    FDA QMSR and ISO 14971: What you need to know

    Don't believe everything you read about ISO 14971!

    The FDA's 'Medical Devices; Quality System Regulation Amendments' website explicitly states: All sections of ISO 13485 apply to device manufacturers.  While there is much mention of 'incorporating by reference' and many misguided interpretations of that phrase, don't let anyone mislead you. To reiterate, the FDA's website explicitly states that all sections of ISO 13485 apply to device manufacturers.

    What then of ISO 14971, Medical devices - Application of risk management to medical devices, which is mentioned in a note to Clause 7.1 of ISO 13485? The note states: 'Further information can be found in ISO 14971.'  To use an old-fashioned expression, that's as clear as mud! Does it apply or does it not?

    Let's unpick this confusing situation.

    Treat all commentary on ISO 14971 with care

    ISO 13485 requires that a risk-based approach be adopted for all processes of a quality management system. In addition to this general requirement, there are two Clauses of the Standard where 'full-blown' risk management is required: Clause 7.1, Planning for Product Realization, and Clause 7.3.3, Design and Development Inputs.

    The wording of Clause 7.1 of ISO 13485 is open to interpretation. The first two sentences read: 

    The organization shall plan and develop the processes needed for product realization. Planning of product realization shall be consistent with the requirements of the other processes of the quality management system. 
    The organization shall document one or more processes for risk management in product realization.
    Records of risk management activities shall be maintained (see 4.2.5). 

    Certification Body Auditors seek risk assessment and risk treatment records for operational processes as evidence of compliance here. They also ensure that threats to patient and end-user safety arising from operational processes are identified.

    The note regarding ISO 14971 is included in this Clause.

    The wording of Clause 7.3.3 begins:

    Inputs relating to product requirements shall be determined and records maintained (see 4.2.5). These inputs shall include:
    1. functional, performance, usability and safety requirements, according to the intended use;
    2. applicable regulatory requirements and standards;
    3. applicable output(s) of risk management;
    4. etc.

    In this Clause,  there is no mention of ISO 14971.

    Conclusion:  Formal risk management is required by two clauses of ISO 13485, namely, Clause 7.1 and 7.3.3.

    ISO 14971 is NOT mandatory

    While ISO 14971 was developed specifically to provide guidance for the application of risk management methods to the manufacture of medical devices, its use when implementing a quality management system to comply with ISO 13485 requirements is not mandatory. You may choose to use it or not.

    And unless and until a regulatory body says otherwise, that will remain the situation worldwide regarding the use of ISO 14971.

    Don't mention ISO 14971 in your documentation unless you mean to implement it

    This may seem a trite and obvious statement. However, you would be surprised at how many times ISO 14971 is mentioned in Quality Manuals submitted (as is mandatory when seeking ISO 13485 certification) and then ignored or only partially implemented.

    If you reference ISO 14971 in your Quality Manual,  your Certification Body will audit you against its requirements. ISO 14971 requires that risk management methods be applied to the entire product life cycle, from initial concept through manufacture,  use, and end-of-life disposal. The use of a single risk management tool is insufficient to meet the requirements.

    Using FMEA alone is a lazy choice and is no longer acceptable

    Historically, ISO 14971 has been frequently misapplied. If your ISO 13485 QMS Manual claims to use ISO 14971, it is essential to use it properly.

    As the publication of ISO 14971:2019 and the associated Technical Report (a guide),  ISO 24971:2020,  attests, some bastardized versions of FMEA alone will no longer be accepted. External Auditors will want to see that both standards have been adequately applied to the entire product lifecycle.

    Risk Management Courses offer assessment tools and techniques, as well as unique insights into the practical application of risk management. However, the variety, complexity, and wide range of applicability of these tools can be confusing, especially for those new to risk management.

    Too often, those responsible for overseeing an organization's risk planning, monitoring, and response limit themselves to using basic Failure Modes and Effects Analysis (FMEA) or even a denatured version of FMEA. This is an error and does not comply with ISO 14971. External Auditors expect, as a minimum, that two or more risk management tools be used.

    How to Avoid Making Common Mistakes When Using ISO 14971

    As emphasized in our ISO 14971 courses ...

