Medical devices - Guidance on the application of ISO 14971 (ISO/TR 24971:2020)

This document provides guidance on the development, implementation and maintenance of a risk
management system for medical devices according to ISO 14971:2019.
The risk management process can be part of a quality management system, for example one that is based
on ISO 13485:2016[24], but this is not required by ISO 14971:2019. Some requirements in ISO 13485:2016
(Clause 7 on product realization and 8.2.1 on feedback during monitoring and measurement) are
related to risk management and can be fulfilled by applying ISO 14971:2019. See also the ISO Handbook:
ISO 13485:2016 — Medical devices — A practical guide[25].

Medizinprodukte - Leitfaden zur Anwendung von ISO 14971 (ISO/TR 24971:2020)

Dispositifs médicaux - Directives relatives à l'ISO 14971 (ISO/TR 24971:2020)


Medicinski pripomočki - Navodilo za uporabo ISO 14971 (ISO/TR 24971:2020)

General Information

Status: Published
Public Enquiry End Date: 19-May-2020
Publication Date: 16-Aug-2020
Technical Committee
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 05-Aug-2020
Due Date: 10-Oct-2020
Completion Date: 17-Aug-2020

Technical report: SIST-TP CEN ISO/TR 24971:2020 (colour on PDF page 69), English language, 96 pages
Technical report: kSIST-TP FprCEN ISO/TR 24971:2020, English language, 92 pages

Standards Content (sample)

SLOVENIAN STANDARD
SIST-TP CEN ISO/TR 24971:2020
01-September-2020
Medicinski pripomočki - Navodilo za uporabo ISO 14971 (ISO/TR 24971:2020)
Medical devices - Guidance on the application of ISO 14971 (ISO/TR 24971:2020)
Medizinprodukte - Leitfaden zur Anwendung von ISO 14971 (ISO/TR 24971:2020)
Dispositifs médicaux - Directives relatives à l'ISO 14971 (ISO/TR 24971:2020)
This Slovenian standard is identical to: CEN ISO/TR 24971:2020
ICS: 11.040.01 Medical equipment in general
SIST-TP CEN ISO/TR 24971:2020 en

2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

TECHNICAL REPORT
CEN ISO/TR 24971
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
July 2020
ICS 11.040.01
English version
Medical devices - Guidance on the application of ISO 14971 (ISO/TR 24971:2020)

Dispositifs médicaux - Recommandations relatives à l'application de l'ISO 14971 (ISO/TR 24971:2020)

Medizinprodukte - Leitfaden zur Anwendung von ISO 14971 (ISO/TR 24971:2020)

This Technical Report was approved by CEN on 16 July 2020. It has been drawn up by the Technical Committee CEN/CLC/JTC 3.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels

© 2020 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN ISO/TR 24971:2020 E
European foreword

This document (CEN ISO/TR 24971:2020) has been prepared by Technical Committee ISO/TC 210 "Quality management and corresponding general aspects for medical devices" in collaboration with Technical Committee CEN/CLC/JTC 3 "Quality management and corresponding general aspects for medical devices", the secretariat of which is held by NEN.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN shall not be held responsible for identifying any or all such patent rights.

