
The Risk Business

Professor Samuel Lunenfeld


Key Points

  • The increasing regulation of medical devices means that risk management must now be a priority for all medical device manufacturers.
  • Risk is inherent in the use of any medical device. The calculation and management of this risk is vital to ensure that medical devices are as safe as possible.
  • ISO 14971, incorporating risk management standards, is now the definitive world standard for medical devices.

ISO 14971 has become the definitive world standard for medical devices. According to Alfred M Dolan and Professor Samuel Lunenfeld, a clear understanding of this standard is essential for all manufacturers striving to ensure that their devices are safe and effective.

The provision of safe and effective medical devices for patients and users forms the basis for standards and regulations throughout the world. For many years, medical device product standards identified hazards associated with a particular device, and if the risk of harm posed by a hazard was considered significant, the standard incorporated requirements to prevent that harm. Examples of such requirements include leakage limitations on medical devices and the requirement for gas-specific connectors on breathing circuits.

This system has been highly successful. However, as the sophistication of medical devices has increased and the interactions between medical devices have become more complex, the need for a more comprehensive risk management approach towards medical devices has become apparent. Recently, the Health Care Technology Task Force of the World Standards Cooperation has emphasised this point and strongly supported a risk management approach for medical device standards.

Risk Management Standard

The International Standards Organization’s ISO 14971 standard, published in December 2000, has now become the definitive standard for medical devices. The standard has been approved as a European Norm and as an industrial standard in Japan and several other countries. Currently, international medical device regulatory bodies effectively mandate the standard in various ways by incorporating requirements that are either adapted from the standard or are consistent with it. ISO 14971 has very quickly become the worldwide standard for medical device risk management and a key element in the regulation process for medical devices to ensure their safety and effectiveness.

ISO 14971 is, first and foremost, a management standard that covers all medical devices over their entire lifecycle. The standard builds on well-established risk management principles, developed over the years, as well as the work of other international risk standards, and provides a process that enables manufacturers of medical devices to manage risk. All the basic principles of risk management apply for medical devices. The standard provides a management system that must be put in place, and it specifies that the steps of hazard identification, risk estimation, risk evaluation and risk control must be included in any manufacturer’s risk management process.

Let us consider some of the background principles of risk management and how those have been incorporated into the ISO 14971 standard.

The Concept of Risk

Technically, risk is calculated by taking the likelihood of an event taking place and combining this with a measure of the seriousness of this event, to which consequences have been ascribed.

The development of risk management concepts and science as we understand them today has a long history. During the seventeenth and early eighteenth centuries, scientists such as Galileo, Pascal and Bernoulli were instrumental in developing these concepts, which, at the time, were revolutionary. The concept of chance and the mathematical description of the most likely outcome of an event was the subject of some of Galileo’s research, work that was further developed by Pascal and Fermat. Before the scientific and mathematical work of these pioneers, it was not thought possible to predict the outcome of any natural event.

Bernoulli was the first to discuss risk acceptability, correctly pointing out that the level of risk acceptability depends on both the subject’s willingness to accept risk and the perception of that risk. Over the years, these concepts have been widely adopted in the worlds of insurance and finance. ISO 14971 has built on these ideas and applied them to the medical devices field.

Standards Development

Over recent decades, the development of highly effective international technical medical device standards, which are specific to a technical area or even to a device, has greatly increased the safety of the devices covered by these standards. The need for these technical standards remains. However, in today’s healthcare climate, the increased sophistication of the patient care environment, and the hardware and software incorporated into medical devices has imposed increasing demands on medical devices as well as the manufacturers and users of those devices. Furthermore, there is increasing regulatory scrutiny of medical devices, and a trend in society to demand high levels of ‘safety’ from all technological devices.

In effect, the demand for completely safe medical devices is a demand for a zero level of risk. Among standards development committees, however, it is widely recognised that it is impossible to guarantee absolute safety. This, in itself, is a recognition of the fact that the concept of risk must be addressed in standards and that some aspects of safety can only be addressed through a risk management approach.

ISO/TC 210, covering quality management and corresponding general aspects for medical devices, was created in 1994. In recognition of the need for a risk management approach to medical devices, a working group on risk management was established. The first task assigned to it was to develop a standard describing the principles of application risk analysis for medical devices. This resulted in the publication of ISO 14971, covering medical devices risk management and risk application analysis.

