As the underlying risk management process for medical devices, the ISO 14971 standard is a critical component of regulatory and quality compliance. When new versions are released and harmonized, it’s up to manufacturers to learn about the changes to update systems accordingly. However, there is often a gap between the time a new version is released and when regulatory organizations require compliance.
This is currently the case with ISO 14971:2019, which is not yet harmonized with the new EU MDR and IVDR regulations. Not surprisingly, this has caused some confusion in the industry, especially since some notified bodies are using it as a reference. IVD reclassification under IVDR is also forcing many manufacturers that used to self-certify to show evidence of compliance in their technical documentation. The fact is, if you manufacture medical devices or IVDs in any market, it’s important to understand ISO 14971:2019 requirements.
Overview of ISO 14971:2019
Published by the International Organization for Standardization (ISO), ISO 14971:2019 is the latest version of the standard that describes the application of risk management to medical devices. The standard, which also includes software and IVDs, applies to the entire life cycle of a product and describes processes for identifying hazards, estimating and evaluating the associated risks, and methods for controlling risks and monitoring the effectiveness of those controls.
Risks related to medical devices and IVDs could be associated with:
- Data and systems security
- EMC (electromagnetic compatibility)
- Moving parts
Manufacturers are expected to use the defined processes to establish objective criteria for acceptable risks and weigh them against the benefits the device provides.
The main drivers for updating the standard were to:
- Align with ISO 13485:2016, MDR, IVDR, and FDA emphasis on post-market surveillance
- Make ISO 14971 more user-friendly and easier to understand with more guidance on key focus areas
- Make the standard up-to-date with 21st century medical device technology and the application of software used in medical devices
Key Changes with the Release of ISO 14971:2019
Version 14971:2019, which was released in 2019, replaces the prior 2007 version. Although the risk management process is largely the same, there are three significant differences in the versions that manufacturers need to be aware of.
1. Expanded annexes
In an effort to simplify the primary document and make the requirements for compliance more clear, guided explanations and expanded dependencies were removed and included as annexes in the technical report (ISO TR 24971:2020). This makes the standard more user-friendly because it is easier to have a high-level view of the requirements. The annexes have been expanded to include more examples and guidance in an effort to make it easier for manufacturers to comply.
ISO 14971:2019 has become less bulky and focuses primarily on what you must implement. TR 24971:2020 was updated to create a more user-friendly reference on how to implement clauses into your risk management process. In addition to revamping and moving the annexes to a new document, there were some additions. Annex G was added to cover risk management for cybersecurity. Annex H covers how to assess and remediate risk management files of devices that previously did not comply with ISO 14971. As IVDR reclassified a lot of devices in comparison to the IVD, Annex H is a tool to help get you into compliance.
2. New focus on benefits
Although it is still fundamentally a risk management standard, the new version puts more emphasis on the benefits a product delivers relative to the associated risk. The definition of “benefit” is now included in the standard and manufacturers are expected to explain the benefits their devices provide. Examples for how to complete a benefit-risk analysis are helpfully included in the ISO/TR 24971:2020 guidance annex for this new requirement.
3. Post-market requirements
The ISO 14971 standard has always applied to the entire life cycle of a device, but the new standard has more requirements for post-market activities. This is one area that had more significant changes and additions to the content, so pay close attention when revamping systems to meet the new requirements.
The most significant change is the requirement for more proactive data collection and integration of risk management and quality systems. Now you must not only look reactively at complaints but search the risk management system you use to continuously provide feedback into your post market surveillance system. The standard now aligns more closely with ISO 13485:2016, making it more clear how to integrate your systems, create feedback loops for data, deal with complaint handling, internal auditing, customer feedback, control of nonconforming data, improvements, and data analysis. New information and data collection activities in your post-market surveillance process must be integrated into your risk management process and you must demonstrate how these systems are linked.
Challenges with Implementation
Although ISO 14971:2019 has been released and is available to manufacturers, it has not yet been harmonized with the EU. However, we have seen that many notified body reviewers are using ISO 14971:2019 as the reference for risk management when evaluating technical documentation under MDR and IVDR. ISO 14971:2019 is indeed the state of the art process for putting risk management procedures in your quality system, which is why it is being referenced even though it has not yet been harmonized. Although we don’t necessarily agree with this approach, it is the current reality and manufacturers have to be prepared for it, especially if they don’t want to get slowed down during notified body review.
Consequences of Non-Compliance
In the EU, because the standard has not been harmonized, there are no concrete consequences, but as mentioned above, it is the current de facto standard and it behooves manufacturers to comply with it when getting products approved. In the US, manufacturers must show evidence of compliance in their 510(k) submissions and during quality system audits. Non-compliance could result in 483s, audit findings, recalls, removal from the market, and most importantly, risks to patients.
The bottom line is that if you don’t comply with ISO 14971:2019 in the US, you won’t achieve 510(k) clearance. In the EU, the line is fuzzier, but there is a good chance your technical documentation won’t be approved.
Next Steps for ISO 14971:2019 Compliance
If you are currently compliant with ISO 14971:2007 and EN ISO 14971:2012, you shouldn’t have to make too many changes. Take the time to perform a gap analysis and address any weaknesses that arise. This update was done to harmonize across the IVDR and MDR and therefore will integrate into your post-market surveillance (PMS) plan, periodic safety update reports (PSURs), and your post-market surveillance report (PMSRs).
If your device is state of the art, writing the required risk-benefit analysis shouldn’t be too difficult, especially with the new examples provided in the annexes. However, this could be a challenge for legacy devices that have not kept up with the latest technology. If you are new to risk management or now have to submit technical documentation for notified body review under IVDR, you might want to employ outside help from an expert.
RQM+ is Here to Help
RQM+ has extensive experience in all clinical specialties with updating quality systems to be compliant with ISO 14971:2019 and the MDR/IVDR. We are perfectly positioned to help you create the optimal approach to communication and data transfer between departments and systems. The ideal arrangement is for RQM+ to provide support in all impacted areas—CERs/PERS, post-market surveillance, and risk management—to ensure consistency and efficiency. This process also ultimately benefits the business because it aligns the data and associated documentation that each group creates.
Many of our team members have a medical device development background, so we have deep experience with risk management at every stage in the product life cycle.