Endorsement notice

The text of ISO/TR 24971:2020 has been approved by CEN as CEN ISO/TR 24971:2020 without any modification.
TECHNICAL REPORT
ISO/TR 24971
Second edition
2020-06
Medical devices — Guidance on the application of ISO 14971
Dispositifs médicaux — Recommandations relatives à l'application de l'ISO 14971
Reference number ISO/TR 24971:2020(E)
ISO 2020
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
4.1 Risk management process
4.2 Management responsibilities
4.2.1 Top management commitment
4.2.2 Policy for establishing criteria for risk acceptability
4.2.3 Suitability of the risk management process
4.3 Competence of personnel
4.4 Risk management plan
4.4.1 General
4.4.2 Scope of the risk management plan
4.4.3 Assignment of responsibilities and authorities
4.4.4 Requirements for review of risk management activities
4.4.5 Criteria for risk acceptability
4.4.6 Method to evaluate overall residual risk and criteria for acceptability
4.4.7 Verification activities
4.4.8 Activities related to collection and review of production and post-production information
4.5 Risk management file
5 Risk analysis
5.1 Risk analysis process
5.2 Intended use and reasonably foreseeable misuse
5.3 Identification of characteristics related to safety
5.4 Identification of hazards and hazardous situations
5.4.1 Hazards
5.4.2 Hazardous situations in general
5.4.3 Hazardous situations resulting from faults
5.4.4 Hazardous situations resulting from random faults
5.4.5 Hazardous situations resulting from systematic faults
5.4.6 Hazardous situations arising from security vulnerabilities
5.4.7 Sequences or combinations of events
5.5 Risk estimation
5.5.1 General
5.5.2 Probability
5.5.3 Risks for which probability cannot be estimated
5.5.4 Severity
5.5.5 Examples
6 Risk evaluation
7 Risk control
7.1 Risk control option analysis
7.1.1 Risk control for medical device design
7.1.2 Risk control for manufacturing processes
7.1.3 Standards and risk control
7.2 Implementation of risk control measures
7.3 Residual risk evaluation
7.4 Benefit-risk analysis
7.4.1 General
7.4.2 Benefit estimation
7.4.3 Criteria for benefit-risk analysis
7.4.4 Benefit-risk comparison
7.4.5 Examples of benefit-risk analyses
7.5 Risks arising from risk control measures
7.6 Completeness of risk control
8 Evaluation of overall residual risk
8.1 General considerations
8.2 Inputs and other considerations
8.3 Possible approaches
9 Risk management review
10 Production and post-production activities
10.1 General
10.2 Information collection
10.3 Information review
10.4 Actions
Annex A (informative) Identification of hazards and characteristics related to safety
Annex B (informative) Techniques that support risk analysis
Annex C (informative) Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
Annex D (informative) Information for safety and information on residual risk
Annex E (informative) Role of international standards in risk management
Annex F (informative) Guidance on risks related to security
Annex G (informative) Components and devices designed without using ISO 14971
Annex H (informative) Guidance for in vitro diagnostic medical devices
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives-and-policies).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.

This document was prepared jointly by Technical Committee ISO/TC 210, Quality management and corresponding general aspects for medical devices, and Subcommittee IEC/SC 62A, Common aspects of electrical equipment used in medical practice.

This second edition cancels and replaces the first edition, which has been technically revised. The main changes compared to the previous edition are as follows:

— The clauses of ISO/TR 24971:2013 and some informative annexes of ISO 14971:2007 are merged, restructured, technically revised, and supplemented with additional guidance.

— To facilitate the use of this document, the same structure and numbering of clauses and subclauses as in ISO 14971:2019 is employed. The informative annexes contain additional guidance on specific aspects of risk management.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document provides guidance to assist manufacturers in the development, implementation and maintenance of a risk management process for medical devices that aims to meet the requirements of ISO 14971:2019, Medical devices — Application of risk management to medical devices. It provides guidance on the application of ISO 14971:2019 for a wide variety of medical devices. These medical devices include active, non-active, implantable, and non-implantable medical devices, software as medical devices and in vitro diagnostic medical devices.

The clauses and subclauses in this document have the same structure and numbering as the clauses and subclauses of ISO 14971:2019, to facilitate the use of this guidance in applying the requirements of the standard. Further division into subclauses is applied where considered useful. The informative annexes contain additional guidance on specific aspects of risk management. The guidance consists of the clauses of ISO/TR 24971:2013 and some of the informative annexes of ISO 14971:2007, which are merged, restructured, technically revised, and supplemented with additional guidance.

Annex H was prepared in cooperation with Technical Committee ISO/TC 212, Clinical laboratory testing and in vitro diagnostic test systems.

This document describes approaches that manufacturers can use to develop, implement and maintain a risk management process conforming to ISO 14971:2019. Alternative approaches can also satisfy the requirements of ISO 14971:2019.

When judging the applicability of the guidance in this document, one should consider the nature of the medical device(s) to which it will apply, how and by whom these medical devices are used, and the applicable regulatory requirements.
Medical devices — Guidance on the application of ISO 14971
1 Scope

This document provides guidance on the development, implementation and maintenance of a risk management system for medical devices according to ISO 14971:2019.

