INTERNATIONAL STANDARD ISO 14971
Third edition
2019-12
Medical devices — Application of risk
management to medical devices
Dispositifs médicaux — Application de la gestion des risques aux
dispositifs médicaux
© ISO 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
4.1 Risk management process
4.2 Management responsibilities
4.3 Competence of personnel
4.4 Risk management plan
4.5 Risk management file
5 Risk analysis
5.1 Risk analysis process
5.2 Intended use and reasonably foreseeable misuse
5.3 Identification of characteristics related to safety
5.4 Identification of hazards and hazardous situations
5.5 Risk estimation
6 Risk evaluation
7 Risk control
7.1 Risk control option analysis
7.2 Implementation of risk control measures
7.3 Residual risk evaluation
7.4 Benefit-risk analysis
7.5 Risks arising from risk control measures
7.6 Completeness of risk control
8 Evaluation of overall residual risk
9 Risk management review
10 Production and post-production activities
10.1 General
10.2 Information collection
10.3 Information review
10.4 Actions
Annex A (informative) Rationale for requirements
Annex B (informative) Risk management process for medical devices
Annex C (informative) Fundamental risk concepts
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/TC 210, Quality management and
corresponding general aspects for medical devices, and IEC/SC 62A, Common aspects of electrical
equipment used in medical practice.
This third edition cancels and replaces the second edition (ISO 14971:2007), which has been technically
revised. The main changes compared to the previous edition are as follows:
— A clause on normative references has been included, in order to respect the requirements fixed
in Clause 15 of ISO/IEC Directives, Part 2:2018.
— The defined terms are updated and many are derived from ISO/IEC Guide 63:2019. Defined terms
are printed in italic to assist the reader in identifying them in the body of the document.
— Definitions of benefit, reasonably foreseeable misuse and state of the art have been introduced.
— More attention is given to the benefits that are expected from the use of the medical device. The term
benefit-risk analysis has been aligned with terminology used in some regulations.
— It is explained that the process described in ISO 14971 can be used for managing risks associated
with medical devices, including those related to data and systems security.
— The method for the evaluation of the overall residual risk and the criteria for its acceptability are
required to be defined in the risk management plan. The method can include gathering and reviewing
data and literature for the medical device and for similar medical devices and similar other products
on the market. The criteria for the acceptability of the overall residual risk can be different from the
criteria for acceptability of individual risks.
— The requirements to disclose residual risks have been moved and merged into one requirement,
after the overall residual risk has been evaluated and judged acceptable.
— The review before commercial distribution of the medical device concerns the execution of the risk
management plan. The results of the review are documented as the risk management report.
— The requirements for production and post-production activities have been clarified and restructured.
More detail is given on the information to be collected and the actions to be taken when the collected
information has been reviewed and determined to be relevant to safety.
— Several informative annexes are moved to the guidance in ISO/TR 24971, which has been revised
in parallel. More information and a rationale for the requirements in this third edition of ISO 14971
have been provided in Annex A. The correspondence between the clauses of the second edition and
those of this third edition is given in Annex B.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The requirements contained in this document provide manufacturers with a framework within which
experience, insight and judgment are applied systematically to manage the risks associated with the
use of medical devices.
This document was developed specifically for manufacturers of medical devices on the basis of
established principles of risk management that have evolved over many years. This document could be
used as guidance in developing and maintaining a risk management process for other products that are
not necessarily medical devices in some jurisdictions and for suppliers and other parties involved in the
medical device life cycle.
This document deals with processes for managing risks associated with medical devices. Risks can be
related to injury, not only to the patient, but also to the user and other persons. Risks can also be related
to damage to property (for example objects, data, other equipment) or the environment.
Risk management is a complex subject because each stakeholder can place a different value on the
acceptability of risks in relation to the anticipated benefits. The concepts of risk management are
particularly important in relation to medical devices because of the variety of stakeholders including
medical practitioners, the organizations providing health care, governments, industry, patients and
members of the public.
It is generally accepted that the concept of risk has two key components:
— the probability of occurrence of harm; and
— the consequences of that harm, that is, how severe it might be.
All stakeholders need to understand that the use of a medical device involves an inherent degree of risk,
even after the risks have been reduced to an acceptable level. It is well known that in the context of a
clinical procedure some residual risks remain. The acceptability of a risk to a stakeholder i
...