The document discusses the current state and future needs of medical device risk management, emphasizing the importance of compliance with ISO 14971:2019. It highlights existing deficiencies in organizations' adherence to updated standards and the necessity for comprehensive risk management practices throughout the product lifecycle. The text outlines steps for aligning with best practices and the critical timelines for adopting the revised standards.

1. Moving Up to State of the Art in
Medical Device Risk Management
Edwin Bills, Member ISO TC 210 JWG1
11/1/2022 (c) Edwin Bills Consultant 2022 1

2. Medical Device Risk Management
• Where we are today?
• Where we should be today?
• Where will we be tomorrow?
11/1/2022 (c) Edwin Bills Consultant 2022 2

3. Risk Management is not
a checkbox activity or
just documents to file, it
is a product safety
process.
What if you are the first
patient? How would you
perform risk
management?
Risk Safety
11/1/2022 (c) Edwin Bills Consultant 2022 3

4. Where are we
today?
It is now 11/2022 and
nearly three years after
the release of ISO
14971:2019 3rd edition
11/1/2022 (c) Edwin Bills Consultant 2022 4

5. Where are we today?
• Lots of procedures still point to editions other than
the 2019 edition of ISO 14971
• Procedures still not up to date with requirements,
especially Production and Post-production activities
• Risk Management does not start early enough-
Outputs of Process are Design Inputs (ISO
13485:2016 7.3.3 (c)
11/1/2022 (c) Edwin Bills Consultant 2022 5

6. Where are we today?
• No or Wrong Risk Management Policy
• Many see it as irritating documentation activity
• Product Safety takes a back seat to Schedule and Cost
• Overreliance and misunderstanding of FMEA as a Risk
tool (doesn’t meet all requirements for Risk Analysis)
• Lack of understanding of the process-lack of decision
making skills and good judgement
• Procedures overly complicated
11/1/2022 (c) Edwin Bills Consultant 2022 6

7. Where are we today?
• Lack of statistically valid data to support
quantitative Probabilities of Harm
• Risk Management Plans do not contain Risk
Acceptability Criteria or identify Review Team
• Risk Management File not Traceable
• EC now accepts EN ISO 14971:2019/A11:2021
Harmonised Standard for MDR and IVDR
11/1/2022 (c) Edwin Bills Consultant 2022 7

8. Where are we today?
• Lack of Management support and understanding of risk
management’s importance to success of company
• Many have not yet implemented ISO 14971:2019 and are still
on 2007 or worse EN ISO 14971:2012 (not ISO 14971:2012)
• FDA drops the acceptability of submissions with 2007
edition on December 25, 2022
• 2007 Edition no longer acceptable as of December 2022 as
ISO also drops this standard under 3-year transition
11/1/2022 (c) Edwin Bills Consultant 2022 8

9. INFORMATION FOR
SAFETY
Risk control allowed in
MDR GSPR 4c and
IVDR 4c
1/18/2022 © Edwin Bills Consultant 2022 9

10. Where should we
be?
Time is marching on
and in less than 60 days
we will need to be fully
compliant with ISO
14971:2019
11/1/2022 (c) Edwin Bills Consultant 2022 10

11. Where should we be today?
• ISO 14971:2019 (3rd Edition) was
published in December of 2019
and has been adopted/recognized worldwide
• Required implementation dates vary
– ISO has three year implementation for most standards
• EN ISO 14971:2019/A11:2021 was Harmonised for
the MDR and IVDR (only) in May 2022
• The unamended EN version was recognized as
“state of the art” shortly after publication
11/1/2022 (c) Edwin Bills Consultant 2022 11

12. Where should we be today?
• Given all that background, companies should
have been updating risk management system
documentation to the 3rd edition (ISO or EN
as appropriate)
• Many are not there or not all the way there
• Should have audited RMS and updated
to correct any shortcomings
• Should have audited projects to understand
which Edition to use
11/1/2022 (c) Edwin Bills Consultant 2022 12

13. State of the Art
• In 2020 BSI in their Compliance Monitor
indicated that EN ISO 14971:2019 was the “State of
the Art” medical device risk management process
standard
What is ”state of the art”? Where is it defined?
The only definition is in ISO 14971
11/1/2022 (c) Edwin Bills Consultant 2022 13

14. ISO 14971 Definition
• 3.28 state of the art
• developed stage of technical capability at a given time as
regards products, processes (3.14) and services, based on
the relevant consolidated findings of science, technology and
experience
• Note 1 to entry: The state of the art embodies what is
currently and generally accepted as good practice in
technology and medicine. The state of the art does not
necessarily imply the most technologically advanced solution.
The state of the art described here is sometimes referred to
as the “generally acknowledged state of the art”.
11/1/2022 (c) Edwin Bills Consultant 2022 14

15. What to do?
11/1/2022 (c) Edwin Bills Consultant 2022 15

16. ISO TR 24971:2020 Gives a Hint
• Annex G Components and devices designed without
using ISO 14971 can be used as a
guide for updating to latest standard
– First, find the gaps-perform audits, be critical
• Review Policy, procedures, product files
– Second, establish a plan to update
• Responsibilities, dates, criticalities, reviews, projects
– Finally, Monitor progress
• Make changes in plan as required
11/1/2022 (c) Edwin Bills Consultant 2022 16

17. ISO 14971:2019/EN ISO 14971:2019 /A11:2021
Requirements are all the same in all versions of 3rd Edition
• 1 Scope (read the scope-important information)
• 2 Normative references (no normative references)
• 3 Terms and definitions Important to understand terms
• 4 General requirements for risk management system (part of
QMS)
• 5 Risk analysis Most misapplied requirement from misuse of
tools- More than one tool usually required for risk analysis
11/1/2022 (c) Edwin Bills Consultant 2022 17

