For medical devices, ISO (International Organization for Standardization) is one of the most significant organizations. ISO issues international standards. Often, national or regional standards organizations adopt the international standards and change their designations. The current international standard for medical device risk management is ISO 14971:2007. The European Union adopted the standard, added additional information, and changed the designation to EN ISO 14971:2012.[1]
In the case of EN ISO 14971:2012, while the normative text is the same as the ISO standard, the requirements are not, because the EEC directives add a further level of compliance in key areas of risk assessment. The Annex Z requirements of the EN version are more stringent than those of the ISO version; therefore, compliance with the ISO 14971 standard alone is not sufficient in the European arena. You must comply with the country-specific EN ISO 14971 standard for each country in which you plan to market your product.[2]
Annex ZA of EN ISO 14971:2012 identifies the aspects where the ISO standard deviates or might be understood as deviating from the Essential Requirements of the EU Directive 93/42/EEC on Medical Devices. These include:[3]
- Treatment of negligible risks: According to ISO 14971, the manufacturer may discard negligible risks. However, Directive 93/42/EEC requires that all risks, regardless of their dimension, need to be reduced as much as possible and need to be balanced, together with all other risks, against the benefit of the device.
- The discretionary power of manufacturers as to the acceptability of risks: ISO 14971 seems to imply that manufacturers have the freedom to decide upon the threshold for risk acceptability and that only non-acceptable risks have to be integrated into the overall risk-benefit analysis. However, Directive 93/42/EEC requires that all risks have to be reduced as far as possible and that all risks combined, regardless of any “acceptability” assessment, need to be balanced, together with all other risks, against the benefit of the device.
- Risk reduction “as far as possible” versus “as low as reasonably practicable”: ISO 14971 contains the concept of reducing risks “as low as reasonably practicable” (ALARP concept), which contains an element of economic consideration. However, Directive 93/42/EEC and various particular essential requirements require risks to be reduced “as far as possible” without there being room for economic consideration.
- Discretion as to whether a risk-benefit analysis needs to take place: ISO 14971 states: “If the residual risk is not judged acceptable using the criteria established in the risk management plan and further risk control is not practicable, the manufacturer may gather and review data and literature to determine if the medical benefits of the intended use outweigh the residual risk.” Additionally, ISO 14971 states that: “If the overall residual risk is not judged acceptable using the criteria established in the risk management plan, the manufacturer may gather and review data and literature to determine if the medical benefits of the intended use outweigh the overall residual risk.” Both statements imply that an overall risk-benefit analysis does not need to take place if the overall residual risk is judged acceptable when using the criteria established in the risk management plan. However, Directive 93/42/EEC states that an overall risk-benefit analysis must take place in any case, regardless of the application of criteria established in the risk management plan of the manufacturer. Accordingly, the manufacturer must undertake the risk-benefit analysis for the individual risk and the overall risk-benefit analysis (weighing all risks combined against the benefit) in all cases.
- Discretion as to the risk control options/measures: ISO 14971 obliges the manufacturer to “use one or more of the following risk control options in the priority order listed:
(a) inherent safety by design;
(b) protective measures in the medical device itself or in the manufacturing process;
(c) information for safety”
and leaves a discretion as to the application of these three options: shall the second or third control option still be used when the first was used? This indicates that further risk control measures do not need to be taken if, after applying one of the control options, the risk is judged acceptable according to the criteria of the risk management plan. However, Directive 93/42/EEC requests “to conform to safety principles, taking account of the generally acknowledged state of the art” and “to select the most appropriate solutions” by applying cumulatively what has been called “control options” or “control mechanisms” in the standard. Accordingly, the manufacturer must apply all the “control options” and may not stop their endeavors if the first or the second control option has reduced the risk to an “acceptable level”.
- Deviation as to the first risk control option: ISO 14971 obliges the manufacturer to “use one or more of the following risk control options in the priority order listed: (a) inherent safety by design …” without determining what is meant by this term. However, Directive 93/42/EEC requires to “eliminate or reduce risks as far as possible (inherently safe design and construction)”. Accordingly, as the Directive is more precise than the standard, manufacturers must apply the former and cannot rely purely on the application of the standard.
- Information of the users influencing the residual risk: The residual risk in ISO 14971 is defined as the risk remaining after the application of the risk control measures. ISO 14971 regards “information for safety” to be a control option. However, Directive 93/42/EEC states that users shall be informed about the residual risks. This indicates that according to Directive 93/42/EEC and contrary to the concept of the standard, the information given to the users does not reduce the (residual) risk any further. Accordingly, manufacturers shall not attribute any additional risk reduction to the information given to the users.
[1] Ombu Enterprises LLC (Dec 2016). Understanding the Versions of Risk Management Standards. Retrieved on 03/12/2019 from http://www.ombuenterprises.com/LibraryPDFs/Understanding_the_Versions_of_Risk_Management_Standards.pdf
[2] NAMSA. Impact of EN ISO 14971:2012 on Medical Device Risk Assessment in the EU. Retrieved on 03/12/2019 from https://www.namsa.com/wp-content/uploads/2015/10/Impact-of-EN-ISC-2013-11-6-2013.pdf
[3] ANSI. Medical Devices. Application of Risk Management To Medical Devices (British Standard). Retrieved on 03/12/2019 from https://webstore.ansi.org/Standards/BSI/BSENISO149712012