By Edwin Bills, Consultant
On Dec. 8, 2021, CEN, the European standards body, released an amendment to the European edition of the medical device risk management standard, EN ISO 14971:2019, amendment A11:2021. This edition, with its amendment, was submitted by CEN to be added to the list of harmonised standards published for both the MDR and the IVDR regulations for European medical devices and in vitro medical devices, respectively. Unfortunately, the lists were already in the publication process without the 14971 amended edition, so it did not appear in the early January listing of harmonised standards that the Official Journal of the European Union published for both types of devices. It is rumored that the next listing will appear in either March or April and will contain the amended EN ISO 14971:2019+A11:2021 standard as harmonised for both listings.
The harmonisation process now only applies to MDR and IVDR regulations; the listings for the Medical Device Directive (MDD), Active Implantable Medical Device Directive (AIMDD), and In Vitro Device Directive (IVDD) are no longer being maintained and are far out of date. But with the pending withdrawal of the directives, and with the limited resources available to the European government, it may be the right decision. It took some time for the EC to reach agreement with the European standards organizations on the harmonisation process. Harmonised standards only began to be available nearly four years after the MDR and IVDR were published, and over a year after the MDR was supposed to become effective. And even then, two of the most important horizontal standards, EN ISO 13485:2016 and EN ISO 14971:2019, which affect a large number of products, were not included in the initial list and are just now reaching the harmonisation stage.
With harmonisation, EN ISO 14971:2019 will become the only standard for medical device risk management in the EC and has already replaced the previous harmonised EN ISO 14971:2012, which was harmonised only for the three directives, MDD, AIMDD, and IVDD. EN ISO 14971:2012 was withdrawn by CEN with the publication of EN ISO 14971:2019 even before the amendment. EN ISO 14971:2019 was considered to be the state-of-the-art medical device risk management standard by some, but not all, Notified Bodies before the release of the amendment. Some have not yet recognized the amended version of EN ISO 14971:2019, and part of the confusion exists because the national authorities have until June 30, 2022, to publish a national version or endorse the standard as well as to withdraw any conflicting versions.
What does this all mean? Compliance with a harmonised standard can indicate presumed compliance with certain regulatory requirements under the covered regulation, MDR or IVDR, as indicated in the appropriate Z Annex. The annex will describe limitations on the coverage of the regulation, in this case in some notes and a Correspondence Table. The use of a section called “Content Deviation” is not part of the harmonised standard anymore. There was much confusion in the previous edition of EN ISO 14971:2012 on the use of this section, which had errors within the cited Content Deviation, causing many problems for companies in compliance with the regulations. There was also disagreement between Notified Bodies, which further aggravated the situation. EN ISO 14971:2012 did not lead to safer devices over ISO 14971:2007, which was its intent.
Today the situation is clearer to some extent with the new amendment; however, the way in which harmonisation is implemented is confusing at the very least, and it will not lead to a “quick and easy” solution for the manufacturer implementing risk management for the regulations.
First of all, the harmonised version only covers most of Chapter I of the GSPRs, and none of Chapter II or Chapter III. None of the rest of the MDR or IVDR is described as covered in the amendment. As the Z Annex is written, to achieve compliance with the regulations you must exactly comply with the requirements of the standard and, unfortunately, a number of companies reviewed by the author have not been in compliance with the requirements in ISO 14971. People often do not read the entire standard, do not understand the terms and definitions printed in the standard, misunderstand the requirements, or do not completely read the requirements of the standard, and they only “cherry pick” what they are doing to comply.
Let us look at the introductory section in the Annex ZA (for the sake of brevity in this article we will not cover ZB, but it is substantially the same).
1. The scope is limited to medical devices and accessories for a medical device as defined in that Regulation and to products regulated as a device under that Regulation;
EN ISO 14971:2019 states, in the Introduction:
This document could be used as guidance in developing and maintaining a risk management process for other products that are not necessarily medical devices in some jurisdictions and for suppliers and other parties involved in the medical device life cycle.
The Annex ZA statement made clear the EC objection to that statement and removed it from consideration by the medical device user of the standard.
