I agree with most of the participants on the above post. ISO 14971, major regulation detailing the Risk Management Requirements for Medical Devices. Medical device manufacturers must have a good understanding of Risk Management Process including the Risk Management Plan should be part of the Quality Management System to obtain the ISO certification. There are four key points presented as part of the risk management process described in the ISO 14971.
1) Identifying hazards associated with medical device that could place patients at risk.
2) Estimating the potential occurrence of such risks, and evaluating the consequences.
3) Developing and implementing safeguards within the device or production process to control the risks.
4) Continuous monitoring of the process to assess the effectiveness of risk management process and risk management controls
All in all, each company must set up the above mentioned key things in order to be considered to have a risk management process.
ISO 31000:2009 provides principles and generic guidelines on risk management. ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.
It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.
The major ISO for risk management is ISO 14971, which is enforced onto medical device companies as a means of preventing or mitigating the hazards associated with the devices. As mentioned in lecture, risk management occurs within multiple areas of a project, which also applies to ISO 14791. These areas mainly apply to safety aspects regarding the design of the medical device itself, such as inherent safety, protective safety, and information safety. Inherent safety aims at making a device as user-friendly as possible so that any mishaps made by the user will not result in any dire consequences. These include features such as making on/off switches easier to see, color-coding connectors so they cannot be mistaken with one another, and overall making all displays that are viewed by the user more noticeable.
Protective safety under ISO 14971 requires the application of safety features that focus on the physical design of the device itself. These features include safety locks, electrical shielding, or software-hardware interlocks that prevent software glitches from falsely activating the hardware that makes up the device. These features also include warning visuals such as when a device has low battery, indicating that it should be charged immediately, especially if the device is used to sustain life. Lastly, information safety states that a device's hazards must be elaborated in the user manual such as caution statements that highlight the risk the user takes upon operating the device (i.e. a glucose reader reminding the user to sanitize the tip prior to injection).
Are there ISOs or other forms of risk management that are able to take human error into account when handling a medical device? Would a simple warning label suffice if the device was an external pacemaker or defibrillator? We learned in lecture that acceptance towards a medical device during risk management means to just chance its risks/hazards to the public upon release. Are there any examples of medical devices whose company suffered severe consequences from taking the acceptance approach?
Reference:
"Applying Human Factors and Usability Engineering to Medical Devices" (Feb. 2016) FDA website.
Medical device companies are required to have an established risk management process in compliance with ISO14971. This process includes identifying hazardous situations that may come up with the medical device being developed, evaluation of these hazardous situations, ways in which these situations can be controlled or avoided and monitoring the effectiveness of the actions taken to avoid these risks. All of this aims to provide good quality service and products to the people who will need these devices as their safety is a major concern.
ISO 14971 requires a specific risk management process for medical device companies to follow. The major phases are risk analysis, risk evaluation, risk control, residual risk evaluation, risk/benefit analysis, and evaluation of overall residual risk acceptability. A risk management report is created to organize and summarize all of the risk activities. The risk management of a medical device is a total product life cycle process. This means that even after the device exits product development, the risk management records must be keep up to date. Post production events such as complaints, product feedback, non-conformances, etc are some examples of updates that can be made to the report.
It is important to understand the process of Risk Management which includes Risk Analysis and how this is a living process that flows throughout the entire medical device development process. For more training on this, I recommend this course on medical device Risk Management.
The hint is in that link. What is the major ISO regulation governing Risk Management and what are its major requirements for a medical device company? There are some key things that each company must set up in order to be considered to have a risk management process.
ISO 14971:2007 is the major regulation governing risk management. The major risk management requirements for a medical device company include the implementation of a risk management plan, the assignment of a risk management team, and the performance of a risk assessment.
The major ISO regulation for medical device risk management would be the ISO 14971:2007 and it comes with a plethora of requirements. This regulations assist the company in establishing, documenting, and maintaining systematic risk management. On going monitoring of field experience helps company repeatedly improve and state of the art device. The specific requirements are:
- Provision of adequate resources
- Assignment of qualified personnel
- Establishment of a policy for risk acceptability criteria
- Management reviews of the Risk Management System
but inorder to provide not only risk management but also risk control they have requirements would include
- Risk management planning
- Risk analysis of the medical device
- Evaluation of the identified risks
- Identification and implementation of controls for the risks
- Evaluation of overall residual risk
- Risk management file (documentation)
- Monitoring production and post-production information to ensure safety
1. The major ISO regulation governing Risk Management is ISO 14971
2. Its major requirements for a medical device company are to have risks identified and documented, a risk management plan, and risk control.
3. The comprehensive risk management system puts forward the overall framework of risk management for companies. Under this framework, companies can flexibly formulate risk solutions according to their own management level and stage and specific risks. Through the risk strategy, risk organization function, risk information system, the management efficiency and effect of specific risks can be improved.
As the previous comments have pointed out, ISO 14971 governs risk management in medical device companies.
