ISO Standards – Part 3: Is Your Understanding of Risk Management a Risk?

Welcome back to this final instalment of this three part blog series on Quality Management and supporting processes.  One of the critical components of any quality management system today is the need to develop a robust risk management programme.  As such, this final blog will focus on ISO 14971:2012 Medical Devices – Application of risk management to medical devices, and its companion document ISO TR 24971 Medical Devices – Guidance on the application of ISO 14971.

ISO TR 24971 is a technical report first published in 2013 by ISO to provide organisation with guidance on implementing the requirements of ISO 14971.  Now, you would be forgiven for scratching your head and wondering why you haven’t heard of this document before but let me reassure you that you would not be alone in your thinking. ISO TR 24971 was developed by the ISO TC 210 working groups and one of its own members was quoted as saying that ISO TR 24971 was not widely known about due to a failure in marketing.

However, before you rush out and purchase your own copy of the document, please be aware that both ISO 14971 and ISO TR 24971 are currently under revision which will see some major changes to the structure and content of both documents. First things first though let me give you a very brief outline of the type of content contained in the current ISO TR 24971, the guidance includes information on:

• The role of international product safety and process standards in risk management 
• Developing the policy for determining the criteria for risk acceptability 
• Evaluation of overall residual risk

In 2016 the ISO TC 210 working groups were charged with making the following changes to 14971 and 24971:

• Informative annexes to be removed from ISO 14971 and placed in ISO TR 24971 
• ISO 14971 to include a clause 2 (normative references) 
• Inclusion of cybersecurity risks in 14971
• Consideration of the application of ISO 31000 – Risk Management Guidelines

Please note THERE IS NO CHANGE TO THE RISK MANAGEMENT PROCESS.

Table 1 below outlines the proposed changes to both documents:

Table 2 outlines the current and proposed new structure of ISO 14971:

Table 3 outlines the current and proposed new structure of ISO TR 24971:

As well as the items outlined in the tables above, there are some other noteworthy additions to ISO 24971 that will aid users in interpreting the requirements of ISO 14971. The newly proposed annexes F & G are of particular interest.

Annex F is titled “Guidance on risks related to (cyber)Security”, although the term cybersecurity does not appear in either the current or proposed revision of ISO 14971 the standard does make reference to “data systems security”. Annex F also provides guidance on the relationship and the differences between health risk and cybersecurity risks.

Annex G is titled “Components and devices not designed using ISO 14971” and provides guidance on those devices that were manufactured prior to 2000 (the year ISO 14971 was first published). This annex provides guidance on the collation of a risk management file for pre 2000 products i.e.:

• Collection of post-production data, collection of safety related data, forming the basis for building of a risk management file.

Timelines, which may be subject to change, for issue of the revised ISO 14971 and ISO TR 24971 are outlined below:

• ISO 14971 FDIS (final draft) work expected to be completed in Oct 2019
• New version of 14971 expected to be published in Nov 2019
• ISO TR 24971 is expected to be issued around 2 months later, Jan 2020

I hope that this series of blogs has shown that there is help & guidance available, even in the form of other ISO standards and their guidance documents,  when trying to translate the requirements of ISO 9001:2015 into actionable items that your organisation can undertake to help implement and attain an internationally recognised and accredited quality management system.

I will end this series by leaving you with a quote from historian Yuval Noah Harari, “In a world deluged by irrelevant information, clarity is power.”

Stuart Hardie, Quality Management Consultant