ISO 14971:2019 – Changes in the Current Version of ISO 14971

February 5, 2020

The third edition of ISO 14971 was finally released in December 2019 and it replaces ISO 14971:2007. Overall, no tectonic shifts have occurred – the risk management process itself remains largely unchanged. Nonetheless, there are important clarifications and updates in ISO 14971:2019 that you should be aware of.

In reviewing the new ISO 14971 standard, pay particular attention to the highlighted sections below.

ISO/TR 24971:2020 Is Now an Essential Companion Guide

If you recently purchased a copy of ISO 14971:2019 you may have noticed that your PDF is much “skinnier.” Sorry to disappoint you, but this doesn’t mean the risk management process is simpler. One reason for the smaller size is that the content of the old annexes in ISO 14971:2007 was moved to Technical Report ISO/TR 24971:2020, which itself has been revamped. (See table below.) This was done because changes can be more easily applied to supporting Technical Reports than they can be to standards. You can think of ISO/TR 24971:2020 in the same way you do FDA guidance documents: none of its recommendations are required, but you would be foolish not to heed them.

The new ISO/TR 24971:2020 is more than just the new home of the “old” ISO 14971:2007 annexes – it’s been expanded to include more guidance, explanation and examples of the risk management process requirements.  The production and post-production section alone is four pages of content.

Important Definitions Have Been Included in the Current Version of the ISO 14971 Standard

Three important definitions have been added to the new ISO 14971:2019 standard and are noted below. Other minor changes were made to the following terms: accompanying documentation, harm, IVD, manufacturer, and use error. Be sure to review those.

  • Reasonably foreseeable misuse (3.15) – The new definition states that if misuse of a product can result from “predictable human behavior” then you need to take this into account in your risk analysis. “Reasonably foreseeable” misuse can be unintentional or intentional and includes those “why-in-the-world-would-someone-do-that” scenarios. This analysis applies to lay users and professional users.
  • Benefit (see 3.2) – It’s not surprising that a standard focused on risk would neglect to define “benefits.” This term was not defined in ISO 14971:2007 or EN ISO 14971:2012, but it is addressed in the third edition. The definition now aligns with terminology used in many regulations. See more on this below.
  • State of the art (3.28) – This perplexing term appears 12 times in the EU MDR and 20 times in the IVDR but is not defined in either regulation! ISO 14971:2019 helps settle the matter by borrowing the newly minted definition found in ISO/IEC Guide 63:2019. That guide defines state of the art as: “Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.” In that context, ISO 14971:2019 could be considered the “state of the art” when it comes to risk management for medical devices. Want to know more? Read this. It’s state of the art, we promise.

More Requirements for Production and Post-Production Activities

Most of the additions to the requirements relate to production and post-production activities, and these clauses have been restructured. To give you an idea of how much this section was overhauled, the requirements have gone from about half a page to nearly a page and a half! This section now dovetails more closely with the ISO 13485:2016 section 8 requirements for feedback, analysis of data and CAPA. Explicit requirements have been added concerning the collection and review of information about your device. Requirements for using all that information to take actions for your device and for the risk management process are also included.

More Attention is Focused on Articulating the Benefits of Your Device

ISO 14971:2019 is a risk management standard but it’s not just about risk reduction. Increasingly regulators want to know more about the benefits your medical device offers. ISO 14971:2019 defines benefits in a way ISO 14971:2007 and EN ISO 14971:2012 did not. The ISO/TR 24971 Technical Report provides guidance on determining benefits and includes examples. You may also want to read this informative blog post on evaluating medical device benefits from an FDA perspective.

Risk Management Should Be Applied to Cybersecurity

Risk comes in all forms. As medical devices are increasingly “connected” to the interweb, new security risks need to be evaluated and documented. For most manufacturers, this issue is nothing new, but Annex F of ISO/TR 24971:2020 acknowledges and reinforces the need for medical device companies to address the very real risks posed to users or patients that have nothing to do with misuse of the device.

The Method for Evaluating Overall Residual Risk Has Changed

The newly updated ISO 14971:2019 standard refocuses attention on the benefit-risk analysis of medical devices, which is in keeping with the changes made in the new EU MDR (2017/745) and IVDR (2017/746). Section 4.4 (risk management plan) of the updated ISO 14971 standard now emphasizes the necessity of conducting an assessment of overall residual risk and defining your criteria for determining its acceptability. The method can include gathering and reviewing data and literature for the medical device and other similar products on the market. The criteria for the acceptability of the overall residual risk can be different from the criteria for acceptability of individual risks. The requirements to disclose residual risks have also been moved and merged into one requirement, which applies after the overall residual risk has been evaluated and judged acceptable.

Next Steps to Prepare for Transition

Companies that have followed ISO 14971:2007 and EN ISO 14971:2012 should not find this to be an onerous upgrade. However, they do need to take the time to assess any gaps they may have and address them accordingly.

