ISO 14971:2019 (Risk Management)

Risk Management in according with ISO 14971:2019 Standard and the ISO/TR 24971:2020 Guidance for the application of ISO 14971 to medical devices.

Negligible Risks – Deviation #1 in ISO 14971

4 Comments / ISO 14971:2019 (Risk Management) / By /

This blog reviews the treatment of the negligible risks, which is deviation #1 within the EN ISO 14971:2012 European normative risk management standard.

%name Negligible Risks Deviation #1 in ISO 14971

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually.

Treatment of Negligible Risks in ISO 14971

The first deviation is specific to the treatment of negligible risks. In Annex D8.2, the ISO 14971 Standard indicates that the manufacturer may discard negligible risks. However, Essential Requirements in the three device directives require that “All risks, regardless of their dimension, need to be reduced as much as possible and need to be balanced, together with all other risks, against the benefit of the device.”

Common Misinterpretations

One of the most common mistakes is to confuse the concepts of hazard, harm, and risk. Each of these terms is defined in the ISO 14971 Standard in section 2, but the common mistake is to think that the European Commission is saying that 100% of the hazards you identify need to be reduced as much as possible.

The intent is to require manufacturers to reduce risks, rather than hazards. The first step of the risk analysis process involves identifying hazards. Still, some of these hazards may never result in harm, due to risk controls that are inherent to the design your company has chosen. Also, the severity of harm that a hazard may present could be so low that it may present no risk to the user or patient.

The best practice in risk management is to identify as many hazards as possible at the beginning of the risk analysis process. Still, then these hazards must be sorted into those hazards that will be analyzed for risk. One of the common phrases used in training is: “It is better to estimate the risk of 10% of 1,000 hazards than it is to estimate 50% of 100 hazards.”

If you follow the logic behind the phrase above, your team will need to estimate risk for 100 hazards, rather than 50 hazards. Your risk analysis team will also need to document the rationale behind the categorization of hazards.

Categorizing Hazards

If a hazard is associated with adverse events in the Manufacturer and User Facility Device Experience (MAUDE) database for your device or a similar device, then you need to ensure that the risk associated with that hazard is assessed and there are adequate risk controls. This is also true for any hazard associated with a customer complaint that your company anticipates. Any hazard that presents a high potential severity of harm should also be included in your risk analysis. However, if a hazard is entirely eliminated by the design of your device, then you do not need to include it in the risk analysis.

I recommend writing a hazard identification report that includes all the hazards that were identified. This report should also categorize the hazard. You only need two categories: 1) hazards to be analyzed for risk, and 2) hazards that do not require risk analysis. You need a rationale for each risk that you do not perform risk analysis for, and you need traceability to risk controls and the risk-benefit analysis for each hazard that you do analyze.

Example of a Rationale for Not Analyzing the Risk of a Hazard

About eight years ago, the United States Food and Drug Administration (USFDA) issued an alert cautioning physicians to avoid the use of hemostatic agents near the spinal column, due to the potential hazard of paralysis caused by the swelling of a hemostatic agent as it absorbs the blood. My employer, Z-Medica, quickly received many customer inquiries asking about the safety of QuikClot near the spinal column. I was able to quickly respond that there were zero risks of QuikClot causing paralysis because that particular hemostatic agent did not swell. Instead of absorption, the product adsorbed blood and did not change in size or shape during the adsorption process.

Impact of Deviation #1 about “Negligible Risk”

As companies become aware of this deviation between the 14971 Standard and the Essential Requirements of the device directives, I believe teams that are working on risk analysis and people that are performing a gap analysis of their procedures will need to be more careful about which hazards are identified in their risk management reports. The burden of showing traceability from hazards to risk controls and risk-benefit analysis is substantial. Therefore, it is important to be systematic about how hazards are identified and to provide a clear justification for any hazards that are not included in the risk analysis.

