Medical devices - Application of risk management to medical devices

This document specifies terminology, principles and a process for risk management of medical devices, including software as a medical device and in vitro diagnostic medical devices. The process described in this document intends to assist manufacturers of medical devices to identify the hazards associated with the medical device, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.
The requirements of this document are applicable to all phases of the life cycle of a medical device. The process described in this document applies to risks associated with a medical device, such as risks related to biocompatibility, data and systems security, electricity, moving parts, radiation, and usability.
The process described in this document can also be applied to products that are not necessarily medical devices in some jurisdictions and can also be used by others involved in the medical device life cycle.
This document does not apply to:
- decisions on the use of a medical device in the context of any particular clinical procedure; or
- business risk management.
This document requires manufacturers to establish objective criteria for risk acceptability but does not specify acceptable risk levels.
Risk management can be an integral part of a quality management system. However, this document does not require the manufacturer to have a quality management system in place.
NOTE Guidance on the application of this document can be found in ISO/TR 24971[9].

General Information

Status: Published
Publication Date: 09-Dec-2019
Current Stage: PPUB - Publication issued
Completion Date: 18-Feb-2020

ISO 14971:2019 - Medical devices - Application of risk management to medical devices
English language
36 pages

Standards Content (sample)

INTERNATIONAL STANDARD ISO 14971
Third edition
2019-12
Medical devices — Application of risk management to medical devices
Dispositifs médicaux — Application de la gestion des risques aux dispositifs médicaux
Reference number: ISO 14971:2019(E)
© ISO 2019
COPYRIGHT PROTECTED DOCUMENT
© ISO 2019

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
4.1 Risk management process
4.2 Management responsibilities
4.3 Competence of personnel
4.4 Risk management plan
4.5 Risk management file
5 Risk analysis
5.1 Risk analysis process
5.2 Intended use and reasonably foreseeable misuse
5.3 Identification of characteristics related to safety
5.4 Identification of hazards and hazardous situations
5.5 Risk estimation
6 Risk evaluation
7 Risk control
7.1 Risk control option analysis
7.2 Implementation of risk control measures
7.3 Residual risk evaluation
7.4 Benefit-risk analysis
7.5 Risks arising from risk control measures
7.6 Completeness of risk control
8 Evaluation of overall residual risk
9 Risk management review
10 Production and post-production activities
10.1 General
10.2 Information collection
10.3 Information review
10.4 Actions
Annex A (informative) Rationale for requirements
Annex B (informative) Risk management process for medical devices
Annex C (informative) Fundamental risk concepts
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/TC 210, Quality management and corresponding general aspects for medical devices, and IEC/SC 62A, Common aspects of electrical equipment used in medical practice.

This third edition cancels and replaces the second edition (ISO 14971:2007), which has been technically revised. The main changes compared to the previous edition are as follows:

— A clause on normative references has been included, in order to respect the requirements for fixed in Clause 15 of ISO/IEC Directives, Part 2:2018.
— The defined terms are updated and many are derived from ISO/IEC Guide 63:2019. Defined terms are printed in italic to assist the reader in identifying them in the body of the document.
— Definitions of benefit, reasonably foreseeable misuse and state of the art have been introduced.
— More attention is given to the benefits that are expected from the use of the medical device. The term benefit-risk analysis has been aligned with terminology used in some regulations.
— It is explained that the process described in ISO 14971 can be used for managing risks associated with medical devices, including those related to data and systems security.
— The method for the evaluation of the overall residual risk and the criteria for its acceptability are required to be defined in the risk management plan. The method can include gathering and reviewing data and literature for the medical device and for similar medical devices and similar other products on the market. The criteria for the acceptability of the overall residual risk can be different from the criteria for acceptability of individual risks.
— The requirements to disclose residual risks have been moved and merged into one requirement, after the overall residual risk has been evaluated and judged acceptable.
— The review before commercial distribution of the medical device concerns the execution of the risk management plan. The results of the review are documented as the risk management report.

