ISO 14971 Risk Management and How Updates Impact Usability Engineering
Imagine your loved one is in a situation where their life depends on the accuracy of results coming from a medical device. You’re going to want to know if that device performance and results can be trusted, or not. You would expect that the device is regulated, is compliant with current regulations and standards, and not at risk of any malfunction. This is why industry standards that govern the development and manufacture of medical devices, such as ISO 14971, are vital.
The third edition of risk management process standard ISO 14971 is now available. This version replaces the former version, ISO 14971:2019. The risk management process definition in the standard remains largely unchanged. However, there are clarifications in the standard that are important to note. The most current edition of the international standard ISO 14971 has been expanded to include more guidance, exploration, and examples of the risk management process requirements.
Below are a summary of the changes of note to ISO 14971.
Breakdown of Definitions
Reasonably foreseeable misuse (3.15) – “Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviors.”
This new definition states that if any misuse of the product can come from “predictable human behavior,” then it needs to be accounted for in your use-related risk analysis. The term, “reasonably foreseeable” can either be intentional or unintentional. Which includes scenarios that could leave you thinking, “Why in the world would anyone ever do that?” Risk control measures have to be applied and evidence must be collected during usability testing to prove that these mitigations are effective.
Benefit (3.2) – “Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health.”
This term and definition were minimally covered in ISO 14971:2007 and EN ISO 14971:2012 and are updated and clarified in the third edition. The understanding of the benefits of a device falls on the manufacturer’s shoulders. It includes assessing clinical data, administering a review of literature, or speaking with health care providers and patients to fully comprehend all beneficial aspects of the device. These include, but are not limited to clinical, financial, and perceived benefits. Compiled feedback of benefits should be taken into consideration when determining whether the risks are acceptable for the device. The clarified definition now lines up with the terminology that is used in many regulations.
State of the art (3.28) – “Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.”
This term can be ambiguous and is concerning that it has never been defined before as it appears 12 times in the EU MDR and 20 times in the IVDR. ISO 14971:2019 borrowed the newly coined definition found in ISO/IEC Guide 63:2019 which defines “state of the art” as, “Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience.”
State of the art embodies what is currently and generally accepted good practice in technology and medicine. It doesn’t necessarily mean “most technologically advanced.” It can include published data surrounding the application of the medical device under development, the availability of alternative methods, or similar devices on the market.
Production and Post-Production Activities
The majority of the new additions and changes to requirements made were related to production and post-production activities and clauses. To put into perspective, the requirements in this section have gone from just under a half of a page to nearly a page and half. It now interlocks with the ISO 13485:2016 section 8 requirements for feedback, analysis of data and CAPA. (ISO 13485 is a standard governing change management.) ISO 14971 adds more stringent requirements specific to the collection and review of information about your device.
Simply put, manufacturers need to be more regular and proactive about gathering data on the usability of their devices once they go to market and return that data back into their risk assessment to give a more comprehensive view of residual risks.
How Can We Help?
Do you have questions about the changes in the latest edition of ISO 14971? Are you confused on whether or not your risk analysis covers all the definitions and requirements of ISO 14971? RND Group is here to help. Please feel free to reach out to us.