The third edition of ISO 14971 was finally released in December 2019, and it replaces ISO 14971:2007. The risk management process itself remains largely unchanged.
Revise ISO 14971 as follows:
- Maintain the key concepts of, and the core approach to, risk management
- Clarify the normative requirements, particularly concerning the following topics:
  - production and post-production information,
  - clinical benefits and risk-benefit analysis,
- Update the guidance in the annexes;
- Revise ISO TR 24971 (or, optionally, merge this TR with the standard)
ISO TR 24971 is the Technical Report on implementation of ISO 14971 and is not widely known or understood by industry.
ISO TC 210 and IEC 62A Charges (ISO TC 210 and IEC SC 62A are parent committees of the Technical Committee JWG1 that is responsible for ISO 14971)
ISO 14971:2019 compared to 2007 with comments on ISO TR 24971:2020
There are important clarifications and updates in ISO 14971:2019 that you should be aware of.
| ISO 14971:2007 (Requirements) | ISO 14971:2019 (Requirements) | ISO 24971:2019 (Informative Text) |
| --- | --- | --- |
| Clause 1 - Scope | Clause 1 - Scope | Clause 1 - Scope |
| Clause 2 - Terms and Definitions | Clause 2 - Normative References | Clause 2 - Normative References |
| Clause 3 - General Requirements | Clause 3 - Terms and Definitions | Clause 3 - Terms and Definitions |
| Clause 4 - Risk Analysis | Clause 4 - General Requirements for risk management system | Clause 4 - General Requirements for risk management system |
| Clause 5 - Risk Evaluation | Clause 5 - Risk Analysis | Clause 5 - Risk Analysis |
| Clause 6 - Risk Control | Clause 6 - Risk Evaluation | Clause 6 - Risk Evaluation |
| Clause 7 - Evaluation of Overall Residual Risk Acceptability | Clause 7 - Risk Control | Clause 7 - Risk Control |
| Clause 8 - Risk Management Report | Clause 8 - Evaluation of Overall Residual Risk Acceptability | Clause 8 - Evaluation of Overall Residual Risk |
| Clause 9 - Production and Post-production Information | Clause 9 - Risk Management Review | Clause 9 - Risk Management Review |
| | Clause 10 - Production and Post-production Activities | Clause 10 - Production and Post-production Activities |
ISO TR 24971:2020 compared with comments on ISO TR 24971:2013 and ISO 14971:2007
Informative Annexes (not requirements) | |||
ISO 14971:2007 | ISO 14971:2019 | ISO TR 24971:2013 | ISO TR 24971:2020 |
Annex A-Rationale for requirements | Annex A-Rationale for Requirements | ||
Annex B-Overview of risk management process for medical devices | Annex B-Risk management process for medical devices (Additional detail comparing 2007 and 2019) | ||
Annex C-Questions that can be used to identify medical device characteristics that could impact on safety | Annex A-Identification of hazards and characteristics of safety | ||
Annex D-Risk concepts applied to medical devices | Content of this annex appears in appropriate numbered clauses of ISO TR 24971 | ||
Annex E-Examples of hazards, foreseeable sequences of events and hazardous situations | Annex C-Fundamental risk concepts (Informative) | Included in Clause 5.4-Identification of hazards and hazardous situations and Clause 5.5-Risk Estimation | |
Annex F-Risk management plan | Clause 4.4 Risk Management Plan | ||
Annex G-Information on risk management techniques | Annex B- Techniques that support risk analysis | ||
Annex H-Guidance on risk management for in vitro diagnostic medical devices | Annex H-Guidance on risk management for in vitro diagnostic medical devices | ||
Annex I-Guidance on risk analysis process for biologic hazards | [Removed-Now in ISO 10993-1] | ||
Annex J-Information for safety and information about residual risk | Clause 5-Differentiation of information for safety and disclosure of residual risk | Annex D-Differentiation of information for safety and information on residual risk | |
1-Scope | 1-Scope | ||
2- The role of international product safety and process standards in risk management | Annex E-The role of international product safety and process standards in risk management | ||
3-Developing the policy for determining the criteria for risk acceptability | Annex C-Relation between the policy, criteria for risk acceptability, risk control and risk evaluation | ||
4-Production and post-production feedback loop | Clause 10-Production and post-production feedback loop activities | ||
New Annexes | |||
Annex F-Guidance on risks related to [cyber/data] security | |||
Annex G-Components and devices designed without using ISO 14971 [remediation] |
- The process described in this document can also be applied to products that are not necessarily medical devices in some jurisdictions and can also be used by others involved in the medical device life cycle.
