Myths about ISO 14971 Certification and Medical Device Risk Management
For more than 20 years, ISO 14971 has been the international standard for managing medical device risks. The standard is essential if you plan to sell devices in the US and Europe.
ISO 14971 was initially known as EN 1441 and was first introduced in 1997. The first ISO 14971 version was published in 1998. ISO 14971:2019 is the latest edition. Many myths about risk management for medical devices and IVDs have been perpetuated throughout its more than 20-year history. These are the six most widespread myths.
Myth #1: Manufacturers Can Get ISO 14971 Certified
Medical device companies have widely used this international standard for risk management, and many believe there is an ISO 14971 certification program. Several certification bodies offered a standalone ISO 14971 program years ago. However, that is no longer the case. Why is this? Your conformance to ISO 14971 is likely being audited as you go through your ISO 13485 QMS certification. A separate ISO 14971 certificate would not be enough to cover the concepts and requirements of risk management. No regulatory authority requires a specific ISO 14971 certificate, so it is unnecessary to maintain or offer one.
Myth #2: Cutting-Edge Technology is “State of the Art”
The current state of the art is an essential part of risk analysis. Many people assume it means the most recent technology. However, it is much more than that. MEDDEV 2.7/1 rev 4 provides some insight: “The state-of-the-art embodies what is currently accepted as good practices…” It is better to define “state of the art” as the advanced stage of technical capabilities. Refer to Section 3.28 in ISO 14971:2019.
Myth #3: ISO 14971 is 100% about Risk Reduction
It seems logical. ISO 14971 is a standard for risk management, but it is not solely about risk reduction. Regulators are increasingly interested in the benefits of your medical device. ISO 14971:2019 defines benefit differently than EN ISO 14971:2012 and ISO 14971:2007. ISO/TR 24971:2020, Guidance for the Application of ISO 14971, gives guidance and examples on determining benefits.
Myth #4: FMEA = Risk Management File
Identifying potential hazards, hazardous situations and harms is a three-legged stool. You cannot properly comply with ISO 14971 without analysing all three together. Engineers often use Failure Mode and Effects Analysis (FMEA) to help identify, evaluate and control the risks associated with medical devices. FMEA can be a robust risk management tool, but it focuses only on failure modes. It is not intended to analyse hazards that may be present during regular device use. ISO 14971 demands that hazards be identified for your device under both normal and fault conditions. Many manufacturers use a preliminary hazard analysis (PHA), a common way to identify hazards under normal conditions.
Myth #5: Complaint Handling = Risk Management Production and Post-Production Activities
It would be very convenient if it were true. Risk management can be both proactive and reactive. Reactive risk management, such as complaint handling, is mandatory. Proactive risk management, which includes post-market studies, user reviews and literature searches, is sometimes perceived as optional. It is not optional. It is essential to understand that your device’s risk profile will determine how proactive risk management should be. Production and post-production activities for implants are much more intensive than for surgical instruments.
Myth #6: Every possible risk should be included in a residual risk analysis
Only imagination limits the number of potentially dangerous scenarios. Does this mean that you should document all potential risks, even the possibility that Godzilla might invade your city and destroy your manufacturing plant? No.
ISO 14971 requires that you identify and document all known and foreseeable hazards. Residual risk is covered in detail in clauses 7.4–8 of ISO 14971:2019. Annex I to the European Medical Device Regulation 2017/745 states that it is essential to “reduce risk as much as possible” without affecting the benefit-risk ratio. Do not over-analyse residual risks. Instead, focus on those that are within your control. This will allow you to gain new insight into the design.