The major requirements ISO 14971 sets for medical device companies are a safe design of the medical device to remove risk, protective measures for both the medical device itself as well as for the manufacturing process of the medical device, and safety information to provide warnings and train individuals in safe use to reduce risk.
The ISO regulation that governs risk management is ISO 14971. A medical device company is required to perform a risk assessment. This includes performing risk analysis to identify hazards and their level of risk. Then a risk estimation must be performed. The probability of the occurrence of a risk, along with the level of harm, is determined. This estimated risk is then compared with pre-existing situations that are considered equivalent to the risk your situation presents. This is called a risk evaluation. These constitute the risk management process. In addition, all of these steps must be documented.
Risk management for medical devices is set for by ISO 14971 as the consensus standard of the U.S. Food and Drug Administration (FDA), but is also indirectly bolstered by ISO 13485, which is followed by the European Medical Device Regulation (EU MDR). Hence, medical device companies have a responsibility to implement at risk management process that includes:
- Risk Assessment - the process involving risk analysis and risk evaluation (ISO 14971 2.18)
- Risk Analysis - a systematic use of available information and data to identify potential hazards and to estimate risk (ISO 14971 2.17)
- Risk Estimation - the process used to assign values to the probability of occurrence of harm and the correlating severity of that harm (ISO 14971 2.20)
- Risk Evaluation - the process of comparing estimated risk against real-world data of actual risk criteria to determine the acceptability of risk (ISO 14971 2.21)
However, these components of risk form a dynamic and continuous process, not a static one. From a project management perspective, the risk management process is likely to proceed in the following steps before being repeated, if necessary, after a device has been launched in the marketplace:
- Implementation of a risk management plan
- Assignment of risk management team
- Analysis and identification of potential risks
- Evaluation of risks and their associated costs and benefits
- Elimination and/or mitigation of risks
These steps culminate into a risk management document that is comprised of the risk management plan, risk analysis documents, any documents regarding changes in risk management policy and procedures, a risk management questionnaire if one was used, and minutes from meetings of the risk management team. These documents with be stored in the Design History File (DHF).
According to ISO 14971, the principles for Risk Management requires that risk be reduced as low as reasonably-practicable. The primary objective of the ISO 14971 is to provide protection primarily to patients and also to the operator, other persons, equipment and the environment.
Medical Device industry, Risk Management places special focus on product safety and quality. Therefore the 3 pillars of the Medical Devices needed in every company are: Safety, Quality, and Efficacy. These are the guiding principles of regulatory framework and market approval requirements. They each go hand in hand in risk reduction like: Hazards, Defects, Malfunction or Failure and Side Effects. When risk management is applied in a Medical device company, it maximize the benefit in clinical performance and therapeutic purpose.
In summary, Manufacturers in Medical Device companies guided by the ISO 14971 regulatory, MUST demonstrate that all activities involved in the design, testing, production, and distribution of a medical device are aimed at minimizing risks and ensuring product safety.
Reference:
ISO 14971 is the ISO regulation governing Risk Management and its major requirements for medical devices are:
- Identify risks
- Estimate the potential occurrence of risk and evaluate extent of consequences
- Put in safeguards to control risks
- Regularly review and monitor risk management controls and processes
The major ISO regulation governing Risk Management is the ISO 14971 adopted in 2007. Risk management is a design input and is a part of the product design lifecycle. Evaluation of risk for a medical device includes apparent risks and those that are not so apparent (extended use of the product). Safety measures are designed to avoid, eliminate, or mitigate risk and keep the patient/consumer safe. The three pillars of medical devices are safety, efficacy, and quality. Risk management must be integrated into product design and applied as early as possible. The major requirements for a medical device company for risk management are risk identification, a risk management plan, and risk control measure. A medical device company must demonstrate key components of risk management to have a risk management process.
Risk management Process:
- Implementation of a risk management plan
- Assignment of the risk management team
- Analysis and identification of potential risks
- Evaluation of risks and their associated costs and benefits
- Elimination and/or mitigation of risks
The more effective a company's Risk Management team is at identifying and eliminating risk in the product design setting up safety barriers and setting safety procedures for medical devices the greater the reward or benefit. ( It is better to invest in a good risk management team on the front end instead of paying for a team of lawyers to fight lawsuits)
ISO 14971 is well-recognized by FDA around the world for risk Management. This standard sets forth vital requirements for establishing a robust risk management process throughout the entirety of the medical device development cycle. Essential elements include developing a documented risk management process seamlessly integrated into the overall development, identifying potential hazards in both regular and misuse scenarios, analyzing the likelihood and severity of hazards, assessing the acceptability of risks, and implementing mitigation strategies for unacceptable risks. Continuous monitoring and updates to the risk management process are critical. ISO 14971 also underscores the significance of having a competent individual overseeing risk management, clear documentation of the process, and maintaining records for a specified period. Adherence to these requirements ensures that medical device companies can effectively navigate and manage risks, guaranteeing the safety and efficacy of their products.
