4 General requirements                 pdca p

 

4.1 Risk management

Requirements of ISO 14971, clauses, process

Requirements 1 to 11 (see also the quiz)

risk management 

The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) of ISO 14971 in clauses 4 to 10 are shown in figure 4-1:

 4-1
Figure 4-1. Requirements of ISO 14971

These requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) allow MD manufacturers to:

Risk is everyone’s business

Integrating risk management into all company processes is a key objective.

The requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) apply to all stages of the life cycle of MDs and to the risks associated with a MD such as:

When a requirementexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) is linked to a risk control measure, it becomes a safety requirementexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) for the medical device.

The “Manage risks of a medical device” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) and the clauses of ISO 14971 are shown in figure 4-2, cf. annex 04record processus

manage risks

Figure 4-2. Manage risks of an MD

The “Risk management” procedure allows you to follow the essential steps, cf. annex 09

The “Risk Support”, in Excel format, allows you to identify, analyze, evaluate and treat DM risks, cf. annex 10record

The “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) can also be represented as follows (figure 4.3): processus

address

Figure 4-3. The process Address MD risks

As we will see in the following chapters, some processes include activities or sub-processes. A description of the processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) activities in the form of a flow diagram is shown in annex B.2, figure B.1 of ISO 14971 with details of the relevant paragraphs.

The “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) allows you to:

A list of risks is proposed in annex 11record

A risk manager should always assume that the list of risks considered, no matter how extensive, is incomplete. Douglas Hubbard

Risk management is dynamic, iterative and responsive to any change.

The “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) includes the following elements:

 The MD processes are described in clause 7 of ISO 13485, cf. the T 22v16 training. explications

True story

A manufacturer of connected pacemakers identified a hacking risk, which could lead to:

•    modification of parameters (danger to the patient)
•    theft of medical data
•    non-compliance with the GDPR and the FDA

Proposed corrective actions:

•    review of regulatory requirements (FDA, GDPR)
•    enhanced encryption of communications (AES-256)
•    vulnerability analysis of the embedded software and its automatic update
•    penetration testing (simulated cyberattacks)
•    external security audit (ISO 27001 certification)
•    training of teams in cyber security best practices
•    creation of a cyber-crisis committee (incident response)

Results achieved:

•    zero reported cyber security incidents
•    full compliance with the FDA and the GDPR
•    increased patient and physician confidence

Good practices
Bad practices

Top of the page

 

4.2 Top management responsibilities

Commitment, risk policy, management review

Requirements 12 to 19

documentstop management

Give freedom, you will get responsibility. Reed Hastings

Top management commitment to the “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) consists, among other things, of ensuring the availability of the necessary resources and staff with in-depth expertise in risk management.

Top management establishes a risk policy (risk management policy), cf. annex 12 in order to: record

The risk policy may include:

The policy is updated once a year.

One possibility for the risk acceptability criteria is to choose as a risk reduction approach, without modifying the benefit-risk ratio, between as many as:

True story

The Manhattan military project (the creation of the atomic bomb) was moving too slowly. Secrecy was required for security reasons and the very nature of the project was hidden from all staff.

To move up a gear, project manager Robert Oppenheimer decided to inform all members of the team of the nature of the project, its extreme urgency and its crucial importance for the end of the war. An unsuspected energy was released; the work progressed by leaps and bounds.

Informing about the mission, giving meaning to the work and trusting the staff are guarantees of success for any project.

Top management and auditors regularly check the effectiveness of the “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1), cf. annex 13. Any decision taken or action carried out in relation to the processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) is documented, cf. annex 14record

When the manufacturer has implemented a quality management systemset of processes allowing the achievement of the quality objectives (see also ISO 9000, 3.2.3), which is almost always the case, checking the effectiveness of the “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) is part of the management review.

Good practices
Bad practices

Top of the page

 

4.3 Competence of personnel

Education, training, experience, knowledge

Requirements 20 to 23

competence

To succeed in life, you must find a domain, a skill, or something that you love to do and for which you are naturally gifted. Bob Davids 

People carrying out activities linked to the “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) are competent thanks to their:

These people have for the use of MD:

Top management assigns specific responsibilities and authorities to the risk manager in relation to the “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1), cf. annex 15record

(Almost) true story

The story of the three stonecutters conveys a great deal. When asked about their work: 

  • the first replied that he is cutting stones for a living
  • the second that he tries to be the best stonemason in the country
  • while the third answered that he is building a cathedral

Hence the three main types of relationship to work: 

  • livelihood 
  • career
  • vocation

A record of the skills required of the people involved, including experts and consultants, is kept up to date (personal files). record

smileMinute of relaxation. Cf. the “Gold contract” joke

Good practices
Bad practices

Top of the page

 

4.4 Risk management plan

Get organized, remain objective

Requirements 24 to 35

plan

The tiles which protect from the rain were all installed in good weather. Chinese proverb

The risk management plan is part of the risk management file, cf. § 4.5 and annex 16record

True story

The power supply to the computer room must be interrupted due to maintenance work. This is an opportunity to simulate a power outage. The staff is notified in order to observe how the shutdown of the servers will take place.

The planned day arrives: the power is cut off and the power goes to inverters, which provide around 50 minutes of autonomy. Operators initiate machine shutdown procedures in the computer room. But some machines are in a locked cabinet, which was not planned! We end up finding the bunch of keys, but they are not clearly identified, which wastes time trying them one by one. In the end, what remains is a machine that cannot be accessed: the cabinet key is found but not the second one needed to activate the keyboard. The machine ends up stopping due to lack of power, which was not planned! But it turns out that this machine is rightly considered critical.

Conclusion: a small oversight almost ruined everything! Concerning critical machines, it is better to analyze all potential problems in advance and in detail. 

The plan allows, among other things, to get organized, to remain objective and not to forget any significant element.

The risk management plan includes at least:

explicationsAnnex C of ISO/TR 24971 contains, among other things, examples and recommendations on risk policy and risk acceptability criteria.

Any change to the risk management plan is recorded in the risk management file, cf. § 4.5 and annexes 16 and 25record

Good practices
Bad practices

Top of the page

 

4.5 Risk management file

File, records, traceability

Requirements 36 to 40

rism management file

If it's not documented, it didn't happen. Milt Dentch

For each MD throughout its life cycle, the manufacturer establishes and maintains a risk management file, cf. annex 17record

Records included may only be referenced, but readily available, if needed.

The risk management file makes it possible to maintain traceability of each hazard identified in relation to:

To do this, each document is indexed (or includes a version number).

Concerning medical devices that include software, the IEC 62304 standard requires traceability:

The risk management file includes, among other things: record

Any incomplete activity in the “Address MD risks” processactivities which transform inputs into outputs (see also ISO 9000, 3.4.1) such as an unidentified hazard, non evaluated risk or ineffective risk control measure can result in significant harm.

The risk management file is available to all staff.

Good practices
Bad practices

Top of the page