- This document does not apply to:
  - decisions on the use of a medical device in the context of any particular clinical procedure; or
  - business risk management
  - class I devices
The Standard
- Clause 2 is now “Normative References” as required by ISO TMB even though it states “There are no normative references in this document”.
- Clauses starting with “Terms and Definitions” are now renumbered and incremented by “1”, e.g. Terms and Definitions is now Clause 3. There are now 10 clauses instead of 9 as in the 2007 edition.
- New definitions for:
  - 3.2 Benefit (not defined anywhere else in standards or regulations)
  - 3.15 Reasonably foreseeable misuse (not defined elsewhere)
  - 3.28 State of the art (not defined elsewhere)
- 3.3 Harm: physical injury or damage to the health of people, or damage to property or the environment
- Many definitions updated due to updates to sources including ISO 9000 (2015) and ISO Guide 63 (2019) as well as others
- Clause 4.1 Figure 1 diagram has been changed to include “Risk Management plan” and the standard's title changes in various steps describing the risk management process. You may need to revise your process drawings.
- Clause 5.4 Risk Analysis reworded
  - The manufacturer shall identify and document known and foreseeable hazards associated with the medical device based on the intended use, reasonably foreseeable misuse and the characteristics related to safety in both normal and fault conditions. This requires the use of multiple risk analysis tools, as many tools are only “fault condition” analyses. See Annex B1 paragraph 2.
- Clause 7.4 retitled to Benefit-risk analysis to align with regulatory changes. 14971 only requires that risks deemed to be unacceptable are analyzed; it is up to the manufacturer to determine if there are regulatory requirements they must otherwise meet (such as MDR).
  - Nearly three pages in ISO TR 24971:2020 Clause 7.4 of extensive discussion on benefit and benefit-risk analysis, including that benefit does not include economic or business advantages. (Clause 7.4.5 includes 3 specific examples of benefit-risk analysis conclusions.)
  - 7.4.2 has extensive discussion of clinical benefits
- Clause 9 retitled to Risk management review to emphasize that a review process prior to release for distribution is necessary to answer the following three questions:
  - The risk management plan has been appropriately implemented;
  - The overall residual risk is acceptable; and
  - Appropriate methods are in place to collect and review information in the production and post-production phases.
  - Reviewers must be identified in the Risk Management Plan (in advance of the review) and must have appropriate authority, and may be necessary after the device is in distribution
  - Risk Management Report is a summary of the review and part of the Risk Management File, and is different from the Management Review of the Risk Management process in Clause 4.2 (see ISO TR 24971 Clauses 4.2.3 & 9)
- Clause 10 retitled to Production and post-production activities. This section has been extensively revised and aligns with Clause 8 Measurement, analysis and improvement in ISO 13485. Both ISO 13485 and ISO 14971 developed these sections from the GHTF SG3/N18:2010 Quality management system – Medical Devices – Guidance on corrective action and preventive action and related QMS processes
  - Emphasizes a need for an active process for gaining information as opposed to just waiting for complaints. Aligns with post market surveillance requirements by regulators
  - Requires inclusion of risk management in post market surveillance
  - Went from ½ page in 2007 to 1-1/2 pages of requirements in 2019, plus 4 pages of guidance in ISO TR 24971:2020 as opposed to 1 page in ISO TR 24971:2013
The Guidance
- Added new annex, Annex F, 4-1/2 pages, which covers risk management for cyber and data security and the process relationship to ISO 14971
  - Developed with members of ISO/IEC software committees
- Added new annex, Annex G, to cover components and devices that were designed without meeting ISO 14971 requirements
  - Discusses a process that may be appropriate for remediating the Risk Management File in 2+ pages of guidance
- Annex H for IVDs extensively revised by ISO TC 212 committee on IVDs and includes valuable information for all medical devices, not just IVDs.
- It is important to understand that all information in ISO TR 24971:2020 is guidance and is NOT REQUIREMENTS
- Additionally, Annexes A, B and C in ISO 14971:2019 are guidance and not requirements
- Annex A in ISO 14971:2019 is the rationale for the requirements in the standard and should be read by anyone using the standard to improve understanding of the reason for the requirements