May 27, 2020 EU MDR

ISO 14971:2019 – Updates & older Version Differences

The third edition of ISO 14971 was finally released in December 2019 and it replaces ISO 14971:2007. The risk management process itself remains largely unchanged.

Revise ISO 14971 as follows:

  1. Maintain the key concepts of and the core approach To risk Management
  2. Clarify the normative requirements, particularly concerning thefollowing topics:
    • production and post-production information,
    • clinical benefits and risk-benefit analysis,
    • update the guidance in the annexes;
    • Revise ISO TR 24971 (or optionally to merge this TR with the standard)

ISO TR 24971 is the Technical Report on implementation of ISO 14971 and is not widely known or understood by industry ISO TC 210 and IEC 62A Charges (ISO TC 210 and IEC SC 62A are parent committees of the Technical Committee JWG1 that is responsible for ISO 14971)

ISO 14971:2019 compared to 2007 with comments on ISO TR 24971:2020

There are important clarifications and updates in ISO 14971:2019 that you should be aware of.

Requirements Requirements Informative Text
ISO 14971:2007 ISO 14971:2019 ISO 24971:2019
Clause 1- Scope Clause 1- Scope Clause 1- Scope
Clause 2- Terms and Definitions Clause 2- Normative References Clause 2- Normative References
Clause 3- General Requirements Clause 3-Terms and Definitions Clause 3-Terms and Definitions
Clause 4- Risk Analysis Clause 4-General Requirements for risk management system Clause 4-General Requirements for risk management system
Clause 5-Risk Evaluation Clause 5-Risk Analysis Clause 5-Risk Analysis
Clause 6-Risk Control Clause 6-Risk Evaluation Clause 6-Risk Evaluation
Clause 7-Evalaution of Overall Residual Risk Acceptability Clause7 -Risk Control Clause7 -Risk Control
Clause 8-Risk Management Report Clause 8-Evalaution of Overall Residual Risk Acceptability Clause 8-Evalaution of Overall Residual Risk
Clause 9-Production and Post-production Information Clause 9-Risk Management Review Clause 9-Risk Management Review
Clause 10-Production and Post-production Activities Clause 10-Production and Post-production Activities

ISO TR 24971:2020 compared
With comments on ISO TR 24971:2013 and ISO 14971:2007

Informative Annexes (not requirements)
ISO 14971:2007 ISO 14971:2019 ISO TR 24971:2013 ISO TR 24971:2020
Annex A-Rationale for requirements Annex A-Rationale for Requirements
Annex B-Overview of risk management process for medical devices Annex B-Risk management process for medical devices (Additional detail comparing 2007 and 2019)
Annex C-Questions that can be used to identify medical device characteristics that could impact on safety Annex A-Identification of hazards and characteristics of safety
Annex D-Risk concepts applied to medical devices Content of this annex appears in appropriate numbered clauses of ISO TR 24971
Annex E-Examples of hazards, foreseeable sequences of events and hazardous situations, Annex C-Fundamental risk concepts (Informative) Included in Clause 5.4-Identification of hazards and hazardous situations and Clause 5.5-RiskEstimation
Annex F-Risk management plan Clause 4.4 Risk Management Plan
Annex G-Information on risk management techniques Annex B- Techniques that support risk analysis
Annex H-Guidance on risk management for in vitro diagnostic medical devices Annex H-Guidance on risk management for in vitro diagnostic medical devices
Annex I-Guidance on risk analysis process for biologic hazards [Removed-Now in ISO 10993-1]
Annex J-Information for safety and information about residual risk Clause 5-Differention of information for safety and disclosure of residual risk Annex D-Differentiation Of Information for safety and information on about residual risk
1-Scope 1-Scope
2- The role of international product safety and process standards in risk management Annex E-The role of international product safety and process standards in risk management
3-Developing the policy for determining the criteria for risk acceptability Annex C-Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
4-Production and post-production feedback loop Clause 10-Production and post-production feedback loop activities
New Annexes
Annex F-Guidance on risks related to [cyber/data] security
Annex G-Components and devices designed without using ISO 14971 [remediation]
  • The process described in this document can also be applied toproducts that are not necessarily medical devices in somejurisdictions and can also be used by others involved in the medicaldevice life cycle.
  • This document does not apply to:This document does not apply to:
    • decisions on the use of a medical device in the context of anyparticular clinical procedure; or
    • business risk management
    • class I devices

