Marcelo Antunes

Addicted to standards
Staff member
Administrator
#1
Although ISO 14971 has been used for some years now (if you count the first version, it´s more than a decade), it still creates some confusion around users. This can be seen by the identified need of guidance documents, such as ISO 24971, and, in the case of the Elsmar Cove, by the different questions the Covers have been putting over the years.

With this in mind, I would propose that we develop an FAQ regarding the ISO 14971 risk management process, a continuing questions and answers thread where we can discuss and get and obtain discussion and guidance on this important aspect of the regulatory medical device lifecycle.

The idea is that this can be an open FAQ, with discussions providing a great deal of the guidance we have (using the experience of the Cove users of the standard can give us a great feedback to start with).

Update 1 - the idea of this thread is to focus on two aspects, in order:

1 -try to explain some aspects of ISO 14971 as a standard, meaning, what is expected by the standard as written

2 - try to explain some aspects of ISO 14971 as used in regulatory/certification systems.

If a questions does not mention any regulatory or certification system, it was probably written thinking about what the standard requires, so it´s a more generic answer. This does not mean that what is expected by a particular regulatory/certification system regarding risk analysis / risk management (regulatory systems usually have a requirement for risk analysis or risk management, and using ISO 14971 can help in fulfilling those).

An example is Question 1, which is directly related to the standard "roots", but id somewhat different from what a lot of regulatory systems expect of risk management.
 
Last edited:

Marcelo Antunes

Addicted to standards
Staff member
Administrator
#2
Question 1 - Does ISO 14971 apply to hazards/hazardous situations other than the ones affecting people/property/environment? For example, does it applies to faults or failure modes which does not result in harm to people/property/environment?

Answer - The simple answer is - no, those situations are not expected to be part of a risk management process per ISO 14971.

A better explanation follows:

Hazardous situations are circumstance in which people, property, or the environment are exposed to one or more hazard(s) (ISO 14971, 2.4).

They are related to the "outputs' of the device, meaning, the interaction between the device and people/property/environment.



Failures modes are related to internal components. They do not themselves created any harm. Some failure modes can be part of a sequence of events which results in a hazardous situation. Some failure modes do not result in any hazardous situation.



ISO 14971 is only worried about hazardous situations, so it´s only worried about the failures modes which are part of a sequence of events which has a potential to result in a hazardous situation.



Contributors : Marcelo Antunes
 
Last edited:

Marcelo Antunes

Addicted to standards
Staff member
Administrator
#3
Question 2 - Does FMEA = risk management per ISO 14971?

Answer - No.

This is a popular misconception.

Manufacturers of medical devices have been using some form of risk analysis or management for a lot of time (I usually say, if they didn´t, things would already exploded a long time ago :)). One of the tools commonly used is FMEA. The basic idea of FMEA that you can estimate what happens when some part/component/function of a device fails. FMEA can be extented to processes or application of a device.

FMEA, as well as FTA, HAZOP, etc., are, in the view of ISO 14971 and other ISO and IEC publications, "techniques" which might be used to help in the risk management process. For example, you can use them to identify some of the information of clause 4 - risk analysis of ISO 14971, as seen o nthe flowchart below (which does not cover all requirements of ISO 14971). However, it cannot be used for the whole process




One example of the when FMEA and such failure-dependent techniques cannot be used - ISO 14971 requires that hazards and hazardous situations be analysed in NORMAL and fault conditions. The best example is devices which use x-radiation. Even in normal use, those devices presents hazards and hazardous situations. There´s no need for a failure mode for them to present a hazard, it´s INTENDED use presents a hazard. And this have to be treated by the ISO 14971 risk management process.

Remember, tools are tools and should be used inside their boundary conditions. The risk management process of ISO 14971 is a process which can be helped by tools, but not be equated to it.

Contributors - Marcelo Antunes
 
Last edited:

Marcelo Antunes

Addicted to standards
Staff member
Administrator
#4
Question 3 - Can I apply ISO 14971 if I´m the supplier/distributor/performer of part of the process of medical device manufacturing?

