Updated guidance on implementing risk management for medical devices

Revised guidance for new edition of ISO 14971 issued

Together with the draft revision of ISO 14971 (Medical devices — Application of risk management to medical devices), a companion Technical Report (TR) is now available for review and ballot. The second edition of ISO/TR 24971 (Medical devices — Guidance on the application of ISO 14971) has been developed in parallel with the revision of ISO 14971. The revised text has been issued for ballot and review by National Standards Organizations, including BSI.

ISO/TR 24971 has the same structure and numbering of clauses as the revision of ISO 14971. Guidance is provided to help understand and implement each requirement in ISO 14971. This new structure should make the guidance more relevant and easier to navigate. The guidance that was split up between the 2013 edition of ISO/TR 24971 and the informative annexes of ISO 14971:2007 had no obvious structure. All the guidance has now been merged into ISO/TR 24971, technically revised and updated with additional material.

Annexes to the draft guidance in ISO/TR 24971 have been prepared to provide more detailed approaches to specific aspects of risk management. The annexes include:

  • "Identification of hazards and characteristics of safety" provides questions that can aid in identifying the characteristics of the medical device that could affect safety.
  • "Risk analysis techniques" provides guidance on some available tools that support the performance of a risk analysis but emphasises that these techniques do not include all steps of the risk management process.
  • "Risk acceptability considerations" describes aspects that can be used as part of risk control options analysis and be applied to risks for which the probability cannot be estimated.
  • "Information for safety and information on residual risk" seeks to clarify the differences between "information for safety" and "disclosure of residual risk". It also provides guidance on information for safety as a risk control measure and how residual risks can be disclosed to promote risk awareness.
  • "Guidance on risks related to (cyber) security" outlines terminology used in security risk management and the relationship between ISO 14971 and (cyber) security risks.
  • "Components and devices designed not using ISO 14971" aims to address preparing a risk management file retrospectively. It addresses how to build an initial risk management file when all the processes and requirements described in ISO 14971 were not followed at the time when the device was initially designed. This could be applicable for medical devices already available on the market or for constituent components of a medical device, such as subsystems of non-medical origin.
  • "Guidance for in vitro diagnostic medical devices" is focused on the indirect risks to patients from incorrect or delayed in vitro diagnostic results.

The Annex providing guidance on risk analysis for biological hazards, previously in ISO 14971:2007, has been removed because detailed guidance on risk management in relation to biological hazards is now included in a revised edition of ISO 10993-1 (Biological evaluation of medical devices. Evaluation and testing), which is at the final stage of revision.

This is an opportunity to review the guidance alongside the draft revision of ISO 14971. Doing so will help to assess the implications of the changes to this key standard and their impact on your processes and procedures.

Author: Eamonn Hoxey, of E V Hoxey Ltd, UK, is a writer, trainer and consultant on a range of life science areas including regulatory compliance, quality management, sterility assurance and standards development

The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body.  The views expressed are entirely those of the authors.