The Ultimate Guide to ISO 14971 Risk Management

At SoftComply, we understand the importance of proper risk management.

From costly design changes to product recalls and bad press, not accounting for risks is in fact the single biggest gamble that companies are taking today.

If you are a medical device manufacturer, marketer, designer, or anyone connected with the field of healthcare, then this is a must-read for you.

We believe that a well-designed system not only ensures compliance with ISO 14971, but also drives better outcomes throughout the entire product lifecycle.

Instead of taking a reactive approach, a company must act proactively, managing risk from the early design to post market.

Let’s instill a culture of quality that goes hand-in-hand with a culture that embraces and effectively manages risk.


In the field of medical science, following regulatory guidelines is not just critical, it is also a legal obligation of device manufacturers.

The same holds true for teams involved in researching, designing, marketing and selling medical devices.

The entire premise of medical devices is to improve patients’ overall wellbeing and save lives. This is why ISO 14971, the international standard for medical device risk management, acts as a critical framework for medical device manufacturers.

Issues like software glitches, design flaws, manufacturing defects and biological risks can lead to devastating consequences for patients, healthcare providers, and manufacturers alike. For end users, poor risk management can lead to injury or even death.

ISO 14971 provides a systematic approach to identifying hazards, estimating and evaluating risks, controlling risks, and monitoring effectiveness of these controls throughout a product’s lifecycle.

But implementing this standard demands a holistic management approach, one that flows from top to bottom, ensuring every stakeholder is proactively involved in the entire process.

In this guide, we’ll explore ISO 14971, understand its core components, recent updates, implementation strategies, and how you can improve risk management with SoftComply’s Risk Manager Plus on Jira.

What is Risk?

Risk has multiple meanings, depending on the context. In the field of medical and healthcare, however, risk is the possibility of injury or loss of life, or, as ISO 14971 puts it, the “combination of the probability of occurrence of harm and the severity of that harm”.

The entire purpose behind risk management is to identify, evaluate, analyze, assess and mitigate potential risks resulting from medical devices and life-saving equipment.

What is Safety?

There is no device that is completely risk-free. ISO 14971 defines safety as “freedom from unacceptable risk”. In addition, the concept of “acceptable risk” is relative to the “benefit” that the device provides. Life-saving devices for otherwise incurable conditions can tolerate a higher risk than devices used for simpler applications. An AED poses more risk to a patient than a thermometer, but its benefit is correspondingly greater.

What is ISO 14971?

The entire medical industry is built upon trust.

Patients trust medical and healthcare professionals to improve their health and quality of life. These professionals in turn trust medical devices to do what they are supposed to do in a safe and effective way. To safeguard this trust, there needs to be due diligence and a thorough safety mechanism process in place.

ISO 14971 is more than just a set of guidelines; it is a systematic approach to managing the risks associated with medical devices.

It was first published in 2000. As time passed, rapid advancements in technology led to further iterations and updates of the standard. The current edition (2019) has become the industry’s gold standard, aligned with global regulatory requirements including the European Medical Device Regulation (MDR) and the US FDA’s Quality System Regulation.

It is applicable throughout the entire PLC (Product Life Cycle) from the initial stages of research and concept to sales and after-sales feedback.

Where Should You Consider “Risk”?

The US Food and Drug Administration (FDA) holds that risk can be considered at any stage of a medical device’s life. There are three main areas:

  1. Design process
  2. Manufacturing process
  3. Use of the device until its retirement 

Key Elements of ISO 14971

To understand ISO 14971, it is important to go through its various elements:

  1. Risk Management Plan: A strategic plan that describes how risks will be assessed and controlled throughout the entire lifecycle of the product.
  2. Risk Management File: A set of records and other documents that are produced by the risk management process for a specific device (or device family) [ISO 14971:2019 3.25].
  3. Risk Analysis: The process of using any available information to identify hazards and estimate the risk.
  4. Risk Evaluation: The process of comparing the estimated risk against given risk criteria to determine the risk acceptability.
  5. Risk Control: The process through which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels.
  6. Residual Risk Evaluation: Assessment of the risk remaining after risk control measures have been implemented.
  7. Risk Management Review: Systematic review of the risk management file to ensure that the plan was correctly followed, the overall risk is acceptable, and the post-market surveillance activities are in place.
  8. Production and Post-Production Monitoring: The process of collecting and reviewing information about the medical device once it has entered production and real-world use.

The ISO 14971 Risk Management Process: a Step-by-Step Guide

The following process is a blueprint that your organization can start following immediately in a step-by-step manner. It shows everything from risk planning to analysis and evaluation.

1. Risk Management Planning

Step 1:

This should be your first step in overall risk management. Everything starts with a plan, and each medical device should have a unique one: “one size does not fit all” applies to medical devices as much as anywhere else.

Each device is different, catering to the unique needs of patients and of different markets. One risk management plan cannot be applied across all devices.

This is the part where you define the scope of risk management activities, assign responsibilities, and establish criteria for risk acceptability. It should clearly state the activities that need to be undertaken from the design phase to the post-market phase. Risk management is a continuous process that ends only when the product is discontinued and there are no devices left in the market.

The plan lays the groundwork of who does what, but should be constantly revised and updated once new risk factors are identified. Once it is ready, now comes the second step in risk management planning.

Step 2:

This is where your organization decides how the plan will be implemented across the company including all teams. Important questions to answer in this process: 

  • Who will review the plan and what will it consist of?
  • What would be the acceptable levels of risk?
  • How to determine the acceptability level if no numerical value can be assigned to a hazard?
  • What residual risk level is considered acceptable?
  • How to identify and determine the residual risk level?
  • How will risk controls be implemented, and how will their effectiveness be determined?
  • What sources will be used to gather post-production data?
  • How will that data be reviewed?

It is important to answer these questions before implementing any plan, considering all stages of the risk management process.

  • Risk Acceptability Criteria: As mentioned earlier, ISO 14971 also mandates that the criteria for risk acceptability are developed before the risk management plan is implemented.
  • Review Requirements: ISO 14971 mandates clearly defined responsibilities for risk management activities. This includes specifying who conducts reviews, the scope of those reviews, and the necessary approvals at each phase. It is important to include technical and clinical specialists as required.
  • Residual Risk Acceptance Criteria: One of the most difficult criteria to define, as not all risks are quantifiable, in particular when they are all bundled together. It has to take into account the benefits of the device, the current state of the art and the risk posed by existing similar devices.
  • Verification of Risk Controls: This plan should mirror the verification processes used for design changes and detail how the effectiveness of risk reduction is to be documented.
  • Post-Production Information: Actual feedback from end users provides valuable information for your organization. Manufacturers that regularly incorporate post-production feedback achieve lower risk and improved product performance. Plans should outline methods for gathering this information, reviewing it, and using it to inform ongoing risk management.

SoftComply Risk Manager Plus allows you to document your risk management plan directly within your project. You can assign responsibility for risk management tasks to specific team members, leveraging Jira’s existing workflow and notification capabilities.

2. Document Everything in a Risk Management File

You have come up with a great plan, now what? It is time to document with every possible detail, including date, time, revisions, the risk factors and their impact, as well as a history of actions taken to mitigate risks. This is called the RMF, short for Risk Management File.

The RMF provides information on identifying, mitigating and evaluating risks. The file should have traceability for each hazard to the different risk control mechanisms.

This means that the file needs to have references for every action taken against each risk, leading to better collaboration among all teams involved in the due process. Any and all verification reports generated should always be referenced in the RMF to develop a clear record of everything.

SoftComply Risk Manager Plus allows you to document all activities and generate an RMF as and when new activity takes place. You can generate and download the reports to view historical changes in the document.

3. Risk Analysis

Every device should have a unique risk analysis, just as it has its own unique risk plan. An existing risk analysis is a good starting point, but it should never be treated as final. As with design, the risk analysis needs to be conducted by all team members involved to get a thorough perspective from every side.

Here is what risk analysis includes:

  • Identification and description of the medical device
  • The scope of the analysis
  • The team members involved

It is a wise idea to always split up the risks and assign them to the most experienced team members. For example, team members with clinical knowledge of the device are best suited to test the device for its applicability and other risk factors.

Similarly, the quality management team is the best for analyzing all the safety concerns and ensuring that the device design is following all regulatory guidelines.

Once this list is developed, it is time for cross-functional teams to work together in identifying any possible hazardous situation arising from the use or misuse of the product. This means that any risk, even with the lowest probability, should be considered, because bench tests differ from real-world scenarios.

You can rely on Risk Manager Plus to assist you in creating a complete risk model and automatically calculating the risk class based on your defined matrix. This ranges from Improbable to Probable in the Probability index, and Negligible to High in the Impact index.

[Screenshot: Risk Model.png]

4. Risk Evaluation

You now need to compare the estimated risks against your pre-defined risk acceptance criteria and determine which risks require mitigation. This is the most important aspect of risk evaluation: the risk acceptability criteria were developed in the risk management plan, so you can now compare each estimated risk level directly against them.

Not all risks will necessarily meet the acceptability criteria. At this point, it is a wise decision to have risk controls in place, which is the 5th phase that we’ll be covering.

To ensure mitigation of any possible risk factor, always apply risk controls, whether the evaluation outcome is favorable or unfavorable. As a device manufacturer, you should always be ready to mitigate risks whenever and wherever possible. Once you have strong risk controls in place, you also need to regularly revise your risk evaluation plans.

Within SoftComply Risk Manager Plus, the risk table view provides a clear overview of all identified risks and their calculated risk levels, making it easy to identify those requiring further action. You can filter and sort risks based on their class to prioritize mitigation efforts.

To further evaluate risks, you can select the Initial Impact and Initial Probability from the drop-down menu and the Initial Risk Class will be calculated automatically.

[Screenshot: Risk Register.png]

You can then assign a Mitigation Action and a Verification Action as shown in the screenshot below.

[Screenshot: Traceability.png]

5. Risk Control

Implement appropriate risk control measures in the order of the hierarchy of controls:

  1. Inherent safety by design – The products designed should have safety as the core component.
  2. Protective measures – Include multiple safety guards to prevent any possible hazardous situation.
  3. Information for safety – Least effective but vital aspect of risk control, which is the development of operating manuals, labelling and user training.

When you identify a risk, implement risk control measures to reduce the risk of the hazardous situation. Such controls may include training, labeling, validation, and design characteristics.

Inherent safety by design means that the materials used in manufacturing the medical device are safe for the end user. For example, there should be no toxic chemicals that could react with the skin. Another instance is avoiding any sharp edges. The best team for this process is the device design team.

The next layer, protective measures, includes safety guards, product markings, or quality control checks. For instance, an interlocking mechanism prevents a device such as an X-ray machine from operating in a hazardous situation.

The final layer is information for safety, including labeling, instructions for use, and user training. This is not as effective as the previous layers, because it relies on the end user complying with the operating manual and instructions to avoid a hazardous situation. The manufacturer therefore has insufficient control over user actions to ensure consistent behaviour.

This is why most risk control mechanisms should be focused on the first two layers, as leaving anything to the end user could result in devastating consequences.

It is important that manufacturers build safety into the device rather than trying to compensate for an unsafe device later on with user training or workarounds.

SoftComply Risk Manager Plus allows you to link Jira risk issues to other Jira issues representing mitigation and verification actions.

[Screenshot: Risk Traceability.png]

This creates full traceability between identified risks, implemented controls, and their verification, a key requirement of ISO 14971.

6. Evaluation of Overall Residual Risk

Now that all risk control measures are implemented, it is time to evaluate any residual risk.

Residual risk is any risk that still remains after implementing risk mitigation techniques and control measures.

The residual risk is evaluated by considering the device’s expected benefits when used as intended, and then comparing this risk against pre-defined acceptability criteria. This process should be objective by having the criteria established early in the risk management plan.

The overall residual risk, including any significant risks, must be documented. If the residual risk doesn’t meet acceptability criteria, additional risk control iterations are required to bring the risk levels down to an acceptable level.

If risk reduction is unfeasible, the unacceptable residual risk is documented, and the device does not proceed to the manufacturing stage.

It is also important to have clinical experts weigh in on the decision about the acceptability of the residual risk.
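To make steps 4 to 6 concrete, here is an added worked example (not SoftComply’s code and not part of the original article): a minimal risk register that calculates the risk class from a probability/impact matrix, checks that every unacceptable risk has a linked mitigation and verification action, and evaluates the re-estimated residual risk against the acceptability criterion. The Probability and Impact end-points (Improbable to Probable, Negligible to High) come from the article; the intermediate labels, the class matrix, the rule that only “Low” is acceptable, and the sample hazards are assumptions constructed for illustration and would, in practice, be defined in the risk management plan.

```python
"""Added example (not SoftComply's code): a minimal risk register that runs the
evaluation logic of steps 4 to 6. The Probability and Impact labels (Improbable
to Probable, Negligible to High) come from the article; the intermediate labels,
the class matrix, the acceptability rule and the sample hazards are assumptions
constructed for illustration and would be defined in a real risk management plan."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROBABILITY = ["Improbable", "Remote", "Occasional", "Probable"]
IMPACT = ["Negligible", "Minor", "Serious", "High"]

# Assumed risk class matrix, indexed [probability][impact].
MATRIX = [
    ["Low",    "Low",    "Medium", "Medium"],  # Improbable
    ["Low",    "Medium", "Medium", "High"],    # Remote
    ["Medium", "Medium", "High",   "High"],    # Occasional
    ["Medium", "High",   "High",   "High"],    # Probable
]
# Assumed acceptability criterion: only "Low" needs no further control.
ACCEPTABLE_CLASSES = {"Low"}


def risk_class(probability: str, impact: str) -> str:
    """Look up the risk class for a probability/impact pair."""
    return MATRIX[PROBABILITY.index(probability)][IMPACT.index(impact)]


@dataclass
class Risk:
    hazard_id: str
    hazardous_situation: str
    initial_probability: str
    initial_impact: str
    mitigations: List[str] = field(default_factory=list)    # linked action ids
    verifications: List[str] = field(default_factory=list)  # linked verification ids
    residual_probability: Optional[str] = None
    residual_impact: Optional[str] = None

    def initial_class(self) -> str:
        return risk_class(self.initial_probability, self.initial_impact)

    def residual_class(self) -> Optional[str]:
        """None until the risk has been re-estimated after controls."""
        if self.residual_probability is None or self.residual_impact is None:
            return None
        return risk_class(self.residual_probability, self.residual_impact)


def evaluate(register: List[Risk]) -> Dict[str, List[str]]:
    """Return, per hazard, the findings a risk management review would raise.

    An acceptable initial risk needs no control and yields no findings.
    An unacceptable one must have a linked mitigation, a linked verification,
    and a re-estimated residual class that meets the acceptability criterion."""
    findings: Dict[str, List[str]] = {}
    for risk in register:
        issues: List[str] = []
        if risk.initial_class() not in ACCEPTABLE_CLASSES:
            if not risk.mitigations:
                issues.append("no mitigation action linked")
            elif not risk.verifications:
                issues.append("mitigation not verified")
            residual = risk.residual_class()
            if residual is None:
                issues.append("residual risk not re-estimated")
            elif residual not in ACCEPTABLE_CLASSES:
                issues.append(f"residual risk {residual} unacceptable")
        findings[risk.hazard_id] = issues
    return findings


def overall_residual_acceptable(register: List[Risk]) -> bool:
    """Step 6 gate: true only when no hazard has an open finding."""
    return all(not issues for issues in evaluate(register).values())


# Constructed sample register (not from any real device).
SAMPLE_REGISTER = [
    Risk("HZ-001", "sharp housing edge cuts user", "Occasional", "Serious",
         mitigations=["DEV-12"], verifications=["TEST-7"],
         residual_probability="Improbable", residual_impact="Minor"),
    Risk("HZ-002", "software freeze during therapy", "Remote", "High",
         mitigations=["DEV-15"],  # verification still missing
         residual_probability="Remote", residual_impact="Minor"),
    Risk("HZ-003", "label smudges over time", "Improbable", "Minor"),
]

if __name__ == "__main__":
    for hazard, issues in evaluate(SAMPLE_REGISTER).items():
        print(hazard, "OK" if not issues else "; ".join(issues))
    print("overall residual risk acceptable:",
          overall_residual_acceptable(SAMPLE_REGISTER))
```

Running it reports HZ-002 twice: its mitigation has no verification link, and its residual class is still Medium, so the overall residual risk gate fails. That is exactly the traceability gap the review in step 7 is meant to catch, and it is why the residual estimate must be recorded separately from the initial one rather than overwriting it.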

7. Risk Management Review

Before a device is released, there’s a final review of the entire risk management process. This is like a quality or regulatory audit to make sure everything was done correctly. Make sure that the Quality Management Team or the Regulatory Team is in charge of this process. The review checks that a risk management plan was followed correctly.

It also checks whether adequate processes are in place for ongoing risk management after the device is released (post-production). The review should confirm that ways to collect and review data after release are set up, and that the final assessment of the remaining risk (residual risk) is documented and acceptable.

Essentially, this review ensures all the risk management activities are complete and the device is safe before it goes to market.

SoftComply Risk Manager Plus provides reporting capabilities that can be used to generate reports for risk management reviews, showing the status of risks across different projects and iterations. To generate these reports, head over to Risk Models and click the View Risk Model Report icon under More actions.

[Screenshot: Risk Model Report.png]

You will be asked to specify the elements required within the report. Click View Report.

[Screenshot: Risk Report conf.png]

You will now see a risk matrix similar to the one in Risk Analysis, which allows you to study the report for each type of risk.

[Screenshot: Risk Report.png]

 

8. Production and Post-Production Activities

This is the final and the most important part of the entire process. Once your device enters production and becomes available to end users, the company will start receiving “feedback” from the market. Some of this may be related to device malfunction or risks.

This is also called the ongoing risk management process. Here are some sources from which you can gather information from the market and use it to refine your risk management plan:

  • Information from the device users such as patients, healthcare staff and family members of the patient.
  • Information from suppliers and wholesalers that distribute your product.
  • Information from publicly available published scientific literature.

One of the most “recent” aspects is cybersecurity surveillance. Unlike the standard, more reactive, surveillance process, cybersecurity surveillance must be proactive. A company must have the means to monitor the cybersecurity landscape, assess potential threats and evaluate new vulnerabilities discovered in the code. A device considered “secure” today may not be so tomorrow, when new vulnerabilities in SOUP (software of unknown provenance) are found and published. SoftComply Risk Manager Plus features ISMS and product cybersecurity management, including frameworks such as ISO 27001 (with statement of applicability), the NIST SP series and CVSS.
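The proactive SOUP surveillance described above can be shown as a small procedure. The following is an added example, not SoftComply’s code and not part of the original article: it checks a SOUP inventory against published advisory records, flags components whose version falls inside the affected range, and rates each hit with the CVSS v3.x qualitative severity scale so it can be fed into the risk register as a new hazardous situation. The component names, the advisory identifiers (ADV-EX-*) and their scores are constructed placeholders, and the review threshold of 4.0 is an assumption a real plan would set in its acceptability criteria.

```python
"""Added example (not SoftComply's code): proactive cybersecurity surveillance of
SOUP, as described above. It checks a SOUP inventory against advisory records and
flags components whose version falls in the affected range. The inventory, the
advisory ids (ADV-EX-*) and their scores are constructed placeholders; the
qualitative bands are the CVSS v3.x severity rating scale. The review threshold
is an assumption a real plan would set in its acceptability criteria."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class SoupComponent:
    name: str
    version: str
    used_for: str  # role of the component in the device software


@dataclass
class Advisory:
    advisory_id: str          # constructed placeholder, not a real identifier
    component: str
    affected_from: str        # first affected version (inclusive)
    fixed_in: Optional[str]   # first fixed version, None if no fix published
    cvss_base: float


def is_affected(component: SoupComponent, advisory: Advisory) -> bool:
    """True when the component's version lies in [affected_from, fixed_in)."""
    if component.name != advisory.component:
        return False
    version = parse_version(component.version)
    if version < parse_version(advisory.affected_from):
        return False
    return advisory.fixed_in is None or version < parse_version(advisory.fixed_in)


def surveillance_findings(inventory: List[SoupComponent],
                          advisories: List[Advisory],
                          review_threshold: float = 4.0) -> List[Dict]:
    """Match the inventory against advisories; highest CVSS score first.

    Each finding is a candidate new hazardous situation for the risk register,
    so the overall residual risk of the device can be re-evaluated (step 6)."""
    findings = []
    for component in inventory:
        for advisory in advisories:
            if is_affected(component, advisory):
                findings.append({
                    "component": f"{component.name} {component.version}",
                    "used_for": component.used_for,
                    "advisory": advisory.advisory_id,
                    "cvss_base": advisory.cvss_base,
                    "severity": cvss_severity(advisory.cvss_base),
                    "fix_available": advisory.fixed_in is not None,
                    "needs_risk_review": advisory.cvss_base >= review_threshold,
                })
    return sorted(findings, key=lambda f: f["cvss_base"], reverse=True)


# Constructed sample data: component names and advisories are fictitious.
SAMPLE_INVENTORY = [
    SoupComponent("tlslib", "1.4.2", "encrypted link to hospital network"),
    SoupComponent("parserlib", "2.0.1", "import of patient data files"),
    SoupComponent("logkit", "0.9", "device event logging"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-EX-001", "tlslib", "1.0.0", "1.4.5", 7.5),
    Advisory("ADV-EX-002", "parserlib", "1.0.0", "2.0.0", 9.8),  # already fixed
    Advisory("ADV-EX-003", "logkit", "0.5", None, 3.1),          # no fix yet
]

if __name__ == "__main__":
    for finding in surveillance_findings(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        print(finding)
```

Two details matter in practice: the version comparison must be numeric, not string-based, or “2.0.10” would sort before “2.0.9”; and a finding without a published fix (fix_available false) still has to be recorded and re-evaluated, since the risk exists whether or not a patch does. In a Jira-based setup each finding would become an issue linked to the affected risk, which is the integration the next paragraph describes.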

Jira, at its core, is a collaboration platform ideal for managing feedback and issues reported during production and post-market phases. By linking these issues to existing risks within SoftComply Risk Manager Plus, you can ensure that post-market information is systematically integrated into your ongoing risk management activities.

For optimal effectiveness, risk management should be integrated with your existing quality management system, particularly if you’re already compliant with ISO 13485.

Final Takeaways

  1. Ongoing activity – Effective risk management is not a one-time activity but a continuous journey of improvement. As new technologies emerge and regulatory landscapes evolve, your risk management processes should adapt accordingly.
  2. Build a solid plan – Your risk management plan is everything, and it should serve as a solid foundation for identifying and mitigating risks. The more you invest in the initial stages, the less you have to waste on product recalls in the long run.
  3. Document all activities – Everything including plan, process, review, adjustments, updates, comments should be documented for teams to access.

With SoftComply Risk Manager Plus, medical device manufacturers can:

  • Improve team accountability and transparency in risk management activities.
  • Streamline the risk management process through integrated workflows and traceability.
  • Enhance the quality and consistency of risk assessments through customizable risk models and centralized data.
  • Facilitate comprehensive documentation within the Risk Management File.
  • Improve the integration of post-market surveillance data into ongoing risk management.

Want to Learn More

Join the weekly Live Demo sessions or book a dedicated live demo call with SoftComply.

This article was originally published on SoftComply blog.

2 comments

Jimi Wikman
Community Champion
April 16, 2025

Wow!
@Marion Lepmets _SoftComply_ this is one of the more extensive and amazing articles on this subject I have seen! Great job on this one, and I will bookmark it for the future!

Marion Lepmets _SoftComply_
Atlassian Partner
April 16, 2025

Thanks, @Jimi Wikman! Please let me know in case of any questions.