The risk management process can be part of a quality management system, for example one that is based on ISO 13485:2016[24], but this is not required by ISO 14971:2019. Some requirements in ISO 13485:2016 (Clause 7 on product realization and 8.2.1 on feedback during monitoring and measurement) are related to risk management and can be fulfilled by applying ISO 14971:2019. See also the ISO Handbook: ISO 13485:2016 — Medical devices — A practical guide[25].
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO 14971:2019, Medical devices — Application of risk management to medical devices

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 14971:2019 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

NOTE The defined terms in ISO 14971:2019 are derived as much as possible from ISO/IEC Guide 63:2019[20] which was developed specifically for the medical device sector.
4 General requirements for risk management system
4.1 Risk management process

ISO 14971:2019 requires that the manufacturer establishes, implements, documents and maintains an ongoing risk management process throughout the life cycle of the medical device. The required elements in this process and the responsibilities of top management are given in ISO 14971:2019 and explained in further detail in this document.
4.2 Management responsibilities
4.2.1 Top management commitment

Top management has the responsibility to establish and maintain an effective risk management process. It is important to note the emphasis on top management in ISO 14971:2019. Top management has the power to assign authorities and responsibilities, to set priorities and to provide resources within the organization. Commitment at the highest level of the organization is essential for the risk management process to be effective.

If the manufacturer’s organization consists of separate entities, for example business units or divisions, then top management can refer to those individuals who direct and control the entity implementing the risk management process. Each entity can have its own risk management process (and its own quality management system).
4.2.2 Policy for establishing criteria for risk acceptability

ISO 14971:2019 requires top management to define and document the policy for establishing criteria for risk acceptability. Annex C provides detailed guidance on how to define such a policy and which elements should be included, such as applicable regulations, relevant international standards, the generally acknowledged state of the art and known stakeholder concerns. Annex C also explains the relation between the policy and the criteria for risk acceptability and how these criteria are used in risk control and risk evaluation.

The policy can allow specific criteria for each type of medical device (or medical device family). This can depend on the characteristics of the medical device and its intended use (including the intended patient population). ISO 14971:2019 requires that the policy provides guidelines on how to establish the criteria for acceptability of the overall residual risk.
4.2.3 Suitability of the risk management process

ISO 14971:2019 requires top management to review the suitability of the risk management process at planned intervals. The review of the suitability is a high-level review of the risk management process and can include reviewing the following aspects, for example:

— the effectiveness of the implemented risk management procedures;

— the adequacy of the criteria for risk acceptability, which can imply the need for an adaptation of the criteria for risk acceptability for specific medical devices; and

— the effectiveness of the feedback loop of the production and post-production information (see 10.4).

4.3 Competence of personnel

Ensuring the assignment of competent personnel is a responsibility of top management. Examples of the personnel that can be involved in specific risk management tasks and the relevant knowledge and experience supporting effective completion of the associated tasks are given in Table 1.

Some risk management activities can be performed by external consultants or specialists. The required competence should be documented as well as the objective evidence of the fulfilment of these requirements.

Table 1 — Examples of competent personnel and relevant knowledge and experience

| Personnel or function | Knowledge and experience |
| --- | --- |
| Risk management owner | Medical device risk management process |
| Engineer or scientist | Medical device technologies, design and operating principles |
| Operations | Manufacturing processes |
| Supply-chain management | Sources of material and services, including outsourced processes |
| Medical or clinical expert | Clinical evaluation methodologies and requirements; Use in medical practice, including benefits, hazardous situations and possible harm |
| Regulatory affairs | Regulatory requirements pertaining to safety and risk management in countries/regions where the medical device is intended to be marketed |
| Quality assurance | Quality management systems and quality practices |
| Packaging, storage, handling and distribution | Hazards and risk control measures in relation to packaging, storage, handling and distribution |
| Service engineer, biomedical engineer or medical physicist | Hazards and risk control measures in relation to installation, maintenance, repair, calibration, service and support processes and practices |
| Post-production | Customer complaints and adverse event reporting, post-market surveillance |
| Information services | Data mining processes, methodologies for literature search |
| All individuals involved in the review and approval of the records | Expertise in the functional area for which they are reviewing and approving |

Consider the need to include the following topics in the educati
...

