Progress Report: February 2010
Risk Management Applied to Medical Devices: Complying with EN ISO 14971:2009
by: Marc-Henri Winter, Technical Director
LNE/G-MED America
With revised standards taking effect on March 1, 2010, now is the perfect time to review the risk management process and changes under EN ISO 14971:2009 (European version of ISO 14971:2007).
Whether a medical device aims at diagnosing a disease, treating the cause or alleviating a handicap, the expectation is that it achieves this goal without harming the patient/user nor presenting an unacceptable risk. The word "risk" and variations of "safe" are cited a combined 105 times in the European Medical Device Directive. Clearly, the demonstration of a medical device’s safety is central to compliance with international medical device regulations.
Editor’s Note: Boost your knowledge of EN ISO 14971 at Risk Management as Applied to Medical Devices – a 1-day training presented by LNE/G-MED. This event takes place in the Washington DC area on June 25, 2010 and is limited to a very small class size.Reserve your spot today by emailing bruce.seidel(at)lne-gmed.com or calling 301-495-0477. See program details.
The Risk Management Approach (ISO 14971) was developed in 2000 to support safety by defining the detailed objectives, requirements and methods relative to this approach. By March 1, manufacturers should have transitioned to the new European version of EN ISO 14971, which was re-issued in November 2009 with modifications affecting the European appendices). Note that the requirements of the European standard are identical to the ones for ISO 14971:2007.
Risk Management Objectives
Risk Management is defined as the systematic application of management policies, procedures and practices to the tasks of analysis, evaluation, supervision and risk control. Its goal is to enable medical device manufacturers to identify all foreseeable hazards and hazardous situations relevant to a particular device and demonstrate that related risk has been reduced to an acceptable level.
Implementing Risk Management
An evolution of the standard, Risk Management now interacts with nearly all of a manufacturer’s activities, including design, engineering, production, purchasing, sales, quality assurance and regulatory affairs. It’s also a perpetual process, beginning with product design and development and continuing in the field, where user feedback can reveal actual performance. The chart on the following page outlines these steps, which are further explained below:
- Risk Analysis aims at identifying all foreseeable hazardous situations, considering the characteristics of the device, the way it is used and how it is disposed.
>> Will people use the device correctly?
>> Where in the production process might variations impact the conformity of the device to its intended product specifications?
>> Each of these risks is then weighted, often by a multidisciplinary team, to consider its probability of occurrence and the seriousness of its potential effects.
- Risk Evaluation consists of the judgment of the acceptability of the risk, based on pre-established criteria.
- Risk Control aims at reducing risk through available control measures. While the complete elimination of all risks may not be realistic, its reduction must be consistent with the state of the art, a measure that naturally shifts as science progresses. In this evaluation, expected patient benefits are compared to the level of residual risk, including risk factors arising from intended risk-control measures.
- Overall Residual Risk is eventually reviewed for acceptance, looking at the big picture. This includes the verification of consistency, the relevance of the risk reduction solutions and that the sequence of dysfunction does not generate additional risks.
- Risk Management Report: This set of records generated along the risk management process, are reviewed and signed by the qualified person or team to confirm that:
-- The risk management plan has been appropriately implemented;
-- The overall residual risk is acceptable.
-- Appropriate methods are in place to obtain relevant production and post-production information.
- Production and Post Production: During this stage, data is collected and analyzed proactively to verify if the evolution of scientific and medical knowledge may suggest new arising risks or that a risk/benefit balance is becoming less favorable.
This step is linked with the new European requirement for actively updating the clinical evaluation of the device. It may include the review of customer complaints (individually and their trends), published literature and public databases on adverse events experienced on similar medical devices and post market clinical follow up. The review of the actual variability of the manufacturing process and the deviations or non-conformities may also be an appropriate way to confirm the corresponding risks.
Risk Management vs. FMEA
To incorporate Risk Management into their Quality Management System, most manufacturers apply methods based on Failure Mode and their Effect Analysis (FMEA), which may be split into Design (DFMEA), Process (PFMEA) and Use (UFMEA). While FMEA is a risk management technique mentioned by the standard, it does not alone address all the requirements of EN ISO 14971.
For a particular device, a risk management file regroups the:
- Risk management plan and the confirmation of its implementation
- Results of the identification of the hazardous situation and the evaluation of the corresponding risks
- Evidence of the mitigation of each individual risk
- Acceptation of these risks, individually and globally
- Records of the reviews of the risk controls, prior to the commercial release of the device and during the post production phase, as new information arises.
By examining various stages of the product and taking into account both hazards and hazardous situations, EN ISO 14971:2009 seeks to better identify areas of increased risk, allowing manufactures the opportunity to implement effective controls.