The common phrase that has been used in risk management training classes should be reconsidered in light of feedback from the European Commission. Maybe a better phrase would be: “It is better to estimate the risk of 10% of 200 hazards than it is to estimate 50% of 20 hazards. However, it is important to provide a clear justification for any hazards that are not included in the risk analysis.”

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

Auditing ISO 14971 – 4 Steps to Assess Compliance

7 Comments / ISO 14971:2019 (Risk Management) / By / , ,

This article describes four key steps for auditing ISO 14971, and suggested auditing questions are included.

Let’s say that you went ahead and purchased ISO 14971:2012, read Annex ZA, and identified a couple of gaps in your procedure. After you revised your Risk Management procedure to be compliant with the revised Standard, then what are you supposed to do?

Most QA Managers struggle over whether they should purchase ISO 14971:2012. I wrote a couple of blog postings about this matter, but my point was not to debate this question but to ensure companies are aware that they need to be compliant with the MDD and the ISO 14971 Standard. The “changes” from 2009 to the 2012 version are simply the European Commission reminding manufacturers that there are seven aspects of the ISO 14791 Standard that do not meet the requirements of the MDD. Therefore, if your company has already verified that your risk management process is compliant with the MDD–then you have nothing to change. However, if your risk management process is only compliant with ISO 14971:2009, then you need to revise your processes and procedures to address these seven aspects. 

4 Steps in Auditing ISO 14971

Once you have made revisions to your risk management process, how do you perform auditing of ISO 14971?

Step 1: Planning your auditing ISO 14971

This will be an internal audit, and since you (the QA Manager) are the process owner for the risk management process, you personally cannot audit this process. You need to assign someone that has the technical skill to perform the audit, but this person cannot be the process owner (you) or a direct report to the process owner (the rest of the QA department). Fortunately, the Director of Engineering is also trained as an internal auditor at your company. She is trained on ISO 14971:2009, but she did not receive risk management training to the most current version. To address this gap, she must read the updated Standard to understand what’s new.

novcover preview 211x300 Auditing ISO 14971 4 Steps to Assess Compliance
Clause 3.2 of ISO 14971 requires that top management review the Risk Management Process for Effectiveness.

She has participated in risk management activities, but each product development engineer participates in risk management activities for their own design projects. Therefore, she has several projects she can sample risk management records from without auditing her own work. You have communicated that you need this audit finished sometime in December because you want any CAPAs resulting from the audit to be finalized before the next Management Review at the end of January. The timing of the Management Review is important because the risk management procedure requires that top management assess the effectiveness of the risk management process during Management Review meetings.

There are no previous audit findings to close from the last audit of the risk management process. Still, the Director of Engineering has seven specific items to emphasize from the 2012 revision of the Standard, and a revised procedure for risk management. Therefore, she will prepare for the audit by identifying some new interview questions to specifically address these changes–as well as some more general, open-ended questions.

Specific questions related to Annex ZA when auditing ISO 14971

1. How does the risk analysis evaluate the acceptability of risks in the lowest category? (This is a leading question, but it is specifically designed to determine if negligible risks are discarded).

2. Please provide a few examples of how risks in the lowest category were reduced. (In sections 1 and 2 of the Annex, I require all risks to be reduced as far as possible, and for all risks to be evaluated for acceptability. The wording of this question also allows auditors flexibility in their sampling).

3.  How did the design team determine when they had implemented sufficient risk controls to minimize risks? (Many companies use a color-coded matrix as a quasi-objective method for determining when risks are adequately reduced. This process is often referred to as the ALARP concept. Annex ZA specifically prohibits using economic considerations as part of this determination).

4. How did you conduct a risk-benefit analysis? (The Standard allows for performing a risk-benefit analysis when overall residual risks exceed the acceptability criteria as outlined in the risk management plan. However, the MDD requires an overall risk-benefit analysis in Section 1 of Annex I. Section 6 also requires that a risk-benefit analysis be performed for each individual risk).

