ISO 14971 – A Risk Management Standard for Medical Devices

There are several safety standards that address medical device safety. Some of them are ISO 14971, IEC 60601-1, IEC 62366 and ISO 10993-1. This article focuses on ISO 14971, a widely recognized risk management standard for medical devices.

iso 14971:2019 risk management standard for medical devices

I. ISO 14971 History and Origins

ISO 14971 is the primary product safety standard for risk management of medical devices. Many other safety standards for medical products make normative references to ISO 14971, parts 3 and 7.

This risk management standard was originally developed in 1998 with participation from more than 100 countries. It’s a product of work by both IEC and ISO. However, the ISO designation was chosen because the standard is not only about medical electrical equipment but about all types of medical devices.

The first release of the standard was in the year 2000. Currently, its third edition, i.e. ISO 14971:2019, is accepted in the United States. However, in the European Union, the harmonized version – EN ISO 14971:2019 – is current, and manufacturers can use it to achieve CE marking compliance.

Before ISO 14971, no other safety standards addressed the risk management of medical devices. 

II. ISO 14971 Requirements

ISO 14971 was drafted as a framework because there are so many types of medical devices that it’s challenging to create a single process that would cover all devices. This is both a blessing and a curse. On the one hand, manufacturers are free to develop their own risk management process following the standard’s framework. On the other hand, the standard doesn’t tell them how to do it, so their chosen technique becomes subject to questioning. Whatever the risk management method is, manufacturers must be able to show that it has been applied and the product’s respective safety risks have been reduced to acceptable levels.

Overall, this standard defines a set of requirements for managing the risks of medical devices. For instance, manufacturers must:

  • Have a documented process applied to the entire product life cycle
  • Create a risk management plan
  • Use qualified personnel for performing risk management
  • Evaluate the overall residual risk
  • Ensure completeness of risk controls for all identified risks
  • Be able to show that the benefits outweigh the risks
  • Create a risk management report
  • Create and maintain a risk management file
  • Monitor production and post-production information.

The above-stated requirements apply to all phases of the life cycle of a medical device, from the initial conception to the final decommissioning and disposal.

III. Scope of the standard

This standard applies to all types of medical devices, including software as a medical device and in-vitro diagnostic medical devices. A medical device is any apparatus, instrument, appliance, machine, implant, material, software or another article that is intended by the producer to be used for human beings for one or several of the following medical purposes:

  • Conception control
  • Supporting or sustaining life
  • Investigation, replacement, support or modification of a physiological process
  • Diagnosis, prevention, treatment, alleviation or monitoring of an illness
  • Diagnosis, treatment, alleviation, monitoring of or compensation for an injury
  • Disinfection of medical devices
  • Gathering of information through in vitro examination of human body’s samples.

In addition, the primary intended purpose cannot be achieved by immunological, metabolic or pharmacological means, but it may be assisted by such means. 

Furthermore, ISO 14971 can also be applied to products that aren’t necessary medical devices in some states. However, out of the standard’s scope are, as follows:

  • Decisions on the application of a medical device in regard to any specific clinical procedure
  • Managing business risks.

Lastly, ISO 14971 can be used to manage only risks associated with a medical device. For instance, hazards related to biocompatibility, data security, electricity, radiation, moving parts and usability.

IV. What’s new in ISO 14971:2019?

To start with, the new version of ISO 14971 includes three important definitions – reasonably foreseeable misuse, benefit, and state of the art. Additionally, the following terms had minor changes: documentation, manufacturer, harm, in-vitro device, and use error.

There are also more requirements for the production and post-production activities. The whole section in the standard was expanded by a page. Some of the new requirements relate to, as follows:

  • Collection and review of information about the medical device. 
  • Use of the collected data to make decisions regarding the medical device and its risk management process.

Moreover, manufacturers must evaluate and document any cybersecurity risks present in their devices. This requirement is nothing new for most medical device producers, but those unfamiliar with it can find more guidance in Annex F of ISO/TR 24971:2020.

Lastly, ISO 14971:2019 keeps up with the changes made in the new EU regulations for medical devices – MDR 2017/745 and IVDR 2017/746. Section 4.4. of the standard emphasizes the necessity of evaluating the overall residual risk in a medical device and the criteria for determining its acceptability.

V. What is ISO/TR 24971:2020?

ISO/TR 24971:2020 is a technical report including the annexes of ISO 14971:2007, which aren’t present in the contents of ISO 14971:2019. This technical report also provides more guidance and explanation on the development, implementation and maintenance of a medical device risk management system according to ISO 14971:2019. In addition, the document describes approaches that medical device manufacturers can use to develop, execute and maintain a risk management process compliant with ISO 14971:2019. However, alternative methods can also satisfy the requirements of the safety standard.

The clauses and subclauses in ISO/TR 24971:2020 have the exact same structure and numbering as those of ISO 14971:2019. This was done to facilitate the use of the document in applying the requirements of the safety standard. Furthermore, the informative annexes at the end of the technical document contain additional guidance on specific aspects of risk management, such as hazard identification and risk analysis tools.

Related Articles