SLOVENIAN STANDARD
kSIST-TP FprCEN ISO/TR 24971:2020
01-May-2020
Medicinski pripomočki - Navodilo za uporabo ISO 14971 (ISO PRF/TR 24971:2020)

Medical devices - Guidance on the application of ISO 14971 (ISO PRF/TR 24971:2020)

Medizinprodukte - Leitfaden zur Anwendung von ISO 14971 (ISO PRF/TR 24971:2020)

Dispositifs médicaux - Directives relatives à l'ISO 14971 (ISO PRF/TR 24971:2020)

This Slovenian standard is identical to: FprCEN ISO/TR 24971
ICS: 11.040.01 Medical equipment in general
kSIST-TP FprCEN ISO/TR 24971:2020 en

2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

TECHNICAL REPORT ISO/TR 24971
Second edition
2020-05
Medical devices — Guidance on the application of ISO 14971
Dispositifs médicaux — Directives relatives à l'ISO 14971
PROOF/ÉPREUVE
Reference number: ISO/TR 24971:2020(E)
ISO 2020

COPYRIGHT PROTECTED DOCUMENT
© ISO 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
4.1 Risk management process
4.2 Management responsibilities
4.2.1 Top management commitment
4.2.2 Policy for establishing criteria for risk acceptability
4.2.3 Suitability of the risk management process
4.3 Competence of personnel
4.4 Risk management plan
4.4.1 General
4.4.2 Scope of the risk management plan
4.4.3 Assignment of responsibilities and authorities
4.4.4 Requirements for review of risk management activities
4.4.5 Criteria for risk acceptability
4.4.6 Method to evaluate overall residual risk and criteria for acceptability
4.4.7 Verification activities
4.4.8 Activities related to collection and review of production and post-production information
4.5 Risk management file
5 Risk analysis
5.1 Risk analysis process
5.2 Intended use and reasonably foreseeable misuse
5.3 Identification of characteristics related to safety
5.4 Identification of hazards and hazardous situations
5.4.1 Hazards
5.4.2 Hazardous situations in general
5.4.3 Hazardous situations resulting from faults
5.4.4 Hazardous situations resulting from random faults
5.4.5 Hazardous situations resulting from systematic faults
5.4.6 Hazardous situations arising from security vulnerabilities
5.4.7 Sequences or combinations of events
5.5 Risk estimation
5.5.1 General
5.5.2 Probability
5.5.3 Risks for which probability cannot be estimated
5.5.4 Severity
5.5.5 Examples
6 Risk evaluation
7 Risk control
7.1 Risk control option analysis
7.1.1 Risk control for medical device design
7.1.2 Risk control for manufacturing processes
7.1.3 Standards and risk control
7.2 Implementation of risk control measures
7.3 Residual risk evaluation
7.4 Benefit-risk analysis
7.4.1 General
7.4.2 Benefit estimation
7.4.3 Criteria for benefit-risk analysis
7.4.4 Benefit-risk comparison
7.4.5 Examples of benefit-risk analyses
7.5 Risks arising from risk control measures
7.6 Completeness of risk control
8 Evaluation of overall residual risk
8.1 General considerations
8.2 Inputs and other considerations
8.3 Possible approaches
9 Risk management review
10 Production and post-production activities
10.1 General
10.2 Information collection
10.3 Information review
10.4 Actions
Annex A (informative) Identification of hazards and characteristics related to safety
Annex B (informative) Techniques that support risk analysis
Annex C (informative) Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
Annex D (informative) Information for safety and information on residual risk
Annex E (informative) Role of international standards in risk management
Annex F (informative) Guidance on risks related to security
Annex G (informative) Components and devices designed without using ISO 14971
Annex H (informative) Guidance for in vitro diagnostic medical devices
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives-and-policies).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO’s adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following URL: www.iso.org/iso/foreword.html.

