ISO 14971:2007 was released in 2007, replacing an earlier version published in 2000. While the definitions of "risk" and medical device "risk management," defined as "combination of the probability of occurrence of harm and the severity of that harm" and "the systematic application of management policies, procedures and practices, to the tasks of analyzing, evaluating, monitoring and controlling risk," respectively, haven't changed from the first edition, the new edition better aligns with the requirements of ISO 13485:2003.
This edition provides more guidance on the application of the Risk Management Plan, particularly with regard to risk acceptability. It is acknowledged that "absolute safety" in medical devices is unattainable; however, the standard describes and recommends management policies, procedures and practices of a system to analyze, evaluate and control risk. Minor changes were made to the normative section, and the fundamental medical device Risk Management Activities and steps remain unchanged.
Six new terms and definitions are identified in ISO 14971:2007:
The definition of "risk evaluation" from the first edition was modified to delete the reference to "based on the current values of society," to reflect the following: process of comparing the estimated risk against given risk criteria to determine the acceptability of risk.
Clearly, both editions require a medical device risk management process as a component of the design of a medical device. Previously, ISO 13485:2003, Product Realization, Clause 7, made reference to use of ISO 14971 as the guidance for medical device risk management. Since ISO 13485 didn't exist when the first edition of ISO 14971 was published, the new edition comments specifically on Clause 7 of ISO 13485:2003. ISO 14971:2007 emphasizes that the risk analysis and risk management process is an ongoing process throughout the medical device life cycle. The new edition clarifies that "top management" is the de facto manufacturer: it "direct(s) and control(s) a manufacturer at the highest level" and is to "provide evidence of its commitment to risk management," "define and document the policy for determining criteria for risk acceptability" and "review the suitability of the risk management process." The standard does not define acceptable risk levels; therefore, top management has a pivotal role.
Both editions include annexes titled Questions That Can Be Used to Identify Medical Device Characteristics That Could Impact Safety. While the list is "not exhaustive, or representative of all medical devices," ISO 14971:2007 includes additional comments and factors. The new edition further characterizes a manufacturer's policy for determining acceptable risk as "essential" and recommends, as one option, matrices (examples provided in Annex D), which document the combinations of probability of harm and severity of harm that are acceptable or unacceptable.
One example (Figure D.4), a 3 x 3 risk evaluation matrix, has qualitative probability levels (high, medium, low) on the vertical side and qualitative severity levels (negligible, moderate, significant) on the horizontal side, as well as a conclusion as to whether the risk is acceptable or unacceptable. The acceptable region of the matrix can be further subdivided into "insignificant" and "investigate further risk reduction." In fact, Annex D, Risk Concepts Applied to Medical Devices of the 2007 edition, compared to Annex E of the same title in the old version, has been significantly revised. Additional sections about Risk Control (D.5), Risk/Benefit Analysis (D.6) and Overall Residual Risk Evaluation (D.7) have been added. The risk region termed "ALARP" (As Low As Reasonably Practicable), referenced in the first edition, is discussed in greater detail in its own section (D.8), titled the "As-Low-as-Reasonably Practicable Approach." The new edition provides guidance on the relationship between hazards and hazardous situations (Annex E).
An interesting note is that the IEC 60601-1:2005 third edition, titled Medical Electrical Equipment, Part 1, General Requirements Safety, Clause 4.2, requires that "a risk management process complying with ISO 14971 shall be performed." While it can't be sufficiently reiterated that standards are voluntary, the above statement integrates process-based requirements into a test standard. Furthermore, some organizations (notified bodies, testing laboratories, registrars) have capitalized on this and provide related services. Of note, Underwriters Laboratories Inc. is the first to offer an ISO 14971 registration service for medical devices to ensure the manufacturer's risk management process is compliant with the medical device risk management process expectations of IEC 60601. BSI similarly has suggested that it will offer an ISO 14971 certification for medical device manufacturers. The consequences and impact of this additional certification are interesting. From this perspective, how is this certification going to fit into the wider scheme of ISO and CE Marking certificates in Europe? Obviously, the medical device community will continue to monitor these changes, especially as they relate to increased requirements for CE Marking medical devices.
Medical device risk management and risk analysis is a serious and ongoing process that is inherent in the medical device product realization process. ISO 14971:2007 should facilitate the risk management process, and the added guidance is welcomed.