The third edition of ISO 14971 is now available as a draft (FDIS).
This new version of ISO 14971 will probably be published as ISO 14971:2019. It will represent an evolutionary development of ISO 14971:2007, rather than a break with the concepts used previously.
Nevertheless, manufacturers should familiarize themselves with the new and the amended requirements this standard defines.
The third edition of ISO 14971 follows its predecessor ISO 14971:2007 (“second edition”). This second edition is also the basis for EN ISO 14971:2012, the standard harmonized for the EU medical device directives.
At the same time, ISO has also revised ISO 24971, which is also available as a draft. This “explanatory standard” is becoming more important because it now contains some of the non-normative annexes of the old ISO 14971.
The first thing that stands out is the new chapter structure. ISO 14971:2019 now follows the usual structure, which starts with the chapters:
The new chapter with the normative references changes the numbering: ISO 14971:2019 now has ten chapters.
Fig. 1: New chapter structure of the third edition of ISO 14971 (ISO 14971:2019).
The chapter structure reveals another difference: The requirements for the downstream phase are more comprehensive and divided into four sections (10.1 to 10.4).
ISO 14971:2019 claims to place even greater emphasis on demonstrating that the benefits outweigh the risks. It adds the missing definition of the term “benefit”.
“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health”
Source: ISO 14971, 3rd edition
Examples of these benefits are:
This makes it clear that the benefit refers to a medical benefit and not, for example, a higher economic benefit for the operator.
The standard does not really establish any new requirements. It continues to state that it is the management's job to define the risk policy. This must be based on the state of the art. The third edition of ISO 14971:2019 at least adds a definition of the term “state of the art”.
“Developed stage of technical capability at a given time as regards products, processes and services, based on the relevant consolidated findings of science, technology and experience”
Source: ISO 14971, 3rd edition
This state of the art cannot be compared with the state of the science. Instead, it is more in line with generally accepted technical and medical “good practices”.
One new feature of the third edition of ISO 14971 is that the manufacturers can define acceptance criteria for the evaluation of individual risks that are different to those used for the evaluation of the overall residual risk. The acceptance criteria for the individual risks can be used to decide on the need for risk control measures. The acceptance criteria for the overall risk can be used to decide whether the product can be marketed.
The third edition of ISO 14971 explicitly includes risks resulting from inadequate “data and system security”. However, it does not define any specific requirements.
In German-speaking countries in particular, there is a risk that manufacturers will not be able to distinguish precisely between safety and security because both terms are translated as “Sicherheit” in German.
While weighing medical benefits against “safety risks” makes sense, weighing medical benefits against “security risks” can lead to confusion. An increase in security can even have negative effects on safety.
ISO 14971:2019 adds the explicit requirement to analyze reasonably foreseeable misuse. It defines this “reasonably foreseeable misuse” as follows:
“Use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behavior”
Source: ISO 14971, 3rd edition
Such misuse can be intentional or unintentional. An example would be using a medical device without reading the instructions for use carefully first.
It is just the chapter that is new; the requirements regarding safety-related characteristics are not. The manufacturers must record these characteristics, which are essential for the safety of the device, qualitatively and quantitatively - preferably with limits. All IEC 60601-1 experts will immediately think of the essential performance characteristics. And rightly so!
The Johner Institute recommends looking into the system requirements in particular, in order to determine if there might be a risk if these requirements are not met or not met to the specified extent.
The most obvious change relates to risk management in production and the post-production phase, i.e., the post-market phase. The requirements are very similar to those of the MDR:
Both the MDR and the third edition of ISO 14971 require proactive collection and evaluation of data from post-development phases. The MDR talks about a process, ISO 14971 about a system.
Fig. 2: ISO 14971:2019 requires the active collection and analysis of data and, if necessary, corresponding action.
Like the MDR, the standard also defines the sources of information that always have to be taken into consideration, such as public information, information on the state of the art, and information generated during the installation, use and maintenance of the device.
The information must be used to determine whether:
The manufacturer must then act based on the results of this evaluation. Specifically, the third edition of ISO 14971 lists actions relating to the medical device (e.g., implementation of new risk-minimizing actions) and actions that relate to risk management (e.g., risk management process).
The third edition of ISO 14971 makes the already good second edition even better. A lot of the changes are editorial in nature; they provide more clarity and make the standard more rigorous.
Particularly noteworthy are the more precise requirements for the post-production phase. Nevertheless, the scope of the changes remains so limited that “Version 2.1” would perhaps have been more appropriate. The following are particularly regrettable:
In spite of these downsides, manufacturers should be able to easily live with this third edition of ISO 14971. Sometimes less is more.