This document was prepared jointly by Technical Committee ISO/TC 210, Quality management and corresponding general aspects for medical devices, and Subcommittee IEC/SC 62A, Common aspects of electrical equipment used in medical practice.

This second edition cancels and replaces the first edition, which has been technically revised. The main changes compared to the previous edition are as follows:

— The clauses of ISO/TR 24971:2013 and some informative annexes of ISO 14971:2007 are merged, restructured, technically revised, and supplemented with additional guidance.

— To facilitate the use of this document, the same structure and numbering of clauses and subclauses as in ISO 14971:2019 is employed. The informative annexes contain additional guidance on specific aspects of risk management.

Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction

This document provides guidance to assist manufacturers in the development, implementation and maintenance of a risk management process for medical devices that aims to meet the requirements of ISO 14971:2019, Medical devices — Application of risk management to medical devices. It provides guidance on the application of ISO 14971:2019 for a wide variety of medical devices. These medical devices include active, non-active, implantable, and non-implantable medical devices, software as medical devices and in vitro diagnostic medical devices.

The clauses and subclauses in this document have the same structure and numbering as the clauses and subclauses of ISO 14971:2019, to facilitate the use of this guidance in applying the requirements of the standard. Further division into subclauses is applied where considered useful. The informative annexes contain additional guidance on specific aspects of risk management. The guidance consists of the clauses of ISO/TR 24971:2013 and some of the informative annexes of ISO 14971:2007, which are merged, restructured, technically revised, and supplemented with additional guidance.

Annex H was prepared in cooperation with Technical Committee ISO/TC 212, Clinical laboratory testing and in vitro diagnostic test systems.

This document describes approaches that manufacturers can use to develop, implement and maintain a risk management process conforming to ISO 14971:2019. Alternative approaches can also satisfy the requirements of ISO 14971:2019.

When judging the applicability of the guidance in this document, one should consider the nature of the medical device(s) to which it will apply, how and by whom these medical devices are used, and the applicable regulatory requirements.
Medical devices — Guidance on the application of ISO 14971
1 Scope

This document provides guidance on the development, implementation and maintenance of a risk management system for medical devices according to ISO 14971:2019.

The risk management process can be part of a quality management system, for example one that is based on ISO 13485:2016[24], but this is not required by ISO 14971:2019. Some requirements in ISO 13485:2016 (Clause 7 on product realization and 8.2.1 on feedback during monitoring and measurement) are related to risk management and can be fulfilled by applying ISO 14971:2019. See also the ISO Handbook: ISO 13485:2016 — Medical devices — A practical guide[25].

2 Normative references

ISO 14971:2019, Medical devices — Application of risk management to medical devices

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 14971:2019 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/

NOTE The defined terms in ISO 14971:2019 are derived as much as possible from ISO/IEC Guide 63:2019[20] which was developed specifically for the medical device sector.

4 General requirements for risk management system
4.1 Risk management process

ISO 14971:2019 requires that the manufacturer establishes, implements, documents and maintains an ongoing risk management process throughout the life cycle of the medical device. The required elements in this process and the responsibilities of top management are given in ISO 14971:2019 and explained in further detail in this document.

4.2 Management responsibilities
4.2.1 Top management commitment

Top management has the responsibility to establish and maintain an effective risk management process. It is important to note the emphasis on top management in ISO 14971:2019. Top management has the power to assign authorities and responsibilities, to set priorities and to provide resources within the organization. Commitment at the highest level of the organization is essential for the risk management process to be effective.

If the manufacturer’s organization consists of separate entities, for example business units or divisions, then top management can refer to those individuals who direct and control the entity implementing the risk management process. Each entity can have its own risk management process (and its own quality management system).

4.2.2 Policy for establishing criteria for risk acceptability

ISO 14971:2019 requires top management to define and document the policy for establishing criteria for risk acceptability. Annex C provides detailed guidance on how to define such a policy and which elements should be included, such as applicable regulations, relevant international standards, the generally acknowledged state of the art and known stakeholder concerns. Annex C also explains the relation between the policy and the criteria for risk acceptability and how these criteria are used in risk control and risk evaluation.

