Are You Late to the Game?
Fourteen months ago, the updated “BS EN ISO 14971:2012 Medical Devices – Application of risk management to medical devices” standard was released and became effective immediately. Despite the recently passed anniversary for the effectivity of this updated standard, many medical device manufacturers have yet to update their risk management system to be compliant with the 2012 edition.
The reasons for this delay according to some medical device manufacturers range from resource availability to permissible extensions from notified bodies. Specifically, QA Consulting has learned through our clients that the timeline for complying with BS EN ISO 14971:2012 is being enforced differently across the various notified bodies. Our clients have also cited the following:
• “I heard it’s identical to EN ISO 14971:2007 and we are already operating under that standard.”
• “I plan to implement the 2012 edition when I make changes to my device or design a new product.”
• “The new edition is only pertinent to Europe and my device is sold only in the U.S.”
As clarification, the new standard is identical to EN ISO 14971:2007 (corrected version from October 01, 2007); however, this new edition contains information within Annexes ZA, ZB, and ZC that explains the differences between ISO 14971 and the expectations of the Medical Device Directive. There are seven such differences (referred to as deviations within the standard) between the Essential Requirements and the ISO 14971 standard that include but are not limited to 1) the use of “as far as possible” (AFAP) versus “as low as reasonably practicable” (ALRP), 2) accumulation of risk controls regardless of acceptability status, 3) prohibiting of risk reduction for user information related risk controls. Furthermore, the immediate effectiveness of BS EN ISO 14971:2012 applies to risk management files for currently marketed devices in addition to future device changes or new designs. While it is true that conformance to the requirements in the EN annexes is mandatory only for medical devices marketed within Europe, medical device manufacturers should strongly consider conforming to the 2012 edition because the deviations (or differences) are a smart, conservative approach to evaluating risk.
From our experiences, a comprehensive approach is required for applying the 2012 standard to existing risk management systems and remediating risk management files for currently marketed products to comply with the new edition. The following is recommended for updating the risk management system:
1) Perform a gap analysis of the existing risk management system to BS EN ISO 14971:2012
The gap analysis should be performed by an individual independent of responsibility for the risk management system. Consideration of any nonconformances to the body of the standard (which is identical to EN ISO 14971:2007) should be evaluated first and followed up by evaluation of the content deviations described in the Annexes. As a helpful hint, each of the annexes are specific to the three Directives (93/42/EEC, 90/385/EEC, and 98/79/EEC).
2) Generate a Quality Plan that addresses the gaps identified during the analysis
The quality plan should first define the corrective actions to any nonconformances identified in the gap analysis from a risk management system/quality management system viewpoint (i.e. procedural updates). Next, the quality plan should consider the risk management files for all currently marketed products and any products currently in the design phase and define the specific tasks required to bring them into compliance with the systematic updates. As it is not feasible to remedy all files at once, a risk-based approach is suggested for determining the order in which the risk management files shall be addressed and a timeline for implementation should be documented. Lastly, a robust quality plan will also evaluate other areas within the quality management system where risk should be incorporated.
3) Document the outcomes of the Quality Plan in a Quality Plan Report
Implementation of all requirements from the quality plan and any associated deviations or additions should be documented within the quality plan report. All effectiveness checks required by the quality plan should be documented as well. Where appropriate, objective evidence of implementation shall be attached or referenced. Implementation of the quality plan can potentially take several weeks to several months to complete and as such, a series of quality reports may be generated to document implementation in phases.
In summary, it is important that medical device manufacturers begin planning implementation of BS EN ISO 14971:2012 within their risk management and quality management systems as some of the changes can have a large impact on how the risk profile is defined for their medical device(s). If medical device manufacturers rely on the timeline for enforcement by their notified bodies or for their entry into the European market, they risk market delays and/or remediation expenses.
