THE RIGHT INSTRUMENTSRisk Management for the Medical Devices Industry

ISO 14971:2007 Medical Devices Risk Management

raising standards worldwideTM

HealthcareHealthcare

2 BSI Product Services Medical Devices Risk Management

RISk MANAGEMENT

The international standard ISO 14971:2007, Medical devices - Application of risk management to medical devices, is designed to help manufacturers introduce reliable medical device products into the market. The manufacturer is responsible for identifying and controlling not only the risks accociated with their medical device, but evaluating interactions with other devices.

ISO 14971:2007 specifies a process through which medical device manufacturers can identify hazards and risks associated with their medical devices and accessories. The requirements of ISO 14971:2007 are applicable to all stages of the lifecycle of a medical device but do not apply to clinical judgments relating to the use of a medical device. ISO 14971:2007 does not specify acceptable risk levels, this is the responsibility of the manufacturer. Using ISO 14971:2007 will allow a manufacturer to:

• Identify the hazards associated with their products

• Estimate and evaluate risks

• Control risks

• Monitor the effectiveness of controls

• Establish a process based approach to managing risk

• Determine acceptable risk levels

• Provide adequate resources and personnel to manage risk

This guide will help manufacturers to implement a process approach to risk management using the ISO 14971:2007 standard.

International Standards Organization (ISO) and British Standards (BS) both created a version of 14971:2007 in the year 2007. The content of both versions are identical. This brochure will simply address both versions as ISO 14971.

RI

Sk

M

an

ag

eM

en

t

RI

Sk

a

SS

eS

SM

en

t

• Option analysis

• Implementation

• Residual risk evaluation

• Risk/benefit analysis

• Intended use/ intended purpose

• Hazard identification

• Risk estimation

RISk analySIS

RISk evaluatIOn

RISk COntROl

RISk ManageMent RePORt

OveRall RISk aCCePtanCe

• Production information and market surveillance

POSt-PRODuCtIOn InFORMatIOn

BSI Product Services Medical Devices Risk Management �

OVERVIEw OF THE RISk MANAGEMENT PROCESS

Risk management starts at product conception, extends through research and development, production, post-market surveillance, and ends with product decommissioning and safe disposal. Despite risk mitigations, there will always be residual risks associated with the use of a medical device - manufacturers must determine the acceptability of that risk level before going to market. Risks are either ‘acceptable’ or ‘unacceptable’ under the new standard. Acknowledgement of residual risk and final determination of disclosure of remaining residual risks is the manufacturer’s responsibility.

Post-production experience can be used to trigger Corrective And Preventive Action (CAPA) in addition to providing valuable information about the accuracy and appropriateness of the past risk management activities. This feedback can be used to enhance future risk management processes.

4 BSI Product Services Medical Devices Risk Management

REqUIREMENTS FOR RISk MANAGEMENT

ISO 14971:2007 GLOSSARy OF TERMS

Risk management is a process that encompasses all the activities of a company, not just the development and manufacturing. when applied to products, the process begins at product conception, extends through research and development, production, post-market surveillance, and ends with product decommissioning and safe disposal.

Risk management is a requirement of ISO 13485:2003:

• The last paragraph of Section 7.1, Planning of product realization requires: “The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained.”

• NOTE 3 of Section 7.1 refers to ISO 14971 directly: “See ISO 14971 for guidance related to risk management.”

• A rationale for NOTE 3 is given in Appendix B of ISO 13485:2003 “Risk management is a key activity that determines the nature and amount of activity in many of the areas addressed by the medical device organization’s quality management system.”

Risk management is a required part of the COUNCIL DIRECTIVE 93/42/EEC of June 14th, 1993 concerning medical devices (commonly known as the Medical Devices Directive). Risk management is referred to in the Directive, or MDD sections listed below:

• within 3 of the “recitals” (the preamble where every section begins with “whereas”)

• Annex I Essential Requirements: ER 1, ER 2

• Annex II EC Declaration of Conformity: Section 3.2

Harm:Physical injury or damage to the health of people, or damage to property or the environment

Hazard:Potential source of harm

Severity:Measure of the possible consequences of a hazard

Risk:Combination of the probability of occurrence of harm and the severity of that harm

Residual risk:Risk remaining after risk control measures have been taken

Risk analysis: Systematic use of available information to identify hazards and to estimate risk

Safety:Freedom from unacceptable risk

Risk management:Systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling and monitoring risk

life cycle:All phases in the life of a medical device, from initial concept to final decommissioning and disposal

BSI Product Services Medical Devices Risk Management �

THE wORLDwIDE LEADER IN MEDICAL DEVICES qUALITy

BSI Product Services-Healthcare contributes to our clients’ success in the global medical device industry by accelerating access to international markets. As a world class Notified Body, BSI provides rigorous quality system reviews and product certification, delivering confidence to regulators, manufacturers and consumers.

