/benefit has changed to the requirement to perform a benefit/risk analysis.

• Clause 9 Risk Management Review needs to identify who is going to do the review and when to perform it. Note that the risk management review is part of the risk management fie. The review process can be part of product realization (design reviews).

• Clause 10 Production and Post Production Activities: Expanded and is aligned with clause 8 (Measurement analysis and improvement) in ISO 13485:2016 (and GHTF SG3/N18:2010 QMS MD Guidance on corrective action and preventive action and related QMS processes). Emphasis is given to the active process for gaining information (alignment with EU MDR and FDA Requirements) and inclusion of risk management in post-market surveillance.

• Annex C – Since questions for identification of hazards in the previous editions were taken as mandatory even though, the intention of these questions as guidance was taken out from ISO 14971 and moved to annex A in ISO TR 24971:2020 with additional considerations.

• Annex G – techniques – now annex B in ISO TR 24971:2019 (techniques to support risk analysis). Has additional information to clarify misapplication of techniques, and single-tool use such as FMEA in risk management (see above).

New ISO TR 24971:2020

ISO TR 24971:2013 had some information that did not appear in ISO 14971:2007.
The document has been completely revised so it is a very useful guide to risk management and provides guidance with risk analysis, identification of hazards, and evaluation of residual risks – if you follow ISO TR 24971:2020 you can more easily achieve a Medical Device which its’ Risk Management Process conforms with ISO 14971:2019.

Gsap experts will be happy to assist you in updating and preparing your risk management process according to ISO 14971 and related standards.

This Article Prepared by:

Adam Samucha, B.Sc

Medical Device Quality Project Manager

For more information about our services visit: