ISO 14971:2019 Risk Management Process

For the CE marking of the medical devices, risk management is an essential requirement as per the EU Medical Device Regulation. According to the new edition of the risk management standard, ISO 14971:2019 the following are six steps in risk management.

Risk Management Plan: Planned risk management activities with the identification of the risk acceptability. Review the execution of the risk management plan during the design and development validation and before the product release to market.

Risk Assessment: This contain the two steps – Risk analysis and Risk Evaluation. Risk Analysis includes the identification of use and misuse of the device during the Normal and Abnormal use of the device, identification of risks related to the operating characteristics of the device, identifying the hazards, the reasonably foreseeable sequence of events and hence the hazardous situation and finally the estimation of risk in terms of probability and severity.

Risk Evaluation: This contains the assessment of the estimated risks using the risk acceptability criteria, and the residual risks are identified.

Risk Control: Apply the risk control measures on the identified unacceptable risks to reduce the risks As Low As Possible. The first option is to make changes in the design of the medical device, second option to provide the protective measures to reduce the occurrence of a hazardous situation; the third option is to provide the information to the user about the risks in the form of the warnings, contraindications, etc. The verification and validation of the implementation of the risk control measures is also part of this step. Still, the reevaluation results in the residual risks for which the risk-benefit analysis to be performed. If the benefits overweigh the risks considering all the alternative methods too, then those risks will be acceptable.

Overall Residual Risk Evaluation: Instead of the individual residual risk, the impact of overall residual risk has to be evaluated. After the application of all the control measures, benefit-risk analysis to apply and provide the user with the information.

Risk Management Review: Review of the risk management activities to verify the implementation of the risk management plan. The risk management report is the output of this stage.

Production and Post: Production activities- Develop a system to collect and review the relevant production and post-production information, collect that information from the users, similar device information. Review the relevancy of that information to the safety of the device. If any new risk exists, it has to be assessed, or any old risk has to be reassessed. Again, the risk control measures to apply and review the suitability of the risk management process.

How can we estimate the overall residual risk? Is the information on the residual risk passed to the customer will reduce the estimated risk?