What are the Changes to ISO 14971_2019 & TR 24971_

Proper risk management is a key process throughout the entire life cycle of a medical device. This is the process that enables companies to develop safe and effective devices that improve and save lives. 

ISO 14971, the ISO standard on risk management for medical devices, was recently updated to bring improvements to the risk management process. The changes to ISO 14971:2019 and the technical report that accompanies it, ISO TR 24971:2020 (upcoming release), are quite extensive and relevant to all medical device manufacturers.

It is important to note that the basic risk management process has not changed, but that interpretations have been updated. The standard also now discusses a “risk management system” and not just a risk management process.

At Greenlight Guru, we were one of the first to address these changes by hosting an exclusive webinar on the subject. Our webinar was presented by a member of the technical committee responsible for the 2019 version of the ISO 14971 risk management standard.

The industry’s interest in learning about these changes was so high that this presentation became the most-viewed webinar in the history of the medical device industry.

We felt it was important to summarize the information covered in this webinar to help companies understand the scope and nature of the updates to the international risk management standard for medical devices.

ON-DEMAND RECORDING: Access the free recording of ISO 14971:2019 technical committee member presenting on this topic at the Greenlight Guru True Quality Virtual Summit.

Table of Contents

Why was ISO 14971 Updated?
Overview of ISO 14971:2019 and ISO TR 24971 Changes
ISO 14971:2019 - Specific Changes
ISO TR 24971 - Specific Changes
Risk Standard and Technical Report - Version Comparison Table
ISO 14971:2019 Impact in Europe
Managing Risk with ISO 14971:2019

 

Why was ISO 14971 Updated?

One pain point with previous versions of the ISO 14971 standard was that finding information was inefficient, and documentation was difficult to navigate. There was a perceived lack of guidance on risk management, and several definitions used in the documentation were outdated. The standard was also updated to align with requirements in EU MDR and IVDR, ISO 13485:2016, and new emphasis to post-market at FDA.

Two groups are responsible for the changes: the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). These groups also contributed to the updates being made to ISO TR 24971. This technical report is not as widely known as the standard itself and provides useful guidance information for medical device manufacturers to follow.

In 2016, the ISO and IEC groups took a vote that resulted in comments requesting more information on the standard. Because of this vote, the ISO and IEC committees decided to update the standard to better address the issues raised in these comments. Both committees opted to maintain the key concepts and core approach associated with risk management.

The new version of the ISO 14971:2019 standard was released on December 18, 2019, along with the EN version. You can purchase the ISO 14971:2019 standard through your standards supplier in PDF or print format, as preferred. We recommend opting for the PDF version to ensure that you have a digital copy of the standard available to reference at all times.

ISO TR 24971:2020 release was delayed due to some editorial requirements of ISO requiring a revote. The latest information from ISO (Prior to Coronavirus) expects release by mid-summer 2020.

 

Overview of ISO 14971 and ISO TR 24971 Changes

The newly updated documentation has been reorganized and contains new terms and definitions, additional risk management guidance, and more detailed requirements.

Once published, ISO TR 24971 will contain guidance on risk management for in vitro diagnostic devices, risk management plans, risk concepts and techniques, and guidance on hazard identification, among other topics. This information was in ISO 14971 prior to the 2019 update. The technical committee (JWG1) decided, with input from the ISO Technical Management Board (TMB), that Informative Annexes would be listed primarily in ISO TR 24971.

While a lot of information has been cut from ISO 14971:2019, this standard now also contains two pages of additional requirements, primarily Production and post-production in Clause 10 and an added clause, the below mentioned Clause 2 on Normative References.

 

ISO 14971:2019 - Specific Changes

We’ll begin with the changes to ISO 14971:2019 compared to the 2007 version. Several clauses have been amended in the new version, and a new clause has been inserted as Clause 2, incrementing all subsequent clauses by one. There are now 10 clauses instead of 9. We’ve listed the changes to individual clauses and annexes below.

 

Normative References

Clause 2 is an entirely new clause dealing with Normative References as required by the ISO Technical Management Board and their standards formatting requirements. Clause 2 states that there are “no normative references” which has always been the case with ISO 14971 since its original release in 2000. Clauses in the 2012 version of ISO 14971 are renumbered and incremented by 1 from this point on.

 

Terms and Definitions

The Terms and Definitions clause, Clause 3, contains new definitions for the following terms:

  • 3.2 defines “Benefit” as “Positive impact or desirable outcome of the use of a medical device in the health of an individual, or a positive impact on patient management or public health.”
  • 3.15 defines “Reasonably foreseeable misuse” as “Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior.”
  • 3.28 defines “State of the art” as “Developed state of technical capability at a given time as regards products, processes, and services, based on the relevant consolidated findings of science, technology, and experience.”
  • 3.3 defines “Harm” as “physical injury or damage to the health of people, or damage to property or the environment.”

