1. law, govt and politics
2. legal issues
3. human rights

Risk Management and EN ISO 14971, what Medical
Device Manufacturers need to know about European
Expectations for Risk Management
Suzanne Halliday
Copyright © 2013 BSI. All rights reserved.
This Presentation
1. ISO 14971:2007
2. Risk Management – European Requirements
3. EN ISO 14971:2012 – Content Deviations
4. BSI Audits
Copyright © 2012 BSI. All rights reserved.
2
ISO 14971:2007
Copyright © 2012 BSI. All rights reserved.
3
Risk
•
Combination of the probability of occurrence of harm and the
severity of that harm
Asteroid hitting the earth
Probability = low
Severity = high
Overall risk?
Copyright © 2012 BSI. All rights reserved.
Epilation due to adhesive
bandage removal
Probability = high
Severity = low
Overall risk?
4
Risk Management
•
Systematic application of management policies, procedures and
practices to the tasks of analysing, evaluating, controlling and
monitoring risk
Update
Analyse
Risk
Benefit
Analysis
Evaluate
Control
Copyright © 2012 BSI. All rights reserved.
5
ISO 14971 – Main body (Clauses 1-3)
1
2
3
Scope
Terms and definitions
General requirements for risk management
3.1 Risk management process
Copyright © 2012 BSI. All rights reserved.
6
ISO 14971 – Main body (Clauses 1-3)
1
2
3
Scope
Terms and definitions
General requirements for risk management
3.1 Risk management process
3.2 Management responsibilities
Copyright © 2012 BSI. All rights reserved.
7
ISO 14971 – Main body (Clauses 1-3)
1
2
3
Scope
Terms and definitions
General requirements for risk management
3.1 Risk management process
3.2 Management responsibilities
3.3 Qualification of personnel
Copyright © 2012 BSI. All rights reserved.
8
ISO 14971 – Main body (Clauses 1-3)
1
2
3
Scope
Terms and definitions
General requirements for risk management
3.1 Risk management process
3.2 Management responsibilities
3.3 Qualification of personnel
3.4 Risk management plan
Copyright © 2012 BSI. All rights reserved.
9
ISO 14971 – Main body (Clauses 1-3)
1
2
3
Scope
Terms and definitions
General requirements for risk management
3.1 Risk management process
3.2 Management responsibilities
3.3 Qualification of personnel
3.4 Risk management plan
3.5 Risk management file
Copyright © 2012 BSI. All rights reserved.
10
ISO 14971 – Main body (Clauses 4-9)
Clause 4: Risk
analysis
Clause 9: Postproduction information
Clause 5: Risk
evaluation
Clause 8: Risk
management
report
Clause 6: Risk
control
Clause 7:
Residual risk
evaluation
Copyright © 2012 BSI. All rights reserved.
11
ISO 14971 – Overview of Annexes
Annex A
(informative) Rationale for requirements
Copyright © 2012 BSI. All rights reserved.
12
ISO 14971 – Overview of Annexes
Annex A
Annex B
(informative) Rationale for requirements
(informative) Overview of the risk management process for
medical devices
Copyright © 2012 BSI. All rights reserved.
13
ISO 14971 – Overview of Annexes
Annex A
Annex B
Annex C
(informative) Rationale for requirements
(informative) Overview of the risk management process for
medical devices
(informative) Questions that can be used to identify medical
device characteristics that could impact on safety
Copyright © 2012 BSI. All rights reserved.
14
ISO 14971 – Overview of Annexes
Annex A
Annex B
Annex C
Annex D
(informative) Rationale for requirements
(informative) Overview of the risk management process for
medical devices
(informative) Questions that can be used to identify medical
device characteristics that could impact on safety
(informative) Risk concepts applied to medical devices
benefit estimation
risk control qualitative analysis
“as low as reasonably practicable”
...
probability
Copyright © 2012 BSI. All rights reserved.
15
ISO 14971 – Overview of Annexes
Annex A
Annex B
Annex C
Annex D
Annex E
(informative) Rationale for requirements
(informative) Overview of the risk management process for
medical devices
(informative) Questions that can be used to identify medical
device characteristics that could impact on safety
(informative) Risk concepts applied to medical devices
(informative) Examples of hazards, foreseeable sequences of
events and hazardous situations
Copyright © 2012 BSI. All rights reserved.
16
ISO 14971 – Overview of Annexes
Annex F
(informative) Risk management plan
Copyright © 2012 BSI. All rights reserved.
17
ISO 14971 – Overview of Annexes
Annex F
Annex G
(informative) Risk management plan
(informative) Information on risk management techniques
PHA
FTA
FMEA
HACCP HAZOP
Copyright © 2012 BSI. All rights reserved.
18
ISO 14971 – Overview of Annexes
Annex F
Annex G
Annex H
(informative) Risk management plan
(informative) Information on risk management techniques
(informative) Guidance on risk management for in vitro
diagnostic medical devices
Copyright © 2012 BSI. All rights reserved.
