ISO/TR 24971:2020: Medical Devices — Guidance on the Application of ISO 14971
ISO/TR
24971
TECHNICAL
REPORT
Second edition
2020-05
Medical devices — Guidance on the
application of ISO 14971
Dispositifs médicaux — Directives relatives à l'ISO 14971
PROOF/ÉPREUVE
Reference number
ISO/TR 24971:2020(E)
©
ISO 2020
ISO/TR 24971:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO 2020
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
PROOF/ÉPREUVE
ii © ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Contents
Page
Foreword v
Introduction vi
..........................................................................................................................................................................................................................................
1 Scope 1
................................................................................................................................................................................................................................
2 Normative references 1
.................................................................................................................................................................................................................................
3 Terms and definitions 1
......................................................................................................................................................................................
4 General requirements for risk management system 1
.....................................................................................................................................................................................
Risk managementprocess
......................................................................................................
4.1 Top manag ement ........................................................................................................................................................1
4.2 Management responsibilities .................................. r ... i . s ... k ............................................................................................................1
4.2.1 ri scko mmmanitamgeenmt .. e ... n ... t .. .. p ... r ... o ... c .. e ... s ... s ............................................................................................1
4.2.2 Policy for establishing criteria for acceptability .......................................................................2
4R.i2s.k3 manSuaigtaebmileitnyt of the ........................................................................................2
4.3 Competence of personnel ..............................................................................................................................................................2
4.4 plrains k ... .. m ..... a ... n .... a ... g ... e ... m ...... e ... n ... t ............................................................................................................................3
4.4.1 General......................................................................................................................................................................................3
4.4.2 Scope of the risk p mlaann .. a .... g ... e ... m ..... e ... n .... t .....................................................................................4
4.4.3 Assignmentr oisf kresponsibilities and authorities ....................................................................................4
4.4.4 Requirements for review ofr esidual risk activities ...........................................................4
4.4.5 VCerirtiefriciaa tfoiorn acceptability ................................................................................................................................4
4.4.6 Method to evaluate overall and criteria for acceppotastb-ility .........................4
4.4.7 production activities ..................................................................................................................................................5
4R.i4s.k8 manAactgiveimtieens tr efillaeted to collection and review of production and
information ............................................................................................................................................5
5 Risk analysis 6
4.5 ...................................................................................................................................................................5
Riskanalysisprocess
.............................................................................................................................................................................................................
Intended use reasonably foreseeable misuse
5.1 ................................................ s ... a ... f .. e ... t ... y .......................................................................................................6
5.2 and .............................................................................................6
5.3 IdentificaHtaiozna rodf scharacteristics related to ...................................................................................................7
5.4 Identification of hazards and hazardous situations ................................................................................................7
5.4.1 Hazardo u ... s ... . s ... i .. t .. u ... a .... t .. i .. o ... n ... s ...................................................................................................................................................7
5.4.2 HHaazzaarrddoouuss s sitituuaatitoionns sin general .........................................................................................................................7
5.4.3 Hazardous situations resulting from faults ...........................................................................................8
5.4.4 Hazardous situations resulting from random faults ......................................................................8
5.4.5 resulting from systematic faults ...............................................................8
5R.i4s.k6 estimation arising from security vulnerabilities ....................................................9
5.4.7 Sequences or combinations of events ...........................................................................................................9
5.5 .................................................................................................................................................................................11
5.5.1 RGeisnkesral...................................................................................................................................................................................11
5.5.2 SPerovebraibtiylity ..........................................................................................................................................................................12
5.5.3 for which probability cannot be estimated .............................................................................12
5.5.4 ...............................................................................................................................................................................13
6 Risk evaluation 15
5.5.5 Examples ..............................................................................................................................................................................13
7 Risk control 15
.....................................................................................................................................................................................................
Risk control
..............................................................................................................................................................................................................
Risk control medical device
7.1 Risk ocpotniotrno alnalysis .............................. p .... r ... o ... c .. e ... s ... s ... e ... s ..............................................................................................15
7.1.1 forr isk control design ...................................................................................................15
7.1.2 ris fko rc omnatnroulfacturing ...........................................................................................17
7R.e1s.3id ualS rtaisnkdards and ................................................................................................................................18
7.2 IBmenpelefmit-ernistaktion of measures ..................................................................................................................18
7.3 evaluation .............................................................................................................................................................18
7.4 Ben eafnitalysis .......................................................................................................................................................................18
7.4.1 General...................................................................................................................................................................................18
7.4.2 estimation ..... P ... R .... O ... O .... F ... / ... É ... P ... R .... E ... U .... V ... E ..........................................................................................................19
© ISO 2020 – All rights reserved iii
ISO/TR 24971:2020(E)
benefit-risk
Benefit-risk
7.4.3 Criteria for benefit-risk analysis ....................................................................................................................20
7R.i4s.k4s ris cko cmopnatrrioslon........................................................................................................................................20
7.4.5 Examplersi oskf control analyses ................................................................................................................20
7.5 arising from measures ...................................................................................................................21
8 Evaluation of overall residual risk 21
7.6 Completeness of ................................................................................................................................................21
...................................................................................................................................................
8.1 General considerations .................................................................................................................................................................21
8.2 Inputs and other considerations ..........................................................................................................................................22
9 Risk management review 24
8.3 Possible approaches ........................................................................................................................................................................23
10 Production and post-production activities 24
..........................................................................................................................................................................
..............................................................................................................................
10.1 General ........................................................................................................................................................................................................24
10.2 Information collection ...................................................................................................................................................................24
10.3 Information review ..........................................................................................................................................................................26
Annex A Identification of hazards and characteristics related to safety 29
10.4 Actions .........................................................................................................................................................................................................27
Annex B Techniques that support risk analysis 37
(informative) ................................
Annex C Relation between the policy, criteria for risk acceptability,risk
(informative) ................................................................................................
control and risk evaluation 42
(informative)
Annex D Information for safety and information on residual risk 47
......................................................................................................................................................................
Annex E Role of international standards in risk management 50
(informative) ...............................................
Annex F Guidance on risks related to security 55
(informative) .........................................................
Annex G Components and devices designed without using ISO 14971 60
(informative) ..................................................................................................
Annex H Guidance for in vitro diagnostic medical devices 62
(informative) ...................................
Bibliography 85
(informative) .....................................................................
.............................................................................................................................................................................................................................
PROOF/ÉPREUVE
iv © ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electproroteccehdunriceasl standardization.
The used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives -and -policies).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www .iso .org/ patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO’s adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see the following
URL: www .iso .org/ iso/ foreword .html. Quality management and
corresponding general aspects for medical devices Common aspects of
Telhecist rdicoaclu emqueinptm wenats upseredp inar mede djiocianl tplyra bcyti cTeechnical Committee ISO/TC 210,
, and Subcommittee IEC/SC 62A,
.
This second edition cancels and replaces the first edition, which has been technically revised. The main
changes compared to the previous edition are as follows:
— The clauses of ISO/TR 24971:2013 and some informative annexes of ISO 14971:2007 are merged,
restructured, technically revised, and supplemented with additional guidance.
— To facilitatrei stkh em uasnea ogfe mtheisn tdocument, the same structure and numbering of clauses and subclauses
as in ISO 14971:2019 is employed. The informative annexes contain additional guidance on specific
aspects of .
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html.
PROOF/ÉPREUVE
© ISO 2020 – All rights reserved v
ISO/TR 24971:2020(E)
Introduction
manufacturers
risk management process medical devices
This document provMidedesic aglu dideavniccees t—o aAspspislitc ation of risk m ainn atgheem deenvt etloo pmmeednicta, li mdepvleicmesentation and
maintenance of a for that aimmesd itcoa lm deeevti ctehse requirmemedeinctasl
odef vIiScOes 14971:2019, medical devices . It pmroevdiidceasl
gdeuvidicaensce onin t vhiet raop dpialigcnatoisotnic omf eIdSiOca 1l 4d9ev7i1c:e2s019 for a wide variety of . These
include active, non-active, implantable, and non-implantable , software as
and .
The clauses and subclauses in this document have the same structure and numbering as the clauses
and subclauses of ISO 14971:2019, to facilitate the use of thriissk g muiadnaangceem ienn atpplying the requirements
of the standard. Further division into subclauses is applied where considered useful. The informative
annexes contain additional guidance on specific aspects of . The guidance consists of
the clauses of ISO/TR 24971:2013 and some of the informative annexes of ISO 14971:2007, which are
merged, restructured, technically revised, and supplemented with additional gCuliindicaanlc lea.boratory testing
and in vitro diagnostic test systems
Annex H was prepared in cooperation with Technical Committee ISO/TC 212,
. manufacturers
risk management process
This document describes approaches that can use to develop, implement and maintain
a conforming to ISO 14971:2019. Alternative approaches can also satisfy the
requirements of ISO 14971:2019.
medical device(s) medical devices
When judging the applicability of the guidance in this document, one should consider the nature of
the to which it will apply, how and by whom these are used, and the
applicable regulatory requirements.
PROOF/ÉPREUVE
vi © ISO 2020 – All rights reserved
TECHNICAL REPORT ISO/TR 24971:2020(E)
Medical devices — Guidance on the application of ISO 14971
1 Scope
risk
management medical devices
This document provides guidance on the development, implementation and maintenance of a
risk man asgyesmteemnt foprro cess according to ISO 14971:2019.
The can be part of a quality management system, for example one that is based
[24]
on ISO 134r8is5k:2 m0a1n6age,m beunt tthis is not required by ISO 14971:2019. Some requirements in ISO 13485:2016
(ISCOla 1u3s4e 875 :2o0n1 6prod Muecdt icraeal dliezvaitcieosn an Ad p 8ra.2c.t1ic aoln g ufeideedback during monitoring and measurement) are
related to and can be fulfilled by applying ISO 14971:2019. See also the ISO Handbook:
[25]
— — .
2 Normative references
Medical devices — Application of risk management to medical devices
ISO 14971:2019,
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO 14971:2019 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
medical device
[20]
NOTE The defined terms in ISO 14971:2019 are derived as much as possible from ISO/IEC Guide 63:2019
which was developed specifically for the sector.
4 General requirements for risk management system
4.1 Risk management process
manufacturer
risk management process life cycle medical device
ISO 149p7r1o:c2e0ss19 requires that the top ma neasgtaebmliesnhtes, implements, documents and maintains an
ongoing throughout the of the . The required elements
in this and the responsibilities of are given in ISO 14971:2019 and explained in
further detail in this document.
4.2 Management responsibilities
4.2.1 Top management commitment
Top management risk managementprocess
top management Top management
has the responsibility to establish and maintain an effective .
It is important to note the emphasis on in ISO 14971:2019 risk mana hgaesm tehnet
pproowceerss to assign authorities and responsibilities, to set priorities and to provide resources within the
organization. Commitment at the highest level of the organization is essential for the
m aton ubfea cetfufercetri’vse.
top management
Irfi stkh em anagement pro ocersgsanization consists of separate enrtiistkie ms,a fnoar geexmamenptlep rboucseisnsess units or divisions,
then can refer to those individuals who direct and control the entity implementing the
. Each entity can have its own (and its own quality
management system).
PROOF/ÉPREUVE 1
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
4.2.2 Policy for establishing criteria for risk acceptability
top management
risk
ISO 14971:2019requires to define and document the policy for establishing criteria
for acceptability. Annsteaxt eC opf rtohvei daerst detailed guidance on how to define such a policy and which
elements should be included, such as applicarbilsek regulations, relevant international standards, rtihsek
cgoennterroallly acrkisnko ewvlaeldugaetido n and known stakeholder concerns. Annex C also explains the
relation between the policy and the criteria for acceptability and how these criteria are used in
and . medical device medical device
medical device intended use
The policy can allow specific criteria for each type of (or family). This
can depend on the characteristics of trhesei dual risk and its (including the intended
patient population). ISO 14971:2019requires that the policy provides guidelines on how to establish the
criteria for acceptability of the overall .
4.2.3 Suitability of the risk management process
top management risk management process
risk management process
ISO 14971:2019requires to review the suitability of the at
planned intervals. The review of the suitability is a high-level review of the
and can include reviewing the following arsipsekc mtsa, nfoarg eemxaemntp pler:ocedures
— the effectiveness of the implemernistked ;
risk medical devices
— the adequacy of the criteria for acceptability, which can imply the need for an adaptation of the
criteria for acceptability for specific ; andpost-production
— the effectiveness of the feedback loop of the production and information (see 10.4).
4.3 Competence of personnel
top management
risk management
Ensuring the assignment of competent personnel is a responsibility of . Examples of
the personnel that can be involved in specific tasks and the relevant knowledge and
experierniscke smuapnpaogretminegn etffective completion of the associated tasks are given in Table 1.
objective evidence
Some activities can be performed by external consultants or specialists. The
required competence should be documented as well as the of the fulfilment of these
requirements.
Table 1 — Examples of competent personnel and relevant knowledge and experience
Personnel or function Knowledge and experience
Risk management Medical device risk management process
Medical device
owner
Engineer or scientist technologies, design and
processes
operating principles
Operations Manufacturing
processes
Supply-chain management Sources of material and services, in-
cluding outsourced
Medical or clinical expert Clinical evaluation methodologies and
ben-
requirements
efits hazardous situations
Uhasrem in medical practice, including
, and possible
safety risk management
Regulatory affairs Regulatory requirementms peedrictaali ndienvgic teo
and in coun-
tries/regions where the
is intended to be marketed
Quality assurance Quality management systems and qual-
ity practices
2 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table 1 (continued)
Personnel or function Knowledge and experience
Hazards risk control
Packaging, storage, handling and measures in
and distribution relation to packaging, storage, handling
Hazards risk control
and distribution
Service engineer, biomedical and measures in
engineer or medical physicist rperloacteiossne sto installation, maintenance,
repair, calibration, service and support
Post-production
and practices
Customer complaints and adverse event
processes
reporting, post-market surveillance
Information services Data mining , methodologies
for literature search
Arelcl oinrddsividuals involved in the Expertise in the functional area for
review and approval of the which they are reviewing and approving
risk management
Consider the need to inricslku dmea tnhaeg feomlleonwting topics in tmheed eidcaulc daetivoince osf experts:
— managesmafeetnyt of a program for ;
— ethics, r,i sske,cruisrkity and liability; benefit-risk
— concepts of acceptabriilsitky m aannda gement analysis;
— rpirsokb mabainlaitgye amnedn sttatistics for and reliability;
— and reliability in design and development;
— rreislke veastnitm sattainodnards and regulations; severity harm
— risk assessment including methods to determine the and probability of occurrence of ;
— ris kmethodology;
— methods for control; risk control
— methods for verifying the effectivenessp oofs t-production measures;
— methods for analysing production and information.
4.4 Risk management plan
4.4.1 General
risk management risk management
risk post-production
The plan describes the scope omf ethdeic al device r iasckt mivaitnieasg,e tmheen rtesponsibilities
and authorities of those involved, the criltiefer ciay cfloer raicscke mpatanbaiglietmy,e tnhte production and
information to be collected and reviewed for the , and all activities that
are carried out during the entire product . The plan can be a separate document,
or it can be integrated with other dpoocsut-mpreondtuatcitoionn, e.g. quality management system documentation. It
can be self-contained or it can reference other documents, such as planning of clinical, biological or
usabriilsitky m evaanlaugaetmioennst or planning of activities. life
cycle medical device
The plan is a “living domcuemdiecnatl ”d tehvaicte will be reviewed and updated throughout the
of the asr nisekw m iannfoargmemateinotn becomes available. Ther iisnkf omramnaatgioemn esnhto fuillde be collected
on a continuous basis, even after the last is sold and placed on the market. ISO 14971:2019
requires that changes to the plan be recorded in ther isk management .
risk medical device
The extent of planned activities and the level of detail of the plan should be
commensurate with the level of associated with the . The requirements in
PROOF/ÉPREUVE 3
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
risk management Manufacturers
risk analysis risk
ISO 14971:2019 are the minimum requirements for a plan. can include
other items such as time-schedule, tools, or a rationale for the choice of specific
acceptability criteria.
4.4.2 Scope of the risk management plan
medical device life cycle
The scope identifies and describes the and the phases for which each element of
the plan is applicable. risk management process
medical device
Spoomst-ep roof dtuhcet eiolenments of the plan can apply to the product realization (design,
dmeevdeilcoapl mdeevnict eand production of the ). Other elements can apply to the production and
phase (such as installation, use, maintenance, decommissioning and disposal of the
).
4.4.3 Assignment of responsibilities and authorities
risk management
risk management risk management
The plan identifies the personnel or functions with respornisskib miliatnya fgoerm tehnet execution
of specific activities related to (see Table 1). In addition, the plan
imdeednitciafile ds etvhiec eindivimduedailcsa wl ditehv aicpepropriate authority to review and approves afety decisions
and actions. This can entail assignment of personnel familiar with ltihfee cuyncileque characteristics of the
(or family) and their possible relevance to . This assignment can
be included in a resource allocation matrix defined for the specific phase and the activities
covered in the scope of the plan.
4.4.4 Requirements for review of risk management activities
risk management risk management
medical device medical device
The plan details how and when the activities will be reviewed for a
specific (or family). rTihskis m shaonualgde imnecnlutde the review method, the responsible
irnisdki vmidaunaalgse omre fnutnctions, who is required to participate in the review, and hroiswk mthaen raegveimewen rtesults are
managed. The results of the review of planned activities will be consolidated in the
report (see Clause 9). The requirements for the review of activities
can be part of other quality system review requirements, such as design and development review (see
[24]
ISO 13485 ).
4.4.5 Criteria for risk acceptability
risk manufacturer’s
risk harm
Criteria for acceptability are establishreisdk according to the psoelviceryi tfyor dheatremrmining
acceptable . This includes criteria for situations wmheerdeic tahle d pevroicbeasbilitmy eodf ioccacl udrerveicnece of cannot
be estimated, in which case the criteria for acceptability can be based on the of alone.
The criteria can be common for categories of simrisiklar (or fraimski laiesss)e.ssment
risk assessment
It is important to establish the criteria for acceptability before starting the .
Otherwise, the results of the could influence the decision when establishing the criteria.
risk evaluation
See Annex C for further guidance and examples of criteria that are derived from the policy and applied
in .
4.4.6 Method to evaluate overall residual risk and criteria for acceptability
residual risk
manufacturer’s risk
The method to evaluate the overall ris akn md atnhaeg cermiteenrtia for its acceptability arem deedriicvael dd fervoicme
the policy for establishing criteria for acceptability. ISO 14971:201r9es rideuqauli rreissk that
the method and the criteria be stated in the plan for the particular
under development. Some inputs for and considerations on the evaluation of overall are
listed in Clause 8.
4 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
4.4.7 Verification activities
risk management verification
risk management verification
The plan specifies how the two activities required per 7.2 of ISO 14971:2019
are carried out. The plan can detail the activities explicitly or by reference
tVoe roitfihceart ipolnans. risk control
verification verification
of implementation of measures can be part of design review, approval of
specifications, design and development in a quality management system, or other
aVcetriivfiictaietsio inn a quality management syrsitsekm c.ontrol
verification
of the effectiveness of measures can be part of design and development
in a quality management system. It can require the collection of clinical data, usability
studies, etc., as part of design and development validation in a quality management system.
4.4.8 Activities related to collection and review of production and post-production information
manufacturer
medical device post-production
ISO 14971:2019 requires thes afety to establish a systermis kt om aancatigveemlye nctollect and review
information about the in the pMroadnuucfaticotnu raenrds phases and to review this
information for relevance to . Thus, it is important that the plan inclpurdoecse stshees
activities necessary to establish this system. should understand that the information to
be collected can be voluminous and comes from many disparate sources. Consequently, robust
should be used to analyse the information and to identify trends that could otherwise go undiscovered,
so that appropriate conclusions and actions can be taken. Statistical techniques should be considered to
assist in the processing of the collected data.
The system to actively collect and review information includes monitomrianngu afancdt urreecreiving feedback such
as complaints and adverse event reports. In addition, the system should include active msoeldiciciatal tdieovni coef
feedback from users and collection of other relevant information. The should consider the
extent of these activities and determine which activities armee adpipcarol pdreivaitcee sfor the particular .
risks medical devices intended uses
For example, limited monitoring might be sufficient for risks with a long history of use and
well understood . For involving novel treatments (for example new ) or
innovative technologies and mpoesdsicibally d weviitche less understood , more elaborate monitoring including
post-market clinical follow-up (PMCF) studies could be warranted to understand the issues that can
arise in the actual use of the . Fuprotsht-eprr goudiudcatniocne is provided in Clause 10.
processes
The methodp rfoocre dcuorlleecting production and information can be part omf eedsictaalb dliesvhiecde
[24]
quality management system (see for examprlies k8 .m2 aonf aISgOem 13en4t85:2016 ). While a reference to
an existing can be sufficient in some cases, any requirementrsi sskp mecainfiacg teom tehnet
under consideration should be documented in the plan. Details of the monitoring
activities and any planned PMCF studies should also be specified in the plrainsk.
medical devices
Tsehvee rfirteyquehnacrym of review of the collected information should be commensurate with the and can
alsom deedpiecnald d oenv itchee number of on the market, the number of incidents reported and the
of reported. The collection and review should continue during the expected lifetime of
the .
4.5 Risk management file
manufacturer risk management file
records risk management medical device
ISO 14971:2019lifere cqyuclieres the to establish and maintain a , which
contains and other documents crreecaoterdds during activities for the
throruisgkh omuat nitasg ement fi lferom inirtiisakl cmoanncaegpetmioenn ut nftiliel final decommissioning and disposal. The individual
clauses in ISOr 1is4k9 m71a:n2a0g1e9msepnetc pifryo cwehssat and relatemd eddoiccuaml deenvticse a’sreli fteo c bycel emaintained as part of
the . The should provide the information necessary for the
revierwisk o mf tahnea gement file at any phase in the m edical d.evice medical
device risk management records
The life cycle can be smtreudcictaulr edde vainced organized for one type of or for al ife cycle
family. It is important that the can be assembled in a timely fashion
throughout the of the , as the information could be used during the
PROOF/ÉPREUVE 5
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
post-
production medical device
to support other activities and decision making, for example during review of production and
risk ma innafgoermmeantito fnil,e evaluation of the effect of a change to the risk man, aogr edmuernint gfi laeudits.
records records
The is a logical construct. It is not mneacneusfsaacrtyu rtehra’st the physically
creocnotradinss all the required and related documents. The and related dorceucmorednsts can be
part of files required by other systems such as the quality management system. The
and related documents can exist in any format or mheadziaa r(dhard copyri, sekl eacntraolynsiics risk ev, aeltuca.)t.ion
verification risk control residual risk
ISO 14971:2019 requires traceability for each identified hazards to the , ,
implreismke mntaantaiogne maenndt process of measures, and the evaluation of .
Tracreiaskb imlitayn aisg eam reenqtu fiirleement to prove that all identified hhaazvaer dbeen completely addressed in
the risk . A traceability tool can be used to phroavzaidred san index to each document in
the providing information orne stihdeu aidl ernistkified . Such an index can be uspeofsut-l
ipnr otdhuec mtioannagement of knowledge concerning the identified . This index could be used in
later activmiteiedsic asul cdhe vaicse the evaluation of overall and the review of production and
information. Traceability should be updated as new information becomes available and
when the is changed. risk management file medical devices
See Annex G for guidance on building a for that were designed
without using ISO 14971:2019.
5 Risk analysis
5.1 Risk analysis process
risk analysisprocess
The consists of the following steps, which are explained in further detail in the next
subclauses: intended use medical device reasonably foreseeable misuse
— description of the of the medical de avnicde safety ;
— identification of thhaez acrhdasracterhiasztiacrsd oofu tsh seit uations that are relatemde tdoic al dev;ice
— identification roifs ks andh azardous situation associated with the ;
— estimation of for each .
5.2 Intended use and reasonably foreseeable misuse
intended use
The should take into account information such as:
— the intended medical indication, e.g. treatment or diagnosis of type 2 diabetes mellitus, cardiovascular
disease, bone fracture, infertility;
— patient population, e.g. age groups (adults, children, adolescent, elderly), gender (male, female), or
disease state;
— part of the body or type of tissue interacted with, e.g. leg or arm;
— user profile, e.g. patient, lay person, health care provider;
— use environment, e.g. home, hospital, intensive care unit; and
— operating principle, e.g. mechanical piston driven syringe, X-ray imaging, MR imaging, subcutaneous
Reasdornuagb ldye lfiovreersye.eable misuse medical device
manufacturer
use error is defined as use of the in a way not intmeneddiecda l bdye vtihcee
, but which can result from readily predmicatanbulfea chtuurmearn behaviourer.a sTohniasb lcya nfo rreesleaetea btloe
misuse (slip, lapse or mistake), intentional acts of misuse, and intentional use of the
for other (medical) applications than intended by the . Cases of
can be identified during design and development by an analysis of simulated use, for example
6 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
process post-production
Reasonably foreseeable misuse life cycle medical device
by applying a usability engineering , or during tmhea nufacturer’s phase by an analysis of
actual use. can be identified throughout the of a ,
including iterations of design activities, during which the ability to anticipate potential
misuse progressively increapsreosc.ess
The usability engineering m ceadnic ahle dlpe vtioc edetermine whether a particular misusem isa nruefaascotnuraebrl’ys
foreseeable or not, for example by observation during usability testing. The usarbisiklity test might reveal
that users could routinely use the in a mparnonceedr uthreast is not according to the
instructions. This misuse can occur due to poor working culture, inadequate perception, limited
knowledge of the consequences, or because operreaatsionnga bly foresee aarbele n omti csulesaer.
process
The following example illustrates a case of that was identified and
analysed by application of a usability engineering . More information on usability engineering
[16] [17]
medical device
can be found in IEC 62366-1 and IEC TR 62366-2 .
medical device
EXAMPLEha rm A single-use is designed to baec cuosmedp aonnylyin ogn dcoec, ubmute intt iast iroenasonably foreseeable that
some users might attempt to reuse the . Therefore, warnings againsts arfeeutsye and indications of the
possible resulting from reuse were included in threis k medical devic.e Application of usability
[16]
engineering according to IEC 62366-1 demonstrated that this information for would be effective, i.e.
umseedrisc awl oduelvdi ckenow the correct use and understand the of reusing the . However, the usability
evaluation alpsroo csehsoswed that some users are likely to disregard this information and intentionally reuse the
. Intentional reuse can be considered abnormal user, ewashoinchab ilsy bfoeryeosnedea tbhlee msciosupsee of ther iuskssability
engineering , because threis ka smsoacniaagteemd ernistkpsr occaensnsot be controlled in the user interface (rsieske 3.1 and 3.26
[16]
of IEC 62366-1:2015 ). Since this behaviour can be considererdis k control , the from
such reuse are analysed in the and evaluated against the criteria for acceptability
according to ISO 14971:2019. It could be necessary to implement measures outside the user interface.
5.3 Identification of characteristics related to safety
medical device safety
It is important to identify the mchedaircaaclt deervisictiecss of the that could affect . These
chasraafecttyeristics can be qualitative or quantitative and can be bound by certain limits. The questions in
Annex A cover many aspects of hazards haanzda cradnou ass ssiitsuta itni oidnesntifying the charactemriesdtiiccas lr deelavticeed
to . For every question, it is indicated which factors should be considered in further detail, with
the ultimate goal of identifying all and associated wmitehd tihcael devices .
The list of questions in Annex A should not be used as a check list. It can also be helpful to review
avmaialanbulfea cintuforremr ation and literature, including adverse event reports, mfoerd siicmali ldaerv ice .
intended use safety hazardous situations
A can identify the performance or the functions of the that are necessary
to achieve its or that could affect , and consider whether any
could occur, if any of these functions did not perform properly.
5.4 Identification of hazards and hazardous situations
5.4.1 Hazards
hazard harm hazards
hazards
A is a potential source of a . Depending on the specific situation, can have different
origins/natures. Examples of are electricity, moving parts, infectious bacteria, chemicals,
gHaaszeasr,d ssharp edges, high currenmtse,d tiecmalp deervaitcuere, and ionising radiation. intended use reasonably
foreseeable misuse safety
associated with the can be deduced from the hazards and
as dehtaezramrdinoeuds siintu 5a.t2i oannsd the characteristics related to asI VdDet meremdiicnaeld d einv i5ce.3s.
Annex C of ISO 14971:2019provides guidance that can helrpi sikns identifying and sequences of
events that can lead to . Annex H provides similar guidance for ,
where incorrect diagnostic information can lead to indirect to patients.
5.4.2 Hazardous situations in general
Medical devices harm hazardous situation
harm
only cause if a sequence of events occurs that results in a ,
which then causes or leads to . Sequences of events can include a chronological series of causes
PROOF/ÉPREUVE 7
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazardous situation
hazards
and effects, as well as combinations of concurrent events. A occurs when people,
pHraozpaerrdtoyu os rs itthuea teinovnisronment are exposed to one or more . medical
device Hazardous situations
can arise even when there are no faults, i.e. in the normal condition for the
when it is performing as intended. can be intrinsic aspects of certain
therapies. For example, an automated external defibrillator (AED) delivers an electric shock to the
patient as part of its normal operation. Similarly, wound cauterization involves the application of high
energy to a wound site, and a scalpel has a sharp blade intended to make incisions. medical device
safety hazards hazardous situations
Annex A provides guidance in the form of questions on the characterirsitsikc sa noaf ltyhseis that
could affect . Those charachtaezraisrdtiscs canh ahzealrpd oinu si dsietnutaitfiyoinnsg in vitr oanddia gnostic (IVD) medical.
dAenvniceexs B provides guidance on several techniques that can support a . Annex H provides
specific guidance on identifying and for
.
5.4.3 Hazardous situations resulting from faults
hazardous situation
harm
In cases where a hazardous osintluya oticocnurs hdauzea trod oa ufas usilttu, tahteio pnrobability of a fault occurrhinagr mis not
the same as the probability of the occurrence of . A fault can initiate a sequence of events but does
not necessarily result in a . A does not always result inh azard.ous
situation
It is important to understand that there are generally two types of fault that can lead to a
: random and systematic faults.
5.4.4 Hazardous situations resulting from random faults
Random faults are typically due to physical or chemical causes such as corrosion, contamination,
thermal stress, and wear-out. For many random faults, a numerical value can be given for the probability
that the fault will occur. Some examples of random faults are:
— the failure of a part such as an integrated circuit in an electronic assembly;
— the contamination of an IVD reagent leading to incorrect rmeseudlitcsa;l device
— the presence of an infectious or toxic substance in or on a risks .
hazard hazardous situation
NOTE A quantitative estimate can only be applied to biological if sufficient information is known about
the and the circumstances affecting the probability of the occurring, for example in
the use of sterility assurance levels.
5.4.5 Hazardous situations resulting from systematic faults
A systematic fault can be caused by an error in any activity. It will systematically give rise to a failure
when some particular combination of inputs or environmental conditions arises, but will otherwise
remain latent. medical device
medical devices use errors
Errors lmeaeddiincag l tdoe svyicsetematic faults can occur in any part of the such asm headricdawl adreev iacned
software in electro-mechanical . Systematic faults in labelling can lead to
for any . These systematic faults can be introduced at any time during a ’s
development, manufacture or maintenance. Someh eaxzaamrdpoluess osift suyasttioenmatic faults are:
— an incorrectly rated fuse fails to prevent a : the fuse rating could have been
incorrectly specified during design;
— a software database does not provide for the condition of full database: if the database is full, it is
not clear what the software will do, with possible consequence that the system will simply replace
existing data with new data; medical device
— a fluid, used during the production of a , has a boiling point lower than body
temperature: residues of the fluid can, in certain circumstances, be introduced into the blood,
8 possibly leading to an embolism; PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— the antibody in a hepatitis assay does not detect some variants of the virus;
— inadequately designed environmental control leads to contamination with a toxic substance or an
infectious agent;
— the user’s manual is written so that if a maintenance routine is performed according to the
instructions, the user could be injured (e.g. by a sharp probe).
The accurate estimation of the probability of occurrence of systematic faults is difficult. This is
primarily for the following reasons.
— Threi fsrke cqounetnrocyl of systematic faults is laborious to measure. Achieving a reasonable level of confidence
in the result will not be possible without extensive data on systematic faults or parameters relevant
to .
— Consensus does not exist for a method to quantitatively estimate the probability of occurrence of
systermisakt iec sftaiumlatst.ion manufacturer
risk
Because is difficult ihna ztahredsoeu sc isritcuuamtisotnasncesh, atrhme should not focus on
estimating the of systematic faults but rather on implementing robust systems to prevent
systematic faults which could lead to or .
5.4.6 Hazardous situations arising from security vulnerabilities
Sreeccourrditsy in this document includes cybersecurity and data and systems security. Security vhualnrmerabilities
can lead to loss of data, disclosure of personal health information, unauthorized access to patient
, etc. Such situations can initiate sequences of events, which can ultimately lead to (patient
injury or damage to property). For example:
— loss of confidentiality can lead to the disclosure of personal health information; medical device
— loss of integrity can lead to incorrectly represented lab results or mmaeldfiucnacl tdieovni coef the ;
medical device
— loss of availability can prevent the use of critical functionality of a or can stop the use
of a altogether.
See Annex F for further guidance on security.
5.4.7 Sequences or combinations of events
hazardous situation
P hazardous situation
The can be the result of a sequence or combinations of independent events. This
is illustrated in Figure 1. Theh parzoabradboiulsit syi tu1a toifo nthse occurring is then givheanz abryd othues
psirtoudauticotn of the probabilities of occurrence of the independent events. A sequence of events can have
branches leading to different and different events can lead to the same
. These complexities are not shown ihna Fziagrudre 1.
The example in Figure 1 is for an electricity and is related to an insulated wire inside a medical
electrical device. There is a smamll epdricoabla dbeilviticye that the insulation material is degraded and becomes
damaged by cracks, and that the cracks lead to an exposed wire. The next possible events are that the
uhasezra rcdoonunse scittsu aatniodn turns on the , and that (depending on choices in the user interface)
the exposed wire now has line voltage.P When the user subsequently opens the protective cover, the
occurs, namely that the user is exposed to the line voltage of 220 V. The combined
probability of this sequence of events is 1.
P
The probability that the user actually touches the exposed wire is estimated to be 0,10. Since the user
will always experience a shock from the line voltage, the probability of discomfort is 2 = 0,10. The
prhoabzaabridliotyu so fs iat ubautrionn is lower (0,01) and the probability of dheaarthm is even lower (0,001).
hazardous situation harm
A (HhSa1r)m can lead to different kinds of P (H1 to H3), raPnging from discomfort,
to a burn to death. The probability that the leads to can have different values
depending on the kind of , which values are described as 2(HS1)H1 through 2(HS1)H3 in Figure 1. The
PROOF/ÉPREUVE 9
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
severity harm
of can be affected by the circumstances of the exposure. For example, the consequences
of an electric shock can vary from muscle contractions to burns, heart fibrillation or cardiac arrest,
depending on voltage, current, duration of the exposure, and location on the human body. severity
harm harm
Imt ains uefmacptuhraesrized that several scenarios can be relevant, not only thoshea zwairtdho uthse s ihtuigahtieosnt of
or with the highest probability of occurrence of haza. rOdtohuesr ssictuenatairoinos can also be relevant. The
harm should consider what the best manner is to document the , describing
one or more sequences of events that can lead to this and the different kinds of
that can occur. Hazard
: electricity
medical device
Situation: line voltage (220 V) of an insulated
wire beneath a cover of the
Events:
P
A. Insulation material is damaged by cracks
( A = 0,01)
P
B. Insulation material falls off the wire
( B = 0,10)
P
C. User connects and turns on the device
P
( C = 0,10)
Hazardous situation
D. User removes cover ( D = 0,10)
P P P P P
: user is exposed to line
-5
voltage ( 1 = A B C * D = 1 × 10 )
Probability that the user touches the wire and
P
experiences:
— discomPfort ( 2 = 0,10)
— burn ( P2 = 0,01)
— death ( 2 = 0,001)
[Figure 1 — Pictorial example of a relationship of hazard,]
sequence of events, hazardous situation and harm
medical devices risk
Information about the on the market can be useful in estimating . Several approaches
are commonly employed to estimate probabilities:
— use of historical design and development data;
— prediction of probabilities using analytical or simulation techniques;
— use of experimental data;
— reliability estimpaotesst-;production
— production and information;
— use of expert judgment (an expert in this context can be a person competent on the basis of
[24]
appropriate education, training, skills and experience; see ISO 13485 ).
Each of these approaches has strengths and weaknesses. Complementary approaches should be used
to increase confidence in the results. Expert judgment should be supplemented with one or more of the
10 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
other approaches wherever possible. When the other approaches cannot be used or are not sufficient, it
might be necessary to rely solely on expert judgment.
5.5 Risk estimation
5.5.1 General
manufacturer risk estimation
risk
ISO 14971:2019 requires the to perform . Various methods can be used to
estimate . Those methods shouhladz eaxradmine, for example:
— the circumstances in which a ha izsa prrdeosuesn sti;tuation
— the sequence of evenhtasz laeraddoiunsg s tiotu aa tion ;
— the probability of a hazardous situation occurring;harm
— the probability ofh aa rm leading to ;
R—is kthe nature of the that could result. risk
risk control severity risks
should be expressed in termsesv etrhiatyt facilitate decision making on acceptability and the need
for , for example, using and probability scales. In order to analyse , their
components, i.e. probability and , should be analysed separately.
Key
harm
severity harm
X probability of occurrence of
Y of
[Figure 2 — Example of a risk chart that illustrates the distribution of estimated risks]
risk risks
risks R R R
A chartR issukch as that shown in Figure 2 shows the distribution of the estimated , which can
be useful for later decision making. The ( 1, 2, 3, …) would bme epdloictatle dde ovnic ethse chart as they are
estimated. matrices deverliospked from trhisiks figure will be used in examripskless throughout thriiss kclause.
Thrisis dkoes not imply that this method has general applicability to all ; however, it can be
useful in many instances. If a chart or matrix is used for ranking , the particular chart
or matrix and the interpretation used should be justified for that application.
PROOF/ÉPREUVE 11
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
5.5.2 Probability
harm
When sufficient data are available to estimate the probability of occurrence of with adequate
confidemnecdei,c aa lq dueavnicteitative method should be used. Otherwise, a qualitative method based on expert
judgmpeonstt i-sp rpordeufecrtiaobnle to a quantitative estimate with high uncertainty. Anm eaxnaumfapclteu oref rthis situation is
a new where suitable quantitative data are not amvaeidlaicballe d uenvticile design validation or later
when data become available. For a qualitative method, the can describe a
series of probability levels with descriptors appropriate for the .
manufacturer
Although probability is a continuous variable, a number of discrete levels can be used in practice to
simplify the analysis. The decides how many probability levels are appropriate, based
on the expected confidence in the estimates. A larger number of probability levels can be used when
estimates are mmeaddicea wl diethvi cgereater confidence. At least three levels should be identified to facilitate
dMeacnisuifoanc tmuraekrsing. The levels can be descriptive and qualitative (e.g. not expected to occur during the
lifetime of the , likely to occur a few times, likely to occur frequently, etc.) or quantitative.
should define the levels explicitly, so that there will be no confusion over what falls
within each level. A particularly effective way is to assign ranges of non-overlapping numerical values
to the discrete levels. An example of three qualitative probability levels is given in Table 3 and an
example of five semi-quantitative probability levels in Table 5.
manufacturer
The definitions of the probability ranges can be the same or different for different product families.
For example, a can chhoaorsme to use one set of probability ranges for X-ray equipment, but
can have a different set of probability ranges for sterile disposable dressings. Scales for probability can
include probability of occurrence of per use, per device, per hour of use, or within a population, reitsck.
management file medical device
It is required to document the chosen probability levels or ranges and their descriptors in the
for the particular (see ISO 14971:2019, 5.5). harm
There are several factors that are important for estimating the probability of occurrence of . These
include, but are not limited to,m thede ifcoalll odweviincge.
— How often is a particular medical device used?
— What is the lifetime of the ?
— Who makes up the user and patient populations?
— What is the number of users/patients?
— How long and under what circumstances is the user/patient exposed?
harm P
Probability eshtaimrmation encompasses the circumstancesP and thhea zsaerqduoeunsc seist uaotfi oenvents from the
occurrence of the initiatinhga zeavrednt through to the Poccurrenceh aozfa rtdhoeu s situa. tTiohne probabhilaitrym of
occurrence of can be decomposed into a probPability P1 that a occurs (i.e. thaPt
persons are expohsaerdm to the ) and a probability 2 that the leads to . See
Figure C.1 in ISO 14971:2019. A decomposition into 1 and 2 can be useful to estimate the probability
of occurrence of , but such decomhpaorsmition is not mandatoryP. P
When the probability of occurrence of is decomposed into 1 and 2, it could be the case that one of
them can be estimated and the oritshker not. In such cases, a conservative approach can be used by setting
the unknownr ipsrkobability equal to 1. Such approach can be useful when the estimated probability is
either so low that the resulting becomes clearly insignificant or negligible, or so high that it is clear
the resulting should be reduced.
5.5.3 Risks for which probability cannot be estimated
risk
harm
Confidence in a estimate can be enhanced when a quantitative estimate of the probability of
occurrence of is made on the basis of accurate and reliable data, or when a reasonable qualitative
estimate is based on a consensus by qualified experts. However, this is not always achievable. For
example, the probabilities of systematic faults, such as those discussed in 5.4.5, are difficult to estimate.
12 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
When the accuracy of the probability estimate is in doubt, it is often necessary to establish a broad
range for the probability or to determine that it is no worse than some particular value.
Examples where probabilities are difficult to estimate include:
— software failure; medical device
— excepthioanzaalr mdsisuse situations, such as sabotage or tampering with a ;
risk
— novel that are poorly understood, e.g. imprecise knowledge of the infectivity of the
causative agent of Bovine Spongiform Encephalopathy (BSE) prevents quantification of the of
transmission; hazards
— certain toxicological , such as genotoxic carcinogens and sensitizing agents, where it might
not be possible to determine a threshhaorldm of exposure below which toxic effects do not occur. risk
severity harm risk control
hWahzaenrd tohues psirtoubaatiboinlity of occurrence of cannot beh aezsatirmdoautesd s,i tiut aist ionnecessary toh aervmaluate the
on the basis roifs kt hceo ntrol of alone. The measseuvererist yshould hfoacrums on preventing the
entirely or on preventing that the leads to . If this is not
possible, the measures should focus on reducing the of thper ocesse.s
An inverse relationship can be presumed between the rigoprsr ocoef sstehse used in design,
development, mseavneurfiatcyturing and maintenance and the probability of some systematic fraiuslkt sc obnetirnogl
introduced or remaining umndeedticeaclt edde.v Tichee required rigor of these can be determined by taking
account of threis k contro lof the consequences of systematic pfaruolctess saensd the effectiveness of
measures external to the . The more severe the consequences are and the less effective
the external measures, the more rigorous these should be.
5.5.4 Severity
severity harm manufacturer
medical device Severity
To categorizseev tehreit y of the potential , the shomualndu ufascet dueresrcriptors appropriate
for the . is, in reality, a continuum; however, in practice, the use of a discrete
number of levels simplifies the analysis. In such cases, the decides how many
categories are appropriate and how they are to be defined. The levels should be descriptive and should
nSeovte irnictlyude any element of probability. See the emxaanmupfalecstu irne Trable 2 and Tabhlea r4m. s
medical device severity
levels asreev ecrhiotysen and justified by the harm based on rtihske analysi sthat could result for a
particular . The levels should be defined with sufficient specificity, so that the
correct level of can be assigned tos eeavcehri ty identified in the . risk
management file medical device
It is required to document the chosen levels or ranges and their descriptors in the
for the particular (see ISO 14971:2019, 5.5). severity harm
NOTE Terminology used by regulators can be useful in describing the levels of of .
5.5.5 Examples
severities harm hazardous situation
Several approaches can be used for qualitative analysis. A tyspeivcearl iatpyproach is to use an N-by-M matrix to
describe the and probarbisiklisties of occurrence of associated with each .
One carefully defines N levels of probability and M levels of . Each cell of the matrix represents a
subset of the full set of possiblrei sk . severity
risks R R R
A simple example is a 3 × 3 matrix constructed by using the three Manufa cletuvreelsr sof Table 2 as
columns and the three qualitative probability levels of Table 3 as rows. The estimated ( 1, 2, 3,
...) are entered into the appropriate cells and the result is shown in Figure 3. should make
these definitions as device-specific and explicit as needed to ensure their reproducible use.
PROOF/ÉPREUVE 13
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table 2 — Example of three qualitative severity levels
Common terms Possible description
Significant Death or loss of function or structure
Moderate Reversible or minor injury
Negligible No injury or slight injury
Table 3 — Example of three qualitative probability levels
Common terms Possible description
High Likely to happen, often, frequently, always
medical device
Likely to happen several times during the lifetime of the
Medium Can happen, but not frequently
medical device
Likely to occur a few times during the lifetime of the
medical
Low Unlikely to happen, rare, remote
device
Not likely to occur during the lifetime of the
risks
NOTE The estimated in Figure 3 are not the same as those depicted in Figure 2.
[Figure 3 — Example of a qualitative 3 × 3 risk matrix]
risk severity
risks R R
AR more elaborate example is a 5 × 5 matrix constructed by using the five levels of Table 4 as
columns and the five semi-quantitative probability levels of Table 5 as rows. The estimated ( 1, 2,
3, …) are entered into the appropriate cells and the result is shown in Figure 4.
Table 4 — Example of five qualitative severity levels
Common terms Possible description
Catastrophic / Fatal Results in death
Critical Results in permanent impairment or irreversible
injury
Serious / Major Results in injury or impairment requiring medical
or surgical intervention
Minor Results in temporary injury or impairment not
requiring medical or surgical intervention
Negligible Results in inconvenience or temporary discomfort
14 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table 5 — Example of five semi-quantitative probability levels
Common terms Examples of probability range
−3
Frequent ≥10
−3 −4
Probable <10 and ≥10
−4 −5
Occasional <10 and ≥10
−5 −6
Remote <10 and ≥10
−6
Improbable <10
[Figure 4 — Example of a semi-quantitative 5 × 5 risk matrix]
Other sizes than 3 × 3 or 5 × 5 matrices can be employed. However, matrices with more than five
levels can require significantly more data to be able to distinguish between the various levels and to
avoid overlap of the levels. Rationales for the selection of matrices and their outcome scores should
be documented. Note that matrices with three levels might not always be sufficiently accurate for
adequate decision making. While the above examples were 3 × 3 and 5 × 5, there is no need that these
matrices be balanced. For example, a 4 × 5 matrix could be appropriate for a given application.
6 Risk evaluation
process risk evaluation
risk risk manufacturer’s
ISO 14971:2019 describreiss kthe for risk. mTahnea sgteamnednatrd, however, does not specify
levels of acceptable . The criteria for acceptability are based on the policy for
determinriisnkg aecvcaelupattaibolne amnda naurefa dcotucruemrented in the ris pkslan. risk
During , the risk compares threi seks etvimalautaetdio n with the criteria for
acceptability and determines if these criteria are met or not. See Annex C for further guidance and
examples of applying the criteria for acceptability in .
7 Risk control
7.1 Risk control option analysis
7.1.1 Risk control for medical device design
risks medical device
manufacturer risks
Several options exist to reduce associated with a . These can be used alone or in
combination. The can explore different options to reduce the to acceptable levels in
a reasonably practicable way. The order of priority is important, as emphasised in ISO 14971:2019. This
is explained belomwe daincda lc dlaerviifcieed with some examples. process
a) Making the dehsaigzna radnd the manufacturing inherently safe by:
— eliminating a particular ; PROOF/ÉPREUVE 15
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazard
hazard
EXAMPLE 1 Eliminating the of sharp edges that can cause injury by designing the surfaces
with rounded edges. Eliminating the of electric shock by using a manually operated pump
instead of an electrical pump. harm
harm
— reducing the probability of occurrence of the ;
EXAMPLE 2 Reducing the probability of fibrillation due to an electric shock by having no
accessible live parts. Reducing the probability of unauthorised access to data by identity management.
Reducing the probability of biological reactions due to microbial contamination by using cleanroom
technologies osre svteerriiltiyzation. harm
severity harm
— reducing the of the .
severity harm
EXAMPLE 3 Reducing the of from being squeezed by a moving part by using a low-
power motor and low speed. Reducing the of from an electric shock by using low electric
voltage (below 42 V).
b) Taking protective measures by: hazardous situation
— preventing the occurrence of a ;
EXAMPLE 4 Using automatic cut-off or over-pressure valves. Protective covers of electrical wires
and power units (covered plugs, sockets and connectors). Guards for moving parts or to prevent patients
falling off a tabhlea zoar roduotu osf sbietuda. Itniospnection testing in mhaanrumfacturing to detect non-conforming products.
hazardous situation
— preventing a from leading to .
EXAMPLE 5 Using vissuaafel toyr acoustic alarms to alert the user to a .
c) Providing information for med bicya:l device
— placing warnings on the ;
EXAMPLE 6 Warning: Do not use afatecrc o[emxppairnyy dinagte d].ocumentation
— including contra-indications in the ;
EXAMPLE 7 Do not use with neonates. use error
— providing instructions to support correct use and to avoid ;
EXAMPLE 8 Apply epinephrine injector to the middle of your outer thigh (upper leg), through
clothing if necessary. Do not inject into your veins, buttocks, fingers, toes, hands or feet. Hold the leg of
young children firmly in place before and during injection to prevent injuries.
— providing instructions to use personal protective equipment;
EXAMPLE 9 Use gloves and eyeglasses when handling tsoexvice roirt yhazahradromus materials.
— providing instructions about measures to reduce the of ;
EXAMPLE 10 Rinse immediately with water aftemr ecodnictaalm dienvaitcioen with hazardous substances.
— providing training to users on how to use the correctly;
EXAMPLE 11 Training program for operators of radiotherapy equipment or for home-use dialysis
machines.
medical device
— providing instructions relating to installation and maintenance during the lifetime of the
medical
.
device
EXAMPLE 12 Maintenance intervals, maximum expected lifetime, how to dispose of the
properly.
16 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
risk manufacturer
Options a) to c) are listed in descendirnigsk o crodnetrr oolf priority with regard to their generally recognised
effectiveness in reducing . The should take this order into account before deciding on
the most appropriate r(cisokm cboinntartoilon of) measures. medical devices
safety
Examples of specific measures for different types of are given in Table 6.
Further guidance on providing information for is given in Annex D.
