ISO 14971: Managing Risk in Medical Device Development
With the growth of medical device usage, the challenge for medical device developers and manufacturers for making the device safe for human use has significantly increased. Medical device regulators across the major markets recognize that risk management principles identify and address safety issues of medical devices throughout their product life cycle. Therefore, risk management is a vital component that is necessary to ensure device usability, safety, and regulatory compliance.
Medical Device Risk Management
ISO 14971: 2019, Application of Risk Management to Medical Devices, is an international risk management standard for medical devices (including in vitro diagnostic medical devices). The purpose of this standard is to help manufacturers to establish a medical device risk management process that can be used to identify hazards, to estimate and evaluate risks, and to implement and monitor the effectiveness of risk control measures. Nearly every global medical device regulator, including the FDA, Health Canada, and European Commission, requires manufacturers to implement an ISO 14971-based risk management system throughout the medical device product development lifecycle.
ISO 14971 defines Risk Management as “a systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.”
Medical device developers and manufacturers must have an established risk management process defined, documented, and implemented and are expected to identify possible hazards associated with the design and the associated risks including those resulting from user error in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by appropriate means. Risk management needs to involve more than just engineers and product developers. Effective risk management includes input from end-users, marketing, sales, business development, quality, regulatory and manufacturing to provide different perspectives and experiences for the medical device being designed, developed, and manufactured.
ISO 14971 provides the manufacturer with a framework and process for risk management activities, which include the following components, and a schematic representation of the process is shown in Figure 1:
Risk Management Plan:
A product-level document which outlines the process of how the manufacturer or developer will anticipate and plan risk management activities for a particular device throughout its life cycle. The plan is dynamic and should be revisited and updated on regular interval, including after the completion of product development.
Risk Analysis:
Based on the device’s intended use and the characteristics of the medical device under normal and fault conditions, known and foreseeable hazards and the sequence of events that might result in hazards leading to hazardous situation are identified.
Risk Evaluation:
Using the criteria for risk acceptability defined in the risk management plan, the manufacturer or developer must evaluate the estimated risks and determine if the risk is acceptable or not. There are some common tools that can be used to evaluate risks, including (but not limited to) Failure Mode and Effects Analysis, Fault Tree Analysis, and Hazard Analysis.
Risk Controls:
Once the manufacturer and developer have identified the risks, analyzed their severity, and assessed their likelihood to occur, the risk control activity must be conducted to confront the questions including:
- Can we reduce the risk?
- What is the best way to do it?
- Did the risk control work?
- Is the residual risk acceptable?
Overall Residual Risk Acceptability:
Once the individual risks are identified and controlled to an acceptable level, the manufacturer/developer must evaluate the overall residual risk acceptability of the medical device as whole using the same risk evaluation criteria. If it is determined that the residual risk is not acceptable, benefit-risk analysis should be conducted and identify whether or not the medical benefits of the medical device outweighs the residual risks.
Risk Management Review:
Before entering the product in the market for use, the results of all the risk management process must be reviewed by the executive management for its completeness. This report should also include the plan for evaluation of risks in production and post-production.
Production & Post-Production Information:
Medical device manufacturers and developers must have a process for documenting all the production and post-production related activities and events. They should be continuously observing the product in the market, analyzing hazards, and updating the risk acceptance criteria. Various aspects that are required to be tied into the risk management includes complaints, customer feedback, non-conformance and CAPAs.
Risk management must be taken seriously and performed thoroughly. An effective risk management process minimizes use-related hazards, assures that intended users can use medical devices safely and effectively throughout the product life cycle, and facilitates review of new device submissions and design control documentation.
At Simbex, many of our clients rely on our ISO 14971-compliant risk management process to build safe and reliable products that comply with relevant safety standards. We provide expertise, guidance, and tools that our clients need to achieve the most efficient path for a safe and successful product.
