To keep stricter guidelines from blowing in your face like a headwind and to ensure that you are not faced with unexpected hurdles, the seleon experts have done some research for you: since December 2019, the third edition of ISO 14971, the risk management standard for medical devices, has been public as ISO 14971:2019. What has changed since then? What do you need to do?
Although the European Commission updated the list of harmonised standards for the Medical Devices Directive MDD (93/42/EEC) in March of this year, there is not yet a list of harmonised standards for the Medical Devices Regulation MDR (EU 2017/745) and thus no harmonised risk management standard. This poses a challenge for the development of medical devices and for establishing their presumption of conformity under the MDR (EU 2017/745).
According to a recent decision of the European Commission, the list of harmonised standards of the Medical Devices Directive MDD may NOT be used to document the ESPR (Essential Safety and Performance Requirements) of the MDR. In order to show that the ESPR are met, manufacturers of medical devices must therefore make an additional effort and check, point by point, to what extent each requirement is covered by existing standards, be it for risk management, quality management or other relevant requirements.
Nevertheless, harmonisation of the risk management standard for medical devices, ISO 14971:2019, is strongly to be expected. By way of comparison, the FDA has already listed the standard under "Recognised Consensus Standards", meaning that it can be applied there.
Guide published: ISO/TR 24971
Approximately six months after the publication of the risk management standard for medical devices ISO 14971:2019, the related guidance document ISO/TR 24971:2020-06 was published in June.
The guide can be seen as a long commentary: it concretises the requirements of ISO 14971 and provides assistance to manufacturers of medical devices in implementing them. The first 30 pages comment on ISO 14971:2019 chapter by chapter. This is followed by eight annexes totalling 55 pages:
- Annex A: Identification of hazards and characteristics related to safety
- Annex B: Techniques that support risk analysis
- Annex C: Relation between the policy, criteria for risk acceptability, risk control and risk evaluation
- Annex D: Information for safety and information on residual risk
- Annex E: Role of international standards in risk management
- Annex F: Guidance on risks related to security
- Annex G: Components and devices designed without using ISO 14971
- Annex H: Guidance for in vitro diagnostic medical devices
Annex on cyber and data security
Following the inclusion of software as a medical device in the third edition of ISO 14971, Annex F of ISO/TR 24971 deals for the first time with data security and cybersecurity.
The Annex introduces six important terms:
- Security: The system is invulnerable to hostile acts.
- Threat: Potential that could breach security and cause damage.
- Vulnerability: Flaws or weaknesses in design that could be exploited to damage a system.
- Confidentiality: Only authorised persons have access to the data.
- Integrity: The data are accurate and complete.
- Availability: The data are accessible.
In addition, there is information on hazards, sequences of events and harm. Those who have not yet dealt with the topic of cybersecurity will get a first impression of it here. (TIP: Please also have a look at our newsletter on the topic of cybersecurity.)
Risk management requirements for medical devices: MDR versus ISO 14971
The principle of "upper beats lower" is important for international medical device manufacturers, but also for all those who only start reading standards from chapter 3 onwards. Rigidly applying ISO 14971:2019 and its guide ISO/TR 24971:2020 may bring a nasty surprise. This is because ISO 14971:2019 is broader than the risk management requirements for medical devices under the MDR. This was already the case with the second version of ISO 14971 from 2012: what is still "allowed" under ISO 14971 can be considered "illegal" under the MDR. For the application of the harmonised EN ISO 14971:2012, this meant that the specifications of the MDD overruled some of the principles of ISO 14971.
But the rule is: upper beats lower, or: MDR beats ISO 14971.
ALARP/ALARA and the risk management standard for medical devices under the MDR
For example, although the principles ALARA (As Low As Reasonably Achievable) and ALARP (As Low As Reasonably Practicable) are mentioned in ISO/TR 24971, they clearly contradict the requirements of the EU Medical Devices Regulation MDR, Annex I:
"(2) The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio."
Even though the harmonisation of ISO 14971:2019 is still pending, ISO/TR 24971 is certainly worth a look!
Have you noticed that the wind is not only blowing from the MDR direction, but that risk management is also giving you turbulent times? Are you in the middle of a development process and wondering which standards actually apply to you and how to establish the presumption of conformity? We will be happy to support you in these turbulent times and provide you with competent assistance in minimising your risks. Please contact us.
Please note that all details and listings do not claim to be complete, are without guarantee and are for information purposes only.