Table 6 — Examples of risk control measures
Hazardous Inherently Protective Information
Medical device Hazard
situation safe design measure for safety
Reuse after
Syringe (for Biological con- Self-destruction Clear indication of Warning against
previous use on
single use) tamination after use first use reuse
another patient
Pacemaker stops
Information on
Implantable Loss of func- functioning due Reliable long-life Alarm before bat-
typical battery
pacemaker tionality to early battery batteries tery depletion
lifetime
depletion
Software failure Over-pressure Instruction to use
Mechanical Blower incapable
causes excessive valve in ventila- only breathing
patient Air pressure of delivering high
pressure in pa- tor or in breath- hose delivered by
ventilator pressure
tient airway ing hose manufacturer
Instruction to
Metrologically
IVD blood Systematic Incorrect result re- verify calibration
Self-calibration traceable calibra-
analyser error or bias ported to clinician with trueness
tors provided
controls
Not feasible Information on
X-ray Ionising radi- Staff exposed to Lead shields and
(stray radiation radiation level in
equipment ation stray radiation lead aprons
always occurs) occupancy zones
In this step possible solutions for inherently safe design and prortiescktsive measures can be invepsrtoicgeastsed for
mthaeniru sfatrcetunrgetrhs and weaknesses. The choice of design solutions should be based on these investigations.
Much knowledge of the possible design solutions and related can be created in this . The
should consider how to retain this knowledge for future use.
7.1.2 Risk control for manufacturing processes
processes safety medical devices
Deviations or errors in manufacturing can compromise the of , for
example, by:
— introducing hazardous residues or particulates;
— affecting critical physical or chemical properties such as surface coating, tensile strength, resistance
to ageing, homogeneity, etc.;
— exceeding crpirtoiccaels tsolerances;
— insufficient control, leading to mix up of gas lines during the assembly of a respirator; or
— impairing the integrity of welding, gluing, or bondingh oafz caormdponents. process
hazard medical device
Ipnrhoceersesntly safe manufacture eliminates the particular from the manufacturing and
ensures thamt ethdiec al devic eiss not present in the . Protective measures in the manufacturing
, such as inspection and/or testing, can detect non-conformities and can prevent the distribution
of affected .
PROOF/ÉPREUVE 17
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Techniques such as Failure Modper oacnedss Eesffects Analysis (FMEA, see Annex B.5) and Hriaskz acrodn tAronlalysis
and Critical Control Points (HACCP, see Annex B.7) can be useful for analysing critical steps in the
manufacturing apnrdo cdeissstersibution . It is important to also consider the need for in:
— outsourced m, seudcicha al sd peuvircceh alisfee dc ypcrloeducts, components and services; and
— other phases of the , such as storage, distribution, installation, servicing,
decommissioning and disposal.
7.1.3 Standards and risk control
state of
the art manufacturer residual risks
Generally, international standards can be considered trois rkespresent the generamllye daicckanl doewvliecdeged
. By applying a standard, the can simplify the task of analysing , but it
is emphasised that the standard misgahfte ntyot address all associated with a safety. medical
devices risks
mMeadniyc aslt daenvdiacerds admdraensusf ainchtuerreernt , protective measures, and ionbfojercmtiavtei oenvi dfoern ce for
. When relevant standards exist, they can address some or all asrsiosckisated with a particular
. The can presume that, in the absence of to the contrary,
meeting the requirements of the relevant standards results in particular being reduced to an
acceptable level. See Annex E for further guidance on the use of international standards.
7.2 Implementation of risk control measures
risk control verification
verification risk control risk management
ISO 14971: 2019v reerqifuiciaretiso inmplementation of measures, of implementation and
of the effectiveness of those measures. The plan specifies how
tVheer itfiwcaot dioinstinct activitireissk w ciolln btero clarried out. medical device
Verification risk control medical device
of implementation of risk control measures in the medical dceavnic bee obtavienreifdic afrtoiomn
design documentation. risk contr oolf the effectiveness of the mseaafestuyres in the
can require testing of individual ve mrifeiacasutiroens or testing the . The
requirements apply to all measures, including information for . Testing with useinr sv ictarno
pdiraogvnidoest iucs mefeudl icinafl odremviacteison supporting the of effectiveness, for example usability testing
[16] [26]
r(siseke mIEaCn 6a2ge3m66e-n1t ), clinical investigation (see ISO 14155 ) or clinical performance studies of
[37]
(see ISO 20916 ). More guidance on the use of international standards in
Verification is provided in Anrnieskx Eco.ntrol process
process Verification risk control
of imprpolecemsesntation of measures in the manufacturingp rocess can be dpornoec ebsys
checking the specifications. of the effectiveness of measures in the
manufacturing can be done by qualification of the manufacturing , such as
validraistkio mn,a innaspgeemcteionnt method qualificatiovne roirfi coathtieorn appropriate means.
verification
The plan can detail the activities explicitly or by reference to the plan for
other activities.
7.3 Residual risk evaluation
Residual risks risk
risks residual risk risk
control are evaluated by the same method rainskd cwonitthr otlhe same criteria for ben eafcitc-eripstkability as
the initial . TheR esidual risk is either acceptable or unacceptable. Whliefen cuyncalecceptabmlee, dfuicratlh deer vice
options shouldp obset -ipnrvoedsutcigtiaotned. If further is not practricisakble, a analysis
may be performed. evaluation can be repeated through the of the ,
when production and information indicate that either the or its acceptability could
have changed.
7.4 Benefit-risk analysis
7.4.1 General
manufacturer benefit-risk risks
risk management risk
ISO 14971:2019 allows the to perform a analysis for those that are not
j1u8d ged acceptable using the criteria establi
P
sh
R
e
O
d
O
i
F
n
/ É
th
P
e
R EUVE
plan and for which further
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
control benefit-risk residual risk
benefits intended use medical device
is not practicable. The analysis is used to determine if the is outweighed
bBye ntehfeit e-rxipskected of the of threes idual risks .
analyses cannot be used to weigh against business advantages or economic
advantages (i.e. for business rdiesckision making). See also ISO 14971:2019, A.2.7.4. benefits
risks benefits
The practicability of further reduction should be taken into account before considering the
(see Annex C). The decision as to whether are outweighed by is essentially a mabtteenre foitf
judgment by experienced and knowledgeable individuals, usually a multridisiksciplinary team cormispkrising
medical, clinical or applicraestiidouna el xrpisekrts. An immpaonrtuafanct tcuorners’isd emreadtiiocanl ids ewvihceether an antriecsiipdautaeld r isk
can be amcehdieicvaeld d etvhircoeusgh the use of alternative solutions without that or with smaller . This
involves comparing the for the with the for
similar .
7.4.2 Benefit estimation
benefit medical device
Benefits
The arising from a is related to the likelihood and extent of improvement of
health expected from its use. can be described in terms of positive impact obnen celfiintiscal outcome,
the patient’s quality of life, outcomes related to diagnosis, positive impact from diagnostic devices on
clinical outcomes, or a positive impact on public health. The nature and degree of can depend
on the patienbte npeofpituslation.
benefit benefit
Sometimes can be described in terms of magnitude of the positive effects, for example the
pBreonpefoirttion of patients that will experience the and the duration of .
can be estimated from knowledge of several factors such as:
— the performance expected during clinical use;
— btheen ecfliitnsical outcome expected from that pmerefdoircmal adnecveic;es
— resulting fromr tihskes use obf esnimefiiltasr ;
— factors relevabnetn teof itthe and of other diagnosis or treatment options.
Confidence in the estimate is strongly dependent on the reliability of the information addressing
these factors. This includes recognition that there is likely to be a range of possible outcomes. For
example:
— It can be difficult to compare different outcomes, e.g. which is worse, pain or loss of mobility?
Different outcomes can result from the side-effects being very different from the initial problem.
— It is difficult to take account of non-stable outcomes. These can arise both from the recovery time
and long-term effects.
Due to the difficulties in applying a rigorous approach, it is generally necessary to make simplifying
assumptions. Therefore, it will usually prove expedient to focus on the most likely outcomes for each
option and those that are the most favourable or unfavourable.
The following aspects shobuelnde bfiet staken into account: medical device
— the type of expected for the patient or other people (e.g. the is life-saving or
essential in a given medical scenbaerinoe)f;its
benefit
— the magnitude of the expected (e.g. the degree to which the patient will experience the
therapeutic or diagnostic ); benefits
medical device
— the probability that the patient will experience the expected (i.e. the likelihood that the
is effective in treating or diagnosing theb epnaetfiietnt’s disease or condition); and
— the duration of the expected effects (i.e. how long the is expected to last for the patient).
PROOF/ÉPREUVE 19
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
benefit process
medical device
An ebsetnimefaitte of can vary markedly across different phases of the design . If reliable clinical
dbeantae fditemonstrating the consistent performance and effectiveness of the are available,
the can be estimated confidently. In caspesro wcehsesre clinical data abreen leimfitited in quantity or quality,
is estimated with greater uncertainty from whatever relevant information is available. For
example, it is sometimes necessary early in the to estimate the from the expected degree
of health improvemreisnkts and the likelihood of abchenieevfiitng the intended performance.
Where significant are present and the estimateb ehnaesf ita- rhisigkh degree of uncertainty, it will
be necessary to verify the anticipated performance roers iedfufaelc rtiivskeness through a simulatiporno csetduudrye sor a
clinical investigation. Thims eids iceasls ednetviiacle sto confirm that the balance is as expected inan vdit rtoo
[26]
pdiraegvneonstt uicn mweadrircaanl tdeedv iecxepsosure of patients to a large . ISO 14155 specifies for
[37]
clinical investigations of and ISO 20916 for clinical performance studies of
.
7.4.3 Criteria for benefit-risk analysis
benefit-risk
risk management
Those involved in making judgments have a responsibility to understand and take into
account the technical, regulatorym, eedciocnaol mdeicv iacned sociological context of their decisions.
This can involve an interpretation of fundamental requirements set out in applicable regulations or
standards, as they appsalyfe ttoy the under consideration under the anticipated conditionriss kosf
use. Since this type of analysis is highly product-specific, furthreisrk guidance of a general nature is not
possible. Instead, the requirements specified by standards addressing specific products or
can be presumed to be consistent with an abcecneepfittable lreevseidl uoafl risk, especially where the use of those
standards is sanctioned by the prevailing regulatory system. Note that a clinical investigation might be
required to verify that the balance between and is acceptable.
7.4.4 Benefit-risk comparison
benefit risk
A direct comparison of and is complicated and should take the following into account:
— characterization of the disease or condition of the intended pahtaieznartsd;s medical device
benefit risk
— the uncertainty of data. Initially, a literature search for the and the being
considered can pproosvt-ipdreo dinuscitgihont into the balance betweemn edical d eavnidc es ;
— production and information for similar that are already available on
the market; state of the art
— the generally acknowbleedngefeidts medical; device benefits
medical devices
— a comparison of the of the under development with the of similar
availraebslied uoanl trhisek msarket;medical device residual risks
medical devices
— a comparison of the of the under development with the of
similar avamilaanbulefa ocnt utrheer market. benefit-risk risk
management file
ISO 14971:2019 requires the to record the results of a analysis in the
. It is recommended to include the rationale how the conclusion was reached.
7.4.5 Examples of benefit-risk analyses
benefit-risk
The following examples illustrate the conclusions of analyses.
EXAMPLE 1 Burns can occur where the returnb eenleefcittrode of a high-frequency surgery device is improperly
arettsaidcuhaeld r itsok the patient. Although conformance to the relevant product standard minimizes the probability of
such burns, they can still occur. Nevertheless, the of using a high-frequency surgery device outweighs the
of burns.
20 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
EXAMPLE 2 Although X-rays are known to be potentially harmful, the clinical effectiveness of conventional
diagnostic imaging almost always justifies its use. However, the unmwaannutfeadc teufrfeercts of radiation on the patient
abreen enfoitt- riigsnkored. Standards exist to minimize radiation exposure tom peadtiiceanlt ds.e Wvicheesn a new application of ionizing
radiation is developed and existing standards are not applicable, the verifies that the results of the
analysis are at least as favourable as that of alternative and treatments.
EXAMPLE 3 Once implanted, some cochlear implant components, such as the implant receiver stimulator
with electrode array, cannot easily be replaced. They are intended to remain implanted for life and are required
to perform reliably for years and even decades. (This is an especially important consideration in the case of a
young adult or crheislidd.)u aAlc creislkeratedm reedliicaabli lditeyv itceesting of these components can be cboenndeufictted for specific failure
mechanisms. Howerveesird, uvaall ridisakting the reliability of components that are to last for decades is not practical.
Therefore, the of failure is weighed against the r eosifd upaolt reinstkial hearing
impbroenveefmitent. The b edneepfietnds on the estimriastked reliability of the components and the confidence in the
reliability estimates for those components that cannot be validated. In some cases, the outweighs
the ; in other cases the outweighs the .
7.5 Risks arising from risk control measures
risk control risk risks risks
risk
Implementing a measure to reduce one can introdmuecdei cnaelw d evice or increase other ,
including those hparzeavrioduouslsy s eitvuaalutiaotnesd to be acceptable. For example, elimination of a use-related in
trhisek user interface can restrict the user’s flexibility riins ku scionngt rtohle and restrict his ability
to intervene in manufacturer . A second example is a software chanrgisek sto control one particular
, which unintentionally undermines another measure embedded in the software
architecture. The reviews these effecrtiss kto a ennaslyusries that thomseed ical d aervei csetill acceptable. risk
control risks risks risk
Oconnet rwolay to perform this review is to uppdraotcee stshe manufactu orfe rthe , including all
process mriseka asunraelyss, iasnd ptoro icdeesnstify if new are introduced or existing are increased. For
measures in the manufacturing , the can perform the review as part of
or validation.
7.6 Completeness of risk control
risks hazardous situations
risk control hazards
hISaOz a1r4d9o7u1s :2si0tu1a9t rioenqsuires that the frroimsk sall identified are considerrisekds and that
all haza radcotiuvsi tsiietsu aatrieo ncsompleted. This can be achieved by mriasiknstaining a list of all and
and the associaritsekd m ana.g Temhee nlits fti lcean be checked to ensure that the from all
identified have been considered and that no are overlooked. The results of
this activity are documented in the .
8 Evaluation of overall residual risk
8.1 General considerations
residual risk benefits
intended use medical device residual risk
ISO 14971:2019 requires that the overarells idual risk be evaluated irni srke mlaatinoang etom ethnte of the
of the , and that both the criteria for acceptability of the overall
and the method of evaluarteiosind uoaf lo rviesrkall be irnecsliuddueadl r iinsk the plan.
hazardous situations risks
The evaluation of overall is the bpeoninefti tw-rhisekre is viewmeadn furfoamct uar berroad perspective.
All idenrteifsiieddu al risk have bmeeendi ecavla dlueavtieced and all have been reduced to an acceptable
level or havrees bideueanl arcisckepted based upon a analysis. Now, the cornessiiddeurasl irf itshkes
overall associatbeedn ewfiittsh the intended use as a whomlee dsiactails fdieesv itchee criteria for acceptability
of overall .m Tehdiisc aclo dnesviidceersation takmese diinctaol daecvciocuesnt the contributions of all risks
together in relation to the of the medic aolf dtehvei ce . This step is particularly
important for complex and for with a large number of individual .
The evaluation can lead to the conclusion that the is safe.
PROOF/ÉPREUVE 21
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
residual risk
risks
The evaluation of overall is a challenging task that cannot be achieved by adding all
individual numerically. The diffichualrtmy arises for the following rheaarsmons: severity
hazardous situations
— Each probability of occurrence of is related to a different with different and can
be related to different .
— Probabilities are often known with different degree of uncertainty. Some probabilities could
be known precisely from either historical data or testing. Other probabilities might be known
imprecisely such as estimates by expert judgment, or cannot be estimated such as the probability of
a software failure. severities harms
risk analysis
— It is not possible to combine the of individual within the broad categories usually
employed in . residual risk
risks risks
Furthermore, the criteria for acceptahbairlimty of the overall severity can be different from the criteria
for accerpetsaibdiulaitly r oisfk individual . The criteria used to evaluate individubaeln efits usuallyin itnecnluddede luismeits
for tmheed picraolb daebviilcitey of occurrence of with a particular . The criteria used to evaluate the
overall are often based on additional elements, such as the of the of
the . residual risk manufacturer
There is no preferred way for evaluating the overall . The is responsible
fmoar nduefatecrtmurienrisng an appropriate method. In the following subclauses some examples of approaches
are presented that can be used in defining the evaluation method. This guidance is intended to assist
in establishing methods andr cersiitdeuraial .risk
ISO 14971:2019 requires that the overall medical dev bicee evaluated by persons with the knowledge,
experience and authority to perform such tasks. It is recommended to involve application specialists
with knowledge of and experience with the . Ultimately, the evaluation should be based
on expert judgment with essential roles for raepspidluicaalt iroinsk knowledge and clinicraislk e xmpaenrtaigseem. ent file
residual risk
The results of the evaluation of overall form part of the . It is
recommended to document thme arnatuifoancatuler eforr the acceptance of the overall residual risk.s
accompanying documentation residual risks
ISO 14971:2019 requires the re tsoid iunaflo rrimsk users of significant and to provide
the necessary information in the to disclose those . See
Annex D for guidance on the disclosure of .
8.2 Inputs and other considerations
residual risk
The evaluation of overall can take several inputs and considerations into account. Some
examples of inputs and their use are presented below. hazardous situations risks
residual risk
a) Different sequences of events can lead to different and , each contributing
to the overall . For example, the reuse of a single-use device can be associated with
infection, leachinrgi skosf toxic substances, mechanical failure due to ageing and bio-incompatible
disinfectant residues. Event Tree Anasleyvseisr it(yETAh, asreme Annex B.4) can be a suitable methroisdk sfor
analysing these , to differentiate bertewsiedeuna ls reiqskuences of events with considerable versus
negligible probability of occurrence or of . The combined contribution of these is
considered inh tahrem evaluation of the overall hazardo. us situations
harm residual risk
b) A particular can originate from different . In such cases, the probability
of occurrence of the can be used to determine the overall harm based on a combination
of the individual probabilities. Fault Tree Analysis (FTA, see Annex B.3) can be a suitable method
Rfoirs ke sctoimntartoilng the combined probability of occurrence of a particular . risks
residual risk
c) meriasskures that are appropriate for independent individual could result in
conflicting requirements, which can increase the overall . For example, an instruction
to address the of an unconscious patient falling off a patient table could be “never leave an
unconscious patient unattended”. This could conflict with the instruction “stand behind protective
screen when making X-ray images” intended to protect medical staff from being exposed to X-rays.
22 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
risk
medical device
d) A warning considered on its own could provide adequate reduction of an individual . However,
too many warnings can confuse the user of the and can thursis kreduce the effect of
the indirveisdiduuaal lw riasrknings. An analysis might be needed to determine if there is an over-reliance
on warnings and whether such over-reliance could have an impact on the reduction and the
overall . medical device
e) Are sciodmuaplr reihskensive review of all operating instructions for the might reveal that the
instructions are inconsistent or too difficult to follow. This can also have an impact on the overall
.
residual risk
f) The results of the design validation, usability studies, clinical evaluations and clinical investigations
can provide useful information about the overall . Appropriate input from stakeholders
canb pernoevfiitd-rei sukseful information. risks
g) All analyses for individual shroiusklds be takenri isnkt oa naacclyosuisnt.
residual risk risk
h) When there have been trade-offs between in the risk , the impact on the overall
risk should be analysed with extra care. These are insrtisaknces where one might have
been allowed to increase somewhat in order that another could be rerdisukcsed. For example, the
to one person (the user) is allowed to increase so that the r itsok sanother (the patient) can be
reduced. The evaluation can take the form of going through related major , describing why the
trade-off balance is justified, and why the combined level of the in the trade-off decision is
acceptable.
8.3 Possible approaches
residual risk
manufacturer
The method to evaluate the overall can include the following approaches or other
approachbeesn defeietsmed appropriatinet beyn dtehde use med.ical device residual
risk Benefits
a) Tbehnee fit related to the of the are weighed against the overbaelnl efit
. can be described by their magnitude or extent, the probability of experiencing the
within tshtaet ien otef nthdee adr ptatient population, and the duration and frequency of the me.d Tichael
edvevailcueastion should take into account knowledge of the intended medical indication, the generally
acknowledged in technology and medicine, and the availability of alternative
or treatments. residual risks residual risk
risk risk
b) Visual representatiornissk osf the r icsakns be useful. Each indisveivdeuriatly can be shown
in a chart or matrriisxk, such as those in Figurries k3s and Figure 4, giving a graphic view of the
rdiissktsribution of the . If many roefs itdhuea l risk are in the higher regions or in the higrhieskr
probability regions of the matrix, or clusters of are borderline, then the distribution of the
can indicate that the overall might not be acceptable, even if each individual
has bmeaennu jufadcgteudre arcceptable. medical device medical devices
medical device
c) The rceasni dcuoaml rpiaskre the underb ceonnefsiitdseration to similar medical
advevaiiclaebsleR oesni dtuhael m riasrkkset. The key quemsteidoinca ils dwehveicteher the under consideration has an
raicsckesptable overall medical dinev riecleation to the medical , in compianrtiesnodne dto ussime ilar
. intend peods eudse by the can be compmaerdeidca iln ddievviidcuesally to corresponding
for the similar , taking account of differences in . Up-to-date
information on and adverse events of similar should be carefully
reviewed, as well as information from scientific literature, including information about clinical
expemriaennucefa.cturer residual risk
benefits medical device
d) The can use experts to support the evaluation of the overall in relation
to the expected from usingm theed ical devices under consideration. These experts can come
from a variety of disciplines and should include those with clinmiceadli coarl adpepvilciceation experience and
tmhaonsuef awcittuhr ekrnowledge of similar . The experts should have an appropriate level
of independence from those who designed and developed the . They can assist the
in taking into account stakeholder concerns. Attention is drawn to the requirements
in ISO 14971:2019 for training and experience.
PROOF/ÉPREUVE 23
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
risks
risks
e) rEevseidnu tahlo ruigskh all individual should have been identified, rciosnktsrolled and judged acceptable at
this point, it could brees iadpuparlo rpisrkiate that some are investigated further as a result of the overall
evaluation. For example, there could be many close to being not acceptable.
Hence, the overall could not be deemed acceptable and a further investigation would
be appropriate. risks
risk control Risk control
f) Further investigation can also be appropriate when some are interdepernisdke ncot nwtritohl respect to
either their causes or rtihske control measures applied. meraisskusres should be verified
for effectiveness, not only individually but also in combination with other measures.
This can arlisskos applyr tisok control measures designed to control multiple simultaneously. Fault
Tree Analysis (FTA) or Event Tree Analysis (ETA) can be useful tools to discover such relationships
between and measures.
9 Risk management review
risk managementprocess
risk management residual risk
ISO 14971:2019 requires that the final results of the be reviewedp otost e-pnrsoudruec tthioant
the risk pmlaann ahgaesm beenetn appropriately executed, that the overall verifica tisio ancceptarbilsek,
aconndt trhoalt appropriate methods are in place to collect and revmieewdi rcealle dveavnitc eproducrtiisokn manadn agement
information. The review is performed afterri sikm mplaenmaegnemtaetniotn f ialend of all
measures but prior to commercial release of the . The report
provides the summary of this review and is inclurdisekd mina tnhaeg ement .
post-production manufacturer
There can be a need to revise or update the risk manage rmeepnotrt if new information becomriesks
amvaanilaagbelme, efnotr example during the production and phases. The me ddiectaelr dmevinicees
when subsequent reviews of the execution of the plan and updates of the
report are performed, froisrk e mxaamnapglee,m afetnetr a major change in the design of the .
risk managementprocess top management risk
Tmhaen argevemieewn tof the execution of thel ife cycle plan mise ndoicta tl od ebvei cceonfumseedd iwcaitlh d ethviec ereview of the
suitability of the risk manage mate pnlta pnrnoecde sisntervals by (see 4.2.p3r)o. cTehses
proc pelsasn is related to the of one type of (or family). The
review of the suitability of the is related to the effectiveness of the and
how this is implemented.
10 Production and post-production activities
10.1 General
post-production medical device
manufacturers risk management life cycle process
Monitoring of production and information is the critical step that enables
safety to close the feedback loop and to make risk ma an acognemtinenutouprso cess .
Dursinafge ttyhis phamsee, diincfaolr dmevaitcieon is collected from many different sources, reviewed for relevance to
, and where appropriate, fed back into earlier phases of the to maintain
the of the . manufacturer
medical device safety
ISO 14971:2019 requires the risk managem etnot establish a system to actively collect and review
information about the that could be related to . The activities necessary to establish
this system are recorpdoesdt -ipnr tohdeu ction plan (see 4.4.8).
The production and activities can be part of a post-market surveillance system. See
[35]
ISO/TR 20416 for more guidance on post-market surveillance.
ISO 13485:2016– Medical devices – A practical guide
[24]
NOTE This phase is aligned with the relevant parts of Clauses 7 and 8 of ISO 13485:2016 . More guidance
[25]
is provided in the ISO Handbook: .