— The requirements for production and post-production activities have been clarified and restructured. More detail is given on the information to be collected and the actions to be taken when the collected information has been reviewed and determined to be relevant to safety.
— Several informative annexes are moved to the guidance in ISO/TR 24971, which has been revised in parallel. More information and a rationale for the requirements in this third edition of ISO 14971 have been provided in Annex A. The correspondence between the clauses of the second edition and those of this third edition is given in Annex B.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

The requirements contained in this document provide manufacturers with a framework within which experience, insight and judgment are applied systematically to manage the risks associated with the use of medical devices.

This document was developed specifically for manufacturers of medical devices on the basis of established principles of risk management that have evolved over many years. This document could be used as guidance in developing and maintaining a risk management process for other products that are not necessarily medical devices in some jurisdictions and for suppliers and other parties involved in the medical device life cycle.

This document deals with processes for managing risks associated with medical devices. Risks can be related to injury, not only to the patient, but also to the user and other persons. Risks can also be related to damage to property (for example objects, data, other equipment) or the environment.

Risk management is a complex subject because each stakeholder can place a different value on the acceptability of risks in relation to the anticipated benefits. The concepts of risk management are particularly important in relation to medical devices because of the variety of stakeholders including medical practitioners, the organizations providing health care, governments, industry, patients and members of the public.

It is generally accepted that the concept of risk has two key components:
— the probability of occurrence of harm; and
— the consequences of that harm, that is, how severe it might be.

All stakeholders need to understand that the use of a medical device involves an inherent degree of risk, even after the risks have been reduced to an acceptable level. It is well known that in the context of a clinical procedure some residual risks remain. The acceptability of a risk to a stakeholder is influenced by the key components listed above and by the stakeholder’s perception of the risk and the benefit. Each stakeholder’s perception can vary depending upon their cultural background, the socio-economic and educational background of the society concerned and the actual and perceived state of health of the patient. The way a risk is perceived also takes into account other factors, for example, whether exposure to the hazard or hazardous situation seems to be involuntary, avoidable, from a man-made source, due to negligence, arising from a poorly understood cause, or directed at a vulnerable group within society.

As one of the stakeholders, the manufacturer reduces risks and makes judgments relating to the safety of a medical device, including the acceptability of residual risks. The manufacturer takes into account the generally acknowledged state of the art, in order to determine the suitability of a medical device to be placed on the market for its intended use. This document specifies a process through which the manufacturer of a medical device can identify hazards associated with the medical device, estimate and evaluate the risks associated with these hazards, control these risks, and monitor the effectiveness of the controls throughout the life cycle of the medical device.

The decision to use a medical device in the context of a particular clinical procedure requires the residual risks to be balanced against the anticipated benefits of the procedure. Such decisions are beyond the scope of this document and take into account the intended use, the circumstances of use, the performance and risks associated with the medical device, as well as the risks and benefits associated with the clinical procedure. Some of these decisions can be made only by a qualified medical practitioner with knowledge of the state of health of an individual patient or the patient’s own opinion.

For any particular medical device, other standards or regulations could require the application of specific methods for managing risk. In those cases, it is necessary to also follow the requirements outlined in those documents.

The verbal forms used in this document conform to the usage described in Clause 7 of the ISO/IEC Directives, Part 2:2018. For the purposes of this document, the auxiliary verb:

— “shall” means that compliance with a requirement or a test is mandatory for compliance with this document;
— “should” means that compliance with a requirement or a test is recommended but is not mandatory for compliance with this document;
— “may” is used to describe permission (e.g. a permissible way to achieve compliance with a requirement or test);
— “can” is used to express possibility and capability; and
— “must” is used to express an external constraint that is not a requirement of the document.

1 Scope

This document specifies terminology, principles and a process for risk management of medical devices, including software as a medical device and in vitro diagnostic medical devices. The process described in this document intends to assist manufacturers of medical devices to identify the hazards associated with the medical device, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls.

The requirements of this document are applicable to all phases of the life cycle of a medical device. The process described in this document applies to risks associated with a medical device, such as risks related to biocompatibility, data and systems security, electricity, moving parts, radiation, and usability.

The process described in this document can also be applied to products that are not necessarily medical devices in some jurisdictions and can also be used by others involved in the medical device life cycle.

This document does not apply to:
— decisions on the use of a medical device in the context of any particular clinical procedure; or
— business risk management.

This document requires manufacturers to establish objective criteria for risk acceptability but does not specify acceptable risk levels.