19
ISO 14971 – Overview of Annexes
Annex F
Annex G
Annex H
Annex I
(informative) Risk management plan
(informative) Information on risk management techniques
(informative) Guidance on risk management for in vitro
diagnostic medical devices
(informative) Guidance on risk analysis process for biological
hazards
Copyright © 2012 BSI. All rights reserved.
20
ISO 14971 – Overview of Annexes
Annex F
Annex G
Annex H
Annex I
Annex J
(informative) Risk management plan
(informative) Information on risk management techniques
(informative) Guidance on risk management for in vitro
diagnostic medical devices
(informative) Guidance on risk analysis process for biological
hazards
(informative) Information for safety and information about
residual risk
Copyright © 2012 BSI. All rights reserved.
21
Risk Management
– European Requirements
Copyright © 2012 BSI. All rights reserved.
22
Medical Devices – European Regulatory Requirements


Benefits
Risks
Risks
Benefits
Copyright © 2012 BSI. All rights reserved.
23
The Medical Device Directives – Where is ‘Risk’?
MDD
93/42/EEC
“Risk”
Essential Requirements:
1
2
6
7.2, 7.4, 7.5, 7.6
8.1, 8.6
9.2, 9.3
11.2, 11.4
12.1, 12.5, 12.6, 12.7
13.5, 13.6
41
Copyright © 2012 BSI. All rights reserved.
AIMDD
90/385/EEC
Essential Requirements:
1
5
8
9
10
11
15
18
IVDD
98/79/EC
Essential Requirements:
A–1
2
B – 1.2
2.1, 2.2, 2.5, 2.7
3.2, 3.3, 3.4
5.3
6.2, 6.3, 6.4
7.1
8.6, 8.7
24
24
EN ISO 14971:2012
• European harmonised standard for Risk Management
• Allows the presumption of conformity to MDD, AIMD, and IVD
• Published July 2012 & harmonised as of 30 August 2012.
Copyright © 2012 BSI. All rights reserved.
25
Copyright © 2012 BSI. All rights reserved.
• The previous
version of the
European
Harmonised
Standard
• Obsolete as of
30 August
2012
EN ISO 14971:2012
• The current
International
Standard
EN ISO 14971:2009
ISO 14971:2007
What is the difference?
• Changes within
Foreword &
Annex Zs only
• No change to
requirements
(Normative
Text)
• i.e. clauses or
requirements of
the standard
are exactly the
same
26
Why was EN ISO 14971:2012 created?
• A solution to formal objections raised by Swedish Competent
Authority & European Commission on the harmonised status of a
number of European Standards
• Revision of Annex Z’s was made to provide greater clarity on
applicability & alignment of ISO 14971 clauses with requirements of
AIMDD, MDD & IVDD
Copyright © 2012 BSI. All rights reserved.
27
Example – EN ISO 14971:2012 Annex ZA (MDD)
• “Explains to which requirements, under which conditions and to what extent
presumption of conformity can be claimed.”
Copyright © 2012 BSI. All rights reserved.
28
EN ISO 14971:2012
– Content Deviations
Copyright © 2012 BSI. All rights reserved.
29
EN ISO 14971:2012 – Content Deviations
Essential Requirements (ERs) Impacted
Deviation
MDD
AIMDD
IVDD
1 – Treatment of negligible risks
1, 2, 6, 7.1
1, 5, 9
A.1, A.2, B.1.1
2 – Discretionary power of mfr as to acceptability of
risks
1, 2, 6, 7.1
1, 5, 9
A.1, A.2, B.1.1
3 – Risk reduction “as far as possible” vs. “as low as
reasonably practicable”
1, 2, 6, 7.1
1, 5, 6, 9
A.1, A.2, B.1.1
4 – Discretion as to whether a risk-benefit analysis
needs to take place
1, 6, 7.1
5&9
A.1 & B.1.1
5 – Discretion as to the risk control options / measures
2 & 7.1
-
A.2 & B.1.1
6 – Deviation as to the first risk control option
2 & 7.1
-
A.2 & B.1.1
7 – Information of the users influencing the residual risk
2 & 7.1
-
A.2 & B.1.1
Copyright © 2012 BSI. All rights reserved.
30
Deviation No. 1
MDD
(AIMD)
IVD
‘...all risks, regardless of their
dimension, need to be reduced
as much as possible (and need
to be balanced, together with
all other risks, against the
benefit of the device).’
‘D.8.2 ...the
manufacturer may
discard negligible risks.’
ISO 14971
Copyright © 2012 BSI. All rights reserved.
31
Deviation No. 3
‘....risks to be reduced "as far
as possible" without there
being room for economic
considerations.’
MDD
AIMD
IVD
‘3.4 & D.8 …contains
the concept of
reducing risks "as low
as reasonably
practicable.”
ISO 14971
The ALARP concept
contains an element of
economic
consideration.’
Copyright © 2012 BSI. All rights reserved.
32
Have all risks been reduced as far as possible?
Extent of damage
10
9
8
7
Probability of occurrence
6
5
4
3
There must another step – ALARP
concept cannot be applied in
isolation, risks must be reduced as
far as possible
Copyright © 2012 BSI. All rights reserved.
2
1
1
2
3
4
5
6
7
8
9
10
33
Have all risks been reduced as far as possible?