10.2 Information collection
safety medical device
manufacturer medical devices
Information relevant to the of the can come from a variety of sources. The more
experience a has in developing and marketing similar , the more likely the
24 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
manufacturer medical device
reasonably foreseeable misuse risks medical device
will have a good understanding of the performance, the patient population,
the post-production that could occur, and the associated with the medical d.evice
safety
Production and activities can include receiving informahtairomn about the
hazard aonuds spiteurafotiromnsance. Sources typically ihnacrlmude general feedback from users, distributors, service
personnel amnedd itcraali ndienvgi cpeersonnel. The information crainsk bse related to that has occurred or to
that occurred without . The activities can also include soliciting information
about the performance anmd arneulfaatcetdu rer . These acmtievditicieasl idnevvoiclvee reaching out to
stakeholders to obtain specific information and insight, using methods such as customer surveys,
expert user groups (focus groups) and -sponsored tracking/implant
registries. It also includes publicly available information such as clinical literature, incident reports and
adverse event databases.
safety
The macetdivicitaile ds ecvaince further include post-market clinical follow-up (PMCF) studies carried out following
market approvsaalf,e twyhich are intended to enhraenscide utahle r icslkinsical evidemneced icfoarl dthevei ce and performance
of a intended u saefter it is placed on the market. PMCF studies typically address specific questions
related to the or performance (i.e. the ) when a is used in accordance
[26]
with its . See ISO 14155 for requirements on clinical investigations and GHTF/SG5/N4:
[3]
2010 for further guidance on PMCF studies. manufacturer’s medical
device medical devices intended use hazards
The information collected does not necreissskasrily have to be directmlya rneulafatectdu troe rt’hs em edical device
. Other with similar , similar principle of operation or similar
can yield useful information about the associated with the . This also
applies to other products without a medical purpose but with similar upsoes to-rp rsoimduilcatrio onperating principle.
safety
Table 7 presents a list of data sources containing production and information that
should be considered for analysis and possible relevance to . This table is based on GHTF/SG3/
[2]
N18: 2010 .
If the collection and review of information is performed by different departments, effective
communication and coordination between those departments is essential.
Table 7 — Data sources related to production and post-production information
Data sources Information
— PDraotcae fsrsom monitoring supplier performance/controls
— proce mssonitoring
Production
— In- inspection/testing
— Internal/external audits
— Quamnetditiycal device
— By family
— By customer (physician, healthcare facility, patient, etc.)
Complaint handling — Reason for complaint
— SCeovmerpiltayint codehsarm
— of any
— Component involved
PROOF/ÉPREUVE 25
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table 7 (continued)
Data sources Information
— Installationmedical device
— First use of
— Frequency of maintenance visits
— Types of repairs
Service reports
— Frequency of repairs
— Usage frequency
— Parts replaced
medical devices
— Service personnel
Risk management
— Published adverse event reports for similar state of the art
— Stakeholder concerns and generally acknowledged
Clinical activities — Post-Market Clinical Follow-up (PMCF) studies
— Service response time medical devices
Market/patient surveys
— Solicited information on new or modified
Scientific literature — Research publications
— Online newsletters
Media sources — Medical information websites
— Articles in trade journals, scientific journals and other literature
— Independent security researchers
— In-house testing
— Suppliers of software or hardware technology
Security data sources
— Health care facilities
medical device
— Published events for devices sharing similar technologies as the
— Information Sharing and Analysis Center (ISAC)
10.3 Information review
safety
The collected information is reviewed to determine if the information is relevant to . The following
questions cinatne nhdeelpd iuns ethis review:
— Is the stbielln veafiltisd?
— Are the anticipated hazards achhieavzeadrd?ous situations
harm
— Is there evidence of or not previously identified? For example, did any
unforeseen occur?
— Are there occurrences of misuse which were previously not foreseiennte?nded use
— Is there an increasing trend of use for applications othhaezra trhdaonu st hseit uation ha?rm
harm
— Does the frequency of occurrence of a particular or suggest that the
probability of occurrence of was underestimated?
26 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
harm severity harm
— Does the reported inrdisicka ctoen tthraotl the of was underestimated?
— Is there evidence that the resi dmueaal sruisrkes are not effective?
— Does the evaluation of the overall accsutraattee olyf trheep raerstent the actual market experience?
— Are there changes in the generally acknowrilsekdged ?
— Are there indications that the criteria for acceptability should be adjusted?
The inforhmazaatriodn revhieawza cradno ulesa sdit utoa tsieovneral possible outcomes, for examrispkle:
— The and were correctly identified. The was adequately assessed and
remahianzsa arcdceptahbalez.ardous situation risk
— The and were correctly identified, but the has increased and is no
longehra zaaccrdeptahbalez.a Frudrotuhse sri taucattioionn is required.
— The or state w oafs t nhoet aidrtentified. bFeunretfhitesr action ims reedqicuairl edde.vice
— The generally acknowledged or the for the have changed.
Further action is required. state of the art
Concerning chasanfgeetsy in the generally acknowledged risks , consideration should alsor bisek sgiven
tboe ntehfeit asvailability of alternatives to treat or diagnose the medical condition of the intended patients,
including the and effectiveness and the associated of those alternatives. The and
man tuof apcattuiernerts in situations where no treatment or diagnosbies nise faitvsailable sihnoteunldde adl suos ebe considered.
benefits risks benefit
The residual ris kshould also assess whether the anticipated benefi tof the are achieved
or have changed. If the change while the remain the same, the balance between and
overall can also change. See 7.4.2 for a discussion of estimation.
Statisticmael dtieccahl ndieqvuiceess should be considered to assist in the processing of data, such as trmenandu afancatluyrseisr,
predictive mreeldiaicbailli tdye veincegsineering techniques (e.g. Weibull analysis), and reliability evaluation (e.g.
testing or components to failure, testing failed components returned to the ,
[21]
or testing from the same lot or previous/succeeding lots). See ISO/TR 10017 for
further guidance on the selection and use of statistical techniques.
10.4 Actions
safety
medical device
If the collected information is rreisvki emwaenda gaenmde dnettperromceinssed to be relevant to , several actions are
required by ISO 14971:2019. Some of these actions are related to the particular , while
othehra azcatriodns ahrae zraerladtoeuds tsoit tuhaet ion . risks
If a or risk assessment is present that was norits kp rceovnitoruoslly recognised, the associated risk
amraen aasgseemsseendt failned controlled where appropriate, following the steps of ISO 14971:2019 Clauses 5 to 7.
The results of the and the implemented measures are recorded in the
risk . risk
risk control
If a has become no longer acceptable, an update of the assessmenrti sokf the specific is necessary.
The impact of the collected information on previously implemmedenictaeld d evice measures is evaluated
to see if these measures are still effective and sufficient to reducrei stkh ec ontr.o Tlhe results of this evaluation
should be conrsiisdke raesds easssm aenn tinput for modification ofr itshke control . If appropriate, the stepsr isokf
mISaOn 1a4g9e7m1e:n2t0 f1i9le Clauses 5 to 7 are repeated and new/additional measures are implemented.
The updated and the implemented measures are recorded in the
. residual risk benefits intended
use medical device risk management
It couldri sbke mneacneasgseamrye ntot evaluate the overall again in relation to the of the
of the . It could also be necessary to repeat the review and to prepare
a new report. See Clauses 8 and 9 of ISO 14971:2019.
PROOF/ÉPREUVE 27
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
manufacturer medical devices
The should also consider if actions are nmeaenduefda ctotu arderdress those thamt eadriec:al
devices
— already distributed (i.e. beyond the control of the ), because correction of these
or removal from the market could be necessary; manufacturer
medical devices
— already manufactured but not distributed (i.e. still under the control of the ), because
containment and correction of these could be necmesesdaircya;l odrevice
processes
— to be manufactured in the future, because modification of the design and related
mmeadniucafal cdteuvriicnegs or servicing ma cnouufladc tbuer enrecessary.
For on the market, the should consider whether anryis uk rcgoennttr oinlformation
should be communicated to users, patients and other stakeholders as an interim measure (for example
[24]
as an advirsiosrky notice as described in 8.3 of ISO 13485:2016 ), before further measures
are developed. The degree of urgency in this communication should be commensurate with rtihske
dmeagnraegee omf ent fi, lebecause the speed of these actions contributes to their effectiveness. The time period
can be subject to regulatory requirements. The decisions and actions taken are recorded in the
. risk management process
manufacturer
The results of the information review can indicate rtihsakt m tahnea gement is insufficient
or inadequate. Therefore, ISO 14971:2019 requires the ttoop emvaanluaagteem tehnet impact of the
collected information on the previously implemented actriivsikt imesa, ntoa gseeme wenhticphro accetsisvities
should Tboep i mmparnoavgeedm. Tenhte results of this evaluation are communicated trois k management p,r wocheos swill take
these results as input into the planned reviews of the suitability of the (see
4.2.3). then decides which parts or aspects of the require
improvement to ensure its continuing effectiveness.
28 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex A
Identification of hazards( iannfodr cmhaatrivaec)t eristics related to safety
A.1 General
manufacturer medical device
safety hazards
ISO 14971:2019 requmireedsi ctahla dt etvhiece identify those characteristics of the that
could affect . Consideratiionnte onfd tehde uses echraeraascotnearbislyti cfosr iess eaena ebsles emnitsiuals estep in identifying the
amsesdoicciaalt deedv wiceith the . One way of doing this is to ask a series of questions concerning the
manufacture, intended users, , , ahnadz aurldtismate disposal of the
. If one asks these questions from the point of view of all the individuals involved (e.g. users,
maintenance staff, patients, etc.), a more complete picture can emerge of the that mmigedhitc eaxl idste.vice
safety risks IVD
Tmheed iqcaule sdteivoincse sin A.2 can assist the reader in identifying all the characteristimcse doifc athl ed evices
tmhaant ucfoauctldu raefrfect . Annex H contains additional points to consider in estimating medi cfarol mde vice
. These lists are neither exhaustmivaen unfoarc truerperresentative of all , and the
is advised to add questions that can have applicability to the particular
and to skip questions that are not relevant. The is also advised to consider each question
not onmlayn ounf aitcst uorwern but also in relation to others.
safety medical devices in vitro
dTihaeg nostic medical dmevaicye sfurther consult relevant clinical literaturem, aedpipclaicl adbelvei ceresgulations, or the
[29]
essential principles of and performance for in ISO 16142-1 or for
[30]
in ISO 16142-2 . An additional source for where security is
[1]
a concern is AAMI TIR 57 .
A.2 Questions
A.2.1 What is the intended use and how is the medical device to be used?
Factors that shomuledd bicea cl odnevsiicdeered include:
— what is the ’s role relative to:
— diagnosis, prevention, monitoring, treatment or alleviation of disease,
— diagnosis, monitoring, treatment or alleviation of or compensation for an injury, process
— investigation, replacement, modification or support of anatomy or a physiological , or
— control of conception?
— what are the indications for use (e.g. patient population, user profile, use environment)?
— what are mtheed iccoanl tdreav-iicnedications?
— does the sustain or support life? medical device
— is special intervention necemsseadricya iln d ethveic cease of failure of the ?
— can the performance of the be impacted in the event of a security breach (performance
degradation or loss of availability)? medical devicesafety
— can unauthorized access, unauthorized activities, or loss of data affect the ?
PROOF/ÉPREUVE 29
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
A.2.2 Is the medical device intended to be implanted?
Factors that should be considered include the location of implantation, the characteristics of the patient
population, age, weight, physical activity, the effect of ageing on implant performance, the expected
lifetime of the implant, the reversibility of the implantation, whetmheedr icthael diemvpicleant can be modified or
configured while implanted and the access connection to perform this modification or configuration
(Ae..2g.. 3p hyIssi ctahle a cmceesdsi pcaoiln dt eovr iwceir ienletsesn cdoendn etcot iboen tino tchoen imtapclta wntietdh the patient o).r other persons?
Factors that should be considered include the nature of the intended contact, i.e. surface contact,
iAn.v2a.4si veW cohnatta cmt, aotre irmiapllasn otra tcioonm apnod,n feorn etsa cahr, eth uet pileirzieodd ainn dt hfree qmueedncicya olf dceovnitcaect o. r are used with,
or are in contact with, the medical device?
Factors that should be considered include:
— compatibility with relevant substances;
— compatibility with tissues or body flsuaifdest;y
— whethmere dchicaarla dcetveirciestics relevant to are known;
— is the manufactured utilizing materials of animal origin?
[22] [39]
NAO.2T.E5 Is Seenee Arngnye xd Be loifv IeSOre 1d0 9t9o3 o-1r:2 e0x18trac atendd aflrsoo mthe t hISeO p22a4t4ie2n set?ries of standards .
Factors that should be considered include:
— the type of energy transferred;
— its control, quality, quantity, intensity and duration; medical devices
—A.2 .w6 heAthreer s eunbesrgtayn lecveesl sd aerlei vheigrheedr ttoh aonr t ehxotsrea ccutrerden ftrloy mus ethd efo pr astimieinlatr? .
Factors that should be considered include:
— whether the substance is delivered or extracted;
— whether it is a single substance or range of substances;
—A.2 .t7h e Amraex ibmioulmo gaincda ml minaimteurmia tlrsa pnrsfoecre rsasteesd a bnyd tchonet mroel tdhiecraelo df.evice for subsequent reuse,
transfusion or transplantation?
process
Factors that should be considered include the type of and substance(s) processed (e.g. auto-
Atr.a2n.8sf usIiso nth, dei amlyesdisi,c ballo dode vciocme psounpepnlti oerd c setlle trhielera opry ipnrtoecnesdseindg t)o. be sterilized by the user, or
are other microbiological controls applicable?
Factors that shoumlde bdeic caol ndesivdiceered include:
— whether the is intended for single use or reuse packaging;
—30 shelf-life issues; PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— limitation on the number of reuse cycles;
— method of product sterilization; manufacturer
—A.2 .t9h e Iism tphaect m ofe odtihcearl sdteerviilcizea itniotne nmdeethdo dtos nboet rinotuetnidneedl yb yc ltehae ned and disi.nfected by the user?
medical device
Factors that should be considered include the types of cleaning or disinfecting agents to be used and
any limitations on the number of cleaning cyclesas.f eTthye design of the medical dceavni cienfluence the
effectiveness of routine cleaning and disinfection. In addition, consideration should be given to the
Aef.f2e.c1t 0o fD coleeasn itnhge a mnde ddiiscianlf edcetivnigc ea gmenotds iofyn tthhee patie onrt peenrvfoirrmonanmcee notf ?the .
Factors that should be considered include:
— temperature;
— humidity;
— atmospheric gas composition;
— pressure;
—A.2 .l1ig1h At.re measurements taken?
Factors that should be considered include the variables measured and the accuracy and the precision of
the measurement results, as well as whether the measurement apparatus or data can be compromised.
IAn. 2ad.1d2it Iiosn t,h thee m neeeddic faolr dcaelvibicrea tiinonte arnpdr metaaitnitveen?ance should be considered (see also A.2.18).
medical device
Factors that should be considered include whether conclusions are presented by the from
input or acquired data, the algorithms used, and confidence limits. Special attention should be given to
unintended applications of the data or algorithm, as well as unauthorized manipulation or changes to
aAl.g2o.r1i3th Ims st haned m deadtai.cal device intended for use in conjunction with other medical devices,
medicines or other medical technologies?
Factors that should be conmsieddeirceadl dinevcilcuedse:
— identifying any other , medicines or other medical techmnoedloicgaiel sd tehvaict ecan be involved;
medical devices
— the potential problems associated with interactions (such as the impacting the
performance of other ); and
—A.2 .w14h eAthreer t thheer pea utinenwt afonltloewds o tuhtep inusttsr oucf teionnesr fgoyr tohre s tuhebrsatpayn.ces?
Energy-related factors that should be considered include noise and vibration, heat, radiation (including
ionizing, non-ionizing, and ultraviolet/visible/infrared radiation), contact temperatures, leakage
currents, and electric or magnetic fields.
Substance-related factors that should be considered include substances used in manufacturing,
cleaning or testing having unwanted physiological effects if they remain in the product.
PROOF/ÉPREUVE 31
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Other substance-related factors that should be considered include discharge of chemicals, waste
pAr.2od.1u5ct Iss, atnhde bmodeyd ifcluaild ds.evice susceptible to environmental influences?
Factors that should be considered include the operational, transport and storage environments. These
include light, temperature, humidity, vibrations, spillage, susceptibility to variations in power and
cAo.2ol.i1n6g Dsuopepsli eths,e a nmde edleiccatrlo dmeavgincee tiinc filnuteernfecree nthcee. environment?
Factors that should be considered include:
— the effects on power and cooling supplies;
— emission of toxic materials;
—A.2 .t1h7e Dgeoneesr atthioen m ofe edlieccatrl odmevagicnee triec qduisitruer bcaonncseu.mables or accessories?
Factors that should be considered include specifications for such consumables or accessories and any
rAe.s2t.r1ic8t iIosn ms paliancteedn uapnocne u oserr cs ainli bthreairti soenle ncteiocne sosf athryes?e.
Factors that should be considered include:
— whether maintenance or calibration are to be carried out by the user or by a specialist;
— whether special substances or equipment are needed for proper maintenance or calibration;
— traceability of the calibrator values to a higher order reference;
— how to determine when maintenance or recalibration is needed;
—A.2 .h1o9w D tooe vse rtihfye tmhaetd ciaclaibl rdaetivoinc eis c (ostniltla) ianc cseopfttawblaer.e?
Factors that should be considered include whether software is intended to be installed, verified,
mA.o2d.2if0ie dD oore esx tchhea nmgeedd ibcya tlh dee uvsiecre o arl bloyw a sapcecceiaslsi stto, ainndfo trhme aauttihoenn?ticity of a software update.
Factors that should be considered include accessible Ethernet ports, USB ports, serial ports, and
rAe.m2.o2v1a bDleo ehsa rtdh der miveesd.ical device store data critical to patient care?
Factors that should be considered include the possibility of the data being modified or corrupted,
uAn.2au.2t2ho Driozeeds tahccee mss etod itchael d daetav,i caen dh tahvee c ao nrseesqtureicntceeds fsohr ethlfe l pifaet?ients.
medical device
Factors that should be considered include whether the can deteriomraetdei coavl edre vtiicmees, the
impact of storage conditions and primary packaging, the communication of the expiry date (by labelling
or an indicator), possibility of use after the expiry date, and the disposal of expired .
32 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
A.2.23 Are there any delayed or long-term use effects?
Factors that should be considered include ergonomic and cumulative effects. Examples could include
pumps for saline that corrode over time, mechanical fatigue, loosening of straps and attachments,
vAi.b2r.a2t4io Tno e fwfehctast, lmabeeclhs athnaitc wale faor rocre fsa lwl oiflfl, tlohneg m-teerdmic maal tdeerviailc dee bgera sduabtijoenc.ted?
medical device
Factors that should be considered include whether the forces to which the will be
sAu.2bj.e2c5te Wd ahraet u dnedteerr tmhei ncoenst trhole o lfi tfeheti umseer o ofr tchoen tmroelldeidc abyl dinetveircaec?tion with other persons.
Factors that should be considered include battery depletion, deterioration of materials and failure
of components due to ageing, wear, fatigue or repeated use. The availability of spare parts should be
cAo.2ns.2id6e rIesd t hase wmeelld. ical device intended for single use?
Factors that shoumlde bdeic caol ndesivdiceered include:
— whether the self-destructsm afetdeirc auls dee;vice
—A.2 .w27h eItsh sear fiet ids eocbovimoums itsos tihoen uinsegr othra dt itshpe osal of the m ehdaisc bael edne uvsiceed .necessary?
medical device medical
Fdaevcitcoers that should be considered include the waste products that are generated during the disposal
of the itself,m aenddic tahl ed epvriocpeer sanitization (removal) of all sensitive data on the
. For example, does it contain hazardous material (e.g. toxic chemical or biological agent), or is the
material recyclable? If the stores data, proper handling and security of the stored data
Ash.o2u.2ld8 b Deo ceons siindesrteadll, aintciolund ionrg duastea orefm thovea ml aendd irceatel ndteiovnic.e require special training or
special skills?
medical device
medical device
Factors that should be considered include the complexity and novelty of the and the
knowledge, skills and ability of the persons installing, maintaining or using the . This can
iAn.c2lu.2d9e tHroaiwni nwgi,l el dinucfoatrimona, tcioomnp feotern scaef aestsye bssem pernot,v ciedretdifi?cation or qualification.
Factors that should be considered include: manufacturer
— whether information will be provided directly to the end user by the or will it involve
the participation of third parties such as installers, care providers, health care professionals,
laboratory directors or pharmacists and whether this will have implications for training;
— commissioning and transferring to the end user and whether it is likely/possible that installation
can be carried out by people without the necesmseadriyc askl dilelsv;ice
— based on the type and expected lifetime of the , whether re-training or re-certification
A.2.o3f0 u Aserres nore wse rmviacen upefarscotnunreinl wg opurlodc bees saepsp reosptraibatleis.hed or introduced?
Factors that should be considered include the application of new or innovative technology and changes
in the scale of production. This can also involve changes in contract manufacturing, suppliers and
vendors.
PROOF/ÉPREUVE 33
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
A.2.31 Is successful application of the medical device dependent on the usability of the
user interface?
A.2.31.1 Can the user interface design features contribute to use error?
medical devices
Factors that should be considered include: control and indicators, symbols used, ergonomic features,
physical design and layout, hierarchy of operation, menus for software-driven , visibility
[16]
of warnings, audibility of alarms, standardisation of colour coding. See IEC 62366-1 for additional
[7]
information on usability and IEC 60601-1-8 for alarms.
A.2.31.2 Is the medical device used in an environment where distractions can cause use error?
Factors that should be counses iedrerroerd include:
— the consequence of ;
— whether the distractions are commonplace;
— whether the user can be disturbed by an infrequent distraction;
— whether repetitive stress can reduce the user’s awareness or attention.
A.2.31.3 Does the medical device have connecting parts or accessories?
Factors that should be considered include the possibility of wrong connections, similarity to other
products’ connections, connection force, feedback on connection integrity, and over- and under-
tightening.
A.2.31.4 Does the medical device have a control interface?
Factors that should be considered include spacing, coding, grouping, mapping, modes of feedback,
blunders, slips, control differentiation, visibility, direction of activation or change, whether the controls
are continuous or discrete, and the reversibility of settings or actions.
A.2.31.5 Does the medical device display information?
Factors that should be considered include visibility in various environments, orientation, the visual
capabilities of the user, populations and perspectives, clarity of the presented information, units, colour
coding, and the accessibility of critical information.
A.2.31.6 Is the medical device controlled by a menu?
Factors that should be considered include complexity and number of layers, awareness of state,
location of settings, navigpartoiocned mureetshod, number of steps per action, sequence clarity and memorization
problems, and importance of control function relative to its accessibility and the impact of deviating
from specified operating .
A.2.31.7 Is the successful use of the medical device dependent on a user’s knowledge, skills and
abilities?
Factors that should be considered include:
— the (intended) users, their mental and physical abilities, skill and training;
— the use environment, ergonomic aspects, installation requirements; medical device
— the capability of intended users to control or influence the use of the ; and
34 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
medical device
— the personal characteristics of intended users that can affect their ability to successfully interact
[17]
with the . See IEC TR 62366-2 .
A.2.31.8 Will the medical device be used by persons with specific needs?
Factors that should be considered include:
medical device
— users with special characteristics, such as disabled persons, the elderly and children, who might
need assistance by another person to enable the use of a ;
medical device
— users having wide-ranging skill levels and differing cultural backgrounds and expectations that
could lead to differences in what is considered appropriate application of the .
A.2.31.9 Can the user interface be used to initiate unauthorised actions?
Factors that ushseo uerldro bre considered include whethriesrk sthe user interface allows the user to enter an
operation mode with restricted access (e.g. for maintenance or special use), which increases the
possibility of and thereby the associated , and whether the user becomes aware of having
eAn.2te.3re2d Dsuocehs o tpheer amtieond imcaold de.evice include an alarm system?
risk
Factors that should be considered are the of false alarms, missing alarms, disconnected alarm
systems, unreliable remote alarm systems, and the user’s ability of understanding how the alarm
[7]
sAy.2st.e3m3 wIno rwkhs.a Gtu widaaynsc em foigr hatla trhme smysetdemicsa lis d geivveicne i nb eIE mC 6is0u6s0e1d-1 -(8del.iberately or not)?
safety
manufacturer’s medical device
Fmaecdtiocrasl tdheavtic sehould be considered are incorrect use of connectors, disabling features or alarms,
neglect of recommended maintenance, unauthorized access to the or to
A.2.34 Is the fmunecdtiicoanls .device intended to be mobile or portable?
Factors that should be considered are the need for grips, handles, wheels or brakes, and the need for
mA.e2c.h3a5n Dicoale sst atbhieli tuys aen odf d tuhrea bmileitdy.ical device depend on essential performance?
medical devices
Factors that should be considered are, for example, the characteristics of the output of life supporting
[5]
or the operation of an alarm. See IEC 60601-1 for a discussion of essential performance
oAf. 2m.3ed6i cDaol eelse ctthreic mal eedquicipaml denevt iacned h maevdei caa ld eelgecrtereic oalf sayusttoemnos.my?
Factors that should be considered inmclueddiec:al device
— awareness of the user when the with a degree of autonomy generates an error, alarm
or failure;
— awareness of the user when intervention in an autonomously performed action is required;
— the ability of the user to intervene in or to abort an action that is performed autonomously; and
— the ability of the user to select and perform pmreodpicear lc doervrieccetsive actions.
[9]
See IEC TR 60601-4-1 for further guidance on with a degree of autonomy.