18. ISO 14971:2019/EN ISO 14971:2019 /A11:2021
• 6 Risk evaluation Must apply Individual Risk Acceptability Criteria
• 7 Risk control Risk Controls are Design Inputs for Safety
Requirements
• 8 Evaluation of overall residual risk Benefit-Risk Analysis (difficult
concept)
• 9 Risk management review (Review of product risk and risk
process leads to Risk Management Report)
• 10 Production and post-production activities (Biggest change to
3rd Ed.)
• Annexes are not requirements of standard, but guidance
11/1/2022 (c) Edwin Bills Consultant 2022 18

19. ISO 14971:2019/EN ISO
14971:2019 /A11:2021
4 General requirements for risk management system
• 4.1 Risk Management Process (Closed Loop process depicted in Figure 1)
• 4.2 Management Responsibilities (Risk Policy, resources, competent
personnel, Risk Management Review [part of QMS Review])
• 4.3 Competence of Personnel (requires documented team of various
disciplines that can provide judgement in decision making)
• 4.4 Risk Management Plan (for each product/product family)
• 4.5 Risk Management File (for each product/product family provides
traceability for all documentation of entire process)
11/1/2022 (c) Edwin Bills Consultant 2022 19

20. ISO 14971:2019/EN ISO
14971:2019 /A11:2021
5 Risk analysis
• 5.1 Risk analysis process (does it comply with 14971?)
• 5.2 Intended use and reasonably foreseeable misuse (need
medical/clinical input and regulatory)
• 5.3 Identification of characteristics related to safety (Annex A
EXAMPLE questions)
• 5.4 Identification of hazards and hazardous situations (Normal
condition & all hazards, not just single fault-here is where FMEA is
weak, need more tools than one. Read this section closely)
• 5.5 Risk estimation (probability of HARM, and Severity of HARM)
11/1/2022 (c) Edwin Bills Consultant 2022 20

21. ISO 14971:2019/EN ISO
14971:2019 /A11:2021
10 Production and post-production activities (Most
changed part of 2019 edition)
• 10.1 General (sets the stage)
• 10.2 Information collection (active process, must go look for
information including internet)
• 10.3 Information review (what is the information telling you about
risk performance of your product?
• 10.4 Actions (Do you need to do anything? What do you need to do?
How urgent is the action needed? Look at both product and risk
management process for issues)
11/1/2022 (c) Edwin Bills Consultant 2022 21

22. ISO 14971:2019/EN ISO 14971:2019
/A11:2021-Move Up to State of the Art
For any product risk management process-
• Start EARLY, should begin by the time of the Design
Plan/Risk Management Plan, maybe even during
concept, and certainly if any clinical trials, that is start
as Risk Analysis required
• Remember, Output of Risk Management is a Design
Input*, establishes Safety Requirements for the product
– * ISO 13485 7.3.3 (c)
11/1/2022 (c) Edwin Bills Consultant 2022 22

23. End of recognition of ISO
14971:2007 is December 2022!
11/1/2022 (c) Edwin Bills Consultant 2022 23

24. Thanks for your attention!
Create a good implementation of medical
device risk management under
ISO 14971:2019 or EN ISO 14971:2019
Amd11:2021
Questions may be
addressed to:
Edwin Bills
elb@edwinbillsconsultant.com
Edwin Bills, Consultant
and Member, ISO TC 210 JWG1
10/28/2022 24
(c)Edwin Bills Consultant 2022

25. References
© Edwin Bills Consultant 2021 25
Criteria for Risk Acceptability, Stan Mastrangelo, Lifecycle Risk Management for Healthcare Products:
from Research Through Disposal; Edited by Edwin Bills and Stan Mastrangelo, PDA ,Bethesda, MD,
DHI Publishing LLC River Grove, IL , 2016
Engineering a Safer World: Systems Thinking Applied to Safety, Nancy G. Leveson, Massachusetts
Institute of Technology, MIT Press, Cambridge, Massachusetts, 2011
Foundations of Quality Risk Management, Jayet Moon, American Society for Quality, Quality Press,
Milwaukee, WI 2020s
Safety Risk Management for Medical Devices Second Edition; Bijan Elahi; Academic Press, , London,
UK, 2022
Below may be accesses at www.iso.org:
ISO 14971:2019 Medical devices-Application of risk management to medical devices
ISO TR 24971:2020 Medical devices-Guidance on the application of ISO 14971
ISO 13485:2016 Medical devices-Quality management systems-Requirements for regulatory
purposes

26. References
The Use and Misuse of FMEA in Risk Analysis, Mike Schmidt, Medical Device and Diagnostic Industry,
March 1, 2004, https://www.mddionline.com/testing/use-and-misuse-fmea-risk-analysis , Accessed
Feb 6, 2021
ISO TR 24971:2020 — Bringing Clarity To Risk Acceptability In ISO14971, Med Device Online |
November 19, 2020, Edwin L. Bills, member, ISO TC 210 JWG1
https://www.meddeviceonline.com/doc/iso-tr-bringing-clarity-to-risk-acceptability-in-iso-0001
Closing the Loop on Risk Management ISO 14971, Edwin L. Bills, member, ISO TC 210 JWG1, Med
Device Online, January 22, 2021 https://www.meddeviceonline.com/doc/iso-clarifying-benefit-risk-
benefit-risk-0001
ISO 14971:2019 — Clarifying Benefit, Risk, & Benefit-Risk, Edwin L. Bills, member, ISO TC 210
JWG1. Med Device Online, February 8, 2021
https://www.meddeviceonline.com/doc/iso-clarifying-benefit-risk-benefit-risk-0001
11/1/2022 (c) Edwin Bills Consultant 2022 26