Medical device risk management by ISO 14971: Top management

Risk management is an important aspect in the development of medical devices. Patients are already in a vulnerable position and, during diagnosis and treatment, they should be protected from risks that could further impact their health. International standard ISO 14971 was developed to provide a process to assist manufacturers in identifying the hazards associated with medical devices, assessing the corresponding risks, controlling these risks where needed, and monitoring the effectiveness of the risk control measures. The third edition of this standard will be published in 2019, together with the updated companion report ISO/TR 24971, which provides extensive guidance on the application of the standard. There will be a transitional period of three years following publication to allow all stakeholders to adapt to the requirements in the new edition.

The commitment of top management is indispensable for proper risk management. Large corporations can consist of separate entities (such as divisions or business units), where each entity can have its own risk management process and its own quality management system. In such cases, top management refers to those individuals who direct and control that entity.

Top management is responsible for the provision of adequate resources and the assignment of competent personnel. This means that personnel need to have appropriate training and also the tools and the time to perform the risk management tasks assigned to them. Top management is further responsible for the continued effectiveness of the risk management process and, therefore, needs to regularly review its suitability at planned intervals. Information from the post-production phase can be valuable input for this review.

Top management also needs to define the policy on how to establish the criteria for risk acceptability. These criteria need to be based on relevant international standards and the regulations of the countries or regions where the medical devices are intended to be marketed. Considerations of the generally acknowledged state of the art and known stakeholder concerns need to be taken into account as well. Local regulations can impose that risks must be reduced as far as possible or as low as reasonably practicable (i.e. technically feasible in practice). A well-known concept for exposure to ionising radiation is that the resulting radiation dose to any person must be as low as reasonably achievable (the ALARA principle). Where applicable, these concepts need to be incorporated in the criteria for risk acceptability. This means that the criteria need to provide guidelines on how far the risks shall be reduced. The end points for risk reduction “as far as possible” can be determined based on international standards that provide specific state-of-the-art technical solutions or on local regulations that have specific requirements or limits. These concepts and the end points for risk reduction should be described in the policy.

A risk chart or risk matrix shown in Figure 1 can be useful in supporting the estimation and evaluation of residual risk, especially those risks for which no requirements and no technical solutions exist in international standards or local regulations. In such cases, the criteria can require risk reduction as far as possible where the end point is based on the combination of the probability of occurrence of harm and the severity of possible harm, as indicated in a risk chart. However, it is emphasized that the criteria for risk acceptability need to take the applicable regulations and standards into account and need to be more comprehensive than only a risk chart, and that a risk chart by itself is not the criteria. It is further noted that the descriptors of the severity and probability levels in Figure 1 are just examples, and that more or fewer levels and different descriptors can be chosen (e.g. Negligible, Moderate, Significant, Serious, Catastrophic for the severity levels and Inconceivable, Unlikely, Rare, Possible, Often for the probability levels). ISO/TR 24971 provides guidance on defining the policy and on establishing the criteria for risk acceptability.

Figure 1. Example of a risk chart that can support risk estimation and risk evaluation.

The severity levels need to be described in relation to the possible harm (injury to people, or damage to property or the environment). These levels can distinguish between life-threatening injuries, serious injuries that are not life-threatening but needing immediate medical attention, major injuries that can result in permanent damage or impairment, minor injuries that are transient or reversible, minor injuries needing limited medical care, pain and discomfort. Concerning damage to property or the environment, the severity levels can distinguish between leakage of radioactive substances, leakage of or contact with hazardous chemicals, contamination with blood or other bodily fluids (possible infection with HIV), loss of x-ray images (where retaking adds radiation dose), loss of other images, loss of data, unauthorized access to data, destruction of the medical device, or repairable damage to the medical device. The probability range can be divided into discrete levels based on the probability of occurrence of harm per use, per procedure, per device, per hour of use, or within a population. The choice can depend on the type of medical device.

This is an excerpt from the forthcoming white paper Risk management for medical devices and the new ISO 14971. To download our other medical device white papers, please visit the Insight page on the Compliance Navigator website.