PROOF/ÉPREUVE 35
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
A.2.37 Does the medical device produce an output that is used as an input in determining
clinical action?
risks
Factors that should be considered inicnl uvditer ow dhiaegthneors tiinc cmoerrdeiccat l odre vdiecleasyed outputs can result in direct
or indirect to patients, e.g. an incorrect diagnosis resulting in delayed or omitted therapy for a
patient. See Annex H for guidance on .
36 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex B
Techniques t(hinafto srumpaptiovret) risk analysis
B.1 General
risk analysis
harm harm
This annex provides guidance on several techniques that can be used to support a . Some
techniques start with the phoasrsmible and analyse the variety of events that can cause that .
Other techniques start with an initiating event and analyse the subsequent sequence or combinations
of events that could leadr itsok anal.y Tsihse basic principle is that the rsieskq umenacnea ogef meveennttsp riso caensaslysed.
Irti skis aenmalpyhsiassized that is only one step of the deshcarzibaerddo uins
IsSitOu a1t4io9n7s1:2019. Further, the techniques described in this annex do not address all elements of a
, and only provide supporting information. For example, the identificatriioskn aonfa lysis
is not included in all of these techniques. These techniques are complementary, and it can be
necessary to use more than one of them in order to support a thorough and complete .
The following analysis techniques are discussed in more detail: process
hazards hazardous situations harm
— Prelimmineadricya Hl adzeavircde Analysis (PHA) is a technique that can be used early in the development
to identify the , , and events that can cause when few of the details
of the design are known. safety
process
— hFaauzaltr dTsree Ahnaazlayrsdiosu (s FsTitAu)a taionnds Event Tree rAinska lcyosnistr o(lETA) are especially useful in
engineering, early in the development , for the identification and prioritization of
and and possible measures as well as for analysing the
consequences of adverse events.
— Failure Mode and Effects Analysis (FMEA) is a technique by which effects or consequences of
individual components are systematically identified and is more appropriate as the design matures
and the failure modes are better understood.
process
— Hazard and Operability Study (HAZOP) is typically used in the early stages of the development
to study deviations from the intended performance.
process
— Hazard Analysis and Critical Control Point (HACCP) is typically used in the later stages of the
development to verify and then optimize design concepts or changes.
B.2 Preliminary Hazard Analysis (PHA)
hazards hazardous
situations harm
PHA is an inductive method of analysis with the objective of identifying the ,
apnrodc eevdeunretss that can cause for a given activity, facility or system. It is most commonly
carried out early in the develophmaeznatr dosf a project when there is little information on design details or
operating and can often be a precursor to further studies. It can be useful when analysing
existing systems or prioritizing where circumstances prevent a more extensive technique from
being used. hazards hazardous situations
In a Preliminary Hazard Analysis, a list of and is formulated by considering
characteristics such as:
— materials used or produced and their reactivity;
— equipment used;
PROOF/ÉPREUVE 37
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— use environment;
— layout;
— interfaces among system components.
The method is completed with: hazardous situation
hazardous situation harm
a) the identification of the probabilities that a occurs and the probabilities that a
leads to ; harm
b) the qualitative evaluation of trhisek e cxotnetnrto olf possible ; and
c) the identification of possible measures.
The results obtained can be presented in different ways such as tables and trees.
B.3 Fault Tree Analysis (FTA)
hazards
harm hazardous situation
FTA is primarily a means of analysing identified by other techniques and starts from a
postulated undesired consequence, i.e. a possible or , also called a “top event.”
In a deductive manner, starting with the top event and asking “Why?”, the possible causes or fault
modes of the next lower functional system level causing the undesired consequence are identified.
Following stepwrisiske c iodnetnrtoilfication of undesirable system operation to successively lower system levels
will lead to the desired system level, which is usually either the component fault mode or the lowest
level at which measures can be applied. This will reveal the combinations most likely to
lead to the postulated consequence. The results are represented pictorially in the form of a tree of fault
modes. At each level in the tree, combinations of fault modes are described with logical operators (AND,
OR, etc.). The fault modes identified in the tree can be events that are associated with hardware faults,
human errors, or any other pertinent event, which leads to the undesired event. They are not limited to
the single-fault condition.
risk analysis
FTA allows a systematic approach that is sufficiently flexible to allow analysis ofh aa zvaarrdieotuys osift ufaacttioonrss,
including human interactions. FTA is used in as a tool to provide an estimate of fault
probabilities and to identify single faults and common cause faults that result in .
The pictorial representation leads to an easy understanding of the system behaviour and the factors
included, but, as the trees become large, procepssrioncge douf rfeasult trees can require computer systems.
[12]
See IEC 61025 for more information on the for FTA.
B.4 Event Tree Analysis (ETA)
ETA is a causal analytical technique that is based on an analysis of a sequence of actions and events that
can lead to a negative outcome. ETA uses the same logical and mathematical techniques as Fault Tree
Analysis (FTA). However, whereas FTA analyses how an undesirable top event can occur, ETA considers
the impact of the failure of a particular component or item in the system, and works out the effect such
a failure can have on the overall system and on the users and patients. ETA uses an inductive approach,
whereas FTA is deductive.
The initiating event in an event tree willm uesduiacallly d feavlli ciento one of the following four categories:
a) ufasiel uerrerso ror unsafe conditions in the ;
b) ;
c) utility failures (such as loss of power or internet connectivity); and
d) environmental conditions (such as temperature, humidity, altitude, weather).
38 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
harm
The goal of ETA is to determine the probability of possible negative outcomes that can result from the
selected initiating event and that can eventually lead to . It is necessary to use detailed information
about a system to understand the sequence of events to construct the event tree diagram. The event
tree begins with the initiating event where consequences of this event follow in a binary (success/
failure) manner. Each event creates a path in which a series of successes or failures will occur where the
overall probability of occurrence for that path pcraonc bedeu ersetsimated.
[18]
See IEC 62502 for more information on the for ETA.
B.5 Failure Mode and Effects Analysis (FMEA)
FMEA is a technique by which the consequences of an individual fault mode are systematically identified
and evaluated. It is an ipnrdouccetdivuere technique using the question “What happens if ... ?”. Components are
analysed one at a time, thus generally looking at a single-fault condition. This is done in a “bottom-up”
mode, i.e. following the to the next higher functional system level.
Process
The FMEA is not restricted to a failure of a component’s design but can also include failures in the
manufacturing and assembling of components ( FMEA) and the use or misuse of the product
by the end user (Use FMEA). FMEA can be extended to incorporate an investigation of the individual
cseovmerpiotynent fault modes, their probability of occurrence and detectability (onlym etod ictahle d edveigcreee that
detection will enable preventive measures in the context of ISO 14971:2019) and also the degree of
of the consequences. In order to perform an FMEA, the construction of the should
be known in some detail.
Disadvantages of this technique can arise from difficulties in dealing with redundancies and the
incorporation of repair or preventive maintenance actions, as well as its restriction to single-fault
conditions. procedures
[10]
See IEC 60812 for more information on the for FMEA.
B.6 Hazard and Operability Study (HAZOP)
hazardous situations harm
process
HAZOP is based on a theory that assumes that and are caused byh daezasirgdns
deviations or operational variations. HAZOP can be performed early in the development when
only the design and development inputs are defined. It is a systematic technimqueed ifcoarl iddeenvitcifeying
and operability problems. It was originally developed fomre udiscea li nd etvhiece chemical industry focusing on
dpreovciaestisoenss from design intent, but there are alternative applications for developers.
HprAoZceOsPs can be applied to the operation/function of the medica l( ed.egv. itcoe the existing methods/
used for the diagnosis, treatment or almleevdiiactaiol nde ovfic deisease as the “design intent”), or to a
used in the manufacture or maintenance/service of the (e.g. sterilization) that
can have significant impact on the function of the .
Two particular features of a HAZOP are: medical device
— it uses a team of people with expertise covering the design of the and its application;
— guide words are used to help identify deviations from normal use (ALL, NONE, NO/NOT, MORE/
LESS THAN, AS WELL AS, PART OF, etc.).
The objectives of the technique are: medical device
— to produce a full description of the intended a unsde how it is intended to be used;
medical device
— to review systematically every part of the in order to discover how deviations from the
normal operating conditions and the design can occur;
hazardous situations
— to identify the consequences of such deviations and to decide whether these consequences can lead
to or operability problems.
PROOF/ÉPREUVE 39
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
processes medical device
medical device process
When applied to the used to manufacture a , the last objective is particularly
useful in those cases where the pcrhoacreadcuterersistics depend upon the manufacturing .
[14]
See IEC 61882 for more information on the for HAZOP.
B.7 Hazard Analysis and Critical Control Point (HACCP)
hazards hazardous situations
risks process
HACCP is a systemriastki cm aapnpargoeamcehn tto identify and and to control and
monitor the associated by focusing on the critical control points in a manufacturing . In the
description below, terminology is supplemented to conventional HACCP terminology
where appropriate.
HACCP is based on the followingr issekv aenna cloysries principles: hazards hazardous situations
- Conduct a hazard analysis ( ) to identify and ;
- Determine the critical control points;
- Establish appropriate limits;
- Monitor each critical control point; risk control
- Establish cpororrceecdtuirvees and vperreifviecanttiiovne actions (identify and implement measures);
- Establish procedures for ; record
- Emsteadbilcisahl device for docuhmaeznatradtsion anhda zardou kse seiptuinagti.ons intended
use reasonably foreseeable misuse safety Hazardous situations
Each has its own and life cycle that can be related to its
, or its characteristics related to . can be
initiated by events during different phases in the , such as design, development, manufacturing,
service, use, disposal, etc.
hazards hazardous situations manufacturer
The heart of rainsk e cffoencttriovle HACCP system focuses on the continuing contrporlo caensds monitoring of the
identified and . The demonstrates the effectiveness of the
implemented measures by establishing and documenting the flow diagram, the
hazard analysis worksheet and the critical control plan.
The PHrAoCcCesPs system uses the following tools as documented evidence:
a) flow diagram
process
The purpose of the diagram is to provide a clear and sipmropclee sdsescriptionve orfif itchaet isotneps involved in
the . Tphreo cdeisasgram is necessary to the HACCP team in its subsequent work. The diagram can
also serve as am fuatnuurfea cgtuuirdeer for others to understand the for their activities. The
scope of the flow diagram should cover all the processing steps that are under the direct
control of the .
b) Hazard analysis worksheet records risk analysis
The worksheet contains the of the hazarpdr oacneaslsysis ( hazards ):
— the identification and listingh aozf asrtedpss in thhea zardou sw shiteuraet ions of significance are present;
— the listing of all identified (and ) associated with each step and
their significancrei;sk control hazard hazardous situation
— the listing of all measures for each (and );
— the identification of all critical control points and their monitoring and controls.
40 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
c) Critical control plan procedures
process procedure
The plan is based on the seven principles of HACCP and delineates the to be followed to
assure the control of a specific design, product, or . The plan includes:
— identifying critical control points and appropriate limits;
— monitoring and continuing conrtirsokl caocnttivroitlies;
— implementingv earnifdi cmatoinonitoringr ecord measures;
— activities for and keeping.
PROOF/ÉPREUVE 41
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex C
Relation between the pol(iicnyf,o crrmitaetriviae) f or risk acceptability,risk
control and risk evaluation
C.1 General
manufacturer’s risk
top management risk
This annex describes the relation between the policy for determining acceptable risk
as defined by risk a cnodn ttrhoel criterrisika efovar luati oancceptability established based on that policy.
This description incrliusdke esv aellueamteionnts that can be part of the policy. It explains how the criteria for
acceptability can be used in and . Examples of the relation between the policy,
the criteria and the are given for several policy elements.
C.2 Policy for establishing criteria for risk acceptability
risk
The policyr pesriodvuiadle rsi sak sframework for establishing the criteria for r eascidcueaplt aribsiklity. This framework
directs and guides the establishing of the criteria. This concerns both the criteria for acceptability of
individual and the criteria for acceptability of the overallr isk .
manufacturer’s
ISO 14971:2019 requires that the policyr fiosrk emstaanbalgisehmineng tt hfiele criteria for acceptability be documented,
for example as part of the quality management system documentation. However, it is not
necessary that the policy is part of the risk .
A policy for establishing the criteria for acceptability can typically address the following elements:
— purpose;
— scope; risk
— factors and conrsisidk ecroanttiroonls for determining acceptable ;
— approaches to ;
— requirements for approval and review. manufacturer’s
The policy and its elements should be tailored to fit the specific needs of the organization.
Each of the elements is discussed in more detail below. risk
risk
— The purpose describes the goals of the policy for establishing criteria for acceptability.
residual risks medical devices
EXAMPLE 1 Them apnuurfpaocstue reorf’ sthe policy is to provide guidance for mesetdaibcalils dheinvgic etshe criteria for
saacfceetpytability. These criteria are used in the evaluation of associated with the
manufactured by [ name]. The criteria will ensure that the have a high level of
consistent with stakeholder expectations.
— The scope specifies to whom, where and when the policy applies.
risk risk management medical devices
EXAMPLE 2 This policmy aanpupfalicetsu rteor' sall persons involved in establishing, reviewing, updating, and
approving the criteria for acceptability in plans for designed, developed
and/or manufactured by [ name] for commercial distribution.
risk
— The following factors and considerations should be taken into account when establishing the criteria
for acceptability: medical device
— Applicable regulatory requirements in the regions where the is to be marketed;
42 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
medical device
— Relevant international standards for the particular type of , including standards
for testing of specific propertiesst awtiet ho af ptphreo vaartl/rejection limits (see also Annex E);
— The generally acknowledged , which can be detmeremdiicnaeld d efrvoicmes a review of
international standards, best practices in technology, results of accepted scientific research,
publications from authorities, and other information for similar and similar
other products.
— Validated concerns from stakeholders, for example obtained through direct communication
from users, cliniciraisnks, patients or regulatory bodies, or through indirect communication via
news reports, social media or patient forums. It is important to consider that the perception and
understanding of acceptability can vary between different groups of stakeholders and can
be influencreidsk b yco tnhteriorl background and the nature of their interest.
risk
— Approachreiss kto can be defined according to ISOr i1s4k971:2019, 4.2, Note 1. The approach
can include cobnesnideefirta-rtiisokns of practicability, such as reducing ri saks lcoownt aros lreasonably practicable,
reducing as lorwis kas reasonably achievriasbkl ec,o onrt rroelducing as far as possibrlies kwsithout adversely
affecting the ratio. Another possible approach to can be related to the
magnitude of the , for example that can be omitted for small below a certain
Risks benefit-risk
limit. This is elaborated further in C.4.
risk
EXAinMtPenLdEe 3d use abreen reefidtuced ams efdairc aal sd epvoicsesible without adversely affecting the ratio.
Consideration is given to whether technically practicable measures would reduce the without impacting
the R oirs ktshe of the .
risk control
EXAMPLE 4 related to radiation exposure are reduced to a level as low as reasonably achievable
(ALARA), taking account of the technical practicability of the measures.
— Requirements for approval and review can be specified in the policy. This can include who approves
risk
and, if needed, how often the policy is reviewed.
top management
EXAMPLE 5 The policy for establishing the criteria for acceptability is approved by [title/function of
] and is reviewed at least every [X] years by [name of reviewing body].
C.3 Criteria for risk acceptability
risk manufacturer’s
risk risks
hTahrem criteria for acceptability are established based on the seve rpitoylicy hfoarr mdetermining
acceptable risk. This also applies to criteria for aricscke mptainnga gemen wthen the probability of occurrence of
cannot be estimated, in which case the criteria can be based on the of alone. The
criteria for acceptability are recorded in the medical device planm.edical device
intended use medical devices
Specific criterrisika can be established for each type of (or family), dependent
on its characteristics and , or the same criteria can be applied to all . The
criteria for acceptability can include combinations of qualitative requirements and quantitative
limits for specific properties, preferably based on international standards. residual risk
risks
ISO 14971:2019 requires that three scirdiutearl irai sfkor the acceptability of the overall be established
raiss kw melal.n Tagheemsee nctan be the same or different from the criteria for acceptability of individual . The
method to evaluate the overall and the criteria for its acceptability are documented in the
plan. More detailed guidance on the criteria and methods are provided in Clause 8.
C.4 Risk control
Risk control process risks
process
is the in which decisions are mraisdke and measures implemented by which rairske
rceodnturcoeld to, or maintained within, specified levels. This can be directed by the approaches
included in the policy for establishing criteria for acceptability (see C.2). Two approaches to
are discussed below. risk control
risk control
One possible approach is to consider the practicability of the measures. Practicability
(being practicable) refers to options that are considered viable or capable of being put into
PROOF/ÉPREUVE 43
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
practice. This is not to be confused with practicality (being practical), which refers to measures that are
useful or convenient. Practicability has two components, namely technical practicability and economic
practicability. risk
Technical practicability refers to the ability to reduce the regardless of cost. The following are a few
examples wrihske rceo ntetrcohlnical practicability is questionable: medical device
intended use
— using measures that diminish the beefnfeecfittivenersiss kof the or compromise the
(e.g. reducing the power of an electrosurgical unit below its effective level), which also
has a negative epfrfeoccte dounr tehse balance betmweedeinc al devic eand ; use error
intended use benefit
— roivsekrly complex for using the so that the probability of is increased
or the is compromised, which has a negative effect on the balance between and
(see ISO 14971:2019, 4.2, Note 1);
— multiple alarms that create confusion and thereby hamper the operation by the user;medical device
— including so many warningrse osrid cuaault rioisnk lsabels that the user is hampered in operating the ;
— communicating too many so that the user has difficulty understanding which ones are
really important. risk medical device
risk control medical device
Economic practicability refers to the ability to reduce the without making the an
unsound economic proposition, because the measures would make the too
expensive and therefore unavailable. risks
These decisions necessarily involve making trade-offs between accepting and the availability of
treatments or diagnosis. Cost and availability implicationsb aernee cfoitnssidered in deciding what is practicable
to the extent that these impact upon the preservation, promotion or improvement of human health. The
economic prarcitsikcability in such decisions relates to the for public health and for the society
as a whole. However, economic practicability should not be used as a rationale for the acceptance of
unnecessary . risk control residual risk
risk
Another possible approach to is to consider the magnitude of the . This can
include classifying ther esid uinalt or ioskne of three catmegaonruifeasc taucrceorr’dsing to its margisnkitude:
a) the mreasgidnuiatul dreis kof exceeds the criteria for acceptability;
residual risk
b) the is so small that it can be regarded as insignificant or negligible (i.e. removing it
wourleds indouta lle raidsk to a lower ); or
c) the is between the twrois sktates specified in a) and b). residual risks
risk evaluation
The policy can direct whether or not reduction efforts should continue for classified
as insignificant or nemglaigniubflaec (tcuarteergory b) before proceeding to risk ri.sk
risk estimation risk
In this approach ther isk may use a semi-quanrtiitsaktive crhisakrst or matrix as in Figure C.1
to support the risk (see also 5.5). This matrix irsi sdkisvidRed RintoR three regions corresponding
to a) unacceptable Ris, kbs) RinsigRnificant or negligibleR isks, Rand c)R that require investigation Rto
determine if further control is feasible. The estimamteadn ufact u(re1r, ’s2, 3, ...) have been entered into
the appropriate cells. 1 to 3 are not acceptable. 4 and 5 are investigated further, while 6
is insignificant and can be acceptable depending on the policy.
44 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Key
risk
unacceptable
riskcontrol
investigate further
risk
insignificant or negligible
Figure C.1 — Example of a three-region risk matrix
C.5 Risk evaluation
manufacturer risks risk
risk management residual risks risk
In this step the compares the estimated with the criteria for ri sakcceptability
definerdi sikns the plan and determines if the are acceptable or not. A
matrix as shown in 5.5 and Figure C.1 can support the estimation and evaluation of , especially
those for which no requirements or solutions in international standards exist.
C.6 Examples
manufacturer’s risk
risk risk evaluation
The policy for determining acceptable can include multiple elements and approaches.
Examples of the relation between the policy, the criteria for acceptability and the are
given in Table C.1 for several of those elements and approaches.
Table C.1 — Examples of the relation between elements in the policy, the criteria for risk
acceptability, and how the criteria are used in risk evaluation
Regulatory requirements
Policy: safety
medical device medical
Cdervitiecreia meet the safety requirements of the applicable regulations in each market in which
the is / will be marketed. For example, regulations require that the
Criteria: medical devices
maintains in single fault condition, including software failures.
Evaluation: medical device
The remain safe in single fault condition, including software failures.
Risk evaluation
The is tested and criteria based on testable limits in standards or regulations
are applied. can include inspection of test results, standard conformance
International standards
reports or certificates.
Policy: process
Criteria:
Criteria are based on applicable international product and standards.
process
- Testable limits from international product standards are applied.
Evaluation: [16]
- User interfaces are developed according to the in IEC 62366-1 .
- Inspection of compliance assessment reports for each standard.
- Inspection of the usability engineering file.
PROOF/ÉPREUVE 45
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table C.1 (continued)
State of the art
Policy: state of the art
medical devices intended use
Criteria are based on them geedniecaral ldleyv aicceksnowledged , as determined from similar
available on the market and a review of literature on and any
Criteria: medical device state of the art
alternative therapies or .
- Leakage currents of the are , demonstrated by compliance to
state of the art [5]
the limits and tests regarding leakage current of IEC 60601-1 .
- Dose accuracy of the delivery device are , as demonstrated by compliance
[23]
to the limits and tests regarding dose accuracy of ISO 11608-1 .
medical device
- Protection against mechanical failure caused by impact is on the same level as or better
Evaluation: medical device
than a similar , as demonstrated by comparative test such as drop test.
state of the art
Inspection mofe ddiactaal adnedvi icneformation demoRnisstkr eavtianlug atthiaotn the conforms to or sur-
passes the limits based on the , based on international standards or compari-
son with a on the market. can include inspection and compari-
Stakeholder concerns
son of design specifications or comparative test results.
Policy:
intended use medical device
Criteria address known stakeholder concerns as identpifoisetd-p irno ad urcetviioenw of medical and scien-
tific literature on the of the , in usability studies, through feedback
Criteria: Risks
from advisory boards and/or focus groups, or during monitoring.
Risk medical devices
- related to bovine materials are a public concern and are essentially eliminated by design.
risk
- related to accidental multi-patient use of needle-based for drug delivery
is a concern for clinical organisations, and therefore warnings are required for the to be
Evaluation: Risk evaluation medical device
deemed acceptable.
risk eval cuaanti oinnclude reviewRiisnkg e pvearlufoartmionance of the r iasgka eisntsimt laimtioitnss
requiredr bisyk the stakeholders, or direct participation of stakeholders (in focus groups or sim-
ilar) in activities. can include comparing with
levels of that are considered acceptable by stakeholders.
46 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex D
Information for safety(i annfodr minaftoivrem) ation on residual risk
D.1 General
safety
residual risk safety residual
Trihskes purpose of this annex is to clarify the differenrciessk between “information for ” and “disclosure
of ”. It provides guidance on how information for can be provided, and how
can be disclosed in such a way as to promote awareness.
D.2 Information for safety
safety risk control manufacturer
risk
Inforrimskation for is a measure that should be usmeded oicnally d aefvtiecre the has
determined that (further) reduction by other measures is not prascatfiectayble. The preferred options
for reduction are implementing design features that make the inherently safe and, if
this is not possible, simafpetleymenting protective measures. Even then, the of the patient, the user or
others can still depend on certain actions to take or to avoid. Instructions on those actions constitute
the information fsoarf ety .
hazardous situation harm
Information for is instructive and gives the user clear instructions of what actions to take or
to avoid, in order to prevent a or from occurring. This information csaanf ebtey
provided in the form of warnings, (pre)cautions, contra-indications, instructions pfroorc uessse (including
installation, mairnitsekn aasnsceess amnedn dtisposarl)i,s ko rm taraniangienmg.e InStO f i1le4971:2019 requires the information for
to be verified for effectiveness (for example by applying a usability engineering ) and to be
traceable to the in the safety .
In some cases, the text for informatsiaofne tfyor is prescribed by local regulations.
risk
When developing information for , it is important to idheanrtmify to wmhaonmuf athctisu rienrformation is to be
provided and how it is to be provided. This can include an explanation of the , the consequences of
exposure and what should be done or avoidesda fteot yprevent any . Ther isk should consider:
— the need to classify the information for , based on thes alefevteyl of ;
— the level of detail necessary to convseayf ethtye information for ; medical device
— the location for the information for (e.g. a warning label on the );
— the wording, pictures or symbols to be used to ensure clarity and understandability;
— the intended recipients (e.g. users, service personnel, installers, patients);
— the appropriate media for providing the information, (e.g. instructions for use, labels, warnings in
the user interface);
— regulatory rseaqfeutiyrements. medical device
life cycle medical
Idnefvoicremation for can be communicaactceodm ipna dniyffienrge dnot cwuamyesn, tdaetpioennding on when in the
the information is to be communicated, e.g. via the user interface of a menu-driven
, as cautionary statements in the , or in an advisory notice.
PROOF/ÉPREUVE 47
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
safety medical
device
Information for can be given in various forms, such as warning labels attached to the
, warning statements in the instructions for use, instructions on a graphical user interface, or
instructions in training videos. Some examples are given below.
— Warning: Do not step on surfacer.isk
— Warning: Do not remove cover, of electric shock.
— Warning: Do not use haemolyzed serum samples. These can interfere with the measurement and
affect the accuracy of the result.
