ISO TR 24971:2013
Medical devices -- Guidance on the application of ISO 14971
ISO TR 24971:2013 provides guidance in addressing specific areas of ISO 14971 when implementing risk management. This guidance is intended to assist manufacturers and other users of the standard to understand the role of international product safety and process standards in risk management, develop the policy for determining the criteria for risk acceptability, incorporate production and post-production feedback loop into risk management, differentiate between "information for safety" and "disclosure of residual risk", and evaluate overall residual risk.
General Information
- Status: Published
- Publication Date: 18-Jun-2013
- Technical Committee: SC 62A - Common aspects of medical equipment, software, and systems
- Drafting Committee: JWG 1 - TC 62/SC 62A/JWG 1
- Current Stage: DELPUB - Deleted Publication
- Start Date: 19-Jun-2020
- Completion Date: 24-Nov-2017
Relations
- Effective Date: 05-Sep-2023
Overview
ISO TR 24971:2013 - "Medical devices - Guidance on the application of ISO 14971" is a Technical Report that clarifies specific aspects of implementing ISO 14971 (medical device risk management). It supplements ISO 14971 by providing practical guidance on how to interpret and apply risk-management requirements across device design, production and post‑production activities. The report is intended to help manufacturers and other stakeholders translate international product safety and process standards into effective risk-control measures.
Key Topics
- Role of international product safety standards: How standards (for example IEC 60601 series) can be used as de-facto risk-control measures and when compliance can justify that residual risk is acceptable, unless there is objective evidence to the contrary.
- Policy for risk acceptability: Guidance on developing company policies and criteria for deciding when residual risks are acceptable.
- Production and post‑production feedback loop: Practical approach to observation, transmission, assessment and action for production and post‑market surveillance to keep the risk-management file current.
- Information for safety vs disclosure of residual risk: How to differentiate risk-control communications intended to ensure safe use (e.g., instructions and warnings) from formal disclosures about remaining risks.
- Evaluation of overall residual risk: Inputs and considerations for assessing aggregated risks after all controls are applied.
Practical implementation tips
- Start by identifying hazards and hazardous situations per ISO 14971 and then check whether relevant product safety standards address them.
- Where a standard specifies technical requirements and acceptance criteria (e.g., stability test on a 10° incline or leakage current limits in IEC 60601‑1), manufacturers may rely on conformity testing and design specs as verification of risk control.
- For hazards not covered by standards, perform the full ISO 14971 risk-estimation and evaluation cycle.
- Integrate post‑production data (complaints, vigilance reports, recalls) into the risk management file and update risk assessments and controls as needed.
Applications
- Device design validation and verification planning
- Creation of risk-management policies and acceptability criteria
- Post‑market surveillance and corrective action planning
- Labeling decisions: distinguishing between safety instructions and residual-risk disclosure
Who should use this standard
- Medical device manufacturers and risk managers
- Regulatory and quality professionals (QA/RA)
- Notified bodies and conformity assessment teams
- Usability engineers, clinical engineers and product development teams
Related standards
- ISO 14971 (risk management for medical devices)
- IEC 60601 series (medical electrical equipment) - examples cited in the report
- IEC 62304 (software life-cycle processes)
- IEC 62366 (usability engineering)
- ISO 10993 series (biological evaluation)
Keywords: ISO TR 24971:2013, ISO 14971, medical device risk management, residual risk, product safety standards, post-production surveillance, risk acceptability.
ISO TR 24971:2013 - Medical devices -- Guidance on the application of ISO 14971. Released: 6/19/2013
Frequently Asked Questions
ISO TR 24971:2013 is a technical report published by the International Electrotechnical Commission (IEC). Its full title is "Medical devices -- Guidance on the application of ISO 14971". This standard covers: ISO TR 24971:2013 provides guidance in addressing specific areas of ISO 14971 when implementing risk management. This guidance is intended to assist manufacturers and other users of the standard to understand the role of international product safety and process standards in risk management, develop the policy for determining the criteria for risk acceptability, incorporate production and post-production feedback loop into risk management, differentiate between "information for safety" and "disclosure of residual risk", and evaluate overall residual risk.
ISO TR 24971:2013 is classified under the following ICS (International Classification for Standards) categories: 11.040.01 - Medical equipment in general; 29.035.50 - Mica based materials. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO TR 24971:2013 has the following relationships with other standards: it has inter-standard links to ISO TR 24971:2020. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
TECHNICAL REPORT ISO/TR 24971
First edition 2013-07-01
Medical devices — Guidance on the application of ISO 14971
Dispositifs médicaux — Directives relatives à l’ISO 14971
Reference number: ISO/TR 24971:2013(E)
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 The role of international product safety and process standards in risk management
2.1 Overview
2.2 Use of international product safety standards in risk management
2.3 International process standards and ISO 14971
3 Developing the policy for determining the criteria for risk acceptability
4 Production and post-production feedback loop
4.1 Overview
4.2 Observation and transmission
4.3 Assessment
4.4 Action
5 Differentiation of information for safety and disclosure of residual risk
5.1 Difference between “information for safety” and “disclosure of residual risk”
5.2 Information for safety
5.3 Disclosure of residual risk
6 Evaluation of overall residual risk
6.1 Overview
6.2 Inputs and other considerations for overall residual risk evaluation
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
ISO/TR 24971 was prepared jointly by Technical Committee ISO/TC 210, Quality management and
corresponding general aspects for medical devices, and Technical Committee IEC/SC 62A, Common aspects
of electrical equipment used in medical practice. The draft was circulated for voting to the national bodies
of both ISO and IEC.
Introduction
Experience indicates that manufacturers have difficulty with practical implementation of some clauses
of the risk management International Standard, ISO 14971:2007, Medical devices — Application of risk
management to medical devices. This Technical Report provides guidance to assist in the development,
implementation and maintenance of risk management for medical devices that aim to meet the
requirements of ISO 14971. It provides guidance for specific aspects of ISO 14971 for a wide variety
of medical devices. These medical devices include active, non-active, implantable, and non-implantable
medical devices and in vitro diagnostic medical devices.
This Technical Report is not intended to be an overall guidance document on the implementation of
ISO 14971 for organizations. It supplements the guidance contained in the informative annexes of
ISO 14971 related to the following areas.
— Guidance on the role of international product safety and process standards in risk management
— Guidance on developing the policy for determining the criteria for risk acceptability
— Guidance on how the production and post-production feedback loop can work
— Guidance on the differentiation of information for safety as a risk control measure and disclosure of
residual risk
— Guidance on the evaluation of overall residual risk
This Technical Report provides some approaches that an organization can use to implement and maintain
some aspects of a risk management system that conforms to ISO 14971. Alternative approaches can be
used if these satisfy the requirements of ISO 14971.
When judging the applicability of the guidance in this Technical Report, one should consider the nature
of the medical device(s) to which it will apply, the risks associated with the use of these medical devices,
and the applicable regulatory requirements.
Medical devices — Guidance on the application of ISO 14971
1 Scope
This Technical Report provides guidance in addressing specific areas of ISO 14971 when implementing
risk management.
The guidance is intended to assist manufacturers and other users of the standard to:
— understand the role of international product safety and process standards in risk management;
— develop the policy for determining the criteria for risk acceptability;
— incorporate production and post-production feedback loop into risk management;
— differentiate between “information for safety” and “disclosure of residual risk”; and
— evaluate overall residual risk.
2 The role of international product safety and process standards in risk management
2.1 Overview
International product safety and process standards play a significant role in risk management as
described by ISO 14971. In principle, these standards are developed using a type of risk management
that can include identifying hazards and hazardous situations, estimating risks, evaluating risks,
and specifying risk control measures. More information on a process for developing medical device
standards using a type of risk management can be found in documents such as ISO/IEC Guide 51 and
ISO/IEC Guide 63. International product safety and process standards are developed by experts in the
field and represent the generally accepted state of the art (see D.4 of ISO 14971:2007).
These standards can have an important role in risk management. When performing risk management,
the manufacturer first needs to consider the medical device being designed, its intended use and the
hazards/hazardous situations related to it. Manufacturers can, if they choose, identify standard(s) that
contain specific requirements that help manage the risks related to those hazards/hazardous situations.
For medical devices that satisfy the requirements and compliance criteria of these standards, the
residual risks related to those hazards/hazardous situations can be considered acceptable unless there
is objective evidence to the contrary. Some potential sources of objective evidence to the contrary can
include reports of adverse events, product recalls and complaints. The requirements of International
Standards, such as engineering or analytical processes, specific output limits, warning statements, or
design specifications, can be considered risk control measures established by the standards writers
that are intended to address the risks of specific hazardous situations that have been identified and
evaluated as needing risk control.
In many cases, the standards writers have taken on and completed elements of risk management
and provided manufacturers with answers in the form of design requirements and test methods for
establishing conformity. When performing risk management activities, manufacturers can take
advantage of the work of the standards writers and need not repeat the analyses leading to the
requirements of the standard. International standards, therefore, provide valuable information on risk
acceptability that has been validated during a worldwide evaluation process, including multiple rounds
of review, comment, and voting.
2.2 Use of international product safety standards in risk management
An international product safety standard can establish requirements that, when implemented, result in
acceptable risk for specific hazardous situations (e.g. safety limits). The manufacturer can apply these
requirements in the following way when managing risk.
a) Where an international product safety standard specifies technical requirements addressing
particular hazards or hazardous situations, together with specific acceptance criteria, compliance
with those requirements is presumed to establish that the residual risks have been reduced to
acceptable levels unless there is objective evidence to the contrary. For example, in IEC 60601-1,
Medical electrical equipment — Part 1: General requirements for basic safety and essential performance,
leakage current must be controlled to achieve an acceptable level of risk. IEC 60601-1 provides
leakage current limits that are considered to result in an acceptable level of risk when measured
under the conditions stated in 8.7 of IEC 60601-1:2005. For this example, further risk management
would not be necessary. The following steps need to be taken in this case.
1) Implement 4.2 and 4.3 of ISO 14971:2007 to identify characteristics related to safety and
identify hazards and hazardous situations associated with the device as completely as possible.
2) Identify those hazards and hazardous situations relevant to the particular medical device that
are exactly covered by the international product safety standard.
3) For those identified hazards and hazardous situations exactly covered by the international
product safety standard, the manufacturer may choose not to estimate (4.4 of ISO 14971:2007) or
evaluate (Clause 5 of ISO 14971:2007) the risks so identified but rather rely on the requirements
contained in the international standard to demonstrate the completion of risk estimation and
risk evaluation.
4) To the extent possible, the manufacturer should identify the design specifications that satisfy
the requirements in the standard and serve as risk control measures (6.2 of ISO 14971:2007).
NOTE For some international product safety standards, the possibility of identifying all the specific risk
control measures is limited. One example is electromagnetic compatibility testing in IEC 60601-1-2, Medical
electrical equipment — Part 1-2: General requirements for basic safety and essential performance — Collateral
standard: Electromagnetic compatibility — Requirements and tests, for complex medical devices.
5) Verification of the implementation of the risk control measures for these hazardous situations
is obtained from the design documents. Verification of the effectiveness of the risk control
measures is obtained from the tests and test results demonstrating that the device meets the
relevant requirements of the international product safety standard.
6) If the relevant requirements are met, the associated residual risk is considered acceptable.
b) Where an international product safety standard does not completely specify technical requirements
and associated tests and test acceptance criteria, the situation is more complex. In some cases, the
standard directs the manufacturer to perform specific tests related to known hazards or hazardous
situations but does not provide specific test acceptance criteria (e.g. IEC 60601-2-16, Medical
electrical equipment — Part 2-16: Particular requirements for basic safety and essential performance of
haemodialysis, haemodiafiltration and haemofiltration equipment). In some other cases, the standard
can simply direct the manufacturer to investigate specific hazards or hazardous situations in
their risk analysis (e.g. 10.2 of IEC 60601-1:2005). The range of alternatives is too large to provide
specific guidance on how to use such standards in the risk management process. Manufacturers
are encouraged, however, to use the content of such standards in their risk management of the
particular medical device.
c) For hazards or hazardous situations that are identified for the particular medical device but are
not specifically addressed in any standard, the manufacturer needs to address those hazards or
hazardous situations in the risk management process. The manufacturer is required to estimate
and evaluate the risks and, if necessary, control these risks (see 4.4 and Clauses 5 and 6 of
ISO 14971:2007).
See Figure 1 for a flowchart and an example outlining the use of international product safety standards.
[Figure 1: flowchart (left) with a worked example (right), rendered here as text]
1) Identify hazards/hazardous situations (H/HS) (4.3 of ISO 14971:2007).
Example: Hazardous situation identified: patient (and medical device) needs to be transferred from one room to another; if put in transport position, equipment overbalances and patient falls.
2) Are the H/HS addressed in international product safety standard(s)?
No: 2 c) Input the identified hazards and hazardous situations into the risk management process.
Yes: continue with step 3.
Example: Yes: IEC 60601-1:2005, Subclause 9.4.2.1.
3) How is it addressed? Choose between 2 a) and 2 b).
2 b): Use the identified hazards, hazardous situations, test methods, or other relevant information in the risk management process.
2 a): International product safety standard specifies requirements and provides specific test acceptance criteria. Continue with step 4.
Example: Yes: there is a specified requirement: The equipment shall not overbalance when placed in any transport position of normal use on a plane inclined at an angle of 10° from the horizontal plane, and specific acceptance criteria (defined test). If the equipment overbalances, it does not comply with the requirement.
4) Do requirement(s) fully match the design including the intended use?
No: Use the identified hazards, hazardous situations, test methods, or other relevant information in the risk management process.
Yes: continue with step 5.
Example: Yes, equipment is transportable, and it can be transported with patient on it to accommodate patient transfers.
5) No need to estimate (4.4) or evaluate risk (5).
Example: Risk is not estimated nor evaluated prior to implementation of risk control measure.
6) Identify the design specifications that achieve the requirement in the standard (6.2).
Example: Identified in the risk management file.
7) Verify the effectiveness (6.3) by performing test(s) according to the standard.
Example: Test performed: equipment placed on a plane inclined at an angle of 10° from the horizontal plane. Result: medical device does not overbalance.
8) If the test is passed, related residual risks are considered acceptable (6.4).
Example: Medical device does not overbalance, so the related residual risk is considered acceptable.
Figure 1 — Use of international product safety standards and example of such standard that
specifies requirements and provides specific test acceptance criteria
2.3 International process standards and ISO 14971
International process standards, as shown in the examples below, can often be used in conjunction with
ISO 14971. This is performed in one of two ways:
— The international process standard requires application of ISO 14971 as part of the implementation
of the international process standard, e.g. IEC 62304 on software life cycle processes; or
— The international process standard is intended to be used in risk management, e.g. IEC 62366 on
usability engineering and the ISO 10993 series on biological evaluation.
In either case, proper use of the international process standard requires attention to the interfaces
between that standard and ISO 14971 in order to achieve acceptable levels of risk for the medical device.
The two standards should work together such that inputs, outputs and their timing are optimized. Three
examples are given below to demonstrate this ideal situation.
a) IEC 62304, Medical device software — Software life cycle processes
The relationship between IEC 62304 and ISO 14971 is well-described in the introduction to IEC 62304:
As a basic foundation it is assumed that medical device software is developed and maintained
within a quality management system (see 4.1 of IEC 62304:2006) and a risk management process
(see 4.2 of IEC 62304:2006). The risk management process is already very well addressed by the
International Standard ISO 14971. Therefore IEC 62304 makes use of this advantage simply by a
normative reference to ISO 14971. Some minor additional risk management requirements are
needed for software, especially in the area of identification of contributing software factors related
to hazards. These requirements are summarized and captured in Clause 7 of IEC 62304:2006 as
the software risk management process.
Whether software is a contributing factor to a hazard is determined during the hazard identification
activity of the risk management process. Hazards that could be indirectly caused by software
(for example, by providing misleading information that could cause inappropriate treatment to be
administered) need to be considered when determining whether software is a contributing factor.
The decision to use software to control risk is made during the risk control activity of the risk
management process. The software risk management process required in this standard has to
be embedded in the device risk management process according to ISO 14971.
IEC 62304 makes a normative reference to ISO 14971 and specifically requires:
— software development planning (5.1 of IEC 62304:2006) that is consistent with the risk
management plan required by ISO 14971; and
— a software risk management process (Clause 7 of IEC 62304:2006) based upon ISO 14971.
b) IEC 62366, Medical devices — Application of usability engineering to medical devices
The flow diagram in Figure A.1 of IEC 62366:2007 demonstrates the relationship and interconnection
of the two parallel and interconnecting processes. In addition to making a normative reference to
ISO 14971, IEC 62366:2007 identifies three specific clauses where the usability engineering process
can supplement and interact with risk management as described in ISO 14971:
— 5.3.1 of IEC 62366:2007 requires: “An identification of characteristics related to safety (part of
a risk analysis) that focuses on usability shall be performed according to ISO 14971:2007, 4.2.”
— 5.3.2 of IEC 62366:2007 requires: “The manufacturer shall identify known or foreseeable
hazards (part of a risk analysis) related to usability according to ISO 14971:2007, 4.3.”
— 5.9 of IEC 62366:2007 on Usability Validation makes several references to activities that would
be undertaken as part of risk management.
c) ISO 10993 (all parts), Biological evaluation of medical devices
The introduction to ISO 10993-1 states that ISO 10993-1 is intended to be a guidance document
for the biological evaluation of medical devices within risk management, as part of the overall
evaluation and development of each device.
Annex B of ISO 10993-1:2009 applies ISO 14971 to provide guidance on the risk management approach
for identification of biological hazards associated with medical devices, estimation and evaluation of
the risks, control of the risks, and monitoring the effectiveness of the risk control measures.
This approach combines the review and evaluation of existing data from all sources, with the
selection and application of additional tests (where necessary), thus enabling a full evaluation to be
made of the biological responses to each medical device, relevant to its safety in use.
ISO 10993-1:2009 aligns itself explicitly within risk management as described in ISO 14971.
The biological evaluation should be conducted in a manner similar to that used for other product
risks, and should include:
— Risk analysis (What are the hazards and associated risks?)
— Risk evaluation (Are they acceptable?)
— Risk control (How will they be controlled?)
— Overall residual risk/benefit evaluation
Following the processes defined in ISO 14971, if the overall residual risk evaluation concludes from
existing data that t
...
TECHNICAL ISO/TR
REPORT 24971
First edition
2013-07-01
Medical devices — Guidance on the
application of ISO 14971
Dispositifs médicaux — Directives relatives à l’ISO 14971
Reference number
ISO/TR 24971:2013(E)
©
ISO 2013
ISO/TR 24971:2013(E)
© ISO 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2013 – All rights reserved
ISO/TR 24971:2013(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 The role of international product safety and process standards in risk management .1
2.1 Overview . 1
2.2 Use of international product safety standards in risk management . 2
2.3 International process standards and ISO 14971 . 4
3 Developing the policy for determining the criteria for risk acceptability .6
4 Production and post-production feedback loop . 6
4.1 Overview . 6
4.2 Observation and transmission . 7
4.3 Assessment . 9
4.4 Action . 9
5 Differentiation of information for safety and disclosure of residual risk .10
5.1 Difference between “information for safety” and “disclosure of residual risk” .10
5.2 Information for safety .10
5.3 Disclosure of residual risk .10
6 Evaluation of overall residual risk .11
6.1 Overview .11
6.2 Inputs and other considerations for overall residual risk evaluation .11
ISO/TR 24971:2013(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
orga nizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2. www.iso.org/directives
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on
the ISO list of patent declarations received. www.iso.org/patents
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
ISO/TR 24971 was prepared jointly by Technical Committee ISO/TC 210, Quality management and
corresponding general aspects for medical devices, and Technical Committee IEC/SC 62A, Common aspects
of electrical equipment used in medical practice. The draft was circulated for voting to the national bodies
of both ISO and IEC.
iv © ISO 2013 – All rights reserved
ISO/TR 24971:2013(E)
Introduction
Experience indicates that manufacturers have difficulty with practical implementation of some clauses
of the risk management International Standard, ISO 14971:2007, Medical devices — Application of risk
management to medical devices. This Technical Report provides guidance to assist in the development,
implementation and maintenance of risk management for medical devices that aim to meet the
requirements of ISO 14971. It provides guidance for specific aspects of ISO 14971 for a wide variety
of medical devices. These medical devices include active, non-active, implantable, and non-implantable
medical devices and in vitro diagnostic medical devices.
This Technical Report is not intended to be an overall guidance document on the implementation of
ISO 14971 for organizations. It supplements the guidance contained in the informative annexes of
ISO 14971 related to the following areas.
— Guidance on the role of international product safety and process standards in risk management
— Guidance on developing the policy for determining the criteria for risk acceptability
— Guidance on how the production and post-production feedback loop can work
— Guidance on the differentiation of information for safety as a risk control measure and disclosure of
residual risk
— Guidance on the evaluation of overall residual risk
This Technical Report provides some approaches that an organization can use to implement and maintain
some aspects of a risk management system that conforms to ISO 14971. Alternative approaches can be
used if these satisfy the requirements of ISO 14971.
When judging the applicability of the guidance in this Technical Report, one should consider the nature
of the medical device(s) to which it will apply, the risks associated with the use of these medical devices,
and the applicable regulatory requirements.
TECHNICAL REPORT ISO/TR 24971:2013(E)
Medical devices — Guidance on the application of ISO 14971
1 Scope
This Technical Report provides guidance in addressing specific areas of ISO 14971 when implementing
risk management.
The guidance is intended to assist manufacturers and other users of the standard to:
— understand the role of international product safety and process standards in risk management;
— develop the policy for determining the criteria for risk acceptability;
— incorporate production and post-production feedback loop into risk management;
— differentiate between “information for safety” and “disclosure of residual risk”; and
— evaluate overall residual risk.
2 The role of international product safety and process standards in risk management
2.1 Overview
International product safety and process standards play a significant role in risk management as
described by ISO 14971. In principle, these standards are developed using a type of risk management
that can include identifying hazards and hazardous situations, estimating risks, evaluating risks,
and specifying risk control measures. More information on a process for developing medical device
standards using a type of risk management can be found in documents such as ISO/IEC Guide 51 and
ISO/IEC Guide 63. International product safety and process standards are developed by experts in the
field and represent the generally accepted state of the art (see D.4 of ISO 14971:2007).
These standards can have an important role in risk management. When performing risk management,
the manufacturer first needs to consider the medical device being designed, its intended use and the
hazards/hazardous situations related to it. Manufacturers can, if they choose, identify standard(s) that
contain specific requirements that help manage the risks related to those hazards/hazardous situations.
For medical devices that satisfy the requirements and compliance criteria of these standards, the
residual risks related to those hazards/hazardous situations can be considered acceptable unless there
is objective evidence to the contrary. Some potential sources of objective evidence to the contrary can
include reports of adverse events, product recalls and complaints. The requirements of International
Standards, such as engineering or analytical processes, specific output limits, warning statements, or
design specifications, can be considered risk control measures established by the standards writers
that are intended to address the risks of specific hazardous situations that have been identified and
evaluated as needing risk control.
In many cases, the standards writers have taken on and completed elements of risk management
and provided manufacturers with answers in the form of design requirements and test methods for
establishing conformity. When performing risk management activities, manufacturers can take
advantage of the work of the standards writers and need not repeat the analyses leading to the
requirements of the standard. International standards, therefore, provide valuable information on risk
acceptability that has been validated during a worldwide evaluation process, including multiple rounds
of review, comment, and voting.
2.2 Use of international product safety standards in risk management
An international product safety standard can establish requirements that, when implemented, result in
acceptable risk for specific hazardous situations (e.g. safety limits). The manufacturer can apply these
requirements in the following way when managing risk.
a) Where an international product safety standard specifies technical requirements addressing
particular hazards or hazardous situations, together with specific acceptance criteria, compliance
with those requirements is presumed to establish that the residual risks have been reduced to
acceptable levels unless there is objective evidence to the contrary. For example, in IEC 60601-1,
Medical electrical equipment — Part 1: General requirements for basic safety and essential performance,
leakage current must be controlled to achieve an acceptable level of risk. IEC 60601-1 provides
leakage current limits that are considered to result in an acceptable level of risk when measured
under the conditions stated in 8.7 of IEC 60601-1:2005. For this example, further risk management
would not be necessary. The following steps need to be taken in this case.
1) Implement 4.2 and 4.3 of ISO 14971:2007 to identify characteristics related to safety and
identify hazards and hazardous situations associated with the device as completely as possible.
2) Identify those hazards and hazardous situations relevant to the particular medical device that
are exactly covered by the international product safety standard.
3) For those identified hazards and hazardous situations exactly covered by the international
product safety standard, the manufacturer may choose not to estimate (4.4 of ISO 14971:2007) or
evaluate (Clause 5 of ISO 14971:2007) the risks so identified but rather rely on the requirements
contained in the international standard to demonstrate the completion of risk estimation and
risk evaluation.
4) To the extent possible, the manufacturer should identify the design specifications that satisfy
the requirements in the standard and serve as risk control measures (6.2 of ISO 14971:2007).
NOTE For some international product safety standards, the possibility of identifying all the specific risk
control measures is limited. One example is electromagnetic compatibility testing in IEC 60601-1-2, Medical
electrical equipment — Part 1-2: General requirements for basic safety and essential performance — Collateral
standard: Electromagnetic compatibility — Requirements and tests, for complex medical devices.
5) Verification of the implementation of the risk control measures for these hazardous situations
is obtained from the design documents. Verification of the effectiveness of the risk control
measures is obtained from the tests and test results demonstrating that the device meets the
relevant requirements of the international product safety standard.
6) If the relevant requirements are met, the associated residual risk is considered acceptable.
b) Where an international product safety standard does not completely specify technical requirements
and associated tests and test acceptance criteria, the situation is more complex. In some cases, the
standard directs the manufacturer to perform specific tests related to known hazards or hazardous
situations but does not provide specific test acceptance criteria (e.g. IEC 60601-2-16, Medical
electrical equipment — Part 2-16: Particular requirements for basic safety and essential performance of
haemodialysis, haemodiafiltration and haemofiltration equipment). In some other cases, the standard
can simply direct the manufacturer to investigate specific hazards or hazardous situations in
their risk analysis (e.g. 10.2 of IEC 60601-1:2005). The range of alternatives is too large to provide
specific guidance on how to use such standards in the risk management process. Manufacturers
are encouraged, however, to use the content of such standards in their risk management of the
particular medical device.
c) For hazards or hazardous situations that are identified for the particular medical device but are
not specifically addressed in any standard, the manufacturer needs to address those hazards or
hazardous situations in the risk management process. The manufacturer is required to estimate
and evaluate the risks and, if necessary, control these risks (see 4.4 and Clauses 5 and 6 of
ISO 14971:2007).
See Figure 1 for a flowchart and an example outlining the use of international product safety standards.
Flowchart steps, each followed by the corresponding entry of the example:
Step: Identify hazards/hazardous situations (H/HS) (4.3 of ISO 14971:2007).
Example: Hazardous situation identified: patient (and medical device) needs to be transferred from one room to another; if put in transport position, equipment overbalances and patient falls.
Step: Are the H/HS addressed in international product safety standard(s)? If no: 2 c) Input the identified hazards and hazardous situations into the risk management process. If yes: continue.
Example: Yes: IEC 60601-1:2005, Subclause 9.4.2.1.
Step: How is it addressed? Choose between 2 a) and 2 b). If 2 b): use the identified hazards, hazardous situations, test methods, or other relevant information in the risk management process. If 2 a): continue.
Example: 2 a)
Step: 2 a): International product safety standard specifies requirements and provides specific test acceptance criteria.
Example: Yes: there is a specified requirement: The equipment shall not overbalance when placed in any transport position of normal use on a plane inclined at an angle of 10° from the horizontal plane, and specific acceptance criteria (defined test). If the equipment overbalances, it does not comply with the requirement.
Step: Do requirement(s) fully match the design including the intended use? If no: use the identified hazards, hazardous situations, test methods, or other relevant information in the risk management process. If yes: continue.
Example: Yes, equipment is transportable, and it can be transported with the patient on it to accommodate patient transfers.
Step: No need to estimate (4.4) or evaluate risk (5).
Example: Risk is not estimated nor evaluated prior to implementation of risk control measure.
Step: Identify the design specifications that achieve the requirement in the standard (6.2).
Example: Identified in the risk management file.
Step: Verify the effectiveness (6.3) by performing test(s) according to the standard.
Example: Test performed: equipment placed on a plane inclined at an angle 10° from the horizontal plane. Result: medical device does not overbalance.
Step: If the test is passed, related residual risks are considered acceptable (6.4).
Example: Medical device does not overbalance, so the related residual risk is considered acceptable.
Figure 1 — Use of international product safety standards and example of such standard that
specifies requirements and provides specific test acceptance criteria
2.3 International process standards and ISO 14971
International process standards, as shown in the examples below, can often be used in conjunction with
ISO 14971. This is performed in one of two ways:
— The international process standard requires application of ISO 14971 as part of the implementation
of the international process standard, e.g. IEC 62304 on software life cycle processes; or
— The international process standard is intended to be used in risk management, e.g. IEC 62366 on
usability engineering and the ISO 10993 series on biological evaluation.
In either case, proper use of the international process standard requires attention to the interfaces
between that standard and ISO 14971 in order to achieve acceptable levels of risk for the medical device.
The two standards should work together such that inputs, outputs and their timing are optimized. Three
examples are given below to demonstrate this ideal situation.
a) IEC 62304, Medical device software — Software life cycle processes
The relationship between IEC 62304 and ISO 14971 is well-described in the introduction to IEC 62304:
As a basic foundation it is assumed that medical device software is developed and maintained
within a quality management system (see 4.1 of IEC 62304:2006) and a risk management process
(see 4.2 of IEC 62304:2006). The risk management process is already very well addressed by the
International Standard ISO 14971. Therefore IEC 62304 makes use of this advantage simply by a
normative reference to ISO 14971. Some minor additional risk management requirements are
needed for software, especially in the area of identification of contributing software factors related
to hazards. These requirements are summarized and captured in Clause 7 of IEC 62304:2006 as
the software risk management process.
Whether software is a contributing factor to a hazard is determined during the hazard identification
activity of the risk management process. Hazards that could be indirectly caused by software
(for example, by providing misleading information that could cause inappropriate treatment to be
administered) need to be considered when determining whether software is a contributing factor.
The decision to use software to control risk is made during the risk control activity of the risk
management process. The software risk management process required in this standard has to
be embedded in the device risk management process according to ISO 14971.
IEC 62304 makes a normative reference to ISO 14971 and specifically requires:
— software development planning (5.1 of IEC 62304:2006) that is consistent with the risk
management plan required by ISO 14971; and
— a software risk management process (Clause 7 of IEC 62304:2006) based upon ISO 14971.
b) IEC 62366, Medical devices — Application of usability engineering to medical devices
The flow diagram in Figure A.1 of IEC 62366:2007 demonstrates the relationship and interconnection
of the two parallel and interconnecting processes. In addition to making a normative reference to
ISO 14971, IEC 62366:2007 identifies three specific clauses where the usability engineering process
can supplement and interact with risk management as described in ISO 14971:
— 5.3.1 of IEC 62366:2007 requires: “An identification of characteristics related to safety (part of
a risk analysis) that focuses on usability shall be performed according to ISO 14971:2007, 4.2.”
— 5.3.2 of IEC 62366:2007 requires: “The manufacturer shall identify known or foreseeable
hazards (part of a risk analysis) related to usability according to ISO 14971:2007, 4.3.”
— 5.9 of IEC 62366:2007 on Usability Validation makes several references to activities that would
be undertaken as part of risk management.
c) ISO 10993 (all parts), Biological evaluation of medical devices
The introduction to ISO 10993-1 states that ISO 10993-1 is intended to be a guidance document
for the biological evaluation of medical devices within risk management, as part of the overall
evaluation and development of each device.
Annex B of ISO 10993-1:2009 applies ISO 14971 to provide guidance on the risk management approach
for identification of biological hazards associated with medical devices, estimation and evaluation of
the risks, control of the risks, and monitoring the effectiveness of the risk control measures.
This approach combines the review and evaluation of existing data from all sources, with the
selection and application of additional tests (where necessary), thus enabling a full evaluation to be
made of the biological responses to each medical device, relevant to its safety in use.
ISO 10993-1:2009 aligns itself explicitly within risk management as described in ISO 14971.
The biological evaluation should be conducted in a manner similar to that used for other product
risks, and should include:
— Risk analysis (What are the hazards and associated risks?)
— Risk evaluation (Are they acceptable?)
— Risk control (How will they be controlled?)
— Overall residual risk/benefit evaluation
Following the processes defined in ISO 14971, if the overall residual risk evaluation concludes f
...
ISO TR 24971:2013 provides comprehensive guidance that enhances the implementation of ISO 14971, which focuses on the essential aspects of risk management specific to medical devices. The standard's scope effectively addresses critical areas that are often challenging for manufacturers and users, ensuring a better understanding of international product safety and process standards within the realm of risk management. One of the significant strengths of ISO TR 24971:2013 is its focus on the risk management policy, emphasizing the criteria for determining risk acceptability. This guidance is invaluable for manufacturers as it aids in establishing a robust framework for evaluating and managing risks associated with medical devices effectively. Additionally, the incorporation of a production and post-production feedback loop into risk management processes is a key strength, providing a systematic approach to address evolving risks throughout the product lifecycle. The differentiation between "information for safety" and "disclosure of residual risk" outlined in the standard is another vital component that enriches its relevance. This clarification supports manufacturers in communicating critical safety information accurately, which is essential for maintaining compliance with regulatory requirements and fostering user trust. Furthermore, the standard encourages the evaluation of overall residual risk, promoting a more thorough assessment process that is crucial for ensuring the safety and effectiveness of medical devices. By offering clear guidance on these elements, ISO TR 24971:2013 significantly contributes to the improvement of risk management practices within the industry. Overall, ISO TR 24971:2013 stands out as an essential resource for manufacturers and stakeholders in the medical device sector, as it delineates a clear pathway for the application of ISO 14971. 
Its strengths in addressing key areas of risk management make it an influential standard that underscores the importance of safety and compliance in the development and lifecycle management of medical devices.
ISO TR 24971:2013 provides comprehensive guidance on the application of ISO 14971 in the area of risk management for medical devices. The scope of this document extends to clarifying specific areas that matter to manufacturers and other users, so that they can understand international product and process standards in the context of product safety. One of the main strengths of ISO TR 24971:2013 is its structured approach to developing policies that enable manufacturers to set clear criteria for risk acceptance. This promotes not only the safety of medical devices but also users' confidence in their reliability. In addition, the standard supports the integration of production and post-production feedback loops into risk management, which enables continuous improvement of the products. Another central aspect of the standard is the differentiation between "information for safety" and "disclosure of residual risk". This distinction is essential for improving transparency and the communication strategy towards users and regulatory authorities, and thus for ensuring compliance with safety standards. Furthermore, ISO TR 24971:2013 offers valuable guidance on evaluating the overall residual risk, which is crucial for manufacturers in making well-founded decisions about safety measures. The relevance of ISO TR 24971:2013 in the context of risk management for medical devices cannot be emphasized enough. In an industry where safety and efficiency are of the utmost importance, this standard is a key instrument for creating the framework needed for effective risk management.
Through its practical recommendations, the standard meets the needs of the industry and ensures that all parties involved have the information and procedures required to meet the challenges of product safety.
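ISO TR 24971:2013 provides guidance on the application of ISO 14971 and emphasizes the importance of risk management in the medical device field. The standard provides clear guidance on specific areas that need careful attention when implementing risk management, helping manufacturers and users of the standard understand the role of international product safety and process standards. The greatest strength of this standard is that it supports the development of a policy for determining the criteria for risk acceptability. This is an essential element for medical device manufacturers and for an effective risk management process. ISO TR 24971:2013 also explains how to integrate the post-production feedback loop into risk management, promoting continuous improvement. In particular, the distinction between "information for safety" and "disclosure of residual risk" is a very important element of risk management. It contributes to ensuring product safety and conveying accurate information to consumers. The standard also covers how to evaluate overall residual risk, helping manufacturers carry out differentiated risk management before and after market release. In conclusion, by providing practical and comprehensive guidance on risk management in the medical device field, ISO TR 24971:2013 helps users manage risk more effectively and maintain safety. The standard has become a very important reference for modern medical device development.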
ISO TR 24971:2013 offers valuable guidance on risk management to medical device manufacturers. Its scope focuses on specific aspects of ISO 14971, providing clear advice that helps with the effective implementation of risk management. Among the notable strengths of this standard is its systematic approach, which gives a better understanding of the role of international product safety and process standards. This is crucial for ensuring not only compliance but also the safety of medical devices on the market. The standard also facilitates the development of policies for determining the criteria for risk acceptability, an essential aspect of ensuring that products meet safety requirements. In addition, ISO TR 24971:2013 encourages the integration of a feedback loop between production and post-production into the risk management system. This proactive approach helps to identify and correct potential problems quickly, thereby improving the safety and reliability of medical devices. Another important feature of this standard is its ability to help differentiate between "information for safety" and "disclosure of residual risk". This allows manufacturers to communicate more transparently with end users while ensuring compliance with safety regulations. Finally, the standard calls for a rigorous evaluation of overall residual risk, which is fundamental to effective risk management and the safe development of new medical devices.
Overall, ISO TR 24971:2013 is an indispensable tool for those working in the medical sector, ensuring that risk management practices not only conform to standards but are also adapted to the rapid evolution of technologies and market requirements.
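ISO TR 24971:2013 is an important standard that provides guidance on the application of ISO 14971 in risk management for medical devices. Its main scope is to address the specific areas that manufacturers and users face when implementing risk management. The standard helps them understand the role that international product safety and process standards play in risk management. One of the strengths of ISO TR 24971:2013 is that it provides the concrete guidance manufacturers need in the process of developing a policy for determining the criteria for risk acceptability. This builds the foundation for managing the risks of medical devices appropriately and ensuring safety. Furthermore, the standard recommends incorporating the production and post-production feedback loop into risk management, and supports risk management by bringing in insights from actual operation. This makes the identification and evaluation of risks more effective. The standard also provides a clear framework for distinguishing between "information for safety" and "disclosure of residual risk", which serves as a guide for users in communicating smoothly with consumers and regulatory authorities. It also includes guidance on the evaluation of overall residual risk, reaffirming the importance of risk management in the medical device industry. ISO TR 24971:2013 provides practical guidance on risk management for medical devices and is an indispensable resource for ensuring product safety. Its content carries authority as an industry standard and is highly relevant to everyone involved in the manufacture and operation of medical devices.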