Next, Annex ZA states, in the introductory section:
2. In case of differences between terms defined in this European standard and terms defined in that Regulation, the terms defined in the Regulation shall prevail;
This is not a major issue, except that the regulations are lacking in notable definitions. However, there is one major point of agreement in that the regulations adopted the definition of “risk” from ISO 14971; they just did not attribute the source. In the last of the introductory items, another important statement is made:
3. The manufacturer’s policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation.
Well, the General Safety and Performance Requirements (GSPRs) cause a lot of confusion in this area, as they use a number of terms to identify what they expect the manufacturer to follow:
NOTE 1 Where a reference from a clause of this standard to the risk management process is made, the risk management process needs to be in compliance with Regulation (EU) 2017/745. This means that risks have to be ‘reduced as far as possible’, ‘reduced to the lowest possible level’, ‘reduced as far as possible and appropriate’, ‘removed or reduced as far as possible’, ‘eliminated or reduced as far as possible’, ‘removed or minimized as far as possible’, or ‘minimized’, according to the wording of the corresponding General Safety and Performance Requirement.
Which one is it? Reduced as far as possible, reduced to the lowest possible level, reduced as far as possible and appropriate, or as it says in GSPR 2:
2. The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio.
Part of the confusion for the reader will be that it talks about the General Safety and Performance Requirements in one note and then “this Annex” in the next note. The General Safety and Performance Requirements and Annex I are exactly the same thing. Why not just say it one way to eliminate the confusion?
To continue, Note 2 lists the points in the GSPR that must be addressed by the Risk Management Policy the manufacturer lists, which must be in compliance with all the items listed in Note 1 above. It would be easier to list those not required to be addressed, which are GSPRs 6, 7, 12, 13, and 15.
Finally, Note 3 addresses Normative Requirements, of which there are none in EN ISO 14971:2019, and Note 4 addresses those GSPRs that do not appear in the table, ZA.1 or ZB.1 for MDR or IVDR, respectively. Note 4 states that if the GSPR is not listed, then it is not covered by the standard. This becomes very important as EN ISO 14971:2019 does not cover a number of GSPRs, including all of Annex I Chapter II and Chapter III. Those are largely product design or manufacture specific. Since EN ISO 14971:2019 is a horizontal standard covering all medical devices including IVDs and is not prescriptive, it leaves flexibility to address those issues that are prescriptively addressed in the regulations.
Where Does That Leave Us?
EN ISO 14971:2019 A11:2021 gives us a risk management system that, IF we fully comply with the standard, will meet the requirements for a risk management system in the regulations. It also gives us the particular processes in risk analysis, risk evaluation, risk control, and overall residual risk that meet the requirements of the regulations. This assumes, of course, that we comply with the standard. If we then use those processes to develop and maintain a device, we have the necessary risk processes in place to support the other requirements in the regulations for risk decision-making and documentation. That requires us to fully understand EN ISO 14971:2019 A11:2021 and to have implemented it correctly. We must also follow the documentation requirements of the standard and have a Risk Management File that is fully compliant with the standard.
Both the MDR and IVDR have many more requirements of the manufacturer in the area of risk and risk management – witness the more than 240 mentions of the word risk in the two regulations. The harmonisation of EN ISO 14971:2019 with the release of A11:2021 only provides us with the basic framework to address the rest of the requirements, like post-market surveillance, clinical evaluation, summary of safety and clinical performance, clinical investigations, and a number of other requirements in the two regulations.
Harmonisation of the medical device risk management standard is only the beginning of the journey toward compliance with the regulations, but EN ISO 14971:2019+A11:2021 gives the medical device manufacturer the framework, if fully implemented, to meet the requirements for risk in the EU Medical Device Regulation and the EU In Vitro Device Regulation.
Until harmonisation for the risk management standard is completed with publication in the Official Journal of the EU, EN ISO 14971:2019+A11:2021 is the state-of-the-art medical device risk management standard and has replaced all earlier editions of the EN ISO 14971 standard; it should now be used by medical device manufacturers for meeting medical device risk management regulations in Europe. Additionally, all earlier editions have been withdrawn by the European standards body CEN, and national standards bodies must make available a copy of the amended 2019 version not later than June 30, 2022. It is currently available through BSI and the Estonian Standardization Organization in English. DIN is in the process of creating the German version. At the European national level, the existence of the new standard must be announced by March 31, 2022, according to the CEN website.
About The Author:
Edwin L. Bills, RAC, ASQ Fellow, CQE, CQA, CMQ/OE, has been a member of ISO TC 210 JWG1 for more than 20 years. This is the ISO group responsible for medical device risk management and the creation and maintenance of ISO 14971:2019, the risk management standard for medical devices, and ISO TR 24971:2020, the accompanying risk management guidance.