D.3 Disclosure of residual risk
Residual risk risk risk control Residual
risks medical
device is the that remainms aafntuefra catlul rer measures have been imprleesmideunatl erdis. ks
can relate to the possible occurrence of side-effects or after-effects related to the use of a
. ISO 14r9e7s1id:2u0a1l 9ri srkequires the to inform users about significant .
residual risks medical device
Discalocscuomrep oafn ying docume ins tdaetsiocnriptive and provides the user with information necessary to understand
the associarteesdid wuaitl hr itshkes use of the benefits . The amimed iicsa tlo d edvisiccelose inmfoarnmufaatciotunr einr
the residual risks to enable the user, and potentially the patient, to make an informed
decisiomna tnhuafta wcteuirgehrs the against three sidual ri sokf using the risk m. Tahnea gement file
examines the and determines what information the user needs to receive. The decisions
of the regarding the disclosure of proce sasre recorded in the .
intended use medical device
The disclosed informatiobne nceafnit be significant in the of clinirceasli ddueacl irsiisokn making. Within the
framework of the , the user can decide in which clinical settings the harms can be
used to achieve a certain for tmheed picaatile dnetv. iTchee disclosure of the can also be useful for
the user or the hmoesdpiictaall doervgiacensization to prepare the patient for possible side-effects or that can
occur during or after the use of the . Note that user and patient can be the same person,
for example for used in the home heraelstihdcuaarl er iesnkvsironment.
manufacturer
When developing information on the disclosure of , it is important to identify what is to be
communicated and to whom the information is directed. The should consider:
— the level of detail of the information;
— the wording to be used to ensure clarity and understandability;
— the intended recipients (e.g. users, service personnel, installers, patients);
— the means and media to be used. manufacturer
risk
Wmahneang edmeetenrt mfiliening the appropriate level of detail, the should consider wrehseidthuearl
sriusmkmarizing information is more appropriate than providing detailed information from the
. The nature and extent of the information should be commensurate with the
and the knowledge and experience of the intreensdideuda rl ercisipkisent of the information.medical devices
Some examples are given below to illustrate the associated with using and
the side-effects that are normally disclosed. residual risks
— Linear accelerators can be used to treat tumours. The of radiation therapy for tumours
include the possibility of erythema or epilation.
— When undergoing magnetic resonance imaging (MRI), the patient can be in an enclosed space. Some
patients can experience claustrophobia.
— Mechanical ventilation to assist or replace spontaneous breathing can lead to complications such as
airway injury, alveolar damage or pneumothorax.
48 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— After undergoing lithotripsy of kidney stones, about 10 % of patients have blood in their urine or
feel pain in the kidneys as small stone fragments pass, while about 2 % of patients incur an infection
of the urinary tract.
— Potential complications from using an ophthalmic surgical laser include swelling, inflammation or
pain in the eye. Mild light sensitivity occurred in 1 % of patients until 6 weeks after surgery.
— Patients with an implantable cardioverter defibrillator (ICD) system can experience inappropriate
shocks, imagined (phantom) shocks, dependencrye, sdiedpurael srsisiokn, feianr voift rsoh odciakgsn woshtiilce m awedaikcael. devices.
See H.5 for additional guidance on the disclosure of for
PROOF/ÉPREUVE 49
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex E
Role of internationa(li nsftoarnmdaatridves) i n risk management
E.1 General
risk management
safety processes
Internationasl asfteatnydards can play a significant role in medical devic ebsy providing requirements for
[20]
the of products and/or . ISO/IEC Guide 63 provides guidance on the developmestnatt aen odf
itnhcel uarstion of aspects in international standards for . International standards are
developed by experts in the field and are considered to represent the generally acknowledged
. risk management manufacturer medical device
intended use safety hazards hazardous situations
WMahneunf apcetrufroerrmsing , the first conpsirdoecress sthe being designed,
its , its characteristics relatedr tiosk s , and the associated hazards and hazardous situations.
life ccyacnle select maneddi caapl pdleyv ipcreoduct standards and standards that contain specific
requirements to assist in managing the associated with those and
durimnge dthicea l devices of the .
residual risks hazards hazardous situations
For objective ev tidheant cseatisfy the requirements and the compliance criteria of these standards, the
related to those and can be considered acceptabplreo ucenslseesss
there is to the contrary (for example reports of adverse events, producrti srke ccaolnlst roorl
complaints). The requirements of internatiroinskasl standards h(sauzcahr daosu esn sgitiunaeteiroinnsg or analytical ,
specific output limits, warning statements, or design specifications) can be considered
measures that are intended to address the of specific . risk management
manufacturers
In many cases, the standards writers have perfroirsmk emda annadg ecmoemnptleted elememntasn uoffa cturers
and provide with solutions in the form of design requirements and test methods
for establishing conformity. When performing activities, risk can take
advantage of the work of the standards writers and not reppreoacte tshse analyses that led to the requirements
of the standard. International standards, therefore, provide valuable information on acceptability
that has been validated during a worldwide evaluation , including multiple rounds of review,
commenting and voting to reach international consensus.
E.2 Use of international product safety standards in risk management
safety
risk hazardous situations safety manufacturer
An international product standard can establish requirementrsi stkhat, when implemented, result in
acceptable for specific (e.g. design solutions, limits). The
can apply these requirements in the folsloawfeitnyg way when managing .
hazards hazardous situations
a) Where an international product standardr esspideuciafli ersi skresquirements addressing particular
or objective, teovgiedtehnecre with specific acceptance criteria, compliance with those
requirements is presumed to establish that the have been rerdiuskced to acceptable
[5]
levels, unless there is to the conrtisrka rmy.a nFaogr eemxeanmtple, IEC 60601-1 provides
leakage current limits that are considered to result in an acceptable level of when measured
under specified conditions. In this example, further would not be necessary. The
following steps are taken in this case. safety hazards hazardous situations
medical device
- Identify characteristics related to and identify and
associated withha tzhaer ds hazardo.us situations
safety
- Identify those and that are completely covered by the international
product standard.
50 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazards hazardous situations
safety manufacturer
- For those identified and risk that are completely covered by the
international product standard, the can rely on the requirements in the
international standard to demmaonnusftarcattuer aecrceptable .
medical device risk control
- To the extent possible, the should ensure that the design specifications of the
comply with the requirements in the standard that serve as
measures. safety
risk control
NOTE For smomedei cianlt edrenviacteiosnal product standards, the possibility of identifying all specific
measures is limited. One example is electromagnetic compatibility testing in IEC 60601-1-
[6]
2Ver iffoicr actoimonplex . risk control hazardous situations
Verification risk
- control of the implementation of the measures for these medic aisl
doebvtaiciened from a review of the design documentation. of thsaef eetffyectiveness of the
measures is obtained from the tests and test results demonstrating that the
meets the relevant requirements of the internarteisoidnuaal lp rriosdkuct standard.
risk management file
- If the rreelseivdaunatl rriesqkuirements are met, the associated is considered acceptable. The
use of the standard should be documented in the to support the acceptance
of the . safety
b) Where an international product standard hdaozeasr ndsot cohmazpalredteoluys sspiteucaitfiyo nrsequirements and
associated tests and test acceptance criteria, the situation is more complex. In some cases, the
standardh parzoavriddses spehcaizfaicr dteosutss rseitluaatetido ntos known or without specific
[8]
test acceptance criteria (e.g. IEC 60601-2-16 ). In some other cases, the standard only identifies
specific or risk managementpro cwesisthMouatn uffuarctthuerre rsrequirements (e.g. some clauses of
[5]
IEC 60601-1 ). The range of alterrnisakt imveasn aisg etomoe nlatrge to provide spmeceidfiicc aglu diedvainccee on how to use
such standards in the . are encouraged, however, to use the
content of such standahradzsa rind theihra zardous situation of the particular .
safety manufacturer hazard hazardous situation risk
c) Wmahneargee amne nidt epnrtoicfieesds ma nour facturer is not specificalrliys kaddressed in international
prodriusckt standards, the addresses that or in the
. The estimates and evaluates the and, if necessary, controls
the . safety
See Figure E.1 for a flowchart and an example outlining the use of international product
standards.
PROOF/ÉPREUVE 51
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Figure E.1 — Use of international product safety standards and example of such standard that
specifies requirements and provides specific test acceptance criteria
52 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
E.3 International process standards and ISO 14971
process
International standards, as shown in the examples below, can often be used in conjunction with
ISO 14971. This is perfporromceedss in several ways:
process
— The international standard requires application of ISO 14971as part of the implementation
of the internationaplr ocess standard; or risk management
— The international standard is intendepdro tcoe sbse used in .
risk medical device
In either case, proper use of the international standard requires attention to the interfaces
between that standard and ISO 14971in order to achieve acceptable levels of for the .
The standards should work together such that inputs, outputs and their timing are optimized. Some
examples are g,i Mveend ibceallo dwe vtioc ed esomftownastrrea –t eS othftiws iadreea lli fsei tcuyaclteio pnr.ocesses
a) IEC 62304
The relationship between IEC 62304 and ISO 14971 is well-described in the introduction to
[15]
IEC 62304:2006 and AMD1: 2015 : medical device
risk
“mAasn aa gbeamseicn tfopurnodceastsion it is assumed that software is derviesklo pmeadn aagnedm menatinptraoicneesds
[15]
within a quality management system (see 4.1 of IEC 62304:2006 and AMD1: 2015 ) and a
[15]
(see IEC 62304:2006 4.2 and AMD1: 2015 ). The
irsis ka lrmeaandayg vemereyn twell addressed by the International Standard ISO 14971. Therefore IEC 62304
makes use of this advantage simply by a normhaatizvaer drseference to ISO 14971. Some minor additional
requirements are needed for software, especially in trhisek amraenaa ogfe mideennttipfricoacteisosn
of contributing software factors related to . These requirements are summarized and
[15]
captured in IEC 62304:2006 Clause 7 and AMD1: 201h5azar daosu tsh es istoufattwioanre .
hazard risk management process Hazardous situations
Whether software is a contributing factor to a is determined during the
identification activity of the . that could be
indirectly caused by software (for example, by providing misleading infroirskmation that could caruissek
icnoanptrporlopriate treatmernistk t mo abnea agdemmeinnitspterroecdes)s need to be conrsiisdke mreadn awgheemne ndtetperromceisnsing whether
software is a contributing factor. The decision tor uisske m soafntawgaerme etnot cpornotcreosls is made during the
activity of the . The software required in
this standard has to be embedded in the device according to ISO 14971.”
IEC 62304 makes a normative reference to ISO 14971 and specifically requires:
risk management
[15]
— software development planning (see IEC 62304:2006 5.1 and AMD1: 2015 ), which
requiremenrtiss ka rme acnoangseismteenntt wpriothce tshse plan required by ISO 14971; and
[15]
— a software (see IEC 62304:2006 Clause 7 and AMD1: 2015 ), which
requirements are based upon ISO 14971.
b) IEC 62366-1, Medical devices – Application of usability engineering to medical devices
processes risk management
[16]
The flow diagram in Figure A.4 of IEC 62366-1:2015 demonstrates the relationship and
ipnrtoecrecsosnnection of the two parallel and intreisrkc omnanneacgtienmg ent of and usability
[16]
engineering. IEC 62366-1 identifies several specific clauses where the usability engineering
can supplement and interact with manufacturer as described in ISO 14971:
intended use
[16]
— 5.1 of IEC 62366-1:2015 requires the to prepare a use specification, which can
be an input to determining the ma naucfcaocrtduirnegr to ISO 14971;
safety risk analysis
[16]
— 5.2 of IEC 62366-1:2015 requires the to identify user interface characteristics
that could be related to as part of ma anufacturer performed according to ISO 1497h1a;zards
hazardous situations
[16]
— m5.3ed oicf aIEl dCe 6v2ic3e66-1:2015 r rieskq uainraelsy tshise to identify known or foreseeable
and , which could affect patients, users or others, related to the use of the
, as part of a performed according to ISO 14971;
PROOF/ÉPREUVE 53
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
manufacturer
medical device risk management
[16]
— 5.9 of IEC 62366-1:2015 requires the to perform a summative evaluation on
the final user interface of the as part of .
c) ISO 10993-1, Biological evaluation of medical devices — Part 1: Evaluation and testing within a risk
management process medical devices risk
managementprocess medical device
[22]
ISO 10993-1 is a guidance document for the biological evaluation of within a
, as part of the overall evaluation and dreivske lmopamnaegnet mofe neatch .
hazards medical devices
[22]
Annex B of ISO 10993-r1i:s2k0s18 provides guidanrciesk osn the approach accordingri tsok
IcSoOnt 1r4o9l71for the identification of biological associated with , the estimation
and evaluation of the , the control of those , and monitoring the effectiveness of the
measures.
This approach combines the review andm eedviaclaula dteiovnic eof existing datas afrfeotmy all sources, with the
selection and application of additional tests (where necessary), thus enabling a full evaluation to be
made of the biological responses to each , relevant to its in use.
risks risk analysis hazards risks risk evaluation
The biological evaluatiorni sskh ocuonldt rboel conducted in a manner similar to that used for other product
resid,u aanl dr isshkould include a (what are the and associated ?), a
(are they acceptable?), (how will they be controlled?), and an evaluation of overall
. The biological evaluation should take account of:
— the physical and chemical characteristics of the various choices of materials;
— any history of clinical use or human exposursea fdeattya;
— any existing toxicology and other biological data on product and componinetnetn mdeadt eursieals.
The amount of data required and the depth of the investigation can vary with the and
can depend on the nature and duration of patient contact.
residual risk hazards
[22]
According to ISO 10993-1 , expert assessors should determine if the available information is
rsiusfkf imciaennat gtoem deentet rfmileine if the overall proce asssessociated with biological is acceptable.
This concluressioidnu iasl d roisckumented in the Biological Evaluraitsikosn Report, which becomes an erlieskm ceonnt torfo tlhe
. In agreement with the defined in ISO 14971:2019r, iisfk tshe evaluation
of overall concludes that the identified are acceptable, no further is
needed. OthCelirnwiciasle i,n avpepsrtiogpartiiaotne omf meaesduirceasl dsehvoiucelds bfoer thaukmena nto s ufubrjetchtesr — co Gnotroodl ctlhinei cal pr.actice
d) ISO 14155,
[26]
ISO 14155 addresses good clinical prascatfiectey for mtheed idcaels idgenv,i cceosnduct, recording and reporting of
pre-markerti saknsd post-market clinical invebsetnigefaitti-orinssk carried out mine dhicuaml daenv iscuebsjects to assess the
clinical performance or effectiveness and of . This is relevant to the estimation
of clinical and the assessment of the balance for .
54 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex F
Guidance on( irnisfokrsm reatlaivtee)d to security
F.1 General
risk management process hazards risks
medical device Risks
The described in ISO 14971:2019can be applied to and assopcroiacteesds
with the security of the risks . related to dmatead iacnadl d seyvsicteesms security are specifically
mentioned in the scope of ISO 14971:2019 to avoid any misunderstanding that a separate
would be needed to manage relaterids ktso the security of . This does not preclude the
possibility of applying specific standards, in which specific methods and requirements are provided for
the assessment and control of security . harm
Breamcehdeisc aolf ddeavtiac eand systems security can lead to , e.g. through loss of data, uncontrolled access to
data, corruption or loss of diagnostic information, or corruption of software leading to malfunction of
the .
Security in this document includes cybersecurity and data and systems security.
F.2 Terminology used in security risk management
risk management
risk management
Security often employs different terminology than ISO 14971:2019. Nevertheless,
correspondence exists between the terms used rinis ks mecaunraitgye ment and those used in
[4]
ISO 14971:2019. The following defined terms originate from IEC Guide 120 . Other definitions such as
[1]
thosSee fcroumri tAyA:MI TIR 57 are also used in security .
— a condition that results from the establishment and maintenance of protective measures
[4]
that ensure a state of inviolability from hostile acts or influences (see 3.13 in IEC Guide 120:2018 ),
where hostile acts or influences could be intentional or unintentional.
medical device
[1] [19]
NOTE In 2.6 of AAMI TIR 57:2016 and 2.5 of IEC 80001-1:2010 , security is defined as an operational
state of a in which irnifsokrmation assets (data and systems) are reasonably protected from
degradation of confidenrtiisaklity, integritys aafnetdy availability. This can be seen that security is focused on hostile
acts as events that can contribute to , and that security is considered to be a state of inviolability as being
fTrheer efraotm: unacceptable (similar to , see 3.26 in ISO 14971:2019).
harm
— potential for violation of security, which exists when there is a circumstance, capability,
[4]
ahcatziaornd, oours esivteunatt itohnat could breach security and cause (see 3.16 in IEC Guide 120:2018 ).
Threat corresponds to an event or a sequence of events that can exploit a vulnerability leading to a
Vulnerability: (see 3.5 in ISO 14971:2019).
— flaw or weakness in a system’s design, implementation, or operation and management
[4]
that could be exploited to violate the system’s security policy (see 3.18 in IEC Guide 120:2018 ).
VCounlnfeidraebnitliitayl ictayn be seen as a type of event or circumstance (see Table C.2 in ISO 14971:2019).
processes
— : property that information is not made available or disclosed to unauthorized
[4]
iInndteivgirdiutayls, entities, or (see 3.6 in IEC Guide 120:2018 ).
[4]
— Availabili: tpyroperty of accuracy and completeness (see 3.9 in IEC Guide 120:2018 ).
— : property of being accessible and usable upon demand by an authorized entity (see 3.5
[4]
in IEC Guide 120:2018 ).
PROOF/ÉPREUVE 55
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazard hazardous situation harm
The relationship between a , sequence of events, , and relating to
security can be represented as shown in Figure F.1.
Figure F.1 — Relation between hazard, hazardous situation, harm and security terminology
F.3 Relation between ISO 14971 and security
harm
A common misconception is that ISO 14971:2019 would only apply to the health of people, disregarding
tharti stkhse definition of includes damage to property and trhiesk esnvironment. This misconception is
often discovered during discussions of security, where it is assumed that ISO 14971:2019is restricted
to related to the patient and the user and would not cover related to security.
safety Safety risk management,
[4]
It should be noted that the definition of security from IEC Guide 120 is not on the same level as the
definition of . is related to the final outcome of while security looks at the
effects of hostile ahcatsr mor events on the characteristics and performance of the system.
record
The definition of in ISO 14971:2019 applies to people, property, and the environment, with the
potential for some overlap. For reixsakm mpalnea, gdeammeangte to an electronic health (damage to prhoapzearrtdys)
can additionallyh raersmult in incorrect diagnosis which can lead to patient injury (damage to people). It is
noted that the scope of security is often broader. Several examples of security
that can lead to are shown in Table F.1.
56 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table F.1 — Examples of hazard, sequence of events, hazardous situation and harm
in the situation of security hazards
Hazard Sequence of events Hazardous situation Harm
Loss of data 1) The vulnerability of Incorrect dosage data Deterioration of health.
integrity unnecessarily opened leading to infusion fluid
Death.
network port is exploited. not being delivered as
intended.
- Dose setting data of
infusion pump is modified
by unauthorized access.
Loss of data 1) The vulnerability of Modifiedp droactead luearedsing to Deterioration of health.
integrity unnecessarily opened incorrect clinical deci-
Unnecessary surgery.
network port is exploited. sions or , or
lack of treatment.
- Patient data or diagnostic
results are modified by
medical device
unauthorized access.
Loss of data 1) The vulnerability of Delay of therapy. Loss of
availability unnecessarily opened functionality.
Inability of diagnosis.
nMeetdwicoarlk d peovircte is exploited.
Deterioration of health.
-
performance is reduced
or is terminated by DDoS
attack or ransomware.
Loss of data 1) The vulnerability of Denial of insurance cov- Psychological stress.
confidentiality unnecessarily opened erage leading to lack of Deterioration of health.
network port is exploited. treatment.
- Disclosure of personal
health information.
Additionally, when differentiating between thessea fedtoymains, the terms “safety risk management”
and “security risk management” are somriestki mmeasn augseemd.e nTthis document folloswasfe ttyhe suggestion from
[20]
ISO/IEC Guider i6sk3 which states that the term “ ” should notr ibsek sused as an adjective. It should
be kept in mind that the goal of security is also to achieve (i.e. freedom from
unacceptable ) when using the ISO 14971 framework to manage related to security.
[4]
hIta izsa nrodtsed that the definition of security from IEC Guide 120 includes unintentional acts, such as the
accidental release of personal health information that is not due to a malicious attack, and that security
related to normal use should also be evaluated, such as displaying personal health information
to unauthorized persons.
F.4 Characteristics of security risk management
risk management process risks process
risk risk analysis risk evaluation risk
cSoencturroilty follroewsisd uaa sl imrisiklar as management of other in that the
steps include establishing criteria for acceptability, performing process , ,
, evaluation of overall , etc. The specific details regarding the data sources used,
analysis tools and techniques, and validationri cskasn vary, but the roivsekr caolln trol is the same.
risks
ISO 14971:2019 requires the evaluation of arising from measuresm. Iet diisc aplo dsesvibiclee that
new are introduced by security control measures or vice versa. For example, a security control
measure is to require the user to enter a password before use, but on a life-saving (e.g.
an automatic external defibrillator) the potential for delays due to a forgotten password might be
unacceptable, and therefore different options should be considered. This relationship is illustrated in
Figure F.2.
PROOF/ÉPREUVE 57
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazards
hazards risks
Management of related to security can require different methods and approaches than
management of other , similar to differences in methods for controlling related to usability
or reliability.
Figure F.2 — Possible interaction of security risk control measures
with other risk control measures
Severity hazard
Severity severity
is defined as the “measure of the possible consequences of a ” (see 3.27 in ISOs 1e4ve9r7i1ty:2019).
is often represented in degrees of degradatisoenv oerf iat yperson’s health. A low can be defined
as temporary discomfort or a light injury requiring no medical intervention, a mediurmisk manage mase natn
injury requiring medical intervention, and a high as an injury requiring immediate mseevdericitayl
inthearrvmention and possibly leading to permanent impairment or even death. In security ,
a secure data system maintains high confidentiality, integrity, and availability. Therefore, the
of related to the damage to a secure system could consider among others the consequences of loss
oHra drmegradation of these three factors. safety
intended use medical device risk
manag iesm oeftnetn injuhrayr omr damage to the health of people and related to basic (e.g. emleecdtirciacl sdheovcicke)
or the of the (e.g. radiation exposure during X-ray imaging). In security
, the is often damage to property and related to information on the
itself (e.g. disclosure of personal health information, modification or corruption of software or data), or
information available on connheacrtmed devices (e.g. loss of connectivity, access to credit card information).
Probabilirtiys ko fm oacncaugreremnecnet of is often a function of design and manufacturing, material selection,
tolerances, design margins, etc. These factors can often be predicted with high levels of confidence. In
security , probability of occurrence is often a function of motivation, financial gain,
as well as function of opportunity, e.g. open vulnerabilities. These factors are not easily estimated.
Additionally, the probability (likelihood) of a vulnerability being exploited can quickly change from
“remote” to “every time” once vulnerability information is published on the internet.
F.5 Prioritizing confidentiality, integrity, and availability
risks manufacturer
intended use medical device
When evaluating security-related , the ensures that the security priorities
(confidentiality, integrity and availabilirteyc)o rpdroperly take the of the into
account. For some applications, integrity of information is of high concern and a loss of integrity could
result in changes to a patient’s medical (e.g. changes in drug orders or medical data/images). In
other instances, loss of confidentiality could be more important, because disclosure of personal health
information can create a potential for blackmail.
58 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Amneodtichaelr d eexvaicmeple of loss of confidentiality is a situation where design femaetduirceasl daervei cneot encrypted
(data at rest or in transit). Reverse engineering of those features could compromise ompeedraictaiol nd eovfi ctehse
and result in injury to the patient. Loss of availability of the can result in
delay of diagnosis or delraisyk osf treatment. Especially for life supporting or life-saving ,
linotsesn odfe adv uasielability omre ad irceadl udcetviiocne in effectiveness can be most important to the health of people. These
examples indicate that related to security can impact the patient’s health, depending on the
of the .
PROOF/ÉPREUVE 59
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex G
Components and device(si ndfeosrimgnateivde w) ithout using ISO 14971
G.1 General
manufacturer risk management process
This guidance assumesm tehdaict atlh dee vice has already established ma anufacturer
compliant with ISO 14971:2019. riIstk dmoaensa gneomt ernet pfillaece or eliminate any of the requirements in
ISO 14971:2019 for a , but recommends a way for the to remediate
deficiencies that might exmisatn iunf athcteu rer . processes
medical device
For various reasons, a might not have followed all the med icaanl dd erveiqceusirements
described in ISO 14971:2019 for each constimtuaennutf acoctmupreorn’se nrits ko f ma anagement , such as proprietary
components, software components, subsystems of non-medical origin, or for already
available on the market. In such cases, the medical device documentation could be
limited and insufficient for the purpose of demonstrating compliance with ISO 14971:2019. In mpoosstt-
cparosedsu,c thioownever, a wealmthe doifc ailn dfoervmiceation about them edical devices and its constituent components
is available. For example, information on the saacfetutyal use could be acquired through a review of
data for the or for similar on the market. Relevant reliability
and production data and prevmioaunsulyf accotmurpeirled -related documentation could also be available.
risk management file
This annex aims to provide a with guidance on how available information can be used to
build an iniMtieadl ical device that can be maintained in the future.