5. How were risk control options selected? (Section 2 of the MDD implies that the manufacturer shall review All the control options and pick the most appropriate ones. Therefore, the auditor should specifically look for evidence that the team systematically reviewed all possible control options to reduce risks–rather than stopping as soon as the risks were reduced to an acceptable level).

6. What were your team’s priorities for the implementation of risk control options? (It’s possible that the previous question will be sufficient to gather evidence that risk controls were implemented with the required prioritization, as specified in the MDD. However, this question would be used as a follow-up question if it is not clear that the team prioritized the risk control options in accordance with Section 2 of Annex I).

7. How was the effect of labeling and warnings in the instructions for use incorporated into the estimation of residual risks? (Almost every company remembers to include residual risks in their IFU as a warning or caution statement. However, Section 2 of Annex I does not allow for including this information given to the users as a method of reducing risks. Therefore, in a Design FMEA, you would not list labeling and IFUs in your column for current risk controls when you determine the risk. This should be identified as an action to be taken–with no impact on the score for residual risk).

%name Auditing ISO 14971 4 Steps to Assess ComplianceThe above questions are not examples of using the process approach, but each question is phrased in an open-ended manner to maximize the objective evidence gathered during the interview process. If you are doing a process audit, it’s still acceptable to include questions that use the element approach.

Generic questions when auditing ISO 14971

1. When was the ISO 14971:2012 version of the Standard added to the controlled list of external Standards?

2. Please provide examples of where you have updated the Essential Requirements Checklist (a Technical File document) to reference the newest revision of ISO 14971:2012, and please show at least one example of how the risk management report was updated to reflect this revision.

3. How did you verify training effectiveness for the design team specific to the updated risk management procedure before conducting a risk analysis?

%name Auditing ISO 14971 4 Steps to Assess ComplianceThese generic questions do not require reading the ISO 14971:2012 Standard. Instead, each question forces the auditee to demonstrate their knowledge of the revised Standard by answering open-ended interview questions. Each of these questions is also designed to test linkages with other support processes. This is an example of how to use the process approach.

Step 2: Auditing ISO 14971

The next step is to conduct your audit of ISO 14971. During the auditing of ISO 14971, the Director of Engineering will gather objective evidence of both conformity and nonconformity for the risk management process. The generic interview questions that were developed allow her to evaluate the effectiveness of linkages between the risk management process and other processes, such as:

1) Document control

2) Creating technical documentation for regulatory submissions

3) The training process

Specific questions verify that each of the seven elements identified in Annex ZA of ISO 14971:2012 is adequately addressed in the revised procedure. When the audit is completed, the auditor will have a closing meeting with the process owner (you) and the auditee(s), so that everyone is clear about what the findings were, and if there were any nonconformities. This is the time to clarify what needs to be done to prevent each nonconformity from recurring.

Step 3: Writing the Report & Taking Corrective Action(s)

This is no different from any other audit. Still, it is critical to have the report completed soon enough so that CAPAs can be initiated (not necessarily completed) before the Management Review.

Step 4: Verifying Effectiveness of Corrective Action(s)

Many people struggle with verifying the effectiveness of corrective actions–regardless of the process. My advice is to identify a process metric to measure effectiveness. Then the effectiveness check is objective. For example, monitoring the frequency of updates to the list of external standards can help verify that the process for monitoring when Standards are updated is effective. Likewise, the frequency of updates to the Essential Requirements Checklist and the risk management records referenced in the Essential Requirements Checklist indicates if the risk management process is being maintained. Finally, monitoring the lag between the time procedures are updated and when the associated training records are updated quickly identifies if there is a systemic problem with training or if a training gap is just an example of a single lapse.

Do you need to purchase the latest EN ISO 14971 version?

13 Comments / ISO 14971:2019 (Risk Management) / By / ,

It is not necessary to purchase the EN ISO 14971 version because you should already be compliant and amendments are sold separately.

Discussion about a risk management standard 1024x664 Do you need to purchase the latest EN ISO 14971 version?

