ISO 14971 is an international standard that covers the risk management system used for medical devices. While it can be used as a voluntary standard, ISO 14971 can also be used as a mandatory legal requirement in some countries. For example, all countries within the European Union are required by the Medical Device Directive to have domestic laws forcing device manufacturers to follow the standard.
One of the key principles of ISO 14971 is that no medical device can be entirely risk-free. It therefore works on the basis of limiting risk, taking into account both the likelihood of a device causing harm, and the severity of such harm if it does occur. It does not lay down a specific acceptable level of risk but rather covers the way in which manufacturers can assess risk and make informed decisions.
Although the standard deals primarily with the risk to patients, it does cover the potential risk to other people, equipment and the environment. It specifically deals with the risk management of the manufacturer. The standard does not deal with the risk management of decisions of other parties, for example the way medical professionals weigh the potential risk of equipment against the potential benefit to patients.
The main requirement ISO 14971 places on manufacturers is to set up a risk management process. This process must be ongoing throughout the life of the device. This means that simply ensuring acceptable risk at the point of manufacture and sale will be insufficient.
The risk management process must include four elements: analysis, evaluation, control and information. Analysis involves looking at the device, its safety features, its potential hazards and the consequential risks. Evaluation involves taking the data from analysis and deciding if it is acceptable or indicates a need for modifications. Risk control involves examining how risks can be mitigated and whether the actions required to bring about mitigation will themselves bring fresh risks. Information involves compiling the details from the rest of the process in a clear manner for future reference.
ISO 14971 also includes several requirements about how the risk management process is conducted. Senior management staff at the manufacturer are required to make sure adequate resources are made available to carry out the process. They are also required to determine the acceptable level of risk in the device. Those who actually carry out the risk management process must be adequately qualified or experienced, which can involve both understanding of risk management and expert knowledge of the device itself.