NOTE “ ” includes its subsystems, components and software components of medical origin and
of non-medical origin. manufacturer risk management
risk management file medical device
Using available information, the can establish documenritsaktsion that
would be thmee bdiacsails dfoerv ibceuilding an initial medica lf odre vthicee particular intended u suender
consideration. This dmoacnuumfaecnttuarteiron could be sufficient evidencer itsok dcoenmtoronlstrate that the for the
particular are acceptable, and that the state of the ar its safe for its . On
the other hand, the could decide that additional measures are appropriate.
For example, comparison to the generally acknowledged could indicate that additional
actions are warranted in order to become fully compliant with ISO 14971:2019.
G.2 Risk management plan
risk management
risk management file medical device intended use
ISO 14971:2019 requires thatr aislkl management activities be planned, especially those activities for
the creation of a demonstrating that the is safe for its .
The mandatory erleismk emnatsn aogf eam ent plan are given in ISO 14971:2019.
In esrtiasbk lmisahninagg eam ent plan, particular attention sholiufeld c ybcel egiven tom:edical device
a) activities for the remaining phases of the of the (especially
maintenance, decommissioning and disposal, where applicable);
b) the assignment of responsibriilsikti emsa annadg eamutehnotrities;
c) requirements forri rskeview of activmitaineus ffarcotmur nero’ws on;
risk risks harm
d) the criteria for acceptability, based on the policy for determining acceptable
, including criteria for accepting when the probability of occurrence of cannot be
estimated;
60 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
residual risk residual risk
e) a method to evaluate the overall and criteria for acceptabilpitoys to-pf rtohdeu ocvtieornall ;
NveOrTifEic 1a tionThe criteria under d) and e) canr bisek s cuopnptorrotled by production and risk control information.
f) activities, both for existing measures and for new measures that
are considered necessary; post-production
risks medical device
g) activities for the collection and review of production and information, and how this
information is used to determine if the associated with the verific aartieo nacceptable.
NOTE 2 The design documentation or other documentation can include some evidence.
G.3 Risk management file
medical device manufacturer
risk management file risk control
Since the was designed without ushinazga rIdSOs 149h7a1z:a2r0d1o9u, s tshiteu ations should
starmt ebduiicladli ndegv aic e manu. fIatc itsu rliekrely that some measures have already been
implemmenetdeidca bl udte wviictehout recorded traceability to thhaez ards ahnadz ardous situations associated with
the . Therefore, the could begirnis bky c iodnetnrtoilfying the solutions already adopted
for trhisek management f ialend then by identifying the and that are controlled
by these solutions. These solutions are now considered measures and are documented in
the .risk management file
Such approach to build ian tended use m ecdainca clo dnesvisict eof the froelalosownianbgl ys tfeoprse.seeable misuse
safety Reasonably foreseeable misuse
- Documenting the of thpeo st-production , the and the
characteristics related to . safety can be derived from the information
about actual use gathered during the phase. The questions in Annex A can be useful
to determine the characteristics related to m. edical device risk control
- Identifying all solutions already adopted in the that can be considered
measures. hazards hazardous situations medical device
harm
- Identifying all and associated with the and the possible
that can result fhroamza rthdem. hazardous situation risk control
manufacturer risk
- Determining if any h aozra rds hazardous si tueaxtiisotns sfor which rnisok control measure
is implemented. Inm athnuofsaec tcuarseers, the should estimate and evaluate the and
raepspidlyu aISl Ori s1k4971:r2e0si1d9u. aFl orris ks and for which ris kmeasures are
implemented, trhies k management should vermifayn tuhfaecirt uerfefrectiveness and estimate anridsk e cvoanlutraotel the
. For that are not judged acceptable using the criteria for acceptability
defined in the plan, the should consider further and
apply ISO 14971:2019. hazard hazardous situation risk control
- Documenting traceability for each identified and to the
measures. The traceability can be documented with the following elements:
— the identified hazards and hazardous situations;
— the possible harm that can occur;
— the risk control measures;
— verification of implementation and effectiveness; and
— the acceptability orf easnidyu raels ridisukal risks.
- Evaluating the overall r aisckc omrdainnagg teom IeSnOt 14971:2019 Clause 8.
risk management
- Reviewing the execution of the plan according to ISO 14971:2019 Clause 9.
Dreoccourmdsent the result in a report. risk management file
The and other documents generated during these steps form the initial .
PROOF/ÉPREUVE 61
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Annex H
Guidance for in vi(tirnof odrimagantiovset)i c medical devices
H.1 General
H.1.1 Risk management for IVD medical devices
in vitro diagnostic (IVD) medical devices
Trihskes purpose of this annex is to provide guidance for the application of particular aspects of
ISO 14971:2019 to R.i sTkhsis guidance is focused on the indirect
to patients from incorrect or delayed in vitro diagnosMtiacn ruefasuctltusr,e arsnd is intended to suppmleemdiecnatl
tdheev igceesneral guidance provided throughout this document. to device users, other persons and the
environment are addressed elsewhere in this document. of other diagnostic
might also find these guidelines useful.
Throughout this annex, “clinician” is used as a general term to mean a healthcare provider who sees
patients and who orders, interprets and acts upon IVD examination results. For definitions of other
[34]
terms comIVmD omnelyd iucsael dd einvi tchees IVD indusitnrtye nadnedd l aubsoeratory medicine, see ISO 18113-1 .
Because manufact uarnedr ’sth reisirk management a prreo scoes dsiverse, this annex can only provide general
guidance, with the intent to foster critical thinking, cross-functional analysis and informed decision-
making within the risk management IVD med. iTcahle dqeuveicsetisons and examples in this annex
are intended to guide those with appropriate scientific, IeVnDg imneeedricinagl daenvdic ecslinical emxapneurftaiscetu troe rdevelop
and execute effective plans fIoVrD medical devices . They are not intended to be
exhaustive nor necessarily represent best practice for all . Each should
dHe.1te.r2m iCnoe nwtheaxtt i sfo arp pIVlicDa brlies kto m thaenira pgaermticeunltar .
risks manufacturers IVD medical devices risks
Managing to patients can bIeV cDh malelednicgainl gd efovirc es of . These are
indirect, often characterized by extended sequences of events that involve “competent intermediaries”
such as trained users who use to perform IVDr eisxkasminations and clinicians who
[27]
rely on the examination results. ISO 15189 , the internationalr sistka nmdaanrda gfeomr eqnutalpitryo caensds competence
of medical laboratories, requires medical laboratories to control to patients. To support this
[38]
requiremreinskt, ISO 22367 is being dmeavneulofapcetdu rteor sdesIcVrDib me ead ical devices for medical
laboratories based on the same principles and concepts described in ISO 14971:2019. This will promote
effective commusnaifceattyion between residu oafl risks manu afnadct mureedr’isc arils lka bmoarnaatogreimese.nt
process risk management process
The information fIoVrD medic aanl dd etvhiec edsisclosure of from the
IVD med aicrael dimevpicoerstant inputs to the medical lmabaonruafatocrtuyr’se r’s risk management proces.s Conversely, the
needs of umsaernsu foafc turer for such informraitsiko mn aannadg tehme elanbtoratory’s feedback from using the
are impoIrVtDa nmt eindpicuatls d teov tichee . It is incumbent
upon the to include the user needs for information as design input when
developinmga onru fmacotduirfeyring an IVD medical. device risks
When a safety supplies an risks man tuof aac tmueredrical laboratory, any residu tahla rti sckosuld not
bacec coomnptraonlyleindg t dhorcouumghe ndteastiigonn or protective measures are transferred to the laborartioskrsy along with the
information for to control those . The also discloses any in the
, so that the laboratory director can evaluate these and determine
tMhaeniru afacccteuprtearbsility. safety IVD medical devices
can provide information for to inform users of , but they cannot
influence the actions of clinicians who order, receive and act upon the examination results.
62 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
IVD medical devices IVD
medical devices risk
Some are inrteisnkdsed for use by clinicians at the point of care, while self-testing
are actually used by patients. Althourigshk sciomntilraorl scenarios can exist for these devices,
the user’s ability to control the can be more limited. Therefore, it is important that point of care
devices and self-testing devices are designed with measures appropriate for the (intended)
users and the (intended) use environment outside laboratories.
H.2 Risk analysis
H.2.1 Intended use and reasonably foreseeable misuse
H.2.1.1 Analytical and clinical use
IVD medical devices
Most have two users. It is important to consider:
— a user who performs all or part of an examination (“analytical use”); and
— a clinicianI VwDh mo erdeciceaivl edse,v iincetesrprets and acts on the examination results (“clinical use”).
In the case of intended for self-testing, the patient can be the only user.
H.2.1.2 Device description
risk analysis IVD medical device
IVD
mEaecdhic al device begins with identifying and documenting a clear description of the
and its specific role in producing the examination result. Questions to consider when describing the
include:
— Is the device used alone to produce examination results or in combination with other devices?
— If the device is a standalone analyticIaVl Ds ymsteedmic,a ils dite avuicteosmated (software, robotics)?
— If used in combination with other to form a system, what is its role in
producing the examination result (e.g. sample collection system, sample receptacle, measuring
instrument, software, databaseIsV, Dre mageednictasl, dceavliibcerators, control materials, or accessory)?
— If part of a system, how does the interact with other components of the system?
— Are other reagents or accessories necessary but not provided?
— Does the device employ new or novel technology (e.g. for measurement, communication)?
— Does the device employ digital information technology for documenting and/or transmitting
examination results to clinicians or communicating with mobile applications?
— Do softwaIrVeD a pmpleidciactaiol ndse vpircoevide diagnostic or treatmmeednitc rael cdoemvimceendations?
IVD medical device
— Does the communicate with a that immediately administers
treatment based on the IVD result (e.g. an that measures blood glucose levels and
communicates with an implanted insulin administration system)?
H.2.1.3 Analytical use
intended use IVD medical device
The of the reas oinnaclbuldy efos rtehsee eaanballey mtei(ssu) sientended to be detected or measured;
acceptable sample types; calibration, quality control and preventive maintenance activities; and the
use environment. It is important that IVD i sm aeldsoic acol ndesvidiceered (see H.2.3.5).
Questions to consider when identifying the analytical use of the include:
— What analyte is the device intended to measure or examine?
— Will the examination results be qualitative, semi-quantitative or quantitative?
PROOF/ÉPREUVE 63
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— Will the device be used in the pre-examination, examination or post-examination phase?
— What specimens can be analysed (e.g. serum, plasma, blood, urine, other body fluids, ptrisoscueesss)?
— Do other substances potenptrioaclelyd uforuesnd in these samples interfere with the analytical ?
— In nucleic acid sequencing , is the amplicon sensitive to contamination from environmental
sources of DNA/RNA?
— Are there any additional limitations for use in specific use environments (e.g. medical laboratories,
emergency room, operating room, ambulance, intensive care unit, neonatal care unit, nursing home,
physicianI’sV Dof mficeed,i sccarl edeenviinceg clinics, or the patient’s home)?
— Does the IV Din tmerefdaiccea,l c odnevnieccet or communicate with other devices or networks?
— Who will be using the to perform examinations, and what training and
qualifications will be appropriate?
H.2.1.4 Clinical use
IVD medical device
TMhaen uinfatcetnudreedrs clinical use of the (called indications for use in some jurisdictions)
includes the medical conditions and patient populations for which the examination results are used.
can rely on internal or external clinical experts to understand the following:
— how the IVD examination results will be used in clinical decision making;
— the medical decision points and degree of accuracy required;
— whether clinicians can recognize incorrect results (e.g. based on magnitude of error or consistency
with other clinical information);
— what actions the clinician would take in the event of an abnormal or unexpected result;
— the clinical significance of delayed results, if any;
— potential adverse consequences of unnecessary medical intervention.
Additional questions to consider when identifying the clinical use include:
— Will the examination results be used for:
— diagnosis in order to cure, treat or prevent a disease or other condition?
— measuring body fluid constituents to determine a patient’s state of health?
— monitoring theraspaefeuttyic drug levels to ensure an effective dose?
— determining the of donated blood or organs?
— screening a population for the presence or absence of a specific marker?
— predicting the erifsfkectiveness of a therapeutic alternatives (“companion diagnostic”)?
— predicting the of develoipnitnegn dae md eudseical condition?
— applications other than the ?
— What injury, illness or condition will the results be used to detect, diagnose, predict or monitor?
— Who will use the IVD examination results: medical specialists, general clinicians or patients?
— Is the role of the examination results in medical decisions to be used:
— as the basis for immediate medical decisions?
64 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— with other relevant information to guide a medical decision?
— Which patient populations will primarily experience the benefit from the IVD examinations?
—H. 2.S2h oCuhlda arnayc tpeartiiesntitc pso rpeullaattieodn st ob ep eaxtpielincitt lsya cfoenttyraindicated?
H.2.2.1 General considerations
medical devices IVD medical devices
In addition to biological, chemical, electrical, mechanical and security characteristiIcVsD i nm ceodmicmalo dne vwicitehs
other (see Annex A), have analytical performance and reliability
characteristics that determine the suitability for their intendeIdV Dcl imniecdailc auls ed.e Svoicmese
can perform multiple examinations simultaneously, and their clinical performance can rely on the
interpretation of patterns of results (e.g. multiplex assays). that employ digital
information technology can also have characteristics related to their ability to store and transmit an
examinathioanrm result or ancillary information to where it is needed for a medical decision. Failure to meet
a performance, reliability or communication requirement can initiate a sequence of events that might
result in to a patient.
H.2.2.2 Performance characteristics related to patient safety
a) Quantitative examinations measure a quantity in a representative specimen taken from a patient.
The results are usually expressed as a concentration or percentage. The required analhyatircmal
performance dseevpeernitdys onh atrhme medical application, but false high, false normal or false low results
can potentially affect a diagnosis, cause inappropriate or delayed therapy, and lead to patient .
The type and of can depend on the magnitudIVeD o fm eerdriocra al td emveicdeiscal decision points.
The relevant performance characteristics of quantitative can include:
— trueness of the measured values (bias, traceability to a reference standard);
— measurement precision (repeatability, intermediate precision, reproducibility);
— analytical specificity (influence of interfering or cross-reacting substances);
— analytical sensitivity (ability to discriminate between quantity limits or ranges);
— detection limit (lowest quantity that can be reliably detected);
— quantitation limit (lowest quantity that can be accurately measured);
— measuring interval (range of values over which the analytical performance was validated).
b) Semi-quantitative examinations provide a clinically useful approximation of the quantity being
measured. Values are typically assigned based on an ordinal scale or are reported as a quantity
limit, and can be expressed numerically (e.g. within a specified range of values, or greater or less
than a specific quantity, titer or serial dilution) opr rroecleadtuivreelsy (e.g. as +3, +2, +1 or trace amount).
Common examples of semi-quantitative examinations are urine “dipsticks,” tablets that detect the
presence of ketones, and serological agglutination .
Microscopic examinations can also be considered semi-quantitative if the results are reported as
the number of cells observed in a low-power or high-power field. For example, a urine microscopic
examination might report a value of 0 to 5 red blood ceIlVlsD i mn ead hicigahl -dpeovwiceers field.
The performance characteristics of semi-quantitative can include:
— analytical sensitivity (ability to discriminate between quantity limits or ranges);
— analytical specificity (influence of interfering or cross-reacting substances)
— detection limit (lowest quantity thaPtR cOaOnF b/eÉ PrRelEiaUbVlEy detected); 65
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— precision of the measured signal values (repeatability, reproducibility).
c) Qualitative examinations determine the presence or absence of an analyte, and results are reported
as positive, negative or indeterminate. Cut-off values and relevant databases can define positive or
negative results. A positive result when the analyte is absent or a negative result when the analyte
is present can affect the diagnosis or treatmentI.VD medical devices
The performance characteristics of qualitative can include:
— analytical sensitivity (fraction of true positive results in samples containing the analyte);
— analytical specificity (fraction of true negative results in samples containing the analyte);
— diagnostic sensitivity (fraction of true positive results in patients with disease);
— diagnostic specificity (fraction of true negative results in patients without disease).
H.2.2.3 Reliability characteristics related to patient safety
When clinicians depend on IVD examination results for urgent medical decisions, such as in emergency
or intensive care settings, timely results can be as important as accurate results. Failure to produce a
result when it is needed can delayIV nDe cmeesdsiacrayl mdeevdiciecasl intervention.
The reliability characteristics of can include:
— system reliability (mean time between failures, mean time to failure);
— component compatibility (including versions and critical tolerances);
— software reliability (error-free operation);
— reagent or control stability; use errors
— system usability (avoidance of ).
H.2.2.4 Digital information technology characteristics related to patient safety
Correct identificaItVioDn mofe tdhicea pl adteiveincte and the sample is clearly essential. Some examinations also require
ancillary information about the patient, the sample, or the examination for proper interpretation of
the results. If an is designed to collect, store and report such information with the
examination result, device characteristics leading to data corruption or alteration can contribute to
misdiagnosis or inappropriate therapy.
The ancillary patient information required by the clinicians can include:
— correct patient name and sample identification;
— patient details (age, gender, population, genetic factors, medications, nutritional state);
— sample details (sample type, descriptpioronc, eadcuqrueisition time);
— measurement details (measurement , units of measure, measurement uncertainty);
— application details (cut-off points, reference intervals). safety
Digital information technology characteristics that can affect patient include:
— connections between devices and/or networks (wireless or wired);
— internet data transmission;
— interface with digital applications (networked or mobile);
66 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
IVD medical device
— applications that emulate results from an ;
— embedded software applications (e.g. interpretation or treatment recommendations);
— unshielded data transfer (e.g. ESD susceptibility);
— digital data storage (e.g. susceptibility to corruption, maniphualzaatriodns or deletion);
—H. 2.d3i srKunptoiownn o af ontdh efro croensneeecatbedle d hevaizcaesr d(csr etoat pinagt iaedndtitsional ).
H.2.3.1 Identification of hazards
hazard
harm
From the standpoint of the patient, an IVD examination result would be choanzsaidredrsed a if it
could lead to (1) inappropriate medical intervention that can rehsauzlat ridns , or (2) lack of medical
intervention necessary to prevent being harmed. The following general could cause or
contribute to potentially harmful medical decisions. The specific should be identified in terms
of the magnitude and direction of error, the extent of delay, or the ancillary information that is incorrect
or missing. hazard IVD medical device hazard
IVD medical devices
In addition to identification for the itself, identification related to
connectivity should be evaluated. The increased use of connectIeVdD t om oetdhiecra ld edveivcieces
or systems, eithers adfierteyctly or through a computer network, wireless technology or the internet, has
created new challenges for their safe operation. The need to ensurIVe De fmfeecdtiicvael devices
functionality and hahs abzeacrodmse more important with the increasing use of connected devices, and
the rfirsekq mueannta geleemcternotnpirco ecxescshange ofI VhDea mltehd iicnafol drmevaictieon produced by . Identifying
failures that can cause the described below, due to connectivity, should be performed as part of
the for the .
a) Incorrect examination result
For quantitative and semi-quantitative examinations, results are considered incorpreroctc eisfs the
difference from a correct value exceeds the error limit required for the clinical application.
Analytical performance requirements are typically established during the design input .
Some medical decisions can be influenced by the magnitude of the examination result, so the
clinical significance of an incorrect result can depend on the magnitude of the difference between
the measured value and the trpureo cveadluuree.s
For qualitative examination , in which only a positive or negative result is provided,
(e.g. HIV and pregnancy examinations), examination results are either correct, incorrect or
indeterminate.
b) Delayed examination result
An examination result or its ancillary information is considered delayed if it is needed for a medical
decision and the clinician does not receive it in time to support a critical therapeutic or intervention
decision. Criteria can be established to define what constitutes a clinically significant delay for the
medical application (e.g. urgent care situation).
c) Incorrect information accompanying the result
The consequences of anh aerrmror in the ancillary information provided with an IVD examination result
depends on how the information is used in clinical decision making, and whether the error could
cause or contribute to .
PROOF/ÉPREUVE 67
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
H.2.3.2 Identification of hazards from fault conditions
IVD medical devices hazards
hazards
that fail during use can lead to one or more of the general defined in H.2.3.1.
Fault conditions potentially leading to can include the following:
— within-batch or batch-to-batch inconsistency (e.g. reagents, calibrators, controls);
— non-traceable value assignment (e.g. calibrators, proficiency materials, assayed controls);
— reagent non-specificity (e.g. interfering factors, antibodies);
— sample or reagent carryover (e.g. pipetting instruments);
— measurement imprecision (e.g. system-level);
— unstable materials (e.g. during transportation, storage or use);
— system malfunctions (e.g. hardware, software, components, accessories);
— digital technology failures such as:
— software/firmware vulnerability to intrusion (e.g. data modification or theft).
— data transfers resulting in incorrect or missing results, inappropriate treatment recommendations,
or delays from loss of function due to environmental condmiteiodnicsa (le d.ge.v eicleectrostatic discharge, ESD);
— connections disrupting the performance of the connected , creating unsafe conditions
for the patient;
— digital applications incorrectly connected to another device or digital application;
— corruption during data storage that causes incorrect information or delayed results; or
— delays IiVnD a vmaeildaibcailli tdye ovfic reesults or patient information due to loss of network connectivity.
When the is used with digital software applications, failures leading to a delay of
results include:
— smart device operating system changes, resulting in application not being available and causing
delay of treatment, or in unexpected behaviour causing incorrect recommendation for treatment;
— smart device data storage capacity or rate of transfer data limitations, resulting in delay of treatment
or incorrect recommended treatment;
— time inconsistencies between application and smart devices, resulting in delay of treatment or
incorrect results (specifically related to out-of-date results appearing as valid).
H.2.3.3 Identification of hazards from normal use
IVD medical device
hazards
Inherent limitations in technology can occasionally lead to one or more of the general
manufac ttou rpeartients described in H.2.3.1, even though all warnings, precautions and instructions for use
were followed, the device functioned as intended, and the analryistkicsal performance met the claims of the
haza.r dEvery examination result is subject to unavoidable sources of variability. Even when the
analytical performance has been optimized to minimize the , an occasional result in normal use
cHaanz abred as for an individual patient.
potentially occurring in normal use can include inaccurate results duep rtoo ctehdeu froelslowing:
— inherent false negative and false positive rates of qualitative examination caused by the
uncertainty of statistically assigned cut-off values; procedures
— measurement uncertainty associated with quantitative examination (performance
claims often represent 95 % of the results within medically defined target limits);
68 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— misclassification of results as “abnormal” or outside a “normal” reference interval (determined
empirically from the central 95 % of results in a “normal” population study);
— influence of interfering substances in the sample (e.g. cross-reacting antibodies, certain drugs or
biochemical metabolites, or sample preparation materials);
— biological variability of the analyte itself (e.g. heterogeneity of natural proteins, population
differences in normal analyte concentrations);
— chemical properties of the analyte itself (e.g. intrinsic instability, adhesiveness);
— variability of the patient sample matrix (i.e. “matrix effects”);
— the finite reliability of instrument components.
hazardous situation
NOTE Medically defined performance rereqsuidirueaml erinstks take into account the statistical distribution of
examination results in the intended patient populations. The occurrence of a in normal use is
considered an unavoidable contribution to the .
H.2.3.4 Identification of hazards from use errors
Use errors hazards
processes use error use errors
can cause one or more of the general described in H.2.3.1. Non-routine laboratory
canp broec eessspecially prIVoDne mtoe dical devi.c Reeasonably foreseeable (i.e. resulting from
readily predictable human behaviour) can be identified and potentially prevented by a usability
[16]
engineering during design and development. See IEC 62366-1 for
iUnsfeo errmroartison and guidance. hazards
potentially leading to IVD in the medical laboratory or at the point of care can include
the following:
— overlooking special requirements (e.g. outside the normal laboratory routine); processes
— performing operations out of sequence, including pre-examination and post-examination
(e.g. unclear instructions, confusing user interface);
—Us e edrartoar sentry errors (e.g. patient name, identification number, birth date or age, gender, etc.).
by patients performing self-testing can include the following:
— applying insufficient volume of sample (e.g. too little for accurate measurement);
— inserting reagent module improperly (e.g. before device is ready for measuring).
H.2.3.5 Identification of hazards from reasonably foreseeable misuse
process manufacturers IVD medical devices hazards
hazardous situations reasonably foreseeable misuse
A usability engineering can also help of to prevent
[16]
and reasonably fo arreisseineagb flreo mmi suse . See IEC 62366-1 for guidance.
