In December, the 3rd version of ISO 14971 was published.
Even though there are no major changes in the risk management process itself, this version brings some clarifications and adds some definitions.
The 3 main changes in this new version are:
- New/adapted definitions
- Overall risk acceptability can have its own criteria
- More information has been transferred to the technical report ISO/TR 24971
Benefit - new definition
Manufacturers have been spending lots of time thinking about risk/benefit ratios, but the definition of benefit was not part of the standard. This definition has now been added.
“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health”
It's clear that benefit focuses on medical benefits, not economic benefits.
State-of-the-Art - new definition
Risk policies were, and still are, supposed to be based on the "state-of-the-art". Now we have a definition for it.
“Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience”
Harm also includes data breaches and system security
The definition of Harm used to refer to physical injury or damage to the health of people. The word physical has been deleted from the definition so it becomes:
“Injury or damage to the health of people, or damage to property or the environment”
Annex A further explains that data breaches and system security issues can also harm people. This means manufacturers should take IT-related risks into account as well.
Reasonably foreseeable misuse
The 2007 version of ISO 14971 already referred to reasonably foreseeable misuse; a definition has now been added.
“Use of a product or a system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour.”
This misuse can be intentional or unintentional and can therefore fall under use error or abnormal use.
Different criteria for risk acceptability
ISO 14971:2007 mentions “criteria defined in the risk management plan” as the basis for the evaluation of individual and overall residual risks, while the 2019 version makes a distinction, which suggests that manufacturers can have different criteria for evaluating individual residual risks as compared to the overall residual risk.
ISO/TR 24971 - More information in the guidance
ISO 14971:2007 contained 10 annexes, many of which consisted of examples. The new version only has 3 annexes. This means that many of the explanations and examples have been transferred to the new version of ISO/TR 24971. Unfortunately, we are still waiting for the updated version to be published.
What else is new?
Not that much. There are some textual changes, but no major differences in concepts.
One thing to pay attention to, however, is that an additional paragraph has been added to the text:
- Normative references
Even though this doesn’t change anything in terms of requirements, it does create a shift in numbering throughout the standard. This could be annoying if your documentation refers to specific clauses of the standard, as you will have to update all references.