In 1996, work began on a comprehensive risk management standard for medical devices, which became ISO 14971:2000, covering medical devices, risk management and the application of risk management to medical devices, which was published in 2000.

Setting the Standard

The current standard clearly has parallels with other management standards, such as ISO 9000 or ISO 13485. Management responsibility is identified as the first and the key requirement for the successful management of risk. Management is required to:

  • Provide the risk management team with appropriate resources
  • Implement a process for establishing acceptability
  • Set up a risk management process with clearly defined elements
  • Provide appropriate personnel to carry out the process
  • Provide for the regular review of the risk management process and its effectiveness

The risk management process should contain the elements set. The process must include risk analysis and risk evaluation, which together form the risk assessment part of the process. The mitigation of those risks that are determined to require control can be achieved through three well-accepted measures, in priority order:

  • Inherent safety by design
  • Protective measures
  • Provision of safety information

The final requirement in the risk management process is the establishment of a system for the generation of market feedback based on in-service experience. This information is useful in assessing the effectiveness of risk control measures. It can also serve as the basis for the modification of risk analysis or evaluation, and as a source of information for future risk management plans.

A risk management plan for each specific device must be developed in accordance with the above risk management process. The plan should describe how each element in the risk management process is to be achieved – for example, how the assessment can be carried out and who will have responsibility for each step in the process. Setting the level of acceptable risk for a device will be a critical part of the plan. This must be based on the approved corporate process for setting risk acceptability.

Records provide the information on which the effective management of risk is based. Specified records must be generated during the analysis, evaluation and control stages of the risk management process. These records may be incorporated into an existing record system, such as a quality management system.

Wide Acceptance

The ISO 14971 risk management standard has become the definitive worldwide standard for medical devices. It was developed by the joint ISO/TC 210-IEC/SC62A committee, and was unanimously approved for publication as an international standard by four bodies: ISO, IEC, CEN and CENELEC.

International regulatory bodies around the world are using the standard in various ways to meet their regulatory mandate. As the standard has been approved as a European Norm, it can be used in meeting medical device requirements there. Internationally, ISO 14971 has been incorporated or integrated into a wide variety of medical device standards, and is arguably the most efficient and effective method of harmonising risk management concepts for medical devices.

The ISO 13485 standard, covering quality systems in medical devices and system requirements for regulatory purposes, incorporates risk management as a requirement for product realisation. Throughout the third edition of IEC 60601-1 (Medical Electric Equipment Part 1: General Requirements for Basic Safety and Essential Performance) risk management – and ISO 14971 specifically – is cited in many clauses. The standard is also cited in requirements or referenced in specific clauses in other standards, covering such diverse areas as programmable medical electrical systems (IEC 60601-1-2), usability (IEC 60601-1-06), biological evaluation of medical devices (ISO 10993-18), clinical investigation for human subjects (ISO 14155), cardiac valve prosthesis (ISO 5840) and anaesthetic equipment.

Revision of ISO 14971

All ISO or IEC international standards are required to be reviewed periodically, typically on a five-year cycle. Accordingly, ISO 14971 is in the final stages of revision, and it is anticipated that publication will be in early 2007.

As ISO 14971 has become widely accepted, it is intended that there will be little revision to the normative sections of the standard. However, it was recognised early on that it needs a greatly expanded set of annexes – for example, a greatly extended discussion on the risk concepts incorporated in the standard and information on risk management techniques were deemed necessary. Since this standard covers in vitro diagnostic devices, a major addition in the annex needed to be made relating to this field. This has now been accomplished in tandem with ISO TC 212 WG 3. In their current draft form, the annexes are extensive and comprehensive, and they will provide helpful guidance for users of the revised standard.

It is intended that there be no substantive changes to ISO 14971 in terms of requirements, but substantial improvement in the ease with which the standard can be used by manufacturers to provide assurance on the safety and effectiveness of medical devices. It must be emphasised again that this standard applies to all medical devices, is applicable over the lifecycle of these devices and covers their application in the healthcare environment.

Hospitals will play a vital part in the risk management process required in ISO 14971 by providing feedback on the safety and effectiveness of medical devices. They can also use the concepts incorporated into ISO 14971 to manage risk throughout the life cycle of a product within the hospital itself.