Our responsive team includes product specialists, engineers, microbiologists and regulatory affairs experts, enabling us to speak your language all over the world. with operations in over 100 countries and over 100 years of experience, BSI is a respected partner that understands your challenges, offers flexible solutions and earns your trust.

BSI ISO 14971:2007 CERTIFICATION PROGRAM

ISO 14971:2007 is recognized as an International state-of-the-art standard for risk management in the life-cycle of medical devices. while medical devices are never without some level of risk, this BSI Certification Program helps to ensure that medical manufacturers minimize risks so product benefits clearly outweigh risks.

Certification Benefits include:

• First Certification Program developed to ISO 14971:2007 standard

• Provides independent 3rd party validation and objective evidence of compliance

• Suppliers can gain a competitive advantage which is recognized by manufacturers and regulatory authorities

• Demonstrates that risk process conforms to ISO 13485:2003 and IEC 60601-1 for electromedical devices

• Increase speed-to-market with the establishment of robust risk management processes for new product development

RISk ANALySIS TECHNIqUES APPLICABLE TO MEDICAL DEVICES

ISO 14971:2007 describes techniques for Risk Analysis in Annex G. These techniques include: Preliminary Hazard Analysis (PHA), Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), Hazard and Operability study (HAZOP), and Hazard Analysis and Critical Control Point (HACCP).

Fault tree analysis

FTA is a top-down, deductive process starting from an undesired condition called the TOP event (such as death or injury to the patient, caregiver or personnel responsible for manufacturing, disposing of or decommissioning the device). Possible fault modes that could cause these higher level, undesired conditions are identified at the next lower functional level. This process is repeated in ever finer detail until component or module level is reached. The results are represented pictorially in the form of a tree of fault modes. At each level in the tree, combinations of fault modes are combined using logical operators (such as AND and OR).

Failure mode and effects analysis

FMEA is a bottom-up, inductive process in which the effects, at the next highest level, of a component failure are systematically evaluated. FMEA attempts to answer the question, “what happens to the output if component ‘X’ fails in a given way?”

Failure Modes, Effects and Criticality Analysis (FMECA) is an enhancement of the FMEA methodology in which a criticality analysis is performed. Criticality analysis involves assigning a probability to each failure mode and a severity to each failure effect.

Risk analysis efficiency tips:

• Use FTA to guide FMECA/FMEA

• Use FTA from the TOP down to identify critical modules

• Use FMEA from the BOTTOM up on the critical modules

� BSI Product Services Medical Devices Risk Management� BSI Product Services Medical Devices Risk Management

5. Determined level of risk and action

The manufacturer must determine what action to take and when to take it. This action and the level of risk must be defined. we check that methods for considering the severity, occurrence, and/or detection (if appropriate) is being implemented.

BSI also looks to see if an RPN number is being calculated for each risk item. Action on a defined RPN is very subjective. To implement “best practice”, we recommend taking action on your company’s highest RPN risk items. The RPN should then be recalculated allowing for further assessment of appropriate action.

6. Reduction of risk

The manufacturer must recalculate the RPN or risk after action has been taken to show risk reduction. This is the main purpose of risk analysis pertaining to the design clause. Risk analysis should be applied to several other areas outside of the design process.

7. Risk assessment application

Risk assessment should be used in determining:

• which complaints or non-conformities to address within the CAPA system (ISO 13485 Sections 8.5.2 & 8.5.3)

• If the controls of subcontractors are adequate for the risks that may be encountered (ISO 13485 Section 7.4.1)

• The disposition of non-conforming material — used to determine the risks if product is reworked, used as is, or is scrapped

1. Documented requirements for risk analysis

Product realization encompasses much more than just the design of the process (e.g. purchasing, production, etc). If risk analysis is required throughout product realization, the manufacturer must do more than just risk analysis on the product design.

