New ISO 14971: Updates for Risk Management

ISO 14971 for medical device risk management was approved in December 2019. Although no significant changes on the risk management process was defined, a substantial re-organization of the standard was performed.

Click here for a Risk Management Procedure aligned with the new ISO 14971:2019.

This includes new terms and more detailed requirements on post-market risk management have been included. 

One big substantial changes is related to the annexes of the standard. The last revision contains only three annexes, whereas the remaining ones have been moved to Technical Report (TR) 24971, which is expected to be published in 2020. Specifically, the annexes that remained within ISO 14971 are:

  1. rationale for requirements,
  2. risk management process,
  3. and fundamental risk concepts.

It is expected that TR 24971 will become essential for risk management for medical devices and it will contain all the annexes which are not currently present on ISO 14971.

Particular attention was paid on the newly updated ISO 14971:2019 on the benefit-risk analysis of medical devices, so to align the standard with EU MDR (2017/745) and IVDR (2017/746). The new ISO 14971 now requires to perform an assessment of overall residual risk and to determine the criteria for risk acceptability. The methodology to assess the acceptability of the overall residual risk can be different from the acceptability criteria of individual risks. 

New terms and definition was also added in the new standard, including benefit, state of the art and reasonably foreseeable misuse.

Important updates was given on cybersecurity side, reinforcing the importance to evaluate the security-related risks that come from connected devices. This attention to cybersecurity is aligned with FDA and other regulatory agency behavior, that in last years have increased the focus on medical device cybersecurity. 

The most important updates on the newly ISO 14971 is the post-market risk management section. Specifically clause 10 of the standard have been renamed Production and post-production activities and it is now more aligned with Clause 8  of ISO 13485. Clause 10 highlights the necessity of an active process for post-market risk management. It establishes a system to collect production and post-production information  and evaluate this information from risk point of view.

 A very interesting document on postmarked risk management is the one published by AAMI .

The updated ISO 14971 along with New ISO 20471 on labelling requirements will become important tools for Medtech companies to foster product safety and regulatory compliance.