- Why Us
Managing risk is one of the most important areas in medical device manufacturing today. Not only does it protect users and patients, it’s also a major requirement of most regulatory bodies around the world.
But alongside the risk management process are the equally important procedures for documenting these activities. In the US, the approach of FDA has long since been, “If you didn’t document it, it didn’t happen.”
That’s why so many medical device manufacturers turn to the international standard ISO 14971 - Application of Risk Management to Medical Devices. While there are in-depth requirements for the documentation alone, meeting the requirements of ISO 14971:2019 is not as cumbersome as it seems. In fact, when followed properly by medical device manufacturers, the result is a safer product and can result in lower total costs.
Though risk management documentation is mentioned throughout ISO 14971, our attention will focus on Sections 4.4 and 4.5 of the standard, which outline the requirements for the risk management plan and risk management file, respectively.
In ISO 14971:2019, Section 4.4, the standard states that:
Risk management activities shall be planned. For the particular medical device being considered, the manufacturer shall establish and document a risk management plan in accordance with the risk management process.
Pay special attention to the language used; the standard uses the term “shall” to denote that this is a requirement, not a suggestion. Risk management plans are crucial to effectively managing and mitigating risk. As such, there is specific documentation for alignment with ISO 14971.
Your risk management plan must include:
Scope of the planned risk management activities throughout the entire product life cycle
Assignment of risk management responsibilities and management’s role
Requirements for review of risk management activities
Criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated
A method to evaluate the overall residual risk
Activities for verification of the implementation and effectiveness of risk control measures
Activities related to collection and review of relevant production and post-production information
Now that we have an idea of what’s required in the risk management plan documentation, we can turn our attention to Section 4.5, which states all risk management activities, including the risk management plan, are required to be documented and all versions placed in a risk management file (RMF).
The RMF is a convenient way of recording your risk management activities and shall contain documents identifying the results of each activity, including planning and showing how risk management activities are performed.
Per ISO 14971, your risk management file must include documentation of:
Implementation and verification of the risk control measures
Results of the evaluation of the residual risks
Another important detail to keep in mind for both the risk management plan and the risk management file is that these must be produced for each device or device family.
With such a broad range of risk management activities and various forms of documentation needed, keeping these records connected is imperative for internal and external audits, as well as for any regulatory submissions. So, it makes sense that ISO 14971 specifically mentions the need for traceability.
In Section 4.5, the standard states, “In addition to the requirements of other clauses of this document, the risk management file shall provide traceability for each identified hazard.” Traceability is explained more fully in Annex A.2.4.5, found in ISO 14971:2019:
This document uses this term to signify where the manufacturer can locate or find the locations of all the records and other documents applicable to risk management. This facilitates the risk management process and enables more efficient auditing to this document. Traceability is necessary to demonstrate that the risk management process has been applied to each identified hazard.
Traceability is also vital to ensure completeness. When a risk management activity is left incomplete, it may mean that an identified hazard and its potential risk to cause harm are not controlled. Incompleteness can occur anywhere throughout the risk management process, including:
Risks not assessed
Unspecified risk control measures
Risk control measures not implemented
Risk control measures that prove ineffective
As it usually requires multiple tools to identify all risks and to evaluate them, a tool such as a risk traceability matrix can be hugely helpful.
You can also learn more about the traceability requirements in this free, on-demand session on Documenting Risk Management to Meet Requirements of ISO 14971:2019, from the Risk Management True Quality Summit Series by Greenlight Guru.
Another hugely important risk management requirement under ISO 14971 is that all risk management files be living documents. Of course, this means keeping the documentation up-to-date, in both the production and post-production phases. Thus, you’ll need to establish a process for documenting and maintaining a risk management system for collecting and reviewing this information.
Quoting directly from ISO 14971,
The manufacturer shall collect, where applicable
information generated during production and monitoring of the production process
information generated by the user
information generated by those accountable for the installation, use and maintenance of the medical device
information generated by the supply chain
publicly available information
information related to the generally acknowledged state of the art
One of the greatest takeaways in this excerpt is the need to connect risk management files to post-production collection of customer complaints and feedback. This data can come from anywhere in the supply chain, whether it’s during shipping activities, while being installed or set up by providers, used by actual patients, or even in published articles surrounding the safety of the device type.
Quoting directly from ISO 14971,
The manufacturer shall review the information collected for possible relevance to safety, especially whether:
Previously unrecognized hazards or hazardous situations are present
An estimated risk arising from a hazardous situation is no longer acceptable
The overall residual risk is no longer acceptable in relation to the benefits of the intended use or the generally acknowledged state of the art has changed.
These guidelines connect back to the importance of establishing criteria for acceptable levels of risk. It also reminds us that this is in no way a one-and-done activity. ISO 14971 requires that the risk management file shall be kept up-to-date throughout the product lifecycle, until the last product in the field is removed from use and properly disposed of.
This is pertinent for devices that may have reached an end of their lifecycle and are being removed from circulation, and all field models being replaced by an updated or brand new device type.
In either case, the entire RMF may only be destroyed following Document Control requirements after a device is no longer available for use, and following legal and regulatory requirements.
Risk management is much more than paperwork; it’s a product-level process that can protect developers, manufacturers, providers, and actual patients from potential harm or even death.
So when you turn to your QMS solution, why not choose one that is purpose-built to keep you in compliance with ISO 14971:2019? Greenlight Guru offers the only integrated risk management software built specifically for MedTech companies and that aligns directly with ISO 14971:2019.
If you’re ready to experience the Greenlight Guru difference, get a deep dive into our Risk Management Software, ask questions, and see your risk matrix come to life with a free demo today →
Etienne Nichols is a Medical Device Guru and Mechanical Engineer who loves learning and teaching how systems work together. He has both manufacturing and product development experience, even aiding in the development of combination drug-delivery devices, from startup to Fortune 500 companies and holds a Project...