ISO 14971:2019: Conformity For Medical Device

Learn about the latest edition of ISO 14971 and how to ensure your medical device follows international standards.

What is ISO 14971:2019?

ISO 14971:2019 is an international standard that guides the application of risk management to medical devices. Manufacturers use it to identify and control the risks associated with their products and so protect patients, users, and third parties. The standard was developed by experts from medicine, engineering, quality management, and regulatory affairs.

The standard uses the principle of probabilistic risk assessment, which considers both the severity of potential hazards and the likelihood of those hazards occurring. To comply with ISO 14971, medical device manufacturers must establish a risk management system that includes identifying, assessing, controlling, and monitoring risks.

Is ISO 14971 required?

ISO 14971 is not mandatory, and no formal accreditation process is associated with it. Conformity with ISO 14971 indicates safety and quality and is considered good manufacturing practice. Many countries have adopted the standard into their national medical device regulations.

History

ISO 14971 is a risk management standard that helps organizations identify, assess, and control risks. The first edition was published in 2000, with the third and most recent edition being released in 2019. 

As the standard has evolved, the focus has shifted towards integrating risk management into the Quality Management System (QMS) to ensure that risks are taken into account throughout the product lifecycle. 

The most recent version of ISO 14971 has introduced several new criteria for post-market risk management, requiring manufacturers to analyze post-market data to identify emerging patterns.

Benefits

Industry-Specific Risk Framework

When it comes to medical devices, managing risk well can save people’s lives. ISO 14971 combines general risk management principles with guidance specific to the medical device industry.

Works With Other ISO Standards

ISO standards are designed to work together: they share the same High-Level Structure (HLS), which makes it simpler to follow several standards at once. One example is ISO 13485, the standard for quality management in medical devices.

Preparedness for the Future

Technology in the medical device industry is constantly changing, so there is always some risk in deciding whether to adopt the latest trends. ISO 14971 can help companies make that decision.

Implementing ISO 14971

Incorporating risk management early in the design process allows designers to consider hazardous situations early and, where required, address them through design choices. Here are some tips for implementing ISO 14971:

Part 1: Creating the Risk Management Plan

Each medical device must have its own risk management plan that identifies how risks will be managed at each stage of the product’s life. The plan should also set out how to evaluate whether the risks associated with the device are acceptable. It will need revision over time, but a good initial plan reduces problems later. It should contain the following:

Risk Acceptability Criteria

Criteria established at the beginning of the design process are less likely to be influenced by data acquired during development. Criteria can be quantitative thresholds based on a risk index number, calculated from probability and severity metrics or other metrics for quantifying risk. Risk acceptability criteria apply before any mitigations or risk controls, so a higher level of risk is generally acceptable at this stage.

Residual Risk Acceptance Criteria

Residual risk acceptance criteria apply after risk controls have been implemented; only the risks that remain once mitigation is complete are evaluated against them. Devices that fail to meet the thresholds for acceptable residual risk can still be used, but any other risks must be mitigated.

Plan For Verification of Risk Controls

The plan for verifying risk controls outlines how mitigations will be verified. Verification should follow the same process as change control verification for design changes: it confirms that the changes were actually made and that they are working.

Plan For Collecting and Reviewing Post-production Information

Traditionally, feedback for risk management came from the process and product nonconformance system and from customer complaints. The standard now expects information to be gathered far more widely, including from all levels of the supply chain, from what is currently happening in the market, and from any public information.

A work environment survey should also be included in the risk management plan to help assess and mitigate any risks associated with the workplace.

Part 2: Creating the Risk Management File (RMF)

The RMF contains all the evidence necessary to show that you have identified hazards, mitigated them, and evaluated them once mitigations are in place. Specifically, the RMF must provide traceability from each hazard to its associated risk analysis, risk evaluation, risk controls, and evaluation of residual risk.

Part 3: Analyzing the Risk

Every medical device needs its own risk analysis. If a risk analysis already exists for a similar device, you can use it as a starting point, but you should not stop there: a risk analysis must still be performed for the new device. A cross-functional team should perform the analysis and document the device, who was involved, and what was analyzed.

Part 4: Evaluating the Risk

Defining what level of risk is acceptable must already be part of the plan. If the criteria are clear, it is straightforward to compare the estimated risk level against them and determine whether the device meets them.

Part 5: Controlling the Risk

Risk management strategies can minimize the chances of something harmful happening when a risk factor is discovered. The type of control utilized depends on the hazardous situation and may include training, labeling, verification, and design features.

Part 6: Evaluating the Residual Risk

A residual risk analysis also examines the potential benefits the patient will receive if the device is used as intended. These benefits are taken into account when comparing residual risk against the acceptance criteria.

Part 7: Reviewing the Risk Management Process

A complete review of the entire risk management process is the final step before releasing a device. This review should be part of your design controls system, which verifies the device before it is released for use. The quality or regulatory team performs the review, which functions much like an audit of the risk management process.
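The following is an added example, not part of the original article or SafetyCulture's material, that models Parts 1 to 7 above as a small risk register: risk index as probability times severity, a looser acceptability threshold before controls than for residual risk, per-hazard traceability records for the RMF, and a final check for hazards still needing review. The thresholds, the 1..5 scales, the infusion-pump hazards and the control reductions are all constructed for illustration, not values from ISO 14971.

```python
from dataclasses import dataclass, field

# Constructed thresholds on a 1..5 probability x 1..5 severity scale: the plan
# (Part 1) accepts a higher index before controls than for residual risk.
INITIAL_ACCEPT_MAX = 12   # risk acceptability criteria (assumed value)
RESIDUAL_ACCEPT_MAX = 6   # residual risk acceptance criteria (assumed value)

@dataclass
class Hazard:
    hazard_id: str
    description: str
    probability: int   # 1 (improbable) .. 5 (frequent)
    severity: int      # 1 (negligible) .. 5 (catastrophic)
    # Part 5 controls: (name, probability reduction, severity reduction)
    controls: list = field(default_factory=list)

def risk_index(probability: int, severity: int) -> int:
    """Part 3: estimate risk as probability x severity."""
    if not (1 <= probability <= 5 and 1 <= severity <= 5):
        raise ValueError("probability and severity must be in 1..5")
    return probability * severity

def evaluate(h: Hazard) -> dict:
    """Parts 4-6: evaluate initial risk, apply controls, evaluate residual risk."""
    initial = risk_index(h.probability, h.severity)
    prob, sev = h.probability, h.severity
    for _name, p_red, s_red in h.controls:   # a control never pushes below 1
        prob, sev = max(1, prob - p_red), max(1, sev - s_red)
    residual = risk_index(prob, sev)
    return {   # the per-hazard traceability record the RMF (Part 2) must hold
        "hazard_id": h.hazard_id,
        "initial_index": initial,
        "controls_required": initial > INITIAL_ACCEPT_MAX,
        "controls": [c[0] for c in h.controls],
        "residual_index": residual,
        "residual_acceptable": residual <= RESIDUAL_ACCEPT_MAX,
    }

def risk_management_file(hazards: list) -> list:   # Part 2: one record per hazard
    return [evaluate(h) for h in hazards]

def unresolved(rmf: list) -> list:   # Part 7: hazards still needing review
    return [r["hazard_id"] for r in rmf if not r["residual_acceptable"]]

SAMPLE_HAZARDS = [   # constructed hazards for a hypothetical infusion pump
    Hazard("H-01", "Pump delivers incorrect dose", 4, 5,
           [("firmware dose limit", 2, 0), ("dual flow-sensor check", 1, 0)]),
    Hazard("H-02", "Housing edge causes minor abrasion", 2, 2),
    Hazard("H-03", "Battery overheats while charging", 3, 4, [("thermal cutoff", 1, 0)]),
]
```

In the sample, H-03 is acceptable before controls yet fails the stricter residual threshold, which is exactly the case the Part 7 review is meant to catch before release.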

How to Conduct Ongoing Risk Management

Risk management is not a one-time event. Always keep an eye out for ways to improve your process and stay current on the latest developments. Here are ways to do this:

Information Collection

A risk management plan is a dynamic document that should be updated whenever new information is discovered or if old data sources cease to be helpful. Some sources of information that can help keep the risk management plan current are:

  • Information about the manufacturing process
  • Data from the device’s user
  • Data from the installation and maintenance team
  • Data produced by the supply chain
  • Scientific literature that is accessible to the public and regulatory reporting
  • Information on cutting-edge technology

Information Review

The documentation must also include a mechanism for ongoing analysis of data and information and for review of the current risk analysis documents. The evaluation procedure must also define escalation triggers that are activated if concerning data or information is obtained.

Risk Management Cycle

The risk management process is never-ending, and regular review activities must continue throughout the device’s lifespan. New devices require frequent updates to the risk assessment; as a device remains on the market, the effort needed should gradually lessen until it becomes minimal.

FAQs About ISO 14971:2019

ISO 13485 covers quality management systems and does not describe medical device quality risks in detail. In contrast, ISO 14971 is focused on risk management for medical devices. Some countries demand ISO 13485 accreditation to back up medical device regulatory approval.

Many risks come with medical devices. Some of these risks include:

  • Design and production
  • Medical device-related risks
  • Toxicology and degradation of materials
  • Biological dangers
  • Interaction with other devices
  • Continuity risks

Although ISO 13485 only covers QMS requirements and doesn’t address medical device quality specifically, many countries that base their medical device legislation on the International Medical Device Regulatory Forum (IMDRF) recommendations require QMS compliance with ISO 13485.

ISO 14971, the third edition of the medical device and In Vitro Diagnostics (IVD) risk management standard, has been given Recognized Consensus Standard status by the US Food and Drug Administration (FDA). The FDA’s acceptance of ISO 14971 Third Edition 2019-12 includes a three-year transition period from the previous edition, ISO 14971 Second Edition 2007-03-01, running through late 2022.

“EN” stands for “European Norm” and is the equivalent of ISO in the European market. EN ISO 14971 is essentially the same as ISO 14971 but with different annexes. If you manufacture or do other business in Europe, it is best to follow the EN ISO standards.

Article by Rob Paredes, SafetyCulture Content Contributor

Rob Paredes is a content contributor for SafetyCulture. Before joining SafetyCulture, he worked as a financial advisor, a freelance copywriter, and a Network Engineer for more than a decade. Rob's diverse professional background allows him to provide well-rounded, engaging content that can help businesses transform the way they work.