Risk management can be an integral part of a quality management system. However, this document does not require the manufacturer to have a quality management system in place.

NOTE Guidance on the application of this document can be found in ISO/TR 24971[9].
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
3.1
accompanying documentation

materials accompanying a medical device (3.10) and containing information for the user or those accountable for the installation, use, maintenance, decommissioning and disposal of the medical device (3.10), particularly regarding safe use

Note 1 to entry: The accompanying documentation can consist of the instructions for use, technical description, installation manual, quick reference guide, etc.

Note 2 to entry: Accompanying documentation is not necessarily a written or printed document but could involve auditory, visual, or tactile materials and multiple media types.
3.2
benefit

positive impact or desirable outcome of the use of a medical device (3.10) on the health of an individual, or a positive impact on patient management or public health

Note 1 to entry: Benefits can include positive impact on clinical outcome, the patient’s quality of life, outcomes related to diagnosis, positive impact from diagnostic devices on clinical outcomes, or positive impact on public health.
3.3
harm

injury or damage to the health of people, or damage to property or the environment

[SOURCE: ISO/IEC Guide 63:2019, 3.1]
3.4
hazard
potential source of harm (3.3)
[SOURCE: ISO/IEC Guide 63:2019, 3.2]
3.5
hazardous situation

circumstance in which people, property or the environment is/are exposed to one or more hazards (3.4)

Note 1 to entry: See Annex C for an explanation of the relationship between hazard and hazardous situation.

[SOURCE: ISO/IEC Guide 63:2019, 3.3, modified — Note 1 to entry added.]
3.6
intended use
intended purpose

use for which a product, process (3.14) or service is intended according to the specifications, instructions and information provided by the manufacturer (3.9)

Note 1 to entry: The intended medical indication, patient population, part of the body or type of tissue interacted with, user profile, use environment, and operating principle are typical elements of the intended use.

[SOURCE: ISO/IEC Guide 63:2019, 3.4]
3.7
in vitro diagnostic medical device
IVD medical device

device, whether used alone or in combination, intended by the manufacturer (3.9) for the in vitro examination of specimens derived from the human body solely or principally to provide information for diagnostic, monitoring or compatibility purposes and including reagents, calibrators, control materials, specimen receptacles, software, and related instruments or apparatus or other articles

[SOURCE: ISO 18113-1:2009, 3.27, modified — NOTE deleted.]
3.8
life cycle

series of all phases in the life of a medical device (3.10), from the initial conception to final decommissioning and disposal

[SOURCE: ISO/IEC Guide 63:2019, 3.5]
3.9
manufacturer

natural or legal person with responsibility for the design and/or manufacture of a medical device (3.10) with the intention of making the medical device (3.10) available for use, under his name, whether or not such a medical device (3.10) is designed and/or manufactured by that person himself or on his behalf by another person(s)

Note 1 to entry: The natural or legal person has ultimate legal responsibility for ensuring compliance with all applicable regulatory requirements for the medical device in the countries or jurisdictions where it is intended to be made available or sold, unless this responsibility is specifically imposed on another person by the Regulatory Authority (RA) within that jurisdiction.

Note 2 to entry: The manufacturer’s responsibilities are described in other GHTF guidance documents. These responsibilities include meeting both pre-market requirements and post-market requirements, such as adverse event reporting and notification of corrective actions.

Note 3 to entry: “Design and/or manufacture” may include specification development, production, fabrication, assembly, processing, packaging, repackaging, labelling, relabelling, sterilization, installation, or remanufacturing of a medical device; or putting a collection of devices, and possibly other products, together for a medical purpose.

Note 4 to entry: Any person who assembles or adapts a medical device that has already been supplied by another person for an individual patient, in accordance with the instructions for use, is not the manufacturer, provided the assembly or adaptation does not change the intended use of the medical device.

Note 5 to entry: Any person who changes the intended use of, or modifies, a medical device without acting on behalf of the original manufacturer and who makes it available for use under his own name, should be considered the manufacturer of the modified medical device.

Note 6 to entry: An authorised representative, distributor or importer who only adds its own address and contact details to the medical device or the packaging, without covering or changing the existing labelling, is not considered a manufacturer.