The policy can allow specific criteria for each type of medical device (or medical device family). This can depend on the characteristics of the medical device and its intended use (including the intended patient population). ISO 14971:2019 requires that the policy provides guidelines on how to establish the criteria for acceptability of the overall residual risk.

4.2.3 Suitability of the risk management process

ISO 14971:2019 requires top management to review the suitability of the risk management process at planned intervals. The review of the suitability is a high-level review of the risk management process and can include reviewing the following aspects, for example:

— the effectiveness of the implemented risk management procedures;
— the adequacy of the criteria for risk acceptability, which can imply the need for an adaptation of the criteria for risk acceptability for specific medical devices; and
— the effectiveness of the feedback loop of the production and post-production information (see 10.4).

4.3 Competence of personnel

Ensuring the assignment of competent personnel is a responsibility of top management. Examples of the personnel that can be involved in specific risk management tasks and the relevant knowledge and experience supporting effective completion of the associated tasks are given in Table 1.

Some risk management activities can be performed by external consultants or specialists. The required competence should be documented as well as the objective evidence of the fulfilment of these requirements.

Table 1 — Examples of competent personnel and relevant knowledge and experience

| Personnel or function | Knowledge and experience |
|---|---|
| Risk management owner | Medical device risk management process |
| Engineer or scientist | Medical device technologies, design and operating principles |
| Operations | Manufacturing processes |
| Supply-chain management | Sources of material and services, including outsourced processes |
| Medical or clinical expert | Clinical evaluation methodologies and requirements |
| | Use in medical practice, including benefits, hazardous situations and possible harm |
| Regulatory affairs | Regulatory requirements pertaining to safety and risk management in countries/regions where the medical device is intended to be marketed |
| Quality assurance | Quality management systems and quality practices |
| Packaging, storage, handling and distribution | Hazards and risk control measures in relation to packaging, storage, handling and distribution |
| Service engineer, biomedical engineer or medical physicist | Hazards and risk control measures in relation to installation, maintenance, repair, calibration, service and support processes and practices |
| Post-production | Customer complaints and adverse event reporting, post-market surveillance |
| Information services | Data mining processes, methodologies for literature search |
| All individuals involved in the review and approval of the records | Expertise in the functional area for which they are reviewing and approving |

Consider the need to include the following topics in the education of risk management experts:

— management of a risk management program for medical devices;
— ethics, safety, security and liability;
— concepts of risk, risk acceptability and benefit-risk analysis;
— probability and statistics for risk management and reliability;
— risk management and reliability in design and development;
— relevant standards and regulations;
— risk estimation including methods to determine the severity and probability of occurrence of harm;
— risk assessment methodology;
— methods for risk control;
— methods for verifying the effectiveness of risk control measures;
— methods for analysing production and post-production information.

4.4 Risk management plan
4.4.1 General

The risk management plan describes the scope of the risk management activities, the responsibilities and authorities of those involved, the criteria for risk acceptability, the production and post-production information to be collected and reviewed for the medical device, and all risk management activities that are carried out during the entire product life cycle. The risk management plan can be a separate document, or it can be integrated with other documentation, e.g. quality management system documentation. It can be self-contained or it can reference other documents, such as planning of clinical, biological or usability evaluations or planning of post-production activities.

The risk management plan is a “living document” that will be reviewed and updated throughout the life cycle of the medical device as new information becomes available. The information should be collected on a continuous basis, even after the last medical device is sold and placed on the market. ISO 14971:2019 requires that changes to the risk management plan be recorded in the risk management file.

The extent of planned activities and the level of detail of the risk management plan should be commensurate with the level of risk associated with the medical device. The requirements in ISO 14971:2019 are the minimum requirements for a risk management plan. Manufacturers can include other items such as time-schedule, risk analysis tools, or a rationale for the choice of specific risk acceptability criteria.

4.4.2 Scope of the risk management plan

The scope identifies and describes the medical device and the life cycle phases for which each element of the plan is applicable.

Some of the elements of the risk management plan can apply to the product realization process (design, development and production of the medical device).
...