Answer - the generic answer is no.

ISO 14971 is worried with the interaction between the final device and people/property/environment, as seen in the figures of the first question of this FAQ. If you do not have the "full picture" of the device design (and lifecycle design) you really cannot perform a medical device risk management process by ISO 14971.

However, you can conribute to the device risk management as performed by the device "owner". For example, if you perform a third party sterilization process, your process will have to be included in the risk management process of the device "owner" and for it to be effective you need to give your inputs to the device "owner". The same rationale can be applied to a distributor or supplier of components or parts.

Contributors : Marcelo Antunes
 
Last edited:

somashekar

Super Moderator
Staff member
Super Moderator
#5
Question: I do not have the "full picture" of the device design (and lifecycle design). I am a contract manufacturer for an electronic medical device and it has no sterilization. Do I really perform a medical device risk management process by ISO 14971 ? Can it be said as "Not Applicable" ?
 

Marcelo Antunes

Addicted to standards
Staff member
Administrator
#6
Question 4: I do not have the "full picture" of the device design (and lifecycle design). I am a contract manufacturer for an electronic medical device and it has no sterilization. Do I really perform a medical device risk management process by ISO 14971 ? Can it be said as "Not Applicable" ?

Answer: the straightforward answer here is the same from Question 3, meaning, no, you really cannot perform risk management as expected by ISO 14971, in which case it's really not applcable to you.

However, we might take care with some thinngs.

First, it might be clear that, for each medical device, regulations expect that "someone" performs risk management activities per ISO 14971. This "someone" is the organization with responsibility for fulfilling regulatory requirements for the device - this changes in each regulatory system, but can be generally seem as the "owner" (I will use this from now on) of the device idea and design and who wil sell the device. Just as an example, a lot of regulations call this entity the "manufacturer" of the device. If we make a quick link to ISO 13485, this entity is also responsible for the system.

Being responsible does not mean that you yourself need to perform the expected action (the right to perfom is authority, and it can be delegated - in this case you are still responsible, but someone will act on your behalf).

So, what's the case of a contract manufacturer?

Generally, contract manufacturers perform manufacturing activities in behalf of the device owner. The owner is stil responsible for the manufacturing process, however the contract manufacturer performs this process. The owner has to control the process, for example, in his quality system, as this "external" process is really the same as a process performed at the owner plant.

And how do we see this in terms of ISO 14971? ISO 14971 (and the risk management process it detaisl) is to be applied by the device owner. The owner is the only one which has:

1 - responsibility for performing this process,
2 - responsibility for the deice lifecycle
3 - a full view of the device lifecycle, including it's intented use, which is required by the risk management process as the focus of the risk management process is - what harm can happen during device use that will harm people/property/environment?

So, the owner is responsible for the risk management process, and, although he can delegate the authority to perform the risk management process, the ones which perform the delegated process have to have the same "level" of knowledge as the owner or use the knowledge of the owner to perform the process.

On another hand, the manufacturing process the contract manufacturer performs has to be part of the risk management process of the full device (meaning, from an ISO 14971 perspective, it's expected that this process does not create other hazards/hazardous situations for the device, nor modify already estimated risks). As the contract manufacturer is the expert in his process, it's really expected that the owner requires the help of the contract manufacturer to perform his risk management process.


Another problem here, and that might be related to the original question, is related to certification.

If you are a contract manufacturer and is, for some reason, seeking or having been certified by ISO 13485, it might be seen that YOU have to perform risk management activities, for example, as per ISO 14971.

The main problem with this is - nor ISO 13485, nor ISO 14971 are really intented to be applied by entities other than the device owner. For certification purposes, the CBs "bend" a little the objective of the the standards to make it possible that entitites other then device owners apply them, which creates a lot of those problems.

