5 Key Changes in ISO 14971:2019
The third edition of ISO 14971, just published, aims to clarify requirements and improve effectiveness of medical device risk management.
ISO 14971 is the International Standard for application of risk management to medical devices across their entire lifecycle. It is widely used in the industry as part of a Quality Management System (QMS) to satisfy global regulatory requirements. Until now, the 2nd edition issued in 2007, and the 2012 European version, has been used in the industry. The third edition, issued in Dec 2019, now supersedes the older 2007 edition. FDA has already recognized this revised edition as a consensus standard, and has issued a transition period until December 2022 for declaration of conformity. Regulatory agencies in other major markets are expected to follow a similar 3-year transition period.
As you consider your next steps, it is important to keep the big picture in mind. The medical device industry is undergoing a significant transition and changes in regulatory requirements are on the rise. Medical devices are using increasingly sophisticated technology. Not surprisingly, ISO 13485:2016 has newly added risk requirements the European regulation for Medical Devices (EU MDR and IVDR) has a heavy emphasis on risk management. There is increasing awareness that risk management practices have to fundamentally improve in the industry to ensure patient safety and public health.
In this light, there are 5 key, high-level changes in the latest revision of ISO 14971 as shown in the figure below. In our opinion, these changes aim to clarify and simplify requirements and to improve the effectiveness of the risk management process. In this blog, we will provide an overview of these high-level changes. Future articles will provide additional details and insights for implementation of each of these changes.
Key Change #1 - New Terms
Three new terms and their definitions have been added in Clause 3 of the revised standard:
Benefit is defined as “positive impact or desirable outcome of the use of the medical device on the health of an individual, or a positive impact on patient management or public health.”
Clarifying the types of potential benefits of a medical device is important for making benefit-risk decisions. Both benefits and risks should be evaluated, not in absolute terms, but relative to the standard of care at the time. These benefits may extend broadly to public health, not just an individual patient.
Reasonably foreseeable misuse is defined as “use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior.”
There are two elements to this definition – reasonable and foreseeable. Both require an understanding of the intended uses and users, including patients and providers, and the different ways a device may be misused. There is now an explicit requirement in clause 5.2 to document reasonably foreseeable misuse of the medical device.
State of the art is defined as the “developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.”
This term signifies generally accepted good practices and technology in medicine. It does not necessarily mean the most advanced technology, for example, robotics or artificial intelligence. It is sometimes also referred to as the generally acknowledged state of the art. There is now a requirement in Clause 4.2 to define and document a policy for risk acceptability based on national or regional regulations, International Standards and state of the art.
Key Change #2 - New Requirements for the Risk Management Plan
A new requirement to establish a method to evaluate the overall residual risk and criteria for risk acceptability has been added to the contents of a risk management plan. How the overall residual risk is evaluated needs to be clearly defined. There is also more clarity on verification activities to include implementation and effectiveness of risk control measures.
Requirements for risk management review in Clause 9 now have clarity to review the execution of the risk management plan, instead of a review of the risk management process required by the older version. As a result, there is more specificity to what needs to be reviewed prior to commercial distribution of the medical device.
Key Change #3 - Additional Clarity and Requirements for Production/Post-Production Activities
There are significant changes in Clause 10 on Production and Post-Production activities with clear requirements structured in 4 sub-clauses for collecting, reviewing and taking appropriate actions. Various sources of relevant information are clearly outlined. Required review of collected information is now more detailed and explicit. When the review of information indicates impact to safety, actions related to both the specific medical device and the risk management process are identified. In particular, the output of the evaluation is required to be used as an input for the reviewing the suitability of risk management process by top management. In this light, the risk management process now more closely linked to the management review process.
These changes reflect the increased requirements related to post-market surveillance in the EU MDR (and IVDR). These are also consistent with requirements of ISO 13485:2016 and evolving expectations at the FDA.
Key Change #4 - Simplification of Residual Risk Disclosure
The requirements for disclosure of individual residual risks and overall residual risk are now merged into a single requirement after the evaluation of the overall residual risk based on the method outlined in the risk management plan. In this way, this approach should now facilitate a more consistent and holistic benefit-risk evaluation for the overall residual risk. Devices which offer a significant benefit even when the overall residual risk is not acceptable based on pre-defined criteria may be acceptable. As an example, when no current treatment for a serious condition exists, even a high-risk device (overall residual risk) may still be beneficial.
Only those residual risks assessed to be significant need to be disclosed to the user and relevant information provided in accompanying documentation. It does not mean that less information should be disclosed, rather the standard aims to facilitate appropriate disclosure so the users (patient, provider and/or payor) can make informed decisions.
Key Change #5 - Focus on Competence, not on Qualification of Personnel
The change in Clause 4.3 is subtle, yet focusing on competence instead of qualification, has the potential to strongly influence the entire risk management process. Consistent with ISO 13485:2016, the requirements specify competence to be based on a combination of education, training, skills and experience relevant to the specific task assigned to each individual involved in the risk management process. It is not enough to just provide training and keep records. Training is only one action taken to achieve and maintain competence. Competence implies demonstrated ability to perform a task correctly, which suggests that training should lead to skills development and reinforcement through experience gained at the job. Effectiveness of training now becomes an important aspect, linked closely to the overall effectiveness of the risk management process.
In Conclusion, the updated third edition of ISO 14971 reflects the current state of the art on risk management for medical devices through experience gained in over a decade since the second edition. The 5 key changes highlighted in this blog should help you consider your next steps in improving your process. Risk management is a challenging process in the industry, and in our view, these changes aims to clarify and simplify requirements. The end goal should be to improve the effectiveness of the risk management process to consistently launch highly beneficial, safe and effective medical products.
Share your comments and questions below. Contact us and let us know how we can help.
References
ISO 14971:2019 – Application of Risk Management to Medical Devices, December 2019
ISO 13485:2016 for Medical Devices, March 2016