If the manufacturer claims compliance to ISO 14971:2007, they are subject to being audited to this standard and documentation must be provided.

2. Outputs of risk management

The manufacturer is required to include the outputs of risk management as design and development inputs. This is a requirement of ISO 13485:2003 (Section 7.3.2.e).

3. Risk consideration

The manufacturer must consider any and all risks associated with their medical device, including, but not limited to the:

• Patient• Caregivers• Environment• Design of product• Manufacturing & delivery process

4. Appropriate action

Appropriate actions must be taken on all high risk items. we look to see if error-proofing methods have been employed and that all actions are appropriate to the risks encountered.

THE 7 kEyS TO SUCCESSwhat we look for when assessing risk management...

BSI Product Services Medical Devices Risk Management 7BSI Product Services Medical Devices Risk Management 7

TRAINING

we offer a comprehensive program of training courses for ISO 14971:2007, ISO 13485:2003, CE Marking and much more.

understanding ISO 14971:2007 This course is designed to provide participants with a greater knowledge of ISO 14971:2007. Professionals gain an understanding of how ISO 14971:2007 can improve their business and risk management efforts and will also understand how ISO 14971:2007 applies to ISO 13485:2003.

Implementing 1�48�:200� This course introduces the concepts needed to understand, develop, and implement a quality management system as outlined in the medical devices standard ISO 13485:2003. This course also discusses the use of ISO 14971:2007, which contains key principles and guidance for risk management.

understanding ISO 1�48�:200� An ideal introduction to the ISO 13485:2003 including the proposed revisions to the standard.

ISO 1�48�:200� Internal auditor Provides the knowledge and skills required to conduct ISO 13485:2003 quality Management Systems Internal Audits.

ISO 9001:2000 lead auditor Course with emphasis on ISO 1�48�:200� This course begins with a review of ISO 13485:2003 and continues to teach the principles of process auditing in accordance with quality management system standards and ISO 19011:2002. In addition, the concepts of risk management are introduced.

Medical Devices Ce Marking Through our CE Marking course students will gain knowledge of the Medical Device Directive and CE Marking approach to provide leadership for their organizations when placing medical devices on the market in the European Union.

wEBINARS

BSI also offers a selection of webinars – interactive online presentations that allow participants to hear the instructor through a telephone conference call while following the presentation element via a webpage. The following are some of the offered classes in our webinar suite:

• Overview of ISO 14971:2007

• Overview of CE Marking

• Overview of ISO 13485:2003

• Overview of CMDR and CMDCAS

• Recorded webinar: Japan - New Regulations for Medical Devices Manufacturers

Visit our medical devices public training pages for more details on who should attend, the benefits of each course, and course dates and locations at: www.bsiamericas.com/Medtraining

BSI

/USA

/78

/MS/

07

07

/E

BSI Group: Standards • CE Marking • Training • Inspection • Testing • Assessment • Certification

BSI Management Systems12110 Sunset Hills Road, Suite 200Reston, VA 20190-5902USATel: 1 800 862 4977Fax: 1 703 437 9001Email: inquiry.msamericas@bsi-global.com www.bsiamericas.com

BSI Management Systems Canada6205 Airport Road, Suite 102Mississauga, ONL4V 1E1CanadaTel: 1 800 862 6752Fax: 416 620 9911Email: inquiry.canada@bsi-global.com www.bsiamericas.com

BSI Management Systems - BrazilAvenida Eng Luis BerriniN.° 1400 – 1° Andar – CEP: 04571-000Brookline, Sao PauloSPBrasilTel: +55 13 3223 5770Fax: +55 13 3223 3851Email: informacao.msamericas@bsi-global.comwww.bsibrasil.com.br

BSI Management Systems - MéxicoTorre MayorAv. Paseo de la Reforma No. 505Piso 41 -Suite C-Col. Cuauhtemoc, C.P. 06500México, D.F.MéxicoTel: +52 55 5241 1370Fax: +52 55 5241 1374 Email: informacion.msamericas@bsi-global.comwww.bsiamericas.com/Mexico

The BSI certification mark can be used on your stationery, literature and vehicles when you have successfully achieved certification.