ISO 14971 Certification Plus 5 More Medical Device Risk Management Myths
ISO 14971 has been the de facto international standard for medical device risk management for more than 20 years. If you want to sell your devices in the US or Europe, the standard will become an absolute necessity in your quest to obtain FDA clearance / approval for your device or CE Marking certification under the EU MDR or IVDR.
ISO 14971 was initially known as EN1441 and was introduced in 1997. Soon after (in 1998), the first version of ISO 14971 was introduced. Subsequent versions followed, and most recently, ISO 14971:2019 was published. Over its 20-plus-year history, many myths have been perpetuated about how to apply risk management to medical devices and IVDs. Among them are the six most common myths:
Myth #1: Manufacturers Can Get ISO 14971 Certified
This international standard for risk management is so universally applied among medical device companies that many assume that an ISO 14971 certification program exists. Years ago, some certification bodies did indeed offer a standalone ISO 14971 certification program, but that is not the case anymore. Why not? Most likely it is because your conformance to ISO 14971 is essentially being audited while you are going through your overall ISO 13485 QMS certification. The concepts and requirements for risk management are so integral to your medical device QMS that a separate ISO 14971 certification would not mean much. Also, no regulatory authorities require a specific ISO 14971 certification, so that is not a driver to offer or maintain an ISO 14971 certification.
Myth 2: “State of The Art” Refers to Cutting-Edge Technology
Your risk analysis must carefully consider the current “state of the art.” Many assume this to be the latest technology, but it is broader than that. MEDDEV 2.7/1 rev 4 adds some insight: “The state of the art embodies what is currently and generally accepted as good practice…The state of the art does not necessarily imply the most technologically advanced solution.” Thus, it is more useful to think of “state of the art” as meaning the developed stage of current technical capabilities. See Section 3.28 of ISO 14971:2019.
Myth 3: ISO 14971 is 100% About Risk Reduction
Seems entirely logical, right? ISO 14971:2019 is a risk management standard, but it is not just about risk reduction. Increasingly, regulators want to know more about the benefits your medical device offers. ISO 14971:2019 defines benefits in a way that ISO 14971:2007 and EN ISO 14971:2012 did not. The ISO/TR 24971:2020 Guidance on the application of ISO 14971 provides guidance on determining benefits and provides examples. You may also want to read this informative blog post on evaluating medical device benefits.
FDA has stated that they expect a three-year transition period to ISO 14971:2019. Manufacturers are expected to conform to the latest version by December 25, 2022. Find more information by reading this FDA notice.
Myth 4: FMEA = Risk Management File
Identifying potential hazards, hazardous situations, and harms is a three-legged stool – you cannot properly comply with ISO 14971 without analyzing all of them together. Engineers commonly use Failure Mode and Effects Analysis (FMEA) as a tool to identify, evaluate, and control risks associated with a medical device. While an FMEA is a strong risk management tool, it focuses on failure modes (just like the title says!) and is not designed to include an analysis of hazards that are present in the normal use of your device. ISO 14971 requires that you identify hazards related to your device in both normal and fault conditions. A preliminary hazard analysis (PHA) is a common tool that many manufacturers use to capture hazards in normal conditions.
Myth 5: Complaint Handling = Risk Management Production and Postproduction Activities
Well, if that were true, it would certainly be convenient. The reality is that risk management is every bit as much proactive as it is reactive. Reactive risk management, such as complaints, is mandatory. Proactive risk management – including postmarket studies, user reviews, and literature searches – is often perceived as optional. But it is not optional. Part of the confusion is that the extent to which you carry out proactive risk management is dependent on the risk profile of your device. Clearly, a lot more sustained effort should go into production and postproduction activities for an implant than a surgical instrument.
Myth #6: Residual Risk Analysis Should Include Every Possible Risk
The number of possible hazardous scenarios is limited only by imagination. Does that mean you must document all possible risks, including the likelihood that Godzilla will invade your city and crush your manufacturing plant? No.
ISO 14971 requires you to identify and document known and foreseeable hazards. Clauses 7.4 and 8 of ISO 14971:2019 talk about “residual risk” in more detail. Likewise, Annex I of the European Medical Device Regulation (2017/745) says that you should “reduce risks as far as possible” without adversely impacting the benefit-risk ratio. To ensure that you do not go overboard in analyzing residual risks, establish a systematic process and focus on the risks that are within your control and lead to new insights about the design.
Want to learn more?
If you are new to risk management or want to go more in depth on the changes, consider our ISO 14971:2019 risk management training course. Our team of consultants is also available to assist with specific risk management issues that affect your company.