Risk Management
What should be in your MDR technical documentation
Risk management in the medical device industry extends beyond product development and manufacturing to become an integral part of your product’s life cycle. ISO 14971:2019 specifies the international requirements for medical device risk management systems, as well as best practices for the device’s entire life cycle.
You need to successfully implement a risk management system. This ensures your company brings a compliant product to the market in a timely and safe manner.
Risk Management
Risk management appears simple from a distance. You have a device; you assess its potential risks, mitigate those risks, and track them over time. Isn’t it simple? If only it were. In practice, risk management is one of the more difficult aspects of regulatory compliance, because risk comes in many forms and people perceive severity differently. Furthermore, the likelihood of harm occurring can be estimated in various ways.
The fact that we often don’t have enough real-world data to accurately quantify risks, especially for new devices, makes risk management problematic. Fortunately, you can establish a systematic process for analysing, evaluating, controlling, and monitoring risks. Before we get into that, let’s take a step back and discuss the rules and guidelines that govern how you should approach risk management.
For medical devices, we define risk and risk management as:
- Risk – the combination of probability that harm occurs and the severity of that harm.
- Risk management – the systematic application of management policies, procedures, and practices to the tasks of analysing, controlling, and monitoring risk.
Simply put, we all have a vested interest in ensuring the safety and efficacy of medical devices. Risk management is therefore not optional; it is a legal requirement all over the world. The Quality System Regulation of the United States Food and Drug Administration (FDA) requires it (21 CFR Part 820), and the Medical Device Regulation (MDR 2017/745) in Europe mandates it. Similarly, risk management is required in Japan, Canada, Australia, Brazil, and all other major markets, as stated in their national regulations or ISO 13485:2016.
The role of ISO 14971
Fortunately, national governments have not created their own rules dictating how risk management is done. Instead, they rely on ISO 14971, the international standard for risk management of medical devices. If you’re just getting started with risk management in your company, invest in the ISO 14971:2019 standard and its guidance, ISO/TR 24971:2020, which will help you get started. These are both copyrighted documents you can purchase from ISO.org and other online vendors.
ISO 14971 is a standard for identifying risks associated with medical devices at all stages of their life cycle, from product design through procurement and production to post-market use. The goal is to analyse, evaluate, control, and monitor the risks associated with each stage of the life cycle.
The most recent version is ISO 14971:2019, which was published by ISO and CEN/CENELEC as EN ISO 14971:2019. While there are no tectonic shifts in the risk management process, there are important changes and updates to be aware of in this version, which replaces ISO 14971:2007 and EN ISO 14971:2012.
Inputs, Outputs, Verification and Validation
Annex IX, 2.2(c) requires:
“Identification of applicable General Safety and Performance Requirements (GSPR) and solutions to fulfil those requirements, taking applicable Common Specifications and, where opted for, harmonised standards or other adequate solutions into account”.
Many manufacturers currently complete the Essential Requirements Checklist (Annex I) of the Medical Device Directive (MDD) before submitting a technical file for CE marking. Annex I (GSPRs) of the MDR contains significantly updated and new requirements not included in the MDD. The GSPRs, in conjunction with the applicable Common Specifications and Harmonised Standards, will impose new device requirements and specifications.
You must address these changes as part of the design and development inputs, outputs, verification, and validation phases. Compiling data for CE mark submission will no longer be sufficient. Below are just a few of the significantly updated GSPR requirements in Annex I of the MDR.
- 10.4 (Hazardous substances: CMR substances that are carcinogenic, mutagenic or toxic to reproduction, and endocrine-disrupting substances)
- 12 (Devices incorporating a substance considered a medicinal product, and devices composed of substances or combinations of substances absorbed by or locally dispersed in the human body)
- 17 (Electronic programmable systems)
- 22 (Devices intended for use by laypersons)
- 23 (Label and instructions for use)
As stated in MEDDEV 2.7/1 Rev. 4: A guide for manufacturers and notified bodies under directives 93/42/EEC and 90/385/EEC, clinical evaluation must commence during medical device development. Clinical evaluation and risk management should guide pre-market research and development to define device safety and performance. This requires the manufacturer to evaluate any available clinical data, determine equivalence, and define data gaps for the device under consideration.
Evolution of ISO 14971 and the elevation of ISO/TR 24971:2020
Structure of ISO 14971:2019 and ISO/TR 24971:2020
The main body of the ISO 14971 standard is surprisingly short, with only 18 pages plus three annexes. Many of the annexes from the 2007 revision were moved out of the standard (into the guidance document ISO/TR 24971:2020), so this version is shorter than its predecessors.
ISO 14971:2019:
1. Scope
2. Normative references
3. Terms and definitions
4. General requirements for risk management system
5. Risk analysis
6. Risk evaluation
7. Risk control
8. Evaluation of residual risk
9. Risk management review
10. Production and post-production activities

Plus annexes:
- A Rationale for requirements
- B Risk management process for medical devices
- C Fundamental risk concepts

ISO/TR 24971:2020:
Sections 1-10 correlate with ISO 14971:2019.

Plus annexes:
- A Identification of hazards and characteristics related to safety
- B Techniques that support risk analysis
- C Relation between the policy, criteria for risk acceptability, risk control, and risk evaluation
- D Information for safety and information on residual risk
- E Role of international standards on risk management
- F Guidance on risks related to security
- G Components and devices designed without using ISO 14971
- H Guidance on in vitro diagnostic medical devices
Creating your risk management procedure
Where do you start with these two documents? Risk management must be defined and managed in your QMS like any other process. ISO 13485:2016 clause 7.1 mandates that you have “one or more [documented] risk management processes.” Start with a documented risk management procedure. What should be included?
First, ISO 14971 Clause 4.2 details two important responsibilities for your top management. Management must:
- Ensure the right resources are available and that competent people are assigned responsibility for conducting risk management activities
- Define a risk policy that guides how the company sets up the risk acceptability criteria for each of their devices.
Risk management teams should use your company’s risk policy as a single point of reference when establishing the risk acceptability criteria for a device. The policy should ensure that the acceptability criteria meet all applicable national or regional regulations and relevant International Standards, and should also take into account the generally accepted state of the art and the interests of the device’s stakeholders. Your risk policy usually includes statements like “reduce the risk as far as possible” or “reduce the risk as low as reasonably practicable”.
Make sure to include information on how top management will assess the suitability of the risk management process (this usually happens during Management Review).
Next, Clause 4.1 of ISO 14971:2019 states that you must have an ongoing process for doing these things for each device or device family you manufacture:
- Identifying hazards and hazardous situations associated with a medical device.
- Estimating and evaluating the associated risks.
- Controlling these risks.
- Monitoring the effectiveness of the risk control measures.
These are the fundamental steps taken throughout the life cycle of every device you create. One thing to remember is that risk management for your device never ends!
Basic steps in the medical device risk management process
You will repeat these basic steps for each device/device family you have.
Create a risk management plan for your device
We want to start our activities with a plan, just like any other good process. If your company only has one device or device family, your risk management procedure can serve as your risk management plan. If you make various devices, you must tailor your risk management plan to each device/device family. All the appropriate steps you defined in the risk management procedure should be reflected in your plan.
| General Procedure | Specific Plan |
| --- | --- |
| A top-level procedure for all risk management projects, per written risk procedures. You may want to include this in the template you prepare in your risk management standard operating procedure (SOP). | How you will conduct a risk management project for a specific product or process, per the general risk procedures. You may integrate these details into, or replace, parts of your generic “boilerplate”. |
Our plan lays out the specific steps we will take to manage risk for a specific device, including risk analysis, risk evaluation, risk control, review, and reporting.
- Assemble your risk management team: Assemble a qualified team of people who know how your device is constructed, its manufacturing processes, how it is used in the field, etc.
Use risk analysis tools to identify risks
Choose the tools you will use to measure risk, and then use them to identify risks posed by your processes, users, suppliers, maintenance tasks, shipping, production equipment, etc.
Device design risk management analysis consolidating harms to comply with MDR and IVDR.
According to ISO 14971:2019 Section 5, characteristics related to the safety of the device need to be identified, as well as hazards and hazardous situations (the situations that lead to patient harms or adverse events). This implies that the known and foreseeable device deficiencies need to be mapped against harms. This poses a new challenge for engineering teams, who must bridge technical skills and clinical skills to define clinical hazards, especially where the manufacturer has no Clinical Affairs department to map out the clinical setting, its controls, and the potential patient/user harms.
The bow tie analysis is a highly visual and helpful methodology for meeting the IVDR and MDR requirements to map and link device risks with potential patient harms (see Figure 1). In Figure 1, the cause, hazard and effect are mapped so that the Clinical Evaluation data on performance and safety can be linked to them to show compliance with the GSPRs.
Control risks
The goal here is to reduce risks to an acceptable level, as defined in your risk policy, using design features, protective measures like alarms, and, of course, information, such as warning labels. Again, the extended bow tie analysis (Figure 2) is helpful to map out your controls for engineering, but also the clinical environment, which should align with your IFU warnings and preventive measures.
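To make the bow tie structure and the risk policy’s acceptability criteria concrete, here is an added example (not from the original article, and not any product’s actual risk file): a small Python model of one bow tie with a constructed hazard, its causes, harms and controls, and a check that flags hazards lacking controls on either side of the knot, hazards relying on information for safety alone, and residual risks above a policy limit. The severity and probability scales, the limit, and the sample hazard are all assumptions.

```python
# Added example: a bow tie (causes -> hazard -> harms) with preventive and
# mitigating controls, evaluated against a constructed risk-acceptability limit.
# Scales, limit and the sample hazard are constructed, not taken from any standard or device.
from dataclasses import dataclass, field

SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4}

@dataclass
class Control:
    description: str
    kind: str   # "design", "protective" or "information" (ISO 14971 clause 7 priority order)
    side: str   # "preventive" = left of the knot (stops the cause); "mitigating" = right (limits harm)

@dataclass
class BowTie:
    hazard: str
    causes: list
    harms: dict              # harm -> (probability after controls, severity)
    controls: list = field(default_factory=list)

def risk_index(probability: str, severity: str) -> int:
    """Risk as the article defines it: probability of harm combined with its severity."""
    return PROBABILITY[probability] * SEVERITY[severity]

def evaluate(bt: BowTie, acceptable_max: int) -> dict:
    """Residual risk per harm plus the gaps a reviewer would raise against the plan."""
    findings = []
    if not any(c.side == "preventive" for c in bt.controls):
        findings.append(f"{bt.hazard}: no preventive control on the cause side")
    if not any(c.side == "mitigating" for c in bt.controls):
        findings.append(f"{bt.hazard}: no mitigating control on the harm side")
    if bt.controls and all(c.kind == "information" for c in bt.controls):
        findings.append(f"{bt.hazard}: relies on information for safety only")
    residual = {}
    for harm, (p, s) in bt.harms.items():
        residual[harm] = risk_index(p, s)
        if residual[harm] > acceptable_max:
            findings.append(f"{harm}: residual risk {residual[harm]} exceeds policy limit {acceptable_max}")
    return {"residual": residual, "findings": findings}

# Constructed sample bow tie for a hypothetical dose-delivery function.
EXAMPLE = BowTie(
    hazard="Incorrect dose delivered",
    causes=["dose calculation defect", "user enters value in wrong units"],
    harms={"overdose": ("remote", "critical"), "underdose": ("remote", "serious")},
    controls=[
        Control("Input range check rejects values outside labelled limits", "design", "preventive"),
        Control("IFU instructs the user to confirm units before starting", "information", "preventive"),
        Control("Delivery-rate deviation alarm halts the device", "protective", "mitigating"),
    ],
)

if __name__ == "__main__":
    for line in evaluate(EXAMPLE, acceptable_max=6)["findings"]:
        print(line)
```

With the constructed limit of 6, only the overdose harm is flagged; raising the limit or lowering the post-control probability clears the finding, which is the loop the risk policy and the residual-risk evaluation close.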
Weigh the risks versus the benefits
Now that the risks and clinical harms are clear, you can match them against your clinical benefits and the rates at which harms occur, taken from your Clinical Evaluation, which your Clinical Affairs team can provide. Your Clinical Affairs team works closely with your Quality Affairs team to compile post-market surveillance data, including vigilance data on the rates of device deficiencies and user harms for your device and similar devices, to benchmark the benefit-to-risk ratio against similar devices.
The end goal is to ensure that the clinical benefits of your device outweigh its residual risks. This needs to be reassessed throughout the life of the device. Your Clinical Affairs team should be driving the writing of this assessment, as it relies heavily on clinical data, clinical research know-how and medical writing skills. In accordance with MEDDEV 2.7/1 Rev. 4, the writer and signee of the benefit-to-risk assessment for the CER should be clinically qualified and experienced for the assessment to be valid evidence of conformance with the GSPRs.
Review the risk management outcomes and create a report
This is where you give yourself credit for everything you’ve done. Reconnect everything to your original plan. Did you stick to the plan? Did you keep track of any deviations and justify them? It’s critical that you write clear and simple conclusions, such as “The outcomes of the risk management process support that the implemented risk control measures reduce the residual risks of the device to a level that is outweighed by its clinical benefits.” This goes a long way toward establishing your method’s credibility.
It’s a good idea to finalise your plans for risk monitoring throughout the device life cycle at this point. Last but not least, all the documentation you create during these three basic steps becomes the content of your device’s risk management file.
CLIN-r+ top tips on being compliant:
One resource that we highly recommend you use is the range of on-demand webinars offered by BSI. They can be accessed here for free.
We hope this document has answered your questions. Should you have any other questions or need professional assistance, CLIN-r+ have a wealth of experience in risk management and what should be in your MDR technical file. Get in touch!