Facebook
  1. Home
  2. Insights
  3. Blog
  4. Managing risk for medical devices part 2

Managing risk for medical devices

ISO 14971: What it is and is not

In this series, we review ISO 14971 (Application of risk management to medical devices)—its history, the principles embedded within it and how it relates to other standards and regulation.

As a process standard, ISO 14971 (like ISO 9001) specifies a set of activities that turn inputs into outputs by identifying, defining and managing processes to achieve the desired outcomes. While such standards dictate the broad process control elements that are required, they do not give detailed instructions for how to implement those controls.

ISO process standards are expected to follow a defined, high-level structure (HLS) comprising 10 clauses, including sections on organisational context, leadership, planning, support, operation, performance evaluation and improvement. This structure, however, does not address the needs of the medical device sector (particularly in relation to regulatory compliance) and so the ISO committees responsible for medical device standards have declined to adopt it. 

The HLS was implemented to introduce risk-based decision-making into a wide range of processes while giving organisations flexibility in the way they meet their overall objectives.  However, many medical device standards require compliance with ISO 14971 and are thus already risk-based. Moreover, medical device standards are constrained by the risk-based regulations they are intended to underpin. Flexibility is, therefore, not an advantage.  Attempting to introduce the HLS into such a well-established standard as ISO 14971 would create, we believe, needless disruption and so is unlikely in the foreseeable future.

A history of risk-based thinking

Risk-based thinking has been a feature of medical device standards since the consolidated version of ISO 14971 was first published in 2000. The first product standard to follow the ISO 14971 risk-management process was the fourth edition of the heart value standard, ISO 5840:2005. This standard began with the fundamental requirements that ISO 14971 and ISO 13485 shall apply and that the acceptability of a heart valve for clinical use shall be determined at all stages of its life cycle. The standard required risk reduction in line with the generally accepted risk management concepts “broadly acceptable” and “as low as reasonably practicable (ALARP)”, rather than with their misleading interpretation “as low as possible”, that had been included in the essential requirements of the Medical Devices Directive (MDD). 

Interestingly, by 2012, this wording (“Any identified risk shall be reduced to a level that is broadly acceptable or, if that is not feasible, as low as reasonably practicable (ALARP)”) had been replaced in ISO 5840 by the requirement to simply define and implement a risk-management programme in accordance with ISO 14971. However, to this day the default position of European medical device regulations is that risks must be reduced “as far as possible.” This is the case even though risk-management theory dictates that, in circumstances where benefit arises, ALARP is the appropriate goal. Thus, a work-around involving maintaining the benefit-risk balance is needed to demonstrate conformity with the EU Medical Device Regulation (MDR), while remaining true to the fundamental principles of risk management on which ISO 14971 has always been based. 

Misunderstandings around risk analysis methods

Reaching a consensus on the incorporation of risk management principles and practices into other standards is challenging given that people have different views on how the elements of risk management are constituted. One person’s hazard is another’s hazardous situation. Although there is a distinct difference – a hazard can be present but there may be no hazardous situation and therefore no risk – this nuance may be missed. 

Another difficulty is that some people are under the misconception that they must conduct a failure modes and effects analysis (FMEA) when a risk estimate is needed. This suggests a basic misunderstanding of the content of ISO 14971. In the past, this misunderstanding arose in the workings of the ISO Technical Committee responsible for biological and clinical evaluation (ISO/TC 194). Although risk management is central to both biological and clinical safety, some ISO Working Group experts maintained that ISO 14971 was not relevant to the evaluation of biological or clinical risks because they believed ISO 14971 required a FMEA—something done as part of design control—but clinical and toxicological risks are estimated using different risk-analysis methods.

Once the experts understood that ISO 14971 only describes a process and that any method of estimating risk is permitted, they recognised that the methods that they routinely used were compliant with the standard. ISO 14155 (clinical investigation) has encompassed the process and principles from ISO 14971 for many years and the draft standard ISO 18969 is now following suit for clinical evaluation. Meanwhile, the substantial revision to ISO 10993-1 (biological evaluation) now at Final Draft International Standard (FDIS) stage, is firmly bonded to ISO 14971 and focuses on risk estimation. FMEA is nowhere to be found in any of these developments.

FMEA is, in fact, just one of many tools that can be used for risk analysis. It is not only not mandatory, but it is actually inappropriate in many circumstances because it is a “bottom-up” approach that only looks at fault conditions. A risk analysis from one angle alone does not meet the requirements of ISO 14971, the MDR or the IVDR. To meet regulatory expectations, risk management needs to include an analysis of risk from normal use, reasonably foreseeable misuse, abnormal use and potential failure. Because of this, FMEA should not be relied upon as a standalone risk-analysis method. Instead, it should be used along with other tools that analyse both normal and fault conditions. 

A Preliminary Hazard Analysis (PHA) or Fault Tree Analysis (FTA) are two examples of “top-down” tools that can be incorporated into a risk analysis to ensure it is being done from multiple angles. It is important to consider reasonably foreseeable sequences or combinations of events—not just single faults. One should also review the risk analysis throughout the device life cycle through post marketing surveillance information, including customer complaints and regulatory authority databases. 

So, as a process standard, ISO 14971 provides a framework, but it is left to the user to fill this framework with analyses and evaluations that are fit for purpose and sufficient for regulatory conformity. 

References:

van Vroonhoven, J. “Risk management for medical devices and the new BS EN ISO 14971,” BSI White Paper Series, BSI Standards Ltd. July 2022. Accessed at: https://www.bsigroup.com/globalassets/localfiles/en-us/images/wp_risk_management_web.pdf

Author

Jeremy Tinkler, ERT

Regulatory Affairs Director, ICON plc

Member of the Joint ISO/IEC Working Group responsible for ISO 14971

In this section

Connect with us