Labeling risk controls – Deviation #7 in EN ISO 14971:2012

Requirements for the Instructions for Use and labeling as labeling risk controls for medical devices in ISO 14971.

Residual Risks Labeling risk controls   Deviation #7 in EN ISO 14971:2012This article reviews the requirements for Instructions for Use and labeling as risk controls in the risk management standard for medical devices: ISO 14971. Specifically, the impact of the seventh deviation identified in the EN ISO 14971 Standard is reviewed. This is the 7th and final blog in our EN ISO 14971:2012 risk management series. If you would like additional, risk management training, we have a training webinar.

Why are labeling risk controls not effective?

Labeling, instructions, and warnings are required for medical devices. Unfortunately, the information provided by manufacturers is not effective at preventing hazardous situations and foreseeable misuse–especially if the user throws the paper leaflet in the garbage 10 seconds after the box is opened. Since the information provided to the user and patients is not effective in preventing harm, the European Commission indicated that this information (i.e. labeling risk controls) should not be attributed to risk reduction.

Labeling risk controls do not quantitatively reduce risks

The European Commission is not suggesting that your company should stop providing directions or warning users of residual risks. This deviation intends to identify incorrect risk estimation procedures. For example, if you are using Failure Mode And Effects Analysis (FMEA), (see Annex G.4 of the risk management standard) to estimate risk for a new product, you should not be listing labeling risk controls as the primary risk control. Clause 6.2 of the ISO 14971 Standard correctly identifies “information for safety” provided by the manufacturer as risk controls. Still, the effectiveness of labeling risk controls is so poor that you should not estimate that the implementation of labeling and IFUs reduces risks.

In Clause 2.15 of the ISO 14971 Standard, residual risk is defined as “risk remaining after risk control measures have been taken.” However, I prefer the following definition, which incorporates the concept of clinical evidence, design validation, and post-market surveillance:

“Residual risks are risks that remain: 1) after implementation of risk controls, 2) when products are used for new indications for use, 3) when products are used for wider user and patient populations, 4) when products are misused, and 5) when products are used for periods of time longer than the duration of pre-market clinical studies.”

The second essential requirement (ER2) states that users shall be informed of residual risks, but the conclusion that “information about residual risks cannot be a risk control” is incorrect. The most important wording in the deviation is “the information given to the users does not reduce the (residual) risk any further.” Failure to reduce risks any further is due to the lack of effectiveness of risk controls. Validation of risk control effectiveness should be performed during design validation, but validation will be limited to a small group of users and patients.

Risk management reports & post-market surveillance planning

In your risk management report, risk control options analysis should be summarized. Instead of evaluating risk acceptability before implementing risk controls, risk controls should be implemented, and any residual risks should be identified. A benefit/risk analysis must be performed for each residual risk and the overall residual risks. If the conclusion is that the benefits of the device outweigh the residual risks, then the device can be commercially released.

At the time of the final design review and commercial release, a Post-Market Surveillance (PMS) plan should be developed that includes an updated risk management plan. The updated risk management plan should specifically address how to estimate residual risks and verify the effectiveness of information provided to users and patients. Verification of risk control effectiveness should be part of the design verification and validation activities, but verification of effectiveness should also be part of ongoing PMS.

To facilitate future updates of your risk management report, you may want to organize risk controls into the following categories (in this order):

  1. Design elements (highly effective)
  2. Materials of construction (highly effective)
  3. Methods of manufacture (highly/moderately effective)
  4. Protective measures & alarms (moderately effective)
  5. Information provided to users & patients (least effective)

Each of the above risk controls will need to be addressed by your PMS plan.

3 thoughts on “Labeling risk controls – Deviation #7 in EN ISO 14971:2012”

  1. Rob – the definition you proffer of Residual Risk seems a bit confusing to me. Do risks *remain* “when products are used for new indications for use” or new hazards *come into being*? Same for wider populations or longer periods: Are new risks generated or the previously identified risks remain?

    Also, the idea that the risk controls should be implemented, but don’t count on them having any effect is hard to digest. As you correctly indicated: “Validation of risk control effectiveness should be performed during design validation” implying that one may find them to be effective (even the risk control of information for safety).

    Though not perfectly consistent, I personally have been most able to understand and identify with the distinction highlighted by Dan O’Leary 15 days ago between “information for safety” and “information about residual risk” or disclosure of residual risk. There Dan explains that the former is a legitimate risk control, and the latter refers to “Disclosure of individual and overall residual risk(s) giv[ing] background and relevant information necessary to explain the residual risk so users can proactively take appropriate actions to minimize exposure to the residual risk(s).” see http://lnkd.in/uphwGg.

    Disclosure of residual risk is different than information for safety as it is descriptive and not instructive. Disclosure of residual risk does not reduce risk further, and is an obligation, thus no extra credit can be taken for it.

  2. Pingback: IFU Validation and Post-Market Surveillance - A risk-based approach -

  3. Pingback: IFU validation is not a risk reduction - Medical Device Academy Deviation 7 Medical Device Academy

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top