If the above conversation sounds familiar, hopefully, this blog will help.

Note: This is a 2012 blog that will be updated and/or consolidated soon, but here’s a link for risk management training.

Question 1: What is the current version of EN ISO 14971?

Answer 1: EN 14971 was revised to 2012 on July 6, 2012. The previous 2009 version was withdrawn. The ISO version is not changing–just the EN version.

Question 2: What’s new in 2012?

Answer 2: Only the three Annexes related to harmonization with the three directives (MDD, AIMDD, and IVDD) were updated. The content of the Standard itself has not changed.

Question 3: Do I need to buy EN ISO 14971… which really hasn’t changed since 2007?

Answer 3:  No…unless you still have the 2000 version. (just my personal opinion … not anyone else necessarily agrees)

Why you don’t need to buy the  EN ISO 14971 version…

Historically, Annex ZA was the annex at the back of a Standard that would explain how it is harmonized with the European Directives. However, in 2009, Annex ZA was separated into ZA, ZB, and ZC. Each of these Annexes explained how the current version of ISO 14971  (then ISO 14971:2007) differs from each of the three directives. In addition, there was a correction to Figure 1 (i.e., – arrow in the wrong location). Neville Clarke provided a good summary of these minor changes that occurred in 2009. The European Commission was concerned with some of the differences between the 2009 Standard and the Directives. Therefore, the Standard has been updated to clarify these differences.

There are seven technical deviations from the Standard that are required for compliance with the European Directives. Marcelo Antunes is an expert on Standards, and he accurately describes these deviations as “weird” in a discussion thread on Elsmar Cove’s Forum. The deviation that seems to have caught the most attention is the requirement to reduce ALL risk to “as low as possible” (ALAP) rather than to a level that to “as low as reasonably practicable” (ALARP concept). The “ALAP” acronym was a joke, but it wouldn’t be the first time that something like this stuck (i.e., – SWAG).

An alternative approach to verifying compliance with EN ISO 14971

If you sleep with a label maker under your pillow, you should buy the new BS EN 14971:2012 version,  so you can ensure that you are staying in compliance with each of these seven deviations and that you have considered the implications fully in your procedure for Risk Management. However, if you are a practical person that prefers not to upset the entire development team, I recommend a different approach.

1. Download a copy of the relevant Directive from the Europa Website

2. Using Adobe, search the entire Directive for the word “risk”:

AIMDD = 24 times

MDD = 55 times

IVDD = 34 times

3. Systematically review where the word “risk” is used to determine if you need to make adjustments for your CE Marked products. If you already have a CE Mark, there should be no changes required to your risk management documents. Your procedures might need clarification to observe the requirements of the Directive when there is a difference between the Standard and the Directive.

Last Question: What is your Notified Body auditor going to do?

Final Answer: I’m not sure, because every auditor is a little different in their approach. However, as an instructor, I would teach an auditor to ask open-ended questions, such as: “How did you determine if there is an impact upon your procedures and design documentation with regard to the updated Standard?” (i.e., – impact analysis). If the company provides an impact analysis and explains why the existing risk documentation and procedure should not change, I believe this meets the requirements for “equivalency with the State of the Art.”

Honestly, I haven’t seen one single company that was 100% in compliance with the “letter” of the Directives or the Standard. Sometimes, rational thought must overcome political compromises and irrational behaviors.

On the other hand, it’s always possible that these seven deviations, and the information on corrective action, will fundamentally change the way your company approaches risk management (I just dare you to bring it up in your next management review).

If you would like a second opinion, the Document Center’s Standard Forum says, “As you can see, this material is essential to conformance with the EN requirements and will make the purchase of the EN edition (BS EN ISO 14971 is the official English language edition) mandatory for medical device manufacturers certifying to the standard for sales in Europe.” FYI…Document Center’s Standard Forum sells Standards. You can buy this one from them for $324.

 

Scroll to Top