ISO 14971 Certification

Overview of ISO 14971 Certification

ISO 14971 is a recognised risk management standard for all types of medical devices, including software as a medical device & in vitro diagnostic medical devices. It contains a structured framework for manufacturers within which experience, insight & judgement are applied to manage the risks associated with the use of the medical devices. It is an established principle of risk management and is also used as guidance in developing and maintaining a risk management process for products other than medical devices in some jurisdictions and for the suppliers and other parties involved in the life cycle of a medical device.

It deals with processes for managing risks associated with medical devices. Risks are related to injury, not only to the patient but to the user and other persons. Risks are also related to damage to property such as objects, data, other equipment or the environment. Risk management is important in relation to medical devices because of various stakeholders, including the medical practitioners, organisations providing health care, governments, industry, patients and members of the public. The concept of risks has the following two components:

• The probability of occurrence of harm
• The consequences of harm

It is well known that there is an inherent degree of risk involved with the use of medical devices even after the risks have been reduced to an acceptable level. In the context of a clinical procedure, some residual risks remain. This ISO standard requires manufacturers to establish objective criteria for risk acceptability but does not specify acceptable risk levels. Risk Management is an integral part of a quality management system; however, this ISO does not require the manufacturer to have a quality management system in place.

The ISO 14971 does not apply to the followings:

• Decisions on the use of a medical device in the context of any particular clinical procedure
• Business risk management

The recent version of ISO 14971 was released in December 2019, and it has replaced the previous versions of the standard, i.e., ISO 14971:2007 and EN ISO 14971:2012. This new version of Medical Device Risk Management requires top management involvement, and so the organisation must establish a Risk Management Policy.

And the purpose of this ISO 14971 is to help medical device manufacturers ste up risk management that such manufacturers can use, as follows:

• Identify the hazard
• Estimate and Evaluate risks
• Develop, implement and monitor the Risk effectiveness
• Control Measures.

ISO 24971 provides guidance on developing, implementing and maintaining a risk management system for all medical devices according to ISO 14971:2019. It describes approaches manufacturers can use to develop, implement and maintain a risk management process conforming to ISO 14971:2019.

Benefits of ISO 14971 Certification

Following are the benefits of obtaining ISO 14971 Certification:

• The positive impact or desired outcome of using a medical device on an individual's health or a positive impact on public health or patient management.
• The positive impact of clinical outcome, the quality of patient's life, outcomes related to diagnosis, positive impact from diagnostic devices on the clinical outcomes or positive impact on the public health.
• It proves internationally recognised methods to reduce the risk for all the stakeholders.
• It supports ensuring that the medical device is complaints with European Union (EU) Regulations.
• It assists in bringing a medical device to the global market efficiently and safely.
• Implement ideal methods for reducing risk
• Develop effective devices and therapies within the industry
• Optimising the speed of iteration

General Requirements of ISO 14971 Certification

Following is the General Requirements under the Risk Management System and for obtaining the Certification of ISO 14971:

Risk Management Process:

The manufacturer must establish, implement, Document and maintain the ongoing process in the organisation for the followings:

• Identifying the hazard and the hazardous situation related to the medical device
• Estimating and evaluating the related risks
• Controlling such risks
• Monitoring the effectiveness of risk control measures

And this whole process includes the following elements:

Risk Analysis

• Intended use and reasonably foreseeable misuse
• Identification of characteristics related to safety
• Identification of hazards and hazardous situations
• Risk estimation

• Risk Evaluation
• Risk Controls

• Risk control option analysis
• Implementation of risk control measures
• Residual risk evaluation
• Benefits risk analysis
• Risks arising from risk control measures
• Completeness of risk control

• Evaluation of Overall Residual Risk
• Risk Management Review
• Production and Post-Production Activities

• General
• Information collection
• Information review
• Actions
• Management Responsibilities

The top management of an organisation provides evidence of its commitment to the risk management process by ensuring the following:

• Provision of adequate resources
• Assignment of a competent personnel for the risk management

It defines and Documents a policy for establishing criteria for risk acceptability. The policy provides a framework to ensure that criteria are based upon applicable national or regional regulations and International Standards. The management reviews the suitability of the whole risk management process at intervals to ensure the effectiveness of the risk management process and then Documents any decision and action taken.

The manufacturer's policy in establishing the criteria for risk acceptability defines the approaches to risk control:

• Reducing risk as low as reasonably practicable
• Reducing risk as low as reasonably achievable
• Reducing risk as far as possible without negatively affecting the benefit-risk ratio.

The result of reviewing production and post-production information is an input to review the suitability of the risk management process. Documents may be incorporated within necessary papers produced for the quality management system. Compliance is checked by conducting an inspection of the appropriate Documents.

Competence of Personnel

Those who are performing risk management tasks must be competent based on education, training, skills and appropriate experience in the tasks assigned to them. Such a person must have the knowledge and experience related to a particular medical device (or any similar medical device) and its use, technology involved or risk management techniques employed. Records must be maintained. Representatives of several functions perform the risk management task, each contributing their special knowledge. Compliance is checked by inspection of all the records.

Risk Management Plan

Risk management includes planned activities. For any particular medical device being considered manufacturer must establish and Document a risk management plan in accordance with the risk management process. The risk management plan must be part of the risk management files. The Risk Management Plan must include the following:

• Scope of planned risk management activities, identifying and describing the medical device and life cycle phases for which each element of the plan is applicable.
• Assignment of responsibilities and authorities.
• Requirements for review of risk management activities.
• Criteria of risk acceptability on the basis of the manufacturer's policy for determining acceptable risk, including the criteria for accepting the risk when the probability of occurrence of harm is not estimated.

Criteria for risk accessibility are important for the ultimate effectiveness of the risk management process. For each risk management plan, the manufacturer requires to establish risk acceptability criteria that are appropriate for the particular medical device.

• A methodology to evaluate the overall residual risk and also criteria for the acceptability of overall residual risk based on the manufacturer's policy to determine the acceptable risk.

Methodology to evaluate overall residual risk is indulged in gathering and reviewing data and literature for the medical device being considered and any similar device on the market and involves judgement by a cross-functional team of experts with application knowledge and clinical expertise.

• Activities for verification of the effectiveness and implementation of risk control measures.
• Activities that are related to the collection and review of relevant production and post-production information.

If the risk management plan changes during the medical device's life cycle, then a record of such changes shall be maintained in the risk management file. Compliances are checked by way of inspection of the risk management file.

Risk Management File

The manufacturer establishes and maintains the risk management file for a particular medical device being considered. The risk management file must provide traceability for each identified hazard to the followings:

• Risk analysis
• Risk evaluation
• Implementation and verification of risk control measures
• Result of evaluation of residual risks

Records and other Documents that are part of the risk management file form part of other Documents and files required, such as the manufacturer's quality management system. The risk management file needs to contain at least the references or pointers to all required paper works so that the manufacturer will be able to assemble information referenced in the risk management file in a timely manner.

Procedure to obtain ISO 14971 Certification

There are 4 essential steps to be followed while obtaining ISO 14971 Certification:

Optional Preliminary Audit

A voluntary Site inspection is conducted, and quality management Documents are reviewed, assessing the organisation's readiness for scale I and II Auditing Phase.

Audit: Stage I

Assessment of the eligibility for Certification is understood as well as determined by results of on-site Auditing, business assessment and risk management (maybe, quality management also) necessary papers analysis.

Audit: Stage II

On-site evaluation of the Risk Management System for excellence in areas where practice & efficiency are applied.

Certification

An official confirmation certifies the risk management system's integrity and compliance with the Indian Standards.