Other definitions changed due to changes in source documents such as ISO 9000:2015 and ISO Guide 63.

 

Risk Management Plan

The Clause 4.1 Figure 1 diagram has been changed to include “Risk management plan” and standard title changes in various steps when describing the risk management process.

As a medical device manufacturer, you may need to revise your own process drawings accordingly.

 

Risk Analysis

Clause 5.4 on Risk Analysis has been reworded to be more clear and specific. Here’s the updated section:

The manufacturer shall identify and document known and foreseeable hazards associated with the medical device based on the intended use, reasonably foreseeable misuse and the characteristics related to safety in both normal and fault conditions.

This newly worded section requires the use of multiple risk analysis tools, as many tools are only “fault condition” analysis. Take a look at Annex B1, paragraph 2, for more details on risk analysis tools.

 

Benefit-Risk Analysis

Clause 7.4 has been retitled to Benefit-Risk Analysis.

ISO 14971:2019 only requires that risks deemed as unacceptable are to have benefit-risk analysis. As such, it is up to the manufacturer to determine if there are regulatory requirements they must meet beyond that. One example would include EU MDR where additional requirements may apply beyond what’s stated in this standard.

Nearly three pages have been added in ISO TR 24971:2019 Clause 7.4 to include extensive coverage of benefit and benefit-risk analysis, including that benefit does not encompass economic or business advantages. Clause 7.4.5 mentions three specific examples of benefit-risk analysis conclusions, and Clause 7.4.2 provides an extensive overview of clinical benefits.

 

Production and Post-production Activities

Clause 10 has been retitled to “Production and post-production activities.” This section has been extensively revised and now aligns with Clause 8 on Measurement Analysis and Improvement in ISO 13485. This ISO 13485 clause deals with complaint handling, customer feedback, internal auditing, control of nonconforming products, data analysis, and improvements.

Clause 10 of ISO 14971:2019 emphasizes the need for an active process for gaining information, as opposed to just waiting for complaints. This aligns with post-market surveillance requirements by regulators. Clause 10 outlines how to establish a system to collect production and post-production information and other relevant information, how to review this information with safety in mind, when action may need to be taken, and how to do so.

Clause 10 requires the inclusion of risk management in post-market surveillance. This clause is three times longer in the 2019 version than in the 2007 version. Risk management in post-market surveillance is now covered by an additional four pages of guidance in ISO TR 24971:2020, as opposed to one page in ISO TR 24971:2013.

In the next section we cover the informative annexes that are found in ISO 14971:2019. Other informative annexes were moved to ISO TR 24971:2020 and will be discussed later. All sections identified by an alphabetic character are not requirements, but are information to aid in implementation of the standard.

 

Rationale for Requirements - Annex A

Annex A remains in ISO 14971:2019 because it clarifies Rationale for the requirements in the standard. This annex should be read by anyone using the standard to improve their understanding of the reason for the requirements.

 

Risk Management Process - Annex B

This annex previously contained a flowchart giving an overview of the risk management process. Annex B now contains the Risk Management Process for Medical Devices and table of correspondence between standard from 2007 and 2019.

 

Examples of Hazards, Foreseeable Sequences, Events, and Hazardous Situations - Annex C

Annex C in ISO 14971:2019 is a different topic from 2007; the information now covers guidance information on Examples of Hazards, Foreseeable Sequences, Events, and Hazardous Situations, which was originally contained in Annex E of ISO TR 24971. Annex C was previously used to identify Medical Device Characteristics, and has been moved to Annex A in ISO TR 24971.

 

ISO TR 24971 - Specific Changes

New annexes have been included to cover various topics throughout the guidance. The guidance information does not constitute the requirements of the standard but simply outlines information you may need to implement the standard and meet compliance.

ISO TR 24971 now contains the annexes listed below.

 

Risk Concepts - Annex D

Annex D refers to Risk Concepts Applied to Medical Devices. This annex was removed from the 14971 standard entirely and redistributed throughout ISO TR 24971 as numbered clauses instead. More details on the distribution can be found in our free on-demand webinar on the new changes to ISO 14971:2019.

 

Risk Management for Cybersecurity - Annex F (New Annex)

Annex F is over four pages long and covers risk management for cyber and data security, along with the cybersecurity process relationship to ISO 14971. This particular annex was developed with members of the ISO and IEC software committee.

 

Risk Management File - Annex G (New Annex)

Annex G covers components and devices that were designed without meeting ISO 14971 requirements. Annex G discusses processes that may be appropriate for remediating the risk management file. The section may be useful as companies update their risk management system to meet requirements of the new edition of ISO 14971.