There must another step – ALARP &
Broadly Acceptable do not meet the
requirements of the Directives.
Copyright © 2012 BSI. All rights reserved.
34
Deviation No. 2
MDD
(AIMD)
IVD
‘....all risks have to be reduced
as far as possible (and that all
risks combined, regardless of
any "acceptability" assessment,
need to be balanced, together
with all other risks, against the
benefit of the device).’
‘5, 6.4, 6.5 & 7
...manufacturers have
the freedom to decide
upon the threshold for
risk acceptability.’
‘D.6.1 …only nonacceptable risks have
to be integrated into
the overall risk-benefit
analysis.’
ISO 14971
Copyright © 2012 BSI. All rights reserved.
35
Deviation No. 4
MDD
AIMD
(IVD)
‘....an overall risk-benefit analysis
must take place in any case,
regardless of the application of
criteria established in the
management plan of the
manufacturer....(and requires
undesirable side effects to "constitute
an acceptable risk when weighed
against the performance intended“).’
‘6.5 ...an overall riskbenefit analysis does not
need to take place if the
overall residual risk is
judged acceptable when
using the criteria
established in the risk
management plan.
ISO 14971
D.6.1 "A risk/benefit
analysis is not required by
this International Standard
for every risk.“’
Copyright © 2012 BSI. All rights reserved.
36
Has a risk benefit analysis been conducted for all risks?
Frequent
Probable
Occasional
2
6
Conduct Risk v Benefit
4
Acceptable
3
Remote
Consider Risk v Benefit
3
Improbable
2
There must be a risk benefit
analysis for all risks and an
overall risk benefit analysis
Copyright © 2012 BSI. All rights reserved.
37
Deviation No. 5
‘....”to select the most appropriate
solutions”.....by applying cumulatively
what has been called "control
options” or "control mechanisms" in
the standard.’
MDD
IVD
‘6.2 ...obliges the
manufacturer to "use one
or more of the following
risk control options in the
priority order listed.’
‘6.4 …indicates that further
risk control measures do
not need to be taken if,
after applying one of the
options, the risk is judged
acceptable according to the
criteria of the risk
management plan.’
ISO 14971
Copyright © 2012 BSI. All rights reserved.
38
Deviation No. 6
‘..."eliminate or reduce risks as
far as possible (inherently safe
design and construction)".’
MDD
IVD
‘6.2.... obliges the
manufacturer to "use
one or more of the
following risk control
options in the priority
order listed: (a)
inherent safety by
design (b) protective
measures (c)
information …" without
determining what is
meant by this term.’
ISO 14971
Copyright © 2012 BSI. All rights reserved.
39
Have risks been designed out if possible?
Part
Number
7
5
35
IFU instructs
not to cut
mesh and
not to place
sutures
closer than
5mm to edge
Updated
Rating
RPN
Revision
Risk
Reduction
Action
PRO
Failed
repair
Initial
Rating
SEV
Design of mesh
/ cutting edge
System
Effect
RPN
Suture pulls
out on the
edge
Local
Effect
PRO
Cause of Failure
SEV
Mesh
Failure
Mode
7
3
21
Risks must be designed out if possible. All risk control options must be
applied until risks have been reduced as much as possible and any
additional control option(s) do not improve the safety
Copyright © 2012 BSI. All rights reserved.
40
Deviation No. 7
‘....users shall be informed
about the residual risks. This
indicates that....the information
given to the users does not
reduce the (residual) risk any
further.’
MDD
IVD
‘2.15 & 6.4 …residual
risk is defined as the
risk remaining after
application of risk
control measures.’
‘6.2 …regards
"information for safety"
to be a control option.’
ISO 14971
Copyright © 2012 BSI. All rights reserved.
41
Have residual risks been incorrectly reduced?
Device
IFU warning
RPN
12
PRO
3
Updated
Rating
SEV
4
Risk Control
RPN
Death
Initial Rating
PRO
Emboli
Effect
SEV
Implant
Failure Mode
4
1
4
A warning does not reduce
the probability of occurrence
of an emboli.
Copyright © 2012 BSI. All rights reserved.
42
BSI Audits
Copyright © 2012 BSI. All rights reserved.
43
Conformity Assessment
Quality
System
External
Resource
n=70 Americas
n=50 EMEA
n=40 AsiaPacific
Microbiologist
n=20
Copyright © 2012 BSI. All rights reserved.
Technical
Specialist
n=80
44
BSI Audit – Key Questions
• Are you aware of EN ISO 14971:2012?
How are you ensuring you meet the
directive requirements?
• Have you reviewed your existing Risk
Management files, if needed?
Is there a plan in place to do so?
Copyright © 2012 BSI. All rights reserved.
45
BSI Audit – Key Questions
• Have all risks been reduced as far as
possible?
• Has a risk benefit analysis been conducted
for all risks?
• Have all risks been designed out if
possible?
• Have risks been incorrectly reduced by
warnings placed on IFUs or provided in
training?
Copyright © 2012 BSI. All rights reserved.
46
Questions?
Copyright © 2012 BSI. All rights reserved.
47