    1. DO NOT use FMEA alone: A single FMEA, usually a process FMEA, is typically used. This is unacceptable as the Standard requires risk management throughout the product lifecycle, from initial product concept to end-of-life disposal.
    2. DO NOT use a pFMEA focused on component failure alone: This completely misses the point of Clause 7.1 of ISO 13485, where it is the threat to patient/user safety in regular use and possible misuse of the product that is the primary concern.
    3. DO NOT neglect to maintain a Risk Management File (RMF). This file is required in addition to the requirements of Clauses 4.2.3 and 7.3.10 of ISO 13485.
    4. DO NOT forget to make periodic or adverse event-driven updates of Risk Management Tools/Methods: Risk management throughout the lifecycle of the product/device is required.
    5. DO NOT forget to keep a history of updates in the RMF: The reasons why updates were made to risk management records should be documented or referenced in the RMF.
    6. DO NOT be complacent about gathering Post-Market Surveillance data, and make sure to update Risk Management records accordingly (in addition to other actions that may be required). 

    When to Apply Risk Assessment Tools in the Product Lifecycle

    It is not immediately apparent to the reader of ISO 14971 where each tool should be applied in a product's lifecycle. The table below maps each tool against the lifecycle stage at which it is typically used.

    Risk Assessment Tools in the Product Life Cycle

    | Tools and Techniques | Life Cycle Stage: Design and Development | Life Cycle Stage: Production | Life Cycle Stage: Operation and Use | Comment |
    |---|---|---|---|---|
    | Preliminary Hazard Analysis (PHA) | X | | | It is most commonly carried out early in a project's development when there is little information on design details or operating procedures, and it can often be a precursor to further studies. It can be helpful when analyzing existing systems or prioritizing hazards, especially when circumstances prevent the use of a more extensive technique. |
    | Hazard and Operability Studies (HAZOP) | | X | | While HAZOP studies in the chemical industry focus on deviations from design intent, there are alternative applications for a medical device developer. A HAZOP can be applied to: the operation/function of the medical device (e.g., to the existing methods/processes used for the diagnosis, treatment, or alleviation of disease as the "design intent"), or a process used in the manufacture, maintenance/service of the medical device (e.g., sterilization) that can significantly impact the medical device's function. |
    | Hazard Analysis and Critical Control Points (HACCP) | | X | | A systematic approach to the identification, evaluation, and control of hazards and is best applied to established processes, particularly manufacturing processes. Applied to medical devices, HACCP controls and monitors the initiating causes of product hazards originating in the processes themselves. |
    | Design FMEA | X | | | During all stages of product design and development. |
    | Process FMEA | X | X | X | During the design and development process, it continues throughout the product life cycle. Production and post-production feedback is often used to update FMEAs and/or verify them. |
    | Administrative FMEA | | X | X | While Design and Process FMEAs are based on individual product components, FMEAs can also be applied to processes. Here, the risks associated with the individual activities that make up a process are examined, and the associated risks are evaluated. Then, steps are taken to reduce unacceptable risks to an acceptable level. |
    | User or Patient FMEA | X | | X | In this case, product or component failure effects during use or unintended misuse are considered. While most frequently applied to patient safety considerations, application to consumer or end-user satisfaction is also possible. |
    | Fault Tree Analysis | | X | | A systematic approach to identifying and evaluating fault conditions based on an analysis of possible causes. It is most effective when applied to established processes, particularly those in manufacturing. A thorough understanding of the process's history is necessary, as significant time and effort can be wasted without it. |
    | Event Tree Analysis | | X | | An event tree is an analytical, diagrammatic representation of a chronological series of subsequent events or consequences based on the analysis of an initiating event. Event tree analysis provides a model for examining the possible outcomes of a single event. |

    Risk management tools do not only apply to medical devices

    While we focus on the risks associated with Medical Device manufacturing, you can undoubtedly find analogous opportunities to apply these tools to your organization. They are not limited to manufacturing; they are applicable to all business activities, in both the public and private sectors.

    The management of risk is fundamental to business improvement. So, be sure to give these tools a try.

    Training is essential if you are to implement these Risk Management Tools successfully.

    Check out our Risk Management Courses to learn more.



    deGRANDSON Global is an ISO-Certified Educational Organization

    In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place that conforms to the requirements of …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because it is based on an independent third-party assessment, unlike IRCA and Exemplar badges (which we believe are commercially compromised). It is a 'university grade' standard used globally by schools, colleges, and universities to demonstrate their competence.

    We provide Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, Risk Management, and more.


     

    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems