Risk Management for MDR: Extending Beyond ISO 14971:2019
Dr. Rachel Gibbs, PhD, BSc
Medical device risk management is an iterative process that starts at the beginning of product development and evolves throughout the lifecycle of the device. Following the requirements set out in EN ISO 14971:2019 “medical devices – application of risk management to medical devices”, medical device risk management aims to:
- Identify, quantify, and evaluate all risks
- Reduce these through effective control measures
- Ensure patient safety through determining whether the benefits of the device outweigh the residual risks
- Ensure new or emerging risks are identified and evaluated through the medical device risk management process
Whilst ISO 14971 provides a framework to ensure adequate medical device risk assessment is conducted, it is in the implementation of the standard, and specifically when applied to Europe and the Medical Device Regulation (MDR) (EU) 2017/745, that common mistakes are made.
Some of the most frequent points raised by Notified Bodies relating to medical device risk management:
- Not all risks have been identified/assessed
- Risks are not reduced as far as possible
- Use of risk acceptance means that not all possible control measures have been considered
- Individual risks do not have a benefit/risk assessment
So why are these gaps occurring if a manufacturer follows ISO 14971:2019? To understand this, we need to understand the difference between the international standard, ISO 14971:2019, and the European MDR.

Difference Between International Standards and European-Specific Requirements
ISO 14971:2019 is an international standard intended to be applicable in jurisdictions all over the world. It is not intended to specifically address all the requirements of the EU MDR. For medical devices to be placed on the European market, they must comply with MDR requirements.
The MDR (Article 8) sets out the use of European harmonized standards as a means for demonstrating conformity (“presumption of conformity”). With regards to medical device risk management for Europe, EN ISO 14971:2019+A11:2021 is the harmonized standard, as published in the Official Journal of the European Union.
European harmonized standards contain informative Annexes (Z) that set out the clauses of the standard, and any limitations, that allow a presumption of conformity with the specified General Safety and Performance Requirements (GSPR). Aside from the addition of Annex Z, the text of the International (ISO) and European (EN ISO) 14971:2019 standard is identical. However, to comply with the European MDR, the requirements in Annex Z must be applied.
Most importantly, the European harmonized standard states that in case of any differences between the standard and the MDR, the requirements of the MDR shall prevail.
Presumption of Conformity and How EN ISO 14971:2019+A11:2021 Supports GSPR Requirements
“Presumption of conformity” is where compliance with specific clauses of the standard demonstrates that the related GSPR is met. The European harmonized standard contains an amendment to the international standard in the form of Annex ZA for the MDR (EU) 2017/745. This annex contains a table indicating which GSPR is supported by which clause of the standard:
- GSPRs 1 to 2 are not addressed by the European standard
- GSPRs 3 to 5, 8 are demonstrated by application of the standard
- GSPR 9 is also demonstrated by application of the standard (Devices with a non-medical purpose)
The key difference between the international standard (ISO 14971:2019) and the MDR requirements relates to the level of risk reduction required, as far as possible (AFAP) vs. as low as reasonably practicable (ALARP), and to the manufacturer’s policy for risk acceptance.
As always, the details are crucial. The previous version, EN ISO 14971:2012, summarized the key differences between the standard and the outgoing Medical Device Directive (MDD) (93/42/EEC) and described the requirements for MDD compliance within Annex ZA. This has not been carried over into the current version, EN ISO 14971:2019, because the risk analysis process is written directly into the MDR: GSPRs 1 to 8 (and GSPR 9 if applicable) detail risk requirements that were not present in the MDD Essential Requirements (ER). Instead, EN ISO 14971:2019 refers to the MDR and addresses these differences through a blanket statement that, where differences exist, the MDR takes precedence.
Differences Between ISO 14971:2019 and MDR
Most of the specific requirements (content deviations) of EN ISO 14971:2012 have not changed with the legislation change. These remain requirements for the MDR but are addressed through the GSPRs. The principal differences between the international standard, ISO 14971:2019, and the MDR are summarized below:
| EN ISO 14971:2012 – Annex ZA (superseded) | International standard ISO 14971:2019 | MDR (EU) 2017/745 | EU perspective |
|---|---|---|---|
| Treatment of negligible risks: | | | |
| All risks must be reduced and assessed, regardless of the size of the risk. | The manufacturer may discard negligible risks. Whilst not stipulated in ISO 14971:2019, ISO/TR 24971:2020 C.4 states that risk control can consider the magnitude of the residual risk. The risk acceptability policy can choose not to conduct further risk reduction for insignificant or negligible risks. | GSPR 1: Requires that any risks are acceptable when weighed against the benefits. GSPR 2: Requires risks to be reduced as far as possible. The MDR states that risk reduction is required, even for insignificant or negligible risks. | Divergence between international standard and MDR. For the MDR, all risks must be assessed, reduced as far as possible, and included in the benefit-risk analysis, regardless of the size of the risk. The international standard allows negligible risks to be left without risk reduction. |
| Discretionary power of manufacturers as to the acceptability of risks: | | | |
| Criteria for risk acceptability may not be applied, so that all risks must be reduced as far as possible and included in the overall benefit-risk analysis. | Clause 6: The manufacturer can set a threshold for risk acceptability, and only unacceptable risks require risk control and a benefit-risk analysis. Clause 7.3: Evaluation of residual risk acceptability. Only unacceptable risks require further risk control; further risk reduction is not required for an acceptable risk, even if it could be lowered. Clause 7.4: Benefit-risk analysis. This is only conducted for unacceptable risks. | GSPR 1: Requires that any risks are acceptable when weighed against the benefits. GSPR 2: Requires risks to be reduced as far as possible. GSPR 3: Requires risks to be estimated and evaluated and then eliminated or controlled; it does not provide the option to accept the risk level without further action. GSPR 8: Requires all known and foreseeable risks, and any undesirable side-effects, to be minimised and acceptable when weighed against the evaluated benefits. | Divergence between international standard and MDR. For the MDR, risk acceptability is not sufficient to avoid further risk control measures: all risks must be reduced as far as possible, and every individual risk requires a benefit-risk analysis as well as being part of the overall benefit-risk analysis. The international standard does not require acceptable risks to undergo further risk reduction or an individual benefit-risk analysis. |
| Risk reduction “as far as possible” (AFAP) vs “as low as reasonably practicable” (ALARP): | | | |
| Risks must be reduced as far as possible and without any economic consideration. Manufacturers may not apply an ALARP concept for economic considerations. | Clause 4.2 refers to the manufacturer’s policy for establishing risk acceptability and refers to the use of ALARP as one possible policy. The ISO standard does not set a requirement on the level of risk reduction required (ALARP, reducing risk as low as reasonably achievable, or AFAP). | GSPR 2: Risks must be reduced as far as possible without adversely affecting the benefit-risk ratio. | Divergence between international standard and MDR. The MDR clearly states that risks must be reduced as far as possible. The international standard allows risks to be reduced only as low as reasonable or practicable, provided they are reduced to an acceptable level. |
| Discretion as to whether a benefit-risk analysis is required: | | | |
| A benefit-risk assessment must be undertaken for all individual risks, as well as an overall benefit-risk analysis. | Clause 6: The manufacturer can set a threshold for risk acceptability, and only unacceptable risks require risk control and a benefit-risk analysis. Clause 7.4: Benefit-risk analysis. This is only conducted for unacceptable risks, to determine whether the residual risk can be accepted when considering the device benefits, or whether the device needs modification from its current design/use. Clause 8: Evaluation of overall residual risk. All residual risks are combined to evaluate the overall residual risk against the benefit of the device. | GSPR 1: Requires that any risks are acceptable when weighed against the benefits, i.e. not just the overall risk but each individual risk. GSPR 4: Manufacturers shall manage risks so that the residual risk associated with each hazard, as well as the overall residual risk, is judged acceptable. GSPR 8: All known and foreseeable risks, and any undesirable side-effects, shall be minimised and be acceptable when weighed against the evaluated benefits. | Divergence between international standard and MDR. For the MDR, each risk must have an individual benefit-risk analysis, and there must be an overall benefit-risk analysis. The international standard uses the benefit-risk assessment only for individual unacceptable risks. As with the MDR, the standard does require an overall benefit-risk analysis. |
| Discretion as to application of risk control: | | | |
| All possible control options must be applied to reduce the risk as far as possible. Risk reduction cannot stop, even if the risk meets an acceptable level, if there are further control options that could be applied to improve safety. | Clause 7.1: Risk control option analysis. Refers to risk control for reducing risks to an acceptable level. It provides the same priority order of risk control methods as the MDR: (1) safe design and manufacture, (2) protective measures, (3) information for safety. If, during risk control analysis for an unacceptable risk, the manufacturer determines that risk reduction is not practicable, the manufacturer shall conduct a benefit-risk analysis of the residual risk. | GSPR 2: Requires risks to be reduced as far as possible without adversely affecting the benefit-risk ratio. GSPR 4: Provides a priority order for risk control measures: (1) safe design and manufacture, (2) protective measures, (3) information for safety. It does not state that risk reduction can be stopped once the risk is acceptable, and it does not state that only one control measure can be applied. | Divergence between international standard and MDR. For the MDR, all possible risk control measures should be applied if they do not adversely affect the benefit-risk ratio. Risk control measures should be applied in the order stated in GSPR 4, but multiple risk control options can apply. The international standard does not require risks to be reduced as far as possible: risk reduction can stop once the risk is acceptable, even if there are additional control measures that could reduce it further. |
| Definition of the first risk control option: | | | |
| The first risk control option (safety by design) defines that risks must be eliminated or reduced as far as possible by “inherently safe design and construction”. | Clause 7.1: Risk control option analysis. Describes the first priority control as “a) inherently safe design and manufacture.” This is an amendment of the previous version of the standard, EN ISO 14971:2012 (ISO 14971:2007), which stated only “a) inherently safe design.” | GSPR 4: Describes the first priority control as “a) eliminate or reduce risks as far as possible through safe design and manufacture”. | Alignment of international standard and MDR. With the international standard updated, both the MDR and EN ISO 14971:2019 (ISO 14971:2019) require that design and manufacture are used as the highest order of control measure. |
| User information influencing the residual risk: | | | |
| Users shall be informed of the residual risk (i.e. the remaining risk after application of controls). Therefore, no further risk reduction can be attributed to informing users of the residual risk. | Clause 7.1: Risk control option analysis. Describes risk control measures for reducing the risk and states the third priority risk control measure as “c) information for safety and, where appropriate, training to users.” Information for safety is a control measure that reduces the risk to generate the residual risk. | GSPR 4: Manufacturers shall reduce all individual risks so that each individual residual risk is acceptable, as well as the overall risk. The three control measures are provided in a priority order. The third priority control is identical to the standard: “c) provide information for safety (warnings/precautions/contra-indications) and, where appropriate, training to users”. “Manufacturers shall inform users of any residual risks.” Information for safety is a control measure that reduces the risk to generate the residual risk; the residual risk is the remaining risk after application of all three risk control measures and is disclosed to the user. Note: the MDD wording around priority control was subtly different. ER 2: “In selecting the most appropriate solutions, the manufacturer must apply the following principles in the following order… a) eliminate or reduce risks as far as possible (inherently safe design and construction), b) where appropriate take adequate protection measures including alarms, if necessary, in relation to risks that cannot be eliminated, c) inform users of the residual risks due to any shortcomings of the protection measures adopted.” | Alignment of international standard and MDR. The MDR uses information for safety as a control measure to generate the residual risk (i.e. risk reduction can be attributed to the information for safety). When no further control measures can be applied to reduce the risk, this remaining, residual, risk is then communicated to the user. The international standard states that the residual risk is the remaining risk after application of the control measures, and the standard includes information for safety as one of these control measures; therefore, the standard allows information for safety to be used to reduce the risk. Previously, EN ISO 14971:2012 (ISO 14971:2007) and the MDD were not aligned on this point. The MDD would not allow risk reduction to be attributed to the information given to the user (content deviation 7): the third point of ER 2 required informing users of the residual risk, meaning the risk reduction had already been completed by the risk control measures relating to design and construction and to protection measures. The third point related to disclosure of the residual risk, and therefore risk reduction could not be attributed to informing the user. The principles around risk control measures have not changed between EN ISO 14971:2012 (ISO 14971:2007) and the current standard; the change in the MDR wording has brought the standard and the EU requirements into line. |
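The divergences in the table come down to a decision procedure: under a clause 6 acceptability policy, risk control may stop once a risk is acceptable and only unacceptable residuals get a benefit-risk analysis, whereas the MDR reading applies every control that does not worsen the benefit-risk ratio and then requires an individual benefit-risk analysis for each risk. The following toy risk register, an added illustration that is not from the article or from either standard, runs the same register through both policies and reports the gaps a reviewer applying the MDR reading would raise against the ISO-policy file (matching the Notified Body points listed earlier). The numeric scoring, the acceptability threshold, the hazards and the control names are constructed assumptions.

```python
"""Toy risk register evaluated under an ISO 14971 acceptability policy and
under the MDR 'as far as possible' reading. Constructed example; scores,
threshold, hazards and controls are made up for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Priority order of risk control options shared by ISO 14971 clause 7.1 and MDR GSPR 4
PRIORITY = {"design": 1, "protective": 2, "information": 3}

# Constructed acceptability criterion (a clause 6 policy): score <= 6 is "acceptable"
ACCEPT_THRESHOLD = 6


@dataclass
class Control:
    name: str
    kind: str                          # "design", "protective" or "information"
    reduction: int                     # constructed: points removed from the risk score
    harms_benefit_risk: bool = False   # True if applying it would worsen the benefit-risk ratio


@dataclass
class Risk:
    hazard: str
    score: int                         # constructed: severity x probability
    benefit: int                       # constructed benefit score for the individual benefit-risk analysis
    controls: List[Control]


@dataclass
class Outcome:
    applied: List[str]                 # controls actually applied, in priority order
    residual: int                      # residual risk score after control
    bra_done: bool                     # was an individual benefit-risk analysis performed?
    bra_accept: Optional[bool]         # result of that analysis, if performed


def ordered(controls: List[Control]) -> List[Control]:
    """Sort controls into the GSPR 4 / clause 7.1 priority order."""
    return sorted(controls, key=lambda c: PRIORITY[c.kind])


def evaluate_iso(risk: Risk) -> Outcome:
    """Policy permitted by ISO 14971:2019: stop controlling once the residual is
    acceptable (clause 7.3); benefit-risk analysis (7.4) only if still unacceptable."""
    residual, applied = risk.score, []
    for c in ordered(risk.controls):
        if residual <= ACCEPT_THRESHOLD:
            break                      # acceptable: no further reduction required
        if c.harms_benefit_risk:
            continue
        residual -= c.reduction
        applied.append(c.name)
    residual = max(residual, 0)
    if residual > ACCEPT_THRESHOLD:
        return Outcome(applied, residual, True, risk.benefit > residual)
    return Outcome(applied, residual, False, None)


def evaluate_mdr(risk: Risk) -> Outcome:
    """MDR reading (GSPR 1, 2, 4, 8): apply every control that does not adversely
    affect the benefit-risk ratio, whatever the starting score, then run an
    individual benefit-risk analysis on the residual."""
    residual, applied = risk.score, []
    for c in ordered(risk.controls):
        if c.harms_benefit_risk:
            continue                   # GSPR 2: not at the expense of the benefit-risk ratio
        residual -= c.reduction
        applied.append(c.name)
    residual = max(residual, 0)
    return Outcome(applied, residual, True, risk.benefit > residual)


def findings(risk: Risk, iso: Outcome, mdr: Outcome) -> List[str]:
    """Gaps a reviewer applying the MDR reading would raise against the ISO-policy file."""
    out = []
    unused = sorted(set(mdr.applied) - set(iso.applied))
    if unused:
        out.append(f"{risk.hazard}: not reduced as far as possible; unused controls {unused}")
    if not iso.bra_done:
        out.append(f"{risk.hazard}: no individual benefit-risk analysis")
    return out


def review(register: List[Risk]) -> Dict[str, List[str]]:
    return {r.hazard: findings(r, evaluate_iso(r), evaluate_mdr(r)) for r in register}


# Constructed sample register
REGISTER = [
    Risk("Electrical shock", 20, 15, [
        Control("Reinforced insulation", "design", 12),
        Control("Ground fault interrupt", "protective", 5),
        Control("Warning label", "information", 2),
    ]),
    Risk("Skin irritation from adhesive", 4, 10, [       # negligible at the outset
        Control("Hypoallergenic adhesive", "design", 2),
        Control("IFU: check skin daily", "information", 1),
    ]),
    Risk("Delayed alarm", 12, 9, [
        Control("Shorten alarm interval", "design", 3, harms_benefit_risk=True),  # more false alarms
        Control("Secondary audible alarm", "protective", 6),
        Control("Training on alarm limits", "information", 2),
    ]),
    Risk("Battery overheating", 25, 15, [               # stays unacceptable under both policies
        Control("Thermal cut-out", "design", 5),
        Control("Over-temperature alarm", "protective", 5),
        Control("IFU: charging limits", "information", 2),
    ]),
]

if __name__ == "__main__":
    for hazard, items in review(REGISTER).items():
        print(hazard, "->", items or ["no finding"])
```

The register shows where the two policies agree and where they do not: the high risk ("Battery overheating") is treated identically because it remains unacceptable after every control, so both policies apply everything and perform a benefit-risk analysis. The divergence appears on the risks that become, or already are, acceptable: the ISO policy stops early (or never starts, for the negligible adhesive risk) and skips the individual benefit-risk analysis, which is exactly what generates the "not reduced as far as possible" and "no individual benefit-risk analysis" findings.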
Key Takeaways and Conclusion
- Application of ISO 14971:2019 does not mean the medical device risk management file is fully compliant with the European MDR.
- The ISO 14971:2019 standard does not fully address the requirements of GSPR 1 and 2.
- In addition to applying the basic principles of the standard, manufacturers need to ensure that:
  - All individual risks, whether negligible or not, are fully analysed and controlled through the medical device risk management process
  - Risk acceptability criteria cannot be applied to avoid risk reduction
  - The concept of reducing risks to as low as reasonably practicable is not acceptable
  - All risks must be reduced as far as possible
  - All possible risk control measures should be applied (multiple risk control options can be applied)
  - Information for safety can be used to reduce the individual risk
  - Once the individual risk is reduced as far as possible, this is the residual risk, and it is the residual risk that should be disclosed to the user (i.e. residual risks cannot be reduced further)
  - Each risk needs its own individual benefit-risk analysis
Even low, acceptable risks must be reduced as far as possible, all possible control measures must be applied (unless they adversely affect the benefit-risk ratio), and each must have an individual benefit-risk analysis. These are the main differences between the application of ISO 14971:2019 and the MDR requirements.
But if you remember only one thing, remember that every risk must be reduced as far as possible.
Rachel Gibbs has 15 years of experience in the medical device and pharmaceutical industry and also as a senior auditor for a leading European Notified Body. Rachel started her career at the MHRA working on drug variation and renewal licensing, before moving back into academia to conduct a PhD in Immunology. Thereafter, Rachel moved into the pharmaceutical industry, joining 3M Healthcare, working on the development of metered dose inhalers and nasal sprays for FDA and EMEA drug applications. With the opening of 3M’s Skin and Wound Care laboratory, Rachel transitioned into the medical device industry and was actively involved in New Product Development for a range of wound care devices, where she specialized in design control, risk management, manufacturing upscaling and process validation. Rachel moved to BSI in 2015 as a senior auditor and clinical evaluation specialist involved in product conformity assessment to the Medical Device Directive (93/42/EEC) and subsequently audits against the Medical Device Regulation ((EU) 2017/745). Rachel joined NAMSA in 2021 and has used her knowledge of MDR auditing to advise clients regarding their regulatory and clinical strategies, undertaking gap assessments and writing MDR submission documents.