Let’s review the background of ISO 14971. As a medical device manufacturer, the first thing you need to do is make sure your devices do what they’re supposed to. Next, you need to make sure they meet the regulations and standards set for your intended markets.
Risk management is an integral part of the manufacture and final sale and acceptance of medical devices on the market. When producing medical devices, manufacturers should always consider that the end user may not have a choice regarding the device.
Therefore, as a manufacturer, you must meet all risk management standards laid down for your devices to be accepted by regulators and the physicians who use them on their customers.
What is Risk Management?
Risk management is the process by which a medical device manufacturer can identify and analyze hazards and risks and develop policies to control and monitor risks. Risk is the probability of the harm occurring and the extent of the harm if it does occur.
ISO 14971
- ISO 14971 is the current International Standard that provides guidelines for risk management in medical device manufacturing.
- The standard should be used to guide medical device manufacturers in establishing and monitoring an appropriate risk management process.
- Regulators follow the guidelines provided by this standard when evaluating medical devices and allowing them to enter the market.
- ISO 14971 was developed to provide a standardized process for identifying and monitoring risks throughout the lifecycle of a medical device. This standard ensures that these risks are monitored from the product design and concept stage, through purchasing, production and after-market use.
- Medical devices are attracting interest from a variety of stakeholders. These include manufacturers, doctors, governments, other healthcare professionals and patients. Therefore, a standardized framework for risk management processes for medical devices is important so that all these stakeholders can agree on a device's risk management process.
- In addition to the guidelines provided in the standard, the document has appendices. The appendices contain detailed explanations of the guidelines and detailed examples of how to implement the risk management procedures provided.
- This standard has evolved over time and has become a comprehensive guide to risk management for medical device manufacturers. The state-of-the-art guide was recently republished in 2019. Previous standards are now used as guidelines for the current standard.
- ISO 14971 includes definitions of terms related to medical device risk management. It also gives some general requirements for a risk management system, then goes on to provide guidelines on risk analysis, assessment and control. It also provides a risk management review guide and manufacturing and post-production activities for medical devices.
Some terms defined in ISO 14971 include:
- Hazard – a possible source of harm.
- Damage – physical injury to a person or damage to property or the environment.
- Risk analysis – the process of identifying hazards with available information and calculating the severity of harm.
- Risk estimation – the process of calculating the likelihood of harm occurring and estimating its severity.
- Risk assessment – linking risk severity to risk criteria.
- Risk control – the process of developing measures to eliminate, reduce or maintain a certain level of risk.
- Residual risk – risk that may occur even after taking the necessary risk control measures.
Risk Management Process
Once you have read and understood the ISO 14971 standard, it is up to you to set up your risk management process. For a medical device manufacturer, developing the risk management process begins with the involvement of the organization's top management.
ISO 14971 recommends that top management be responsible and provide resources for comprehensive risk management. Senior management also needs to establish a risk management policy that determines acceptable risk levels for the devices they manufacture.
The risk management process provided by ISO 14971 includes the following steps.
Step 1. Establishing a risk management framework in the organization
The organization’s senior management must establish a written policy of the organization’s risk management plan for all medical devices they manufacture. This will help establish a clear risk management process that includes the roles and responsibilities of the different parties in the organization.
Step 2. Define and provide the intended use of the device being manufactured
The risk management policy should identify the device for which the risk management process is carried out. It should also state the intended use of the device when placed on the market. This makes it easier to assess the risks that may arise over the life of the device.
Step 3. Identify Hazards
Senior management, together with the design/production team, should identify potential sources of risk for the device they are designing/producing at this stage of developing the risk management process.
Step 4. Identify any foreseeable misuse
This helps identify potential risks and plan ahead how to avoid them.
Step 5. Risk Estimation
Assess how severe the potential risk would be if it occurred.
Step 6. Risk assessment
- With the potential risks identified, how likely are they to occur?
- Is it possible to reduce the frequency of occurrence of risks?
Answer these two questions at this stage.
Step 7. Risk Control
The organization should prepare risk controls for when risks occur. Risk control includes steps or conditions that could limit the severity of the risk if it occurs.
Step 8. Assess Risk Acceptability
- Are the identified risks acceptable given the purpose of the medical device you are manufacturing?
- If so, are there ways to minimize the likelihood and severity of the risk occurring?
