Risk management is one of the most important regulatory requirements that manufacturers of medical devices must fulfill.
ISO 14971 is the standard for the “application of risk management to medical devices.” It describes a risk management process designed to ensure that the risks associated with medical devices are known, controlled, and acceptable in relation to the benefits.
Fig. 1: Risk management process according to ISO 14971 (click to enlarge)
Content
On this page, you will find articles…
The first step in risk management for a specific device is to prepare a risk management plan. This plan specifies
This risk management plan must be included in the standard operating procedure for risk management.
Manufacturers must first determine the intended purpose of the device.
Then, they must identify the hazards and hazardous situations as part of a hazard or risk analysis. There are several methods for this:
The process FMEA (pFMEA) is recommended for identifying risks arising from faulty processes.
The next step is for manufacturers to assess the risks. To do this, they must determine:
Many manufacturers work with a Risk Priority Number (RPN). However, this concept does not comply with ISO 14971.
At this point, the manufacturers’ task is to determine their risk acceptance criteria. This is usually done in the form of a risk acceptance matrix.
The FDA’s Benefit-Risk Guidance also helps with this.
You should be familiar with these figures when assessing the residual risk. The Kaplan-Meier curve also helps in risk management.
Laws such as the MDR and IVDR oblige manufacturers to minimize or control risks. This means that they must reduce the risks as far as possible and in accordance with their acceptance criteria.
The article on information as risk control measures and the safety assurance cases, which the FDA even requires for some devices, are beneficial in discussions with auditors and authorities.
Manufacturers must document the output of all previous activities in a risk management report. In this assessment, manufacturers should ensure they are avoiding the 7 most common risk management errors.
All these records and documents then form the risk management file.
This is not the end of risk management. Instead, the post-market phase, or post-production phase, as ISO 14971 calls it, follows. Part of this is post-market surveillance and monitoring of the devices on the market.
There is a 2022 version of DIN EN ISO 14971. However, the last significant change was made in 2019. These changes were introduced with third edition of ISO 14971. This makes EN ISO 14971:2012 with Annex ZA obsolete.
You can learn more about the meaning of prefixes such as DIN, EN, and ISO in the article on harmonized standards.
The article on ISO 24971 describes how manufacturers should apply the (new version) of the standard.
Another critical question is whether ISO 14971 is applicable at all. In this context, the terms foreseeable misuse and abnormal use are essential.
In other areas of law, ISO 31000 is used, which can at least serve as a source of inspiration for medical device manufacturers.
For medical devices that contain software or are software, IT security significantly impacts the risks. The following publications are helpful here:
For medical devices that contain software or are standalone software, we recommend these articles:
Risk management for medical device manufacturers differs in some aspects from risk management for other organizations:
Benefit from the support of the Johner Institute:
Contact us right away to discuss the next steps. In this way, you can achieve safety devices quickly, without unnecessary effort, and promptly obtain approval.
Laws require risk management in hospitals, especially in order to improve patient safety. Nevertheless, many hospitals find this difficult. This article presents the most important regulatory requirements and provides tips for implementation. 1. Typical risks in a hospital a) Risks for patients The most important risks for patients include: b) Risks for all people in…
DetailsMedical device cybersecurity is a focus not only for the FDA but also for other legislators and authorities, both in the US and other markets. This is understandable The USA has added requirements for cyber devices to the Food, Drug & Cosmetic Act (FD&C), and the FDA has published several guidance documents on cybersecurity, which…
DetailsOutsourcing risk management to service providers. Wouldn’t that be convenient? But is that allowed? And how much sense does it make anyway? Conversely, what should you as a service provider not be burdened with under any circumstances? This article provides the answers. It suggests how manufacturers and service providers can divide their activities and gives…
DetailsSoftware maintenance is the phase in which software is further developed, e.g., with the objective of According to the FDA, 79% of all bugs occur during software maintenance. Accordingly, some regulations address this topic. Regulatory requirements for software maintenance Requirements of the Medical Device Regulation MDR (2017/745) The Medical Device Regulation requires medical device manufacturers…
DetailsThe risk management plan is one of the most important documents in technical documentation. Accordingly, authorities and notified bodies examine this plan intensively. However, it is not only from a regulatory perspective that medical device manufacturers benefit from a precise risk management plan. This article 1. What a risk management plan is In a risk…
DetailsTrend analysis is a legal obligation of all medical device manufacturers, especially in “Post-Market Surveillance.” Manufacturers must not fail in the selection and application of suitable statistical methods for trend analysis. This is because the focus of authorities and notified bodies is increasingly shifting to monitoring post-market activities. This article provides a quick introduction to this…
DetailsIEC 80001-1 has the long title “Application of risk management for IT-networks containing medical devices – Part 1: Tasks, responsibilities and activities“. This article reveals what the standard requires and why manufacturers should also consider it. 1. About DIN EN IEC 80001-1 a) Objectives of DIN EN IEC 80001-1 The standard aims to help minimize…
DetailsWhether risk mitigation through information is permitted regularly leads to discussions. The answer to this question is important because it determines the conformity and non-conformity of medical devices. This article provides the answer and thus resolves a “historical misunderstanding.” 1. Regulatory framework All manufacturers are obliged to minimize the risks posed by their medical devices.…
DetailsThis article identifies the seven most common risk management errors that Johner Institute and its auditors encounter most often. It also offers advice on how to avoid these errors. Risk management is among the most important requirements medical device manufacturers must meet. Therefore, it is important that they avoid risk management errors. 1st error class:…
DetailsThe probability of software defects is difficult to estimate. It’s so difficult that the “old” DIN EN IEC 62304:2006 wrote: “However, there is no agreement on how to determine the probability of the occurrence of software failures using traditional statistical methods.” The standard concluded that “the probability of such a malfunction must be assumed to…
Details