Anyway, even if you as a contract manufacturer is applying ISO 13485, I would say that you can define (and should try to convince your manufacturer) that risk management as required by ISO 13485 (which is fpr the whole medical device) is not your responsibility, and so you cannot really perform it. As a suggestion, you might perform a risk analysis of the process you perform to be used by an input from the device owner, if the owner wants your input to perform his device risk management process.

Contributors - Somashekar, Marcelo Antunes
 
Last edited:

treesei

Inactive Registered Visitor
#7
I am a contract manufacturer of electronic assemblies used in medical devices. Some of them are finished (accessories, eg, leadwires); some a not. What is my best approach? What kind of risk-management documentation should I have? I am 13485 certified.
 

Marcelo Antunes

Addicted to standards
Staff member
Administrator
#8
Question 5 - I am a contract manufacturer of electronic assemblies used in medical devices. Some of them are finished (accessories, eg, leadwires); some a not. What is my best approach? What kind of risk-management documentation should I have? I am 13485 certified.

Answer - the idea here is the same as Question 4

The best approach would be to help the device owner create his risk management process, including the manufacturing of the assemblies you do (to make it clear, what you do i something that the owner should do, but he can't or don't want to, and them he delegates the authority to do so to you, however it's still his responsibility).

With this in mind, you does not need to have any risk management documentation (per ISO 14971), unless the risk management process of the device owner requires you do to so.

Anyway, it would be a good pratice if you would have, for example, risk analysis of your processes, focusing in what you do (because, if you would focus in the final device, you yourself really cannot estimate the impact of any problems of your process on the device use - meaning, what might happen to to the user/patient, for example. You might have an idea, but not the whole picture).

Update 1: for the US FDA interpretation of risk management requirements related to contract manufacturers, please also refer to comment by Miregmgr on this thread.

Contributors: Treesei, Marcelo Antunes
 
Last edited:

Marcelo Antunes

Addicted to standards
Staff member
Administrator
#9
Question 6 - What is required to be in a ISO 14971 risk management file (RMF)?

Answer - A comprehensive list is given below. It´s based on what is directly required by the standard. Please note that the RMF is per device.

1 - Reference to the qualification of people performing the risk management activities

2 - Risk management plan for the evaluated device

3 - Intended use (suggestion - verify IEC 62366) including answers to questions that can be used to identify medical device characteristics that could impact on safety

4 - Reasonable foreseeable misuse (suggestion - verify IEC 62366)

5 - Identification of essential performance (if for medical electical equipment)

6 - Identification of hazards and hazardous situations, including all the relevant information for all identified hazards and hazardous situations; this includes foreseeable sequence or combination of events that can result in hazardous situations. This also includes P1 and P2 (see annex E)

7 - Data used and the sources (e.g. accident history, experience gained from risk reduction applied to similar medical devices, etc.)

8 - Any relevant assumption that have been made (e.g. users, environment, safety factors, means of protection)

9 -Tools for failure analysis and result of failure analysis (list of different tools used and explanation of how they are been used)

10 - Explanation of the system used to categorize quantitatively or qualitatively the probability of ocurrence and severity of the harm

11 - Estimation of the risk of each hazardous situation

12 - Risk evaluation

13 - Acceptability levels, if used

14 - Risk control information, including list of control measure, evaluation if controls are not of level 1 - inherit safe or 2 - protective measures, procedures to verify implementation and effectivesses of risk control measures

15 - The uncertainty associated with the data used and its impact on the risk evaluation

16 - Risk reduction (residual risk evaluation for control measures not derived from an international standard) + decisions regarding information on residual risk. Review of risks originating from risk control measures

17 - Overall risk control evaluation

18 - Overall risk acceptability evaluation (+ methods, risk/benefit analysis if needed, and information about overall residual risk)

19 - Risk management report

20 - Production and post production information gatherer system

Contributors - Marcelo Antunes
 
Last edited:

treesei

Inactive Registered Visitor
#10
Which functional group would be the best to take responsibility for each of the 20 tasks listed, and which group(s) would be the supporting contributor(s)? A matrix?
 
Top