Note 7 to entry: To the extent that an accessory is subject to the regulatory requirements of a medical device, the person responsible for the design and/or manufacture of that accessory is considered to be a manufacturer.

[SOURCE: ISO/IEC Guide 63:2019, 3.6]
3.10
medical device

instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material or other similar or related article, intended by the manufacturer (3.9) to be used, alone or in combination, for human beings, for one or more of the specific medical purpose(s) of
— diagnosis, prevention, monitoring, treatment or alleviation of disease,
— diagnosis, monitoring, treatment, alleviation of or compensation for an injury,
— investigation, replacement, modification, or support of the anatomy or of a physiological process,
— supporting or sustaining life,
— control of conception,
— disinfection of medical devices (3.10),
— providing information by means of in vitro examination of specimens derived from the human body,
and which does not achieve its primary intended action by pharmacological, immunological or metabolic means, in or on the human body, but which may be assisted in its function by such means

Note 1 to entry: Products which can be considered to be medical devices in some jurisdictions but not in others include:
— disinfection substances;
— aids for persons with disabilities;
— devices incorporating animal and/or human tissues;
— devices for in vitro fertilization or assisted reproduction technologies.

[SOURCE: ISO/IEC Guide 63:2019, 3.7]
3.11
objective evidence
data supporting the existence or verity of something

Note 1 to entry: Objective evidence can be obtained through observation, measurement, test or by other means.

[SOURCE: ISO 9000:2015, 3.8.3, modified — Note 2 to entry deleted.]
3.12
post-production

part of the life cycle (3.8) of the medical device (3.10) after the design has been completed and the medical device (3.10) has been manufactured

EXAMPLE Transportation, storage, installation, product use, maintenance, repair, product changes, decommissioning and disposal.
3.13
procedure
specified way to carry out an activity or a process (3.14)
Note 1 to entry: Procedures can be documented or not.
[SOURCE: ISO 9000:2015, 3.4.5]
3.14
process

set of interrelated or interacting activities that use inputs to deliver an intended result

Note 1 to entry: Whether the “intended result” of a process is called output, product or service depends on the context of the reference.

Note 2 to entry: Inputs to a process are generally the outputs of other processes and outputs of a process are generally the inputs to other processes.

Note 3 to entry: Two or more interrelated and interacting processes in series can also be referred to as a process.

[SOURCE: ISO 9000:2015, 3.4.1, modified — Notes to entry 4, 5 and 6 are deleted.]

3.15
reasonably foreseeable misuse

use of a product or system in a way not intended by the manufacturer (3.9), but which can result from readily predictable human behaviour

Note 1 to entry: Readily predictable human behaviour includes the behaviour of all types of users, e.g. lay and professional users.

Note 2 to entry: Reasonably foreseeable misuse can be intentional or unintentional.

[SOURCE: ISO/IEC Guide 63:2019, 3.8]
3.16
record
document stating results achieved or providing evidence of activities performed

Note 1 to entry: Records can be used, for example, to formalize traceability and to provide evidence of verification, preventive action and corrective action.

Note 2 to entry: Generally records need not be under revision control.
[SOURCE: ISO 9000:2015, 3.8.10]
3.17
residual risk
risk remaining after risk control (3.21) measures have been implemented
[SOURCE: ISO/IEC Guide 63:2019, 3.9]
3.18
risk

combination of the probability of occurrence of harm (3.3) and the severity (3.27) of that harm (3.3)

[SOURCE: ISO/IEC Guide 63:2019, 3.10, modified — Note 1 to entry deleted.]
3.19
risk analysis

systematic use of available information to identify hazards (3.4) and to estimate the risk (3.18)

[SOURCE: ISO/IEC Guide 63:2019, 3.11]
3.20
risk assessment

overall process (3.14) comprising a risk analysis (3.19) and a risk evaluation (3.20)

[SOURCE: ISO/IEC Guide 51:2014, 3.11]
3.21
risk control

process (3.14) in which decisions are made and measures implemented by which risks (3.18) are reduced to, or maintained within, specified levels

[SOURCE: ISO/IEC Guide 63:2019, 3.12]
3.22
risk estimation
process (3.14) used to ass
...
