Since the EN version of ISO 14971 was released in 2012 I have received lots of requests from clients to help address nonconformities from Notified Body auditors. In the past year the frequency of this nonconformity has increased substantially.

The FDA only requires documentation of risk management in a 510k submission if the product contains software and the risk is at least a “moderate concern.” Even then, the 510k submission only requires submission of a design risk analysis. Therefore, it is not uncommon for a product that is already 510k cleared to receive audit nonconformities related to the risk management documentation during a technical file review by a Notified Body.

The FDA recognizes ISO 14971:2007 as the standard for risk management of medical devices. CE Marking also requires compliance with ISO 14971, but specifically the European national version of the standard (i.e., EN ISO 14971:2012). The most common technical file deficiencies related to risk management during a CE Marking application include the following:

compliance with ISO 14971:2007 instead of EN ISO 14971:2012
reduction of risks as low as reasonably practicable (ALARP) instead of reducing risks as far as possible (AFAP)
reducing risks by notifying users and patients of residual risks in the IFU
only addressing unacceptable risks with risk controls instead of all risks–including negligible risks

Each of these deficiencies is also explained in Annex ZA, ZB and ZC of EN ISO 14971:2012. I also wrote seven blogs in 2014 explaining each of the 7 deviations–including practical recommendations to address each deviation.

Using a Risk Traceability Matrix
Almost every company I work with is using a design FMEA for documenting risk analysis. However, I no longer recommend using a dFMEA for the following reasons:

– risk analysis is organized by failure mode instead of by hazard, which makes it more difficult to review and update in response to complaints and adverse events
– hazards are more difficult to trace to the information disclosed to users in the IFU

Instead I recommend using a risk traceability matrix that is integrated with your design traceability matrix. I have included a copy of this with my procedure. I have used it for several design projects so far and it saves a lot of time in documenting risk analysis and ensuring 100% of the residual risks are addressed in your product IFU.

Procedures & Templates
The first step in responding to correcting deficiencies in your risk management process is to update your procedure. The following basic elements need to be included in the procedure:
– risk management plan
– hazard identification
– risk analysis
– risk control option analysis
– verification of risk control effectiveness
– risk / benefit analysis
-risk management report

Many of the procedures I review focus on the risk analysis process, and the most common tool for risk analysis is a failure modes and effects analysis. This is an excellent tool for process risk analysis, but it is only one of many possible tools and it is not ideally suited for design risk analysis. In addition, your procedure is not adequate as a risk management plan. You need risk management plans that are product-specific or specific to a product family. Your risk management plan must also change and adapt as products progress from the design and development process to post-market surveillance. Finally, many of the procedures only require a risk / benefit analysis to be performed when risks are not acceptable, while the European MDD requires that all CE Marked products include a risk / benefit analysis for each risk identified in the risk analysis and the overall risk of the product or product family.

This weekend I also finished updating my own risk management procedure for compliance with EN ISO 14971:2012. Please click here if your are interested in learning more (http://medicaldeviceacademy.com/risk-management-procedure/).

source: https://www.linkedin.com/groups/2070960/2070960-6061868945462345730