It is impossible to deny the importance of the risk management process for a medical device organization, and the recent publication of the updated version of ISO/TR 24971 is a valuable tool for using the risk management process to improve the quality, safety and efficacy of medical devices in the field. We have also discussed risk management requirements for other life science sectors, for example the pharmaceutical sector and the related ICH Q9 guideline.

ISO/TR 24971 is the technical report that provides guidance on the implementation of ISO 14971:2019.

With the publication of the new European Medical Device Regulation 2017/745, the interconnection of the risk management process with the other fundamental processes of the medical device world (clinical evaluation, post-market surveillance, design and development) became more and more evident. A first major revision of the risk management process came in 2019 with the publication of the updated version of ISO 14971, which has now been further supported by the update of the related technical report ISO/TR 24971.

In this article we take a deep dive into ISO/TR 24971, highlighting the most important requirements and the associated methodologies for the implementation of an efficient risk management process, compliant with the most significant quality management system standards and regulations (ISO 13485, 21 CFR 820) and other applicable regulatory requirements (EU MDR 2017/745).

Management Responsibilities

It is once again important to highlight that the primary responsibility for the establishment and maintenance of the risk management process lies with the top management of the organization. The commitment of top management is essential for an efficient risk management process.

Competency of the Personnel

Competency of the personnel involved in risk management activities is subject to specific requirements according to ISO/TR 24971. It is the responsibility of top management to ensure adequate education and training for the personnel involved in these activities.

It is very important to define, for each person involved in risk management activities, the key knowledge and experience necessary to perform the process properly.

Risk Management File

Nobody can deny the importance of risk management in the medical device field. Over the last 10 years the regulations have shifted completely towards a situation where the risk management process is at the core of the quality management system and of the technical documentation for medical devices.

According to ISO/TR 24971, the risk management file is the collection of all records and documentation related to the risk management activities performed during the whole lifecycle of the medical device. It is not necessary for the file to physically contain all the documentation; however, the risk management file shall be organised in such a way that all the related records and documentation can be easily retrieved whenever needed.

It is important to have a risk traceability matrix which connects each identified hazard with the related hazardous situations and risks, the risk control measures implemented to mitigate them, and the verification of implementation and effectiveness of those measures.


Risk Analysis Process according to ISO/TR 24971

The risk analysis process can be summarised as per the scheme below:

[Figure: risk analysis process scheme, ISO/TR 24971]

Consideration on "Reasonably Foreseeable Misuse" according to ISO/TR 24971

The description of the medical device shall contain a section related to the identification of reasonably foreseeable misuse. Misuse is defined as "use of the medical device in a way not intended by the manufacturer, but which can result from readily predictable human behaviour". This can be related to a use error, a specific misuse, or the intentional use of the medical device for other medical purposes, i.e. outside its intended use.

The usability engineering process according to IEC 62366 can highlight the possibility of misusing the device. A misuse could be triggered by different reasons, such as poor risk perception or instructions for use that are not sufficiently clear.

To help manufacturers in the identification of these characteristics, ISO/TR 24971 provides a full list of questions in Annex A. The goal is to support the identification of the characteristics of the device which could have an impact on safety, and which therefore need to be taken into consideration for the identification of hazards and hazardous situations.

The Process of Identification of Hazards and Hazardous Situations according to ISO/TR 24971

The identification of the hazards is the first step for the risk analysis process. The hazard is the potential source of harm and it can be linked to the use of the medical device or to the device itself (design). In general, medical devices only cause harm if a sequence of events occurs that results in a hazardous situation, which then causes or leads to harm. 

Hazardous situations can also arise when no fault is present, or can be intrinsic to the specific therapy delivered by the medical device.

A separate topic is hazardous situations that arise from faults. Different scenarios can be envisioned in this context:

[Figure: fault scenarios leading to hazardous situations, ISO/TR 24971]

The Process of Risk Estimation According to ISO/TR 24971

A discussion of the process of risk analysis and risk estimation has already been published on the 4EasyReg blog.

Each identified risk needs to be estimated, so that the specific risks can be ranked. The risk estimation is performed by evaluating:

  • Probability of occurrence of a harm
  • Severity of that harm.

For the estimation of the probability of occurrence, two different methods can be used: quantitative and qualitative. When sufficient data are available to estimate the probability of occurrence of harm with adequate confidence, a quantitative method should be used. Otherwise, a qualitative method is preferable to a quantitative estimate with a high level of uncertainty.

Particular attention should be paid to situations where the probability of occurrence cannot be estimated. Typical examples are software failures and misuse situations.

When the probability of occurrence of harm cannot be estimated, it is necessary to evaluate the risk on the basis of the severity of harm alone. 

Risk Evaluation

All the identified risks shall be evaluated against the risk acceptability criteria defined by the manufacturer. ISO 14971:2019 does not provide specific levels for risk acceptability; thus the manufacturer bears the responsibility for performing the risk evaluation based on the acceptability criteria defined in the risk management plan.
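As an added illustration of the estimation and evaluation steps described above (and of the traceability matrix mentioned in the Risk Management File section), the following Python script is example code written for this article, not a method from ISO/TR 24971 or a 4EasyReg template. It evaluates a small constructed risk register: probability is taken from quantitative data when available and from a qualitative level otherwise, risks whose probability cannot be estimated are judged on severity alone, and every risk is traced to its controls and their verification records. The level names, the quantitative bands, the acceptability index and the severity-only rule are all hypothetical plan criteria chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Qualitative scales. Names and ranks are constructed for this example;
# a real risk management plan defines its own.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

# Hypothetical quantitative bands: upper bound of events per device-year -> level.
PROB_BANDS = [(1e-6, "improbable"), (1e-4, "remote"), (1e-3, "occasional"), (1e-2, "probable")]

# Hypothetical acceptability criterion: severity rank x probability rank above
# this value is not acceptable.
MAX_ACCEPTABLE_INDEX = 6
# Hypothetical severity-only rule for risks whose probability cannot be estimated.
MAX_SEVERITY_WITHOUT_PROBABILITY = SEVERITY["minor"]


@dataclass
class RiskControl:
    description: str
    verified: bool  # implementation and effectiveness verified and recorded


@dataclass
class Risk:
    risk_id: str
    hazard: str
    hazardous_situation: str
    harm: str
    severity: str
    probability: Optional[str] = None             # qualitative estimate, if any
    rate_per_device_year: Optional[float] = None  # quantitative data, if any
    controls: List[RiskControl] = field(default_factory=list)
    residual_probability: Optional[str] = None    # estimate after controls


def probability_level(rate_per_device_year: float) -> str:
    """Map a measured rate to a qualitative level using the plan's bands."""
    for upper, level in PROB_BANDS:
        if rate_per_device_year < upper:
            return level
    return "frequent"


def estimate_probability(risk: Risk) -> Optional[str]:
    """Quantitative when data exist, qualitative otherwise, None when not estimable."""
    if risk.rate_per_device_year is not None:
        return probability_level(risk.rate_per_device_year)
    return risk.probability


def evaluate(severity: str, probability: Optional[str]) -> str:
    """Compare one risk against the plan's acceptability criteria."""
    s = SEVERITY[severity]
    if probability is None:
        # Probability cannot be estimated (e.g. software failure, misuse):
        # judge on the severity of harm alone, as the hypothetical plan rule prescribes.
        return "acceptable" if s <= MAX_SEVERITY_WITHOUT_PROBABILITY else "not acceptable"
    return "acceptable" if s * PROBABILITY[probability] <= MAX_ACCEPTABLE_INDEX else "not acceptable"


def evaluate_register(register: List[Risk]) -> Dict[str, dict]:
    """Estimate, evaluate and trace every risk; report traceability gaps."""
    results = {}
    for r in register:
        p_initial = estimate_probability(r)
        initial = evaluate(r.severity, p_initial)
        # Residual estimate after controls; severity is assumed unchanged here.
        p_residual = r.residual_probability if r.controls else p_initial
        residual = evaluate(r.severity, p_residual)
        gaps = []
        if initial == "not acceptable" and not r.controls:
            gaps.append("no risk control recorded for a risk that is not acceptable")
        gaps += [f"control not verified: {c.description}" for c in r.controls if not c.verified]
        results[r.risk_id] = {"probability": p_initial, "initial": initial,
                              "residual": residual, "gaps": gaps}
    return results


def unresolved(results: Dict[str, dict]) -> List[str]:
    """Risk ids that still block release: residual not acceptable or a traceability gap."""
    return sorted(k for k, v in results.items() if v["residual"] != "acceptable" or v["gaps"])


# Constructed sample register (not real device data).
SAMPLE_REGISTER = [
    Risk("R1", "electrical energy", "user touches exposed conductor while cleaning",
         "electric shock", "serious", rate_per_device_year=5e-4,
         controls=[RiskControl("double-insulated housing", verified=True)],
         residual_probability="remote"),
    Risk("R2", "software failure", "dose calculation module crashes during therapy",
         "delayed therapy", "critical", probability=None,
         controls=[RiskControl("watchdog forces safe state", verified=False)]),
    Risk("R3", "foreseeable misuse", "electrode reused beyond labelled single use",
         "skin irritation", "minor", probability="remote"),
]

if __name__ == "__main__":
    results = evaluate_register(SAMPLE_REGISTER)
    for rid, res in results.items():
        print(rid, res)
    print("unresolved:", unresolved(results))
```

Risk R2 shows the consequence of the severity-only rule as coded here: a control that only lowers the probability of a harm whose probability cannot be estimated does not change the evaluation, so the risk management plan has to state how such controls are credited (for example by reducing the severity, or by justifying an estimate once the control is in place). R2 is also flagged because its control has no verification record, which is exactly the gap a traceability matrix is meant to expose.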

Strategies for risk controls according to ISO/TR 24971

Different options for risk control and for the reduction of the risk associated with a medical device are available. The order of priority for the implementation of the risk control measures is essential: ISO 14971:2019 requires the manufacturer to consider first an inherently safe design and manufacture, then protective measures in the medical device itself or in the manufacturing process, and only then information for safety (and, where appropriate, training of users). For an overview of the risk control options, refer to the scheme below:

Overall Residual Risks Evaluation

The evaluation of the overall residual risk is an important step of the risk management process. It consists of an overall evaluation of the residual risks, i.e. the risks remaining after the implementation of the risk control measures. It is not possible to perform the overall residual risk evaluation simply by adding up all the individual residual risks. There is no preferred way of evaluating the overall residual risk: the manufacturer is responsible for determining an appropriate method.

ISO/TR 24971 provides different inputs that can be used as a starting point for the evaluation of the overall residual risk, for example:

  • Different sequences of events can lead to different hazardous situations and risks, each contributing to the overall residual risk. 
  • A particular harm can originate from different hazardous situations. 
  • A comprehensive review of all operating instructions for the medical device might reveal that the instructions are inconsistent or too difficult to follow. 
  • etc

Different approaches can be used for the evaluation of the overall residual risk; some examples taken from ISO/TR 24971 are listed below:

  • The benefits related to the intended use of the medical device are weighed against the overall residual risk. 
  • Visual representations of the residual risks can be useful. 
  • Compare the medical device under consideration to similar medical devices available on the market. 
  • Use experts to support the evaluation of the overall residual risk in relation to the benefits expected from using the medical device under consideration. 
