Risk control in the third edition of ISO 14971

Risk control is one of the key steps in the risk management process of the new ISO 14971. The manufacturer has several risk control options for eliminating or reducing risks to an acceptable level. Many international standards provide specific technical solutions to address particular risks. Those standards should be considered in selecting the most appropriate options.

• The first and preferred option is to eliminate the risk by making the design of the medical device and its manufacturing process inherently safe. This ensures that a hazardous situation cannot occur. This is often related to the operating principle of the medical device. Examples include designing medical devices for single use such that they cannot be reused, designing medial electrical equipment such that live parts and high-voltage parts cannot be touched, and designing surfaces without sharp edges.
• If this is not possible, the second option is to implement protective measures in the design of the medical device or in the manufacturing process. Such measures can reduce the probability of occurrence of a hazardous situation or harm and/or the severity of the harm. Examples of such measures include gloves and special clothing to protect against contamination, covers to protect against electrical shock, barriers to prevent collision or trapping between moving parts, lead aprons and screens to protect against radiation. Protective measures also include alarms to alert people of a hazardous situation needing immediate attention to avoid any harm from occurring.
• If protective measures do not sufficiently reduce the risk, the third option is to provide information for safety to the users of the medical device. The information can be given in the form of warnings or contraindications, or as instructions on how to handle and use the medical device. This information can concern in particular actions that the user needs to take or to avoid to prevent the occurrence of a specific hazardous situation or harm. Some examples are warnings against reuse of single-use medical devices, warnings for high voltage, high temperature or radiation, instructions to use personal protective equipment, and instructions for calibration and maintenance of medical devices performing measurements. Training of users can be an important means of providing the information for safety.

The risk control measures selected must be implemented, and the implementation must be verified. This can be done as part of design and development verification in a quality management system. The effectiveness of the risk control measures implemented must also be verified, which can be done as part of design and development validation in a quality management system. The results of these verifications must be documented in the risk management file.

After implementation of the risk control measures the residual risk must be estimated and evaluated again using the criteria for risk acceptability. If the risk is not judged acceptable, it is necessary to consider more risk control. If, after careful analysis, it is concluded that further risk control is not practicable, the manufacturer may perform a benefit–risk analysis. Data and literature may be gathered and analysed to determine if the benefits of using the medical device outweigh the residual risk. If this is not the case, the manufacturer needs to go back in the process and consider modifying the medical device or to restrict the intended use (for example, to exclude vulnerable patient groups). Otherwise, the risk remains unacceptable and development must be abandoned.

Completeness is an important aspect in risk management. Therefore, the manufacturer is required to check that all identified hazardous situations have been addressed and all risk control activities have been completed. In addition, it must be checked that the selected and implemented risk control measures do not introduce new risks and do not affect other risks.

This is an excerpt from the BSI medical devices white paper Risk management for medical devices and the new ISO 14971. To download our other medical device white papers, please visit the Insight page on the Compliance Navigator website.