The Standard

  • Clause 2 is now “Normative References” as required by ISO TMBeven though it states “There are no normative references in thisdocument”.
  • Clauses starting with “Terms and Definitions” are now renumberedand incremented by “1”. E.g. Terms and Definitions is now Clause 3. Now 10 Clauses instead of 9 as in 2007 edition.
  • New definitions for :
    • 3.2 Benefit (not defined anywhere else in standards or regulations)
    • 3.15 Reasonably foreseeable misuse (not defined elsewhere)
    • 3.28 State of the art (not defined elsewhere)
    • 3.3 harm physical injury or damage to the health of people, or damage to property or the environment
  • Many definitions updated due to updates to sources including ISO9000 (2015) AND ISO GUIDE 63 (2019) as well as others
  • Clause 4.1 Figure 1 diagram has been changed to include “Risk Management plan” and standard title changes in various steps indescribing the risk management process-May need to revise yourprocess drawings
  • Clause 5.4 Risk Analysis reworded
    • The manufacturer shall identify and document known and foreseeablehazards associated with the medical device based on the intended use,reasonably foreseeable misuse and the characteristics related to safety in both normal and fault conditions.-Requires use of multiple risk analyses tools as many tools only are “fault condition” analyses-See Annex B1 paragraph2.
  • Clause 7.4 retitled to Benefit-risk analysis to align with regulatorychanges. 14971 only requires that risks deemed to be unacceptableare analyzed, it is up to manufacturer to determine if there areregulatory requirements otherwise they must meet (Such as MDR).
    • Nearly three pages in ISO TR 24971:2020 Clause 7.4 of extensivediscussion on benefit and benefit-risk analysis, including thatbenefit does not include economic or business advantages.(Clause 7.4.5 includes 3 specific examples of benefit-riskanalysis conclusions.)
    • 7.4.2 has extensive discussion of clinical benefits
  • Clause 9 retitled to Risk management review to emphasize that areview process prior to release for distribution is necessary to answerthe following three questions
    • The risk management plan has been appropriately implemented;
    • The overall residual risk is acceptable; and
    • Appropriate methods are in place to collect and review informationin the production and post-production phases.
  • Reviewers must be identified in the Risk Management Plan (in advance of the review)and must have appropriate authority and may benecessary after device is in distribution
  • Risk Management Report is a summary of review and part of RiskManagement File and is different from Management Review of Risk Management process in Clause 4.2 (See ISO TR 24971 Clauses 4.2.3 & 9)
  • Clause 10 retitled to Production and post-production activities. This section has been extensively revised and aligns with Clause 8Measurement analysis and improvement in ISO 13485. Both ISO 13485 and ISO 14971 developed these sections from the GHTF SG3/N18:2010 Quality management system –Medical Devices – Guidance on corrective action and preventive action and related QMS processes
  • Emphasizes a need for an active process for gaining information as Opposed to just waiting for complaints. Aligns with post market Surveillance requirements by regulators
  • Requires inclusion of risk management in post market surveillance
  • Went from ½ page in 2007 to 1-1/2 pages of requirements in 2019, Plus 4 pages guidance in ISO TR 24971:2020 as opposed to 1 page In ISO TR 24971:2013

The Guidance

  • Added new annex, Annex F, 4-1/2 pages which covers risk Management for cyber and data security and the process Relationship to ISO 14971
    • Developed with members of ISO/IEC software committees
  • Added new annex, Annex G, to cover components and devicesthat were designed without meeting ISO 14971 requirements
    • Discusses process that may be appropriate for remediating Risk Management File in 2+ pages of guidance
  • Annex H for IVDs extensively revised by ISO TC212 committee on IVDs and includes valuable information for all medical devices, not just IVDs.
  • It is important to understand that all information in ISO TR 24971:2020is guidance and is NOT REQUIREMENTS
  • Additionally Annexes A, B, C in ISO 14971:2019 is guidance and not Requirements
  • Annex A in ISO 14971:2019 is the Rationale for the requirements in The standard and should be read by anyone using the standard to Improve understanding of the reason for the requirements

Browse by Topic