The answers to these questions will allow you to continue to manufacture the device if the effect of its use is positive.
If you have evaluated the risk acceptability level and found it unacceptable, you may discontinue production of the medical device.
Step 9. Review Your Risk Management Process
Review the risk management process, checking that you follow the corporate policy on risk management. Also, it’s best to consult the ISO manual to make sure you’re following the correct process. Then prepare a report on your review.
Now you can start the production of your device.
Step 10. Production and Post-Production Activities
Record and report any new information arising from the manufacture of the device. If you’re going to run tests, record any new information you can get. Record customer feedback on how the product works and the possibility of previously unidentified risks.
Risk management and review is an ongoing process. For this reason, you should follow and apply new developments related to the produced device.
Make a Risk Management Plan
At the senior management level, the organization will develop policy around the risk management process. Ideally, this should happen before your product goes into production. Also, post-production should be reviewed as new information emerges.
Once your product is on the market, you need to make a risk management plan. This is a plan for how to deal with the risks that arise while the product is on the market.
If you normally only manufacture one product, the risk management process is sufficient for a risk management plan. If you have more than one product, you need a risk management plan for each product.
Using your risk management process as a guide, list all identified risks that could affect your product. Then list all the action steps you will take to contain or minimize the risk should it arise.
Record all activities that will take place and identify the individuals who will be responsible for the different risk management activities. Have a risk management team for every medical device you bring to market. They should be knowledgeable about the production and purpose of the product.
In the risk management plan, determine how you will acquire new information to assist in risk management.
Continue to review the risk management plan whenever you have any new information regarding the likelihood of an identified risk occurring or not occurring.
Research the Risk
Once you have a product-specific risk management plan, the next step is to research the risk. Consider the intended use and foreseeable misuse of the product. Using these parameters, you can easily identify hazards that could pose potential risks to your product. A risk analysis tool will help you do this.
The first step is to research the risks that may arise along the value chain of your product and service. Identify risks from parties such as your suppliers and, among other types of risk, risks that may arise when shipping the product to the market.
There are many tools you can use for risk analysis.
Once you’ve identified the risks your product will pose, you need to find ways to control them. In this case, you can set rules for the use of the product so that you can easily manage the risks.
Conduct user training so that users can use the product for its intended purpose. You can also use warning labels affixed to the device to show how to use it. Doctors and other users can follow these alerts to ensure that the device is used correctly.
Also do a risk-benefit analysis. This will help you determine whether the risks from the use of the medical device you create are greater than the benefits. You will do this throughout the lifecycle of the device you are building.
Risk Controls
Risk controls are measures you take with your device to reduce the impact and probability of occurrence of identified risks.
Risk controls are part of the risk management process. When developing a policy on how to handle risks, you need to consider reducing the likelihood that the risk will occur.
Risk controls can be evaluated at different levels of the lifecycle of the medical device you manufacture. The first stage is the design and manufacture of the medical device. At this point, manufacturing organizations should try to add inherent security features that can reduce the occurrence of risks.
This means that the device must be designed to be already safe when tested on the market.
Another level of risk control to consider is to ensure that protective measures are in place within the device. If one of the identified risks is electrical problems, manufacturers may add a fuse that limits the product’s use of power. This will reduce the risk of an electrical malfunction or damage to the device.
The third level of risk controls is to provide warnings and instructions for use on the device. This level takes into account the purpose for which the device was built. It also considers the possibility of misuse.
So the manufacturer can provide instructions for use on the device. If it’s a large enough device, instructions can be pasted onto the device. Instructions for a small device can be written on the packaging.
In addition, manufacturers can organize training for key users of medical devices to ensure they use the devices as needed. This also helps to ensure that risks for the user are controlled.
Report Your Risk Management Results
When you thoroughly follow ISO 14971 guidelines for your device’s risk management process, you will need to document everything you do.
You will do this by creating a risk management report for your device or devices. In this report, you will certify that you comply with all ISO standards for medical device risk management. You will also document the results of your risk management mitigation and how you mitigate the inherent risk in the medical device you manufacture.
Finally, ISO 14971 has strong links with other standards, primarily ISO 13485: that standard contains a large number of references to risk management, so ISO 14971 methods should be applied. Other standards also have strong links to ISO 14971. To name a few: ISO 10993-1 (biological evaluation of medical devices), IEC 62344 (medical device software) and IEC 62366-1 (availability).