 

In Vitro Diagnostic (IVD) Devices - Annex H

Annex H is for in vitro diagnostic (IVD) devices and was extensively revised by the ISO Technical Committee 212, the committee responsible for IVD standards. This new annex includes valuable information for all medical devices, not just IVD devices, and we recommend taking a look at it to check its relevance with any devices you’ve developed. Some areas that may be of interest is how to handle false positives and false negatives within the risk management system.

 

Risk Standard and Technical Report - Version Comparison Table

Here is a table demonstrating the reorganization of information in the 2019 version of the standard and technical report.

 

Informative Annexes (not requirements)

ISO 14971:2007

ISO 14971:2019

ISO TR 24971

ISO TR 24971 (Updated)

Annex A: Rationale for requirements

Annex A: Rationale for requirements

 

Numbered clauses (1 - 10) in ISO contain informative guidance listed under the clause number

Annex B: Overview of risk management process for medical devices

Annex B: Risk management for medical devices

   

Annex C: Questions that could be used to identify medical device characteristics that could impact safety

   

Annex A: Identification of hazards and characteristics of safety

Annex D: Risk concepts applied to medical devices

   

Contents of this clause appear in numbered clauses throughout TR 24971

Annex E: Examples of hazards, foreseeable sequences of events, and hazardous situations

Annex C: Fundamental risk concepts

 

Included in Clause 5.4 and 5.5 of Technical Report 

Annex F: Risk management plan

   

Clause 4.3 of Technical Report

Annex G: Information on risk management techniques

   

Annex B: Risk analysis techniques

Annex H: Guidance on risk management for in vitro diagnostic medical devices

   

Annex H: Guidance on in vitro diagnostic medical devices

Annex I: Guidance on risk analysis process for biological hazards

   

Removed: Now in ISO 10993-1

Annex J: Information on safety and information on residual risk

 

Clause 5: Differentiation of information for safety and disclosure about residual risk

Annex D: Information on safety and information on residual risk

   

Clause 1: Scope

Clause 1

   

Clause 2: The role of international product safety and process safety standards in risk management

Annex E: Role of international safety standards in risk management

   

Clause 3: Developing the policy for determining the criteria for risk acceptability

Annex C: Risk acceptability conditions

   

Clause 4: Production and post-production feedback loop

Clause 10 Production and post-production activities

     

Annex F: Guidance on risks related to cyber and data security (new annex)

     

Annex G: (New annex) Components and devices not designed using ISO 14971

Source: Med Device Online

 

ISO 14971:2019 Impact in Europe

ISO 14971 is an international standard. While the standard cannot be revised by other bodies, some regions amend the informative annexes as they see fit, changing the guidance information. In the EU, a regional version of the standard called EN ISO 14971:2019 was published on December 18, 2019. While the previous EN ISO 14971:2012 still exists, it is no longer “state of the art” as a risk management standard for medical devices, with the release of the 2019 edition.

The European Committee for Standardization (CEN) added informative annexes (Z Annexes) to the standard in 2012 to address issues it found in the risk management process around Medical Devices, Active Implantable, and In Vitro Diagnostic Directives. This was a controversial move that many in the international medical device community felt was a misinterpretation of the documentation.

EU MDR addresses these controversial points to an extent, and a new version of EN ISO 14971:2019 has been voted on and approved. Together these two documents have addressed issues raised in the EN ISO 14971:2012 edition.

The EN version of ISO 14971:2019 will not be harmonized with the Medical Devices Directive (MDD). However, it is not yet harmonized with EU MDR, though BSI has declared it to be the “state of the art” risk management standard for medical devices and therefore replaces the 2012 EN version. The European Commission is currently in the process of establishing a process to harmonize the EN guidance with 14971 requirements.

ON-DEMAND RECORDING: Access the free recording of ISO 14971:2019 technical committee member presenting on this topic at the Greenlight Guru True Quality Virtual Summit.

Managing Risk with ISO 14971:2019

We created this article to serve as a guide to allow you to familiarize yourself with the changes to ISO 14971:2019 and ISO TR 24971:2020. If you'd like to learn more about the changes in an interactive format, you can view our on-demand webinar recording and slides presented by Edwin Bills, a member of the ISO Technical Committee responsible for updating the ISO risk management standard.

We designed Greenlight Guru to enable best practices of risk management throughout the entire product lifecycle. Our QMS software solution seamlessly connects design controls with risk using our risk management software aligned to best practices from the latest version of the ISO 14971 standard. You can click here to get a free demo of our MDQMS platform.


Looking for a design control solution to help you bring safer medical devices to market faster with less risk? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software g