What is ISO 14971?
ISO 14971 (or, to give it its full title, ISO 14971:2019 – Medical Devices – Application of risk management to medical devices) is a Standard that was developed specifically for manufacturers of medical devices based on established principles of risk management that have evolved over many years.
The Standard can also guide the development and maintenance of a risk management process for products that are not necessarily medical devices in some jurisdictions, and for suppliers and other parties involved in the medical device life cycle. The study of this Risk Management Standard is a vital addition to an ISO 13485 Course for those implementing and/or maintaining an MDMA.
What is the purpose of ISO 14971?
The purpose of the Standard is to specify the processes for managing risks associated with medical devices. Risks can be related to injury, not only to the patient but also to the user and others. Risks can also be related to damage to property (for example, objects, data, and other equipment) or the environment.
Risk management is a complex subject because each stakeholder can place a different value on the acceptability of risks in relation to the anticipated benefits. Risk Management concepts are particularly important concerning medical devices because of the variety of stakeholders, including medical practitioners, the organizations providing health care, governments, industry, patients, and members of the public.
What are the benefits of using ISO 14971?
It is generally accepted that the concept of risk has two key components:
- the probability of occurrence of harm, and
- the consequences of that harm, that is, how severe it might be.
All stakeholders need to understand that using a medical device involves an inherent risk, even after the risks have been reduced to an acceptable level. It is well known that some residual risks remain in the context of a clinical procedure. The acceptability of a risk to a stakeholder is influenced by the key components listed above and by the stakeholder’s perception of the risk and the benefit.
Each stakeholder’s perception can vary depending upon their cultural background, the socio-economic and educational background of the society concerned, and the patient’s actual and perceived state of health.
The way risk is perceived also depends on other factors, for example, whether exposure to the hazard or hazardous situation seems to be involuntary, avoidable, from a man-made source, due to negligence, arising from a poorly understood cause, or directed at a vulnerable group within society.
As one of the stakeholders, the manufacturer reduces risks and makes judgments relating to the safety of a medical device, including the acceptability of residual risks. The manufacturer considers the generally acknowledged state of the art to determine the suitability of a medical device to be placed on the market for its intended use.
The Standard specifies a process through which the manufacturer of a medical device can identify hazards associated with the medical device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the controls’ effectiveness throughout the medical device’s life cycle.
The decision to use a medical device in the context of a particular clinical procedure requires the residual risks to be balanced against the anticipated benefits of the procedure. The Standard and its companion Guide, ISO 24971, direct the manufacturer in making such decisions.
Does ISO 13485 Require ISO 14971?
ISO 14971 is not a requirement of ISO 13485, but Section 7.1 of ISO 13485, the medical device management system standard, has a Note that states: ‘Further information can be found in ISO 14971.’ Therefore, the ISO 14971 Standard is not a requirement of ISO 13485; it’s not even given the status of a Guideline. How do you meet the requirement of ISO 13485 that ‘The organization shall document one or more processes for risk management in product realization.’?
There are two key issues to note here …
1. The threats to be treated here are risks to the user and/or patient safety, not a component failure or failure of a process activity to function as intended.
2. Almost without exception, organizations certified to ISO 13485 choose to include ISO 14971 in their QMS.
See also: ISO 13485 requires Risk Management and Risk-based Thinking.
Is the use of ISO 14971 mandatory?
Yes and No. ISO 13485:2016 Clause 7.1 in a Note states: ‘Further information can be found in ISO 14971’. So, that means that ISO 14971 is not mandatory. However, almost without exception, manufacturers choose to use ISO 14971 in their medical device management systems, and so, for practical purposes, you are advised to consider the Standard mandatory. If you do not use it, you will be challenged by external auditors to demonstrate how you achieved the same level of risk management control by other methods as you would have through the application of ISO 14971.
Do Internal Auditors need training in ISO 14971?
If your Internal Auditors are to be able to audit the risk management used and its effectiveness, training in ISO 14971 is essential. Hence, we developed the ISO 14971 Risk Management for Medical Devices – Foundation Course (8 hours approx.).