Risk management: From the Directives to the new ISO 14971

A recent history of medical device risk management

Performing risk management became an essential requirement for medical device manufacturers with the publication of the European Directives AIMDD, MDD and IVDMDD. The risk management requirements only covered risk analysis and were expressed in general, not very specific terms. Risks needed to be reduced as far as possible while taking account of the generally acknowledged state of the art and maintaining a high level of protection of health and safety. Similar requirements can be found in the regulations of other countries. European standard EN 1441 provided a procedure for manufacturers to investigate the safety of medical devices by identifying hazards and estimating risks based on available information. The scope of this standard was restricted to risk analysis because it was intended for conformity assessment purposes, i.e. to support demonstrating conformity with the essential requirements related to risk analysis in the European medical device directives. Unfortunately, the directives provide little guidance on further steps in the risk management process and on the acceptability of residual risks.

ISO Technical Committee 210 (Quality management and corresponding general aspects for medical devices) and IEC Subcommittee 62A (Common aspects of electrical equipment used in medical practice) recognized the need to develop an international standard for risk management of medical devices and established their Joint Working Group 1. EN 1441 was taken as a starting point and was converted with minimal editing to ISO 14971-1 in 1998, which thus also covered risk analysis. ISO 14971-1 was intended to be the first part in a series of standards. It was decided later that, instead of publishing separate parts, it would be better to publish one document covering all elements of the risk management process. This effort led to the first edition of ISO 14971 in 2000, in which the principles of risk management for medical devices were elaborated further and the entire risk management process was described. This standard provided a complete framework for risk management including monitoring risks in the post-production phase. The standard was amended with a rationale in 2003.

The second edition of ISO 14971 was published in 2007 and the third edition is under development. The requirements in the third edition of ISO 14971 are expressed more accurately and are elaborated with more detail compared to the second edition. The requirements are in line with the recognized essential principles of safety and performance of medical devices (see BS ISO 16142-1) and in vitro diagnostic medical devices (see BS ISO 16142-2).

They are also aligned with the general safety and performance requirements of the European Regulations, MDR and IVDR. In view of the improved and more detailed risk management requirements in these regulations compared to the European Directives, it is more accurate to say that the general safety and performance requirements in the Regulations have been aligned with the globally accepted risk management framework and principles that have evolved over the past decades. As a result of this alignment, there are no content deviations between the risk management requirements of the European MDR and IVDR and those in the third edition of (EN) ISO 14971.

This is an excerpt from the BSI medical devices white paper Risk management for medical devices and the new ISO 14971.

The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body. The views expressed are entirely those of the authors.