YOUR SELEON SPECIALIST

Anne Matousek
Senior Consultant QM & RA, Regulatory Affairs Expert

Tel.: 07131 2774-40
regulatoryaffairs(at)seleon.de


 

20.10.2020

Risk management standard for medical devices not yet harmonised

Although the EU Commission updated the list of harmonized standards for the MDD in March of this year, there is still no list of harmonized standards for the Medical Device Regulation and therefore no harmonized risk management standard.


So that stricter guidelines do not hit you like a headwind and you are not faced with unexpected hurdles, the seleon experts have done some research for you: since December 2019, the third version of ISO 14971:2019, the risk management standard for medical devices, has been public. What has changed since then? What do you need to do?

Although the European Commission updated the list of harmonised standards for the Medical Devices Directive MDD (93/42/EEC) in March of this year, there is not yet a list of harmonised standards for the Medical Devices Regulation (EU 2017/745) and thus no harmonised risk management standard. This poses a challenge for the development of medical devices and for the presumption of conformity under the MDR (EU 2017/745).

According to a recent decision of the European Commission, the list of harmonised standards of the Medical Devices Directive MDD may NOT be used to document the ESPR (Essential Safety and Performance Requirements) of the MDR. In order to show that the ESPR are met, manufacturers of medical devices must therefore make an additional effort and check for each point individually to what extent it is covered by existing standards - be it risk management, quality management or other relevant requirements.

Nevertheless, a harmonisation of the risk management standard for medical devices, ISO 14971:2019, can be strongly expected. By way of comparison, the FDA has already listed the standard under "Recognised Consensus Standards", meaning that it can be applied there.

 

Guide published: ISO/TR 24971

Approximately six months after the publication of the risk management standard for medical devices ISO 14971:2019, the related guidance document ISO/TR 24971:2020-06 was published in June.

The guide can be seen as a long commentary: it makes the requirements of ISO 14971 more concrete and helps manufacturers of medical devices to implement them. The first 30 pages comment on ISO 14971:2019 chapter by chapter. These are followed by eight annexes totalling 55 pages:

  • Annex A: Identification of hazards and characteristics related to safety
  • Annex B: Techniques that support risk analysis
  • Annex C: Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
  • Annex D: Information for safety and information on residual risk
  • Annex E: Role of international standards in risk management
  • Annex F: Guidance on risks related to security
  • Annex G: Components and devices designed without using ISO 14971
  • Annex H: Guidance for in vitro diagnostic medical devices

 

Annex on cyber and data security

Following the inclusion of software as a medical device in the third edition of ISO 14971, Annex F of ISO/TR 24971 deals for the first time with data security and cybersecurity.

The Annex introduces six important terms:

  1. Security: The system is invulnerable to hostile acts.
  2. Threat: Potential that could breach security and cause damage.
  3. Vulnerability: Flaws or weaknesses in design that could be exploited to damage a system.
  4. Confidentiality: Only authorised persons have access to the data.
  5. Integrity: Accurate and complete data.
  6. Availability: Accessibility of data.

In addition, there is information on hazards, sequences of events and damage. Those who have not yet dealt with the topic of cybersecurity will get a first idea of the topic here. (TIP: Please also have a look at our newsletter on the topic of cybersecurity).

 

Risk management requirements for medical devices according to MDR beat ISO 14971

The principle of "upper beats lower" is important for international medical device manufacturers, but also for all those who read standards only from chapter 3 onwards. Applying ISO 14971:2019 and its guide ISO/TR 24971:2020 rigidly may lead to a nasty surprise. This is because ISO 14971:2019 is broader than the risk management requirements for medical devices according to MDR. This was already the case with the second version of ISO 14971 from 2012. What is still "allowed" in ISO 14971 can be considered "illegal" under the MDR. For the application of the harmonised EN ISO 14971:2012, this meant that the specifications of the MDD overruled some of the principles of ISO 14971.

But the rule is: upper beats lower, or: MDR beats ISO 14971.

 

ALARP/ALARA and the risk management standard for medical devices MDR

For example, although the principles ALARA (as low as reasonably achievable) and ALARP (as low as reasonably practicable) are mentioned in ISO/TR 24971, they clearly contradict the requirements of the EU Medical Device Regulation (MDR), Annex I:

"(2) The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio."

Even if nothing has yet been achieved in the harmonisation of ISO 14971:2019, ISO/TR 24971 is certainly worth a look!

Have you noticed that the wind is not only blowing from the MDR direction, but that risk management is also giving you turbulent times? You are in the middle of a development process and are wondering which standards are finally applicable for you and how to establish the presumption of conformity? We will be happy to give you support in these turbulent times and provide you with competent assistance in minimising your risks. Please contact us.

 

Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.

Every product is unique – the mandatory tasks and measures for entering the market need to be specified individually. seleon advises you on your individual questions without any obligation.