Examples of IVD medical device include the following:
— use of an prior to reading the instruction msaafneutayl or completing training;
— disregard of warnings, instructions, or other information for ;
— collection of an inappropriate sample type (e.g. serum when citrated plasma is specified);
— reporting examinatIiVoDn mreesduilctasl fdoerv cicoentraindicated or unvalidated clinical use;
— using a self-testing in a critical care setting (e.g. accuracy might not be adequate);
— using unverified third-party calibrator, reagent, control material or accessory;
— storing materials in incorrect conditions (e.g. room temperature when refrigeration is specified);
PROOF/ÉPREUVE 69
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— operation of an IVD instrument outside spsaecfeitfiyed environmental conditions;
— disabling, overriding, or failing to enable features (e.g. to reduce annoyance to users);
— neglecting to perform prescribed instrument maintenance;
— connection to an information system without adequate network connectivity or security;
— malicious intent to create incorrect results or delay in treatment, including:
— hijacked and impersonated device by third-party application or individual to alter results,
producing incorrect results on connected digital applications;
— corrupted device software configuration, producing incorrect results;
Reas—on abinlyt eforcreespeteeadb dlea tmai sinu steransit to delay results or send incorrect results to the user.
by patients performing self-testing can include the following:
— dividing or reusing reagent test strips (e.g. to reduce cost);
— taking samples from an alternative site (e.g. other than fingertip due to pain);
— failing to clean and disinfect the venipuncture site (e.g. potential for contamination/infection);
—H. 2.s4t orIidneg nretiafgicenatt isotrni posf ipn ointeapnptriaolp rhiaatrem esnvironmental condition (e.g. overheated vehicle).
manufacturers risks hazardous
situation severity harm
ImSaOn 1u4fa9c7t1u:r2e0r19 requires thoa remstsimate the associated with each identified
, based on stehvee rpitryobability of occurrence and the of possible . This requires the
to identify the potential (e.g. injuries) to patients with sufficient specificity to
assign appropriate valuehs.azardous situation harms
severities Manufacturers harms risk analysis
For some examinations, a single saf ectayn result in several different h raerpmressenting
a range of . should determhinaer mwshich to includries ki na ntahley sis to
enspuorset- par hoidguhc tdioegnree of protection of health and , and document the rationale. All judged
reasonably likely to occur should be included. Other can be added to the if production
or information hsahromwss theyr iwske raen aelxypsiesrienced. severity
NOTE Identifying potential for risk analys iasnd determining their and probability of
occurrence requires an understanding of the clinical use of the IVD examination results. For this reason,
participation of qualified medical experts in the is eshsaernmtiasl.
Questions itnhtaetn dmeidg huts ehelp to identify and classify potential include: harms
— Is the a major determinant of therapy for a serious medical condition? If so, what
might occiuntre fnrdoemd au smeisdiagnosis or inappropriate therapy?
— Does the involve detection of an infectious disease agent (e.g. hepatitis A or HIV)? If so,
could a finatlseen dneedg autisvee result allow the infection to spread to others in the population?
risk
— Is the to detect and diagnose an inherited condition (e.g. sickle cell disease,
hemoglobinopathy carrier, predisposition to Alzheimer’s disease, increased of breast chaanrcmer,
etc.)? If so, could a false negative result allow progression of an otherwise preventable or treatable
diseasien?t eCnodueldd au sfealse positive result lead to unnecessary medical intervention and potential ?
benefits harm
— Is the to predict drug or device effectiveness? If so, could a false negative result cause
the loss of therapeutic and subsequent ? Could a false positive result have harmful
conseqinuteenncdeesd? use
— Is the to screen transfusion or transplant donors? If so, could incorrect results cause
transmission of disease to recipients or lead to rejection of a properly functioning organ?
70 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
intended use harms
— Is the to monitor a critical body function? If so, what might occur from an
incorrect result or a significant delay in receiving the result?
— If medical intervention occurred, would the outcome be irreversible (e.g. surgical resection,
abortion)I, VoDr wmoeudlidca tlh dee oviuctecome be reversible (with or without further medical intervention)?
— Does the require connection to a network or the internet, where modification or
theft of a patient’s data cousldev oecrcituyr (eh.ga. rinmadequate security)?
GHu.2id.5el inIedse fnort idfiectaertmioinn ionfg hthaez ardous osfi tuati oanres found in 5.5.4.
manufacturers hazardous situations
risk analysis manufacturer hazardous situation
ISO 14971:2019 reqriusikr easn alysis to compile a comprehensive set of for the
, but leaves it up to the to determine what constitutes a for
the puhrpaozaserd of the (see Annex C.4 of ISO 14971:2019 form gaennuefraaclt ugrueirdance). One approach is
to review the semquaennucfaec otuf reevrents. See H.2.6 to identifyr aisnk eavneanlty soirs condition that (1) exposes the patient
to the , (2) is beyond any reasonable means of control by the or the device user, and
(3) enables thhea zardous situat itoon pserfoIrVmD amne odbicjaelc tdievvei ces .
Examples of for can include events such as:
— receipt of an incorrect laboratory result bIyV aD c mlinediciciaanl ;device
— delay in therapy (e.g. due to failure of the );
— delay in reporting an urgent laboratory result to a clinician;
— inappropriate therapy (e.g. based on incorrect selfu-tsees etirnrogr result);
— misidentification of a patient’s sample (e.g. due to );
— reporting incorrect information with a patienht’as zraersduoltu s(e s.igt.u dautieo tnos networking failure).
The following questions can be helpful to analyse related to incorrect outcomes:
— Is the condition that is the subject of the IVD examination such that a false negative or false positive
result would still appear “believable” given the likely context of other diagnostic indicators, and
therefore not be further confirmed before deciding on a course of clinical action/inaction?
— Are there few, limited or no other diagnostic tools available to confirm or deny a potentially false
H.2.p6o sIitdiveen otrif fiaclastei oneng oatfi vfoe rIeVsDe teeasbt rlees sueltq?uences of events
H.2.6.1 General considerations
hazardous situation harm
Identificahtaiormn and analysis of the reasonably foreseeable sequences or combinations of evmenatnsu tfhacattu craenr
lead to a hazardous situatio nand poritsekn tainaalllyy spisrogress to is necessary to ersitsikmate the probabirliitsyk
cthoantt rtohle would occur. Understanding these activities and events can also help the
select the for and identify opportunities for reduction and
. IVD medical device
intended use manufacturer
The specific sequence of events to be analysed will depend on the particular and its
. When outlining threis skesquence of events, the should consider the knowledge,
skills and abilities of the intended users, the use environment, and any events and circumstances that
could increase or decrease the . procedures
manufacturer
Although medical laboratories operate with control designed to detect errors, the
should consider their effectiveness in detecting specific failure modes. Sporadic random
failures are especially difficult for a laboratory to detect. Experienced clinicians know this and question
PROOF/ÉPREUVE 71
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
any results that are inconsistent with other available inhfaorrmmation or their clinical impression. If the
incorrect result is plausible, however, and if it influences the diagnosis or therapeutic decision, it could
lead to inapproprIiVaDte more ddieclaaly deedv tihceesrapy and potehnatziaarlldyo us sit utoa ttihoen spatient.
Malfunctions of can create if they cause a significant delay
in the availability of IVD results needed for critical medical decisions. Although the user bears the
primary responsibility to have a backup and recovery plan, a device failure can be a contributory factor.
Clinically significant delays are more likely to occur at the point of care or in laboratories that support
emergency care than in a laboratory performing routine examinations.
H.2.6.2 Description of the sequence of events
Risk IVD medical devices medical
devices manufacturer
scenarios for typically involve longer sequences of events than for other
. They include activities that are not under the direct control of the , such as those
performed by the device users (e.g. the medical laboratory or point of care user) and medical decisions
and actions by the clinicians who ordered the examination results. hazard
manufacturer
The description should start with the initiating event (typically the cause of the being analysed)
and thhea ervmensts directly under the control of the , progress logically through the foreseeable
decisions and actions of the device users, and end with the clinical decisions and actions leading to each
of the identified as foreseeable outcomes.
Manufacturers
The description should be as detailed as necessary to capture the main initiating and contributing
events, but not so detailed so that minor inconsequential events hinder the analysis.
can choose to divide complex sequences of events into shorter segments, so that the analysis can be
performed by individuals with the required expertise. This approach is discussed in H.2.7.2. A diagram
(e.g. flowchart, event tree) can bme aunseuffuacl ttuor deorcument and communicate complex sequences of events.
a) Events under control of the hazardous situation
manufacturer’s use error
The initiating event in the smeqauneunfcaec tlueraedri’sng to a can occur as a failure of the
quality management system. A fault condition or potential for can be
caused by activities under a direct control, such as:
— design and development;
— device labelling;
— manufacturing and supplier management;
— product inventory and distribution;
— equipment servicing;
— training and product support. IVD medical device
b) EUvsee netrsr ournsder control of the user of the
hazards
and device failures can happen during device operation in the laboratory or at the point
of care. Activities to prevent or detect sa afentdy the actions takenm ina nruefsapcotnurseer by the user are
ruinskd emr atnhaeg deimreecntt cpornotcreossl of the laboratory or point of care facility. These device users incorporate
the protective measures and information for provided by the into their own
IVD medical. devices risks
procedures
The users of can also cause or contribute to to patients through misuse
(see H.2.3.5), including failure to maintain adequate quality assurance , contingency
and IVreDc omveedriyc apl ldaenvsi,c eor security protection. Decisions to report or not report an examination
result to a clinician are completely under the control of the medical laboratorIyV oDr m oethdeicra ul dseervsic oef
the . The capabilities of the intended users and the use environments should be
considered when analysing the sequence of events under control of users of the .
72 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
IVD medical devicemanufacturer
Examples of activities typically under the user’s control, using information, materials and support
from the , include: IVD medical device
— selection, usage and storage of sample collection device used with the ;
— collection, processing and storage of patient samples;
verification
— system installation and setup, including user training, component or consumable qualification,
and performance ;
— selection, preparation, usage and storage of accessories, consumables, and parts (including
expiry date management);
— calibration activities and metrological traceability;
— quality assurance activities (e.g. quality control, proficiency testing, delta checks);
— review and reporting of examinaintitoenn dreeds uulstes;
— communication with clinicians ( , contraindication, recalled results, surveillance);
— local network and internet connectivity;
— biohazardous waste disposal;
— equipment maintenance, servicing, decommissioning and disposal;
— contingency and recovery planning (e.g. backup systems).
c) Events under control of the clinician
The events under control of the clinician normally begin with receipt and review of the examination
result and a decision whether to accept the result as valid. Large errors are likely to be questioned
and rejected (e.g. results contradicted by other diagnostic information, abnormal results
incompatible with life), but plausible results are likely to be accepted as valid and potentially used
for medical decisions.
medical device IVD medical device
NOTE Clinical decision making is specifically excluded from the scope of ISO 14971:2019. This refers to
clinical decisions whether to use a particular or , not to clinical decisions
affectedI VbDy inmceodrriceactl odre dveiclaeysed IVD results.
When are used at the point of care, such as a physician’s officIVe,D c mlineidci coarl
sdpeveicciealized hospital unit, clinicians are usually invomlvaendu fianc ttuhree rcollection, handling, inventory,
and storage of patient sasmafpetleys, and caacnco pmeprafonrymin gm daoncyu more natlal toiof nthe activities of the
user. In such craisske sa,n tahlyes iospportunities for the IVD m teod iicnafll udeenvcicee clinical activities
through information for in the can be greater. The sequence of
events identified for should reflect the use of the in the actual use
envirriosnk maneanlty.sis
accompanying documentation reasonably
Tfohree seeable misu ssheould consider any reasornisakb mlya fonraegseemeaenbtle clinical use. Clinical use coanctcroaminpdaicnaytiendg
odor cnuomt eenxtaptliicointly addressedI VinD tmhee dical device could be considered
for the purposes of . It should be noted that
written for users in the laboratory does not always reach the
clinicians who order and act upon the examination results.
Examples of decisions and activities typically under the clinician’s control, potentially with
guidance and support from the laboratory, include:
— comparing the result to expected values;
— requesting confirmatory or corroborating examinations;
— proceeding without the examination result (if delayed);
PROOF/ÉPREUVE 73
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
— establishing a clinical diagnosis;
H.2.—7 Einstitiimataintgio onr wofi tthhheo lpdrinogb tahbeirlaitpyy .of occurrence of harm
H.2.7.1 General considerations
risk analysis
The shhoauzladr dconsider the entire sehqaurmence of events as described in H.2.6.2. The probability
of a patient beihnagr mharmed is the combined probability of each event in the sequence of events associated
with a particular and the potential . The approach used to estimate the probability of
occurrence of IV cDa nm deedpiceanld d oenv itchee complexity of the sequence of events. An important consideration
is to ensure the analysis canm baen puefarcfoturmreerd by individuals with the appropriate knowledge and expertise
pertaining to the being analysed, including its analyticalr iasnkd a nclainlyisciasl use and the
technologies involvreisdk. aTnhael ysis can analyse thIVe Den mtierdei csaelq dueevniccee of events as a whole or divide
it into segments, based on which approach is more suitable for an objective . Examples of
applIyViDn gm deidffiecarel ndte vices approaches to common scenarios are given in H.7.
risk analysis
For involving short sequences of eventhsa, srumch as self-testing or phoainzta rodf ocuasr es idtuevaitcioens,
the can be relatively straightforward. A cross-functional team of experts can be assembled
to develop estimates of the probability of occurrence of p foosrt -eparcohd uidcteinotnified ,
based on their expert judgment, supplemented with available analytical and clinical information (e.g.
premarket studies, experience with similar products, relevant information). The cross-
functional team should include experts familiar with the design, construction, use and servicing of the
device, the use environment (e.g. medical laboratory, point of care, patient’s home), and the clinical
use of the examination results. For software-containing devices designed to communicate with other
devices and/or a network, the team should also include expertise in connectivity anhda szeacrudroiutys. situation
For complex sequences or combinations of events, segmenting thPe anPalysis at the
can make more efficient use of expert resources by applying their specialized knowledge and expertise
to the analysis of relevant sequences of events. This is called the “ 1 x 2” approach, which is explained
in more detail in the next subclause.
H.2.7.2 Particular guidance for using the “P x P ” approach
1 2
risk
The approach illustrated in Figure C.1 of ISO 14971:2019 can be useful for complex scenarios with
extended rsieskq uceonnctreosl of events. For example, emveanntusf afcrtoumre ran incorrect result can heaxzteanrddo bues ysoitnuda ttihone
medical laboratPory to the decisions and actionhsa ormf a clinician, which are largelhya bzeayrodnouds a nsiyt uraetaisoonnaPble
means of by the laboratory or the . The proPbability that a
would occur ( 1) anIdV Dt hmee dpircoabl dabeviliictey that would result from that P ( 2)
are estimated separately by appropriate experts. The probability 1 is related to the analysis in the
laboratory using the and producing the resulht aarnmd thPe pProbaPbility 2 is related to the
use of the result by the clinician and the decisions and actions based on that result. These probabilities
are comIVbDin meded tioc aolb dteavinic ethe overall probability of occurrence of ( = 1 x 2).
hazardous situation
For an intended for medical laboratory use, the sequence of events can be divided into
analytical and clinical segments, with the defined as an incorrect result reported
to a clinician, a clinically significant delay in reporting the result, or failure to report an important
examPination result. The probabilihtayz oafr edaocuhs ssietgumateionnt can be estimated separately as follows:
— P1 is the probability that the harm would occur; anhdazardous situation
— 2 is the probability that a specific P wouPld result from that risk . IVD
medical device
Figure H.1 illustrates one way to apply the “ 1 x 2” approach to a typical scenario inmvoalnvuinfagc atunr er’s
, in this case a pbrloooceds sanalyser performing glucose measurements in a medhaicraml lsaboratory.
The figure depicts the entire sequence of events, starting with the failure of the
calibrator value assignment and ending with the possibility of multiple patient .
74 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazard
manufacturer
The in this exammpalen uifsa catnu rienrcorrect (falsely high) glucose measuhreamzaerndto urse ssuitlut actaiounsed by
inaccurate calibrator values asmsiagnnuefda cbtyu rtehre’s . The first two events in this scenario are
under the contrsoalf eotfy the m. Tanhuef ascutbusreeqruent evaecnctosm lpeaandyiningg t doo acu mentation occur
in the laboratory beyond the direct control, bhuat ztahredsoeu sa sriet upaotitoenntially controlled by
information for hazar dprovided by the in the ris.k T choen rtreomlaining
emvaennutfsa occtucurerr beyond the directr icsokn atnroall yosfi sthe laboratory, so the in this scehnaazrairod (oiu.es.
seixtpuaotsiuorne to the ) can be defined as the event beyond any reasonable means of by the
. For an efficient in such cases involving incorrect IVD results, the
can be defined as the event when the laboratory reports and/or the clinician receives the
incorrercits kre asnualtly.sis hazardous situation P
hazardous situation harm P
In this , the probability of the occurring ( 1) and the probability ohfa rthme
leading to ( 2) can be estimated separately by the appropriate subject matter
ePxperts. The two probabilities can thheanz baer dcooumsb siintueadt tioo ngive an estimate of the overall probability of .
1: Probability of occurrence of the P
IVD medical device
The individuals assigned to estimate the probability 1 should be familiar with the design, construction,
use and servicing of the , as wPell as have an adequate understanding of the use
environment (e.g. medical laboratory, point of care, patient’s home). Expert knowledge of the medical
applications is generally not needed to analyse the 1 events.
Figure H.1 — Illustration of the sequence of events for a laboratory scenario involving an
incorrect glucose measurement from an IVD medical device
P : harm hazardous situation
Probability of occurring from Pa
P
The individuals assigned to estimate 2 should be familiar with the medical use of the IVD results.
Probability 2 can be estimated using expert clinical judgment and experience with similar IVD
PROOF/ÉPREUVE 75
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
post-production
IVD medical device
examinations, informed by adverse event data, mePdical literature and information from .
Detailed understanding of the performance of the or how the results were generated
and reported is generally not needed to estimate 2.
H.2.7.3 Guidance for estimating the probability of occurrence of harm
The questions IiVn DT ambeled iHca.1l daervei cientended to stiimntuelnadtee ds yussteematic anraislky seisst iomf athtieo nsequence of events and
guide the development of suitable probability estimates. The questions should be adapted as appropriate
for the type of , the specific and the approachm uasneudfa.cturer
P
mQuaensutfiaocntsu 1re tro 4 pertainP to the analytical segment of the sequence of events, and can help a
estimate 1. Questions 5 to 8 pertain to the clinical segment of the sequence of events, and can help a
estimate 2.
Table H.1 — Questions to help estimate the probability of occurrence of harm (1 of 2)
What is the
Points to consider
likelihood that …
- … the initiating euvseen t — How effective are prevention/detection measures?
weroruorld occur (i.e. a
device failure or — Can probability be estimated? If not, set probability = 100%
)?
— Would frequency depend on use environmuseen et?r rAodrdsress worst case.
hazard
— Can specific faults, failure modes and/or occur in a reasonably
foreseeable combination to cause a ?
- … anIV inDc morerdeiccat lr deseuvilct e — How effective are measures intended to ensure accurate results? Or detect an
would be guesne eerrartoerd by unacceptable change in analytical peprrfoocremduarnecse?
the
failure or ? — Would conventional quality control cause the incorrect
examination results to be rejected?
— What is the influence of the use environment (e.g. medical laboratory, point of
care, patient’s home)? Analyse different use environments separately.
— Would the device prompt a user to correct problem (e.g. “not enough blood”)
in time to obtain a valid examination result upon repeat?
- … the incorrect result — Are abnormal results for the examination reviewed against critical value
or incorrect ancillary limits, or otherwise verified prior to reporting to the clinician?
information would
be reported to the — Are rare or unexpected results automatically confirmed prior to reporting
clinician? (e.g. new-born screening programs)?
- … a clinically — Is the result critical for a timely diaghnaozsaisr dooru tsh seirtaupaetiuotnic decision?
significant delay
in reporting the — How much of a delay would create a ?
examination result
— Would the time necessary to troubleshoot a malfunction or out of control
(or ancillary patient
situation cause ap crloinceicdaulrlye unacceptable delay?
information) would
occur?
— Would a backup to ensure timely availability of results be an
expectation of standard laboratory/medical practice?
— Could a second examination be performed and the result be reported within
the time required for a critical result?
76 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Table H.1 (continued)
What is the
Points to consider
likelihood that …
- … the clinician will — Would a clinician recognize the result as incorrect for reasons such as
believe the incorrect inconsistency with a patient’s clinical status, contradicted by other clinical
result to be valid? data, or being physiologically implausible?
— Would a competent clinician question, repeat or corroborate a result that did
not fit the clinical impression?
— Do current standards of medical practice require confirmation (e.g. two
independent HbA1c measurements for a diagnosis of Diabetes Mellitus Type 2)?
- … an incorrect — Are the results used for diagnosis, therapy or monitoring?
medical decision and/
or intervention (or — Will the result be the primary basis for a particular medical decision? Or only
lack of intervention) used in the context of signs, symptoms, other examination results and the
will occur due to the patient’s medical history?
incorrect result?
— Do positive or “abnormal” results always lead to a particular medical decision
or treatment, or only to further investigation?
— Would a false negative or false “normal” screening result cause the clinician
to miss a treatable medical condition?
- … an inappropriate — To what degree is the result used to guide the intervention or therapy, given
medical decision or the signs, symptoms, medical history and other examination results that
action will be caused would be available to the clinician?
by failure to receive a
harm
timely IVD result?
- … patient will — How urgent is an immediate decision or intervention for the patient?
be caused by the
inappropriate medical — What are the medical consequences of the inappropriate action or delay in
decision or action? taking necessary action?
harm
— To what extent would the condition of the patient increase the probability of
occurrence of ?
— Are there implications for individuals other than the patient, such as:
— potential for transmission of infectious agents to others?
— exposure of an embryo or foetus to teratogenic agents or radiation?
— antimicrobial resistance due to unnecessary exposure?
— false rejection of an organ for transplant?
— need for family counselling due to a false diagnosis?
— parental anxiety from false positive new-born screening result?
H.3 Risk control
H.3.1 General
risk
control manufacturer risk control
Since the decisions andm aacntiuofnasc tuorf etrhe clinicians are largely beyond any reassaofentayble means of
by the , safety activities should focus on redumcianngu tfhaect purreorbability of PevenPts
under the control of the risk control. This includes providing information for P and verifying the
effectiveness of information for to users in the laboratory. If the uses the 1 x 2
approach, this means that measures are directed at reducing probability 1.
PROOF/ÉPREUVE 77
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
H.3.2 Inherently safe design and manufacture
Risks
to patients are generally reduced by lowering the probability that incorrect results will be reported
or that clinically significant delays will occur (e.g. by ensuring that performance characteristics meet
medical requirements). For quantitative measurements of analytes such as blood glucose, electrolytes,
enzymes and therapeutic drugs, limiting the magnitude of errors can reduce the frequency of
inappropriate medical decisions.
Examples of design features that control the accuracy and reliability of the examination results include
the following:
— trueness of the calibrator values (e.g. traceability to a recognized reference standard);
— measurement uncertainty (e.g. precision of the measuring system);
— analytical specificity of IVD reagents (e.g. optimized components);
— detection limit or quantitation limit (e.g. improved measurement technology);
— reliability of the instrument (e.g. minimize hardware or software failures);
— discrimination between positive and negative samples (e.g. robust cut-off value);
— eliminating mistake-prone procedural steps (e.g. automation, mistake-proofing);
— component version traceabislittayt ea nodf t phoes aitritve sample identification (e.g. bar-coding);
— software functionality (e.g. coding standards);
— system ease of use (e.g. usability engineering);
— data network and internet connections (e.g. security);
— reduced reagent or calibrator variability (e.g. lot-to-lot specifications, supplier requirements);
— prevention of spurious results (e.g. intermittent component failures);
—H. 3.s3t abPilriotyt eocf trievaeg emntesa, scualribersa itnor tsh oer IcVoDnt rmole mdiactaelr idaelsv (iec.eg .o mr imcroabniuolfoagcitcualr cinongt prorlo);cess
IVD medical device
Examples of detection features in the or reagent kit intended to prevent conditions
that can cause incorrect or delayed results include:
— liquid level sensors to ensure sufficient sample volume (e.g. detect “short draws”);
— fault detection systems (e.g. spectrophotometer drift, inadequate temperature control);
— sample quality checks (e.g. hemolysis, icterus, lipemia);
— controls to detect and remove sample artefacts (e.g. foam or fibrin clots);
— built-in controls to verify correct calibrator or reagent lots (e.g. bar code repardoecerds)u;res
— alarms and error messages to alert users to fault conditions and recovery ;
— software that identifies questionable results for reflex testing, review or suppression;
— incpormocinegss inspections of supplied components;
— in- acceptance testing and final-product acceptance testing.
78 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
safety
NOTE Recommendations for detection methods to be implemented by the user, such as quality control
testing, confirmatory examinations or critical value notifications, are considered information for , not
pHr.o3t.e4c tivIen mfoeramsuaretsi.on for safety
safety IVD medical devices hazard
hazardous situation risk control
Information for is provided to users of to prevent the occurrence of a
or a . This can be an effective measure if (1) such information instructs
users what actions to take or saavfoetidy, (2) the intended users are capable of following the instructions, and
(3) it can be reasonably expected that they will follow those instructions. The adverse consequences of
ignoring the informatsiaofne tfyor should be clerairs.k management process
safety risks
The information for can be used in the of the medical laboratory or
by other intended users. Examples of information for that enable users to control include
warnings, instructions andh oatzhaerrd sinformation addressinIVgD: medical device
— chemical or biological associated with the ;
— contraindicated medical conditions or clinical applications;
— sample collection, storage and preparation;
— identification of inappropriate sample types;
— interferinhga szuabrsdtsances detectable by tuhsee u esrerro (res.g. visible haemolysis);
— causes of , including potential ;
— incompatible system componentIsV aDn md eadcciceasls doervieicse;
— utilities and facilities where the is to be installed (e.g. use environment);
— improper reagent storage or use beyond thIVeD e xmpeirdyic daal tdee;vice
— installation, servicing and disposal of the ;
— quality control samples and frequency;
— validated measuring intervals and dilution instructions for samples when the measured values are
above the upper limit of the measuring interval;
— biological reference intervals and medical decision points;
— validated cleaning methopdrso cfoerd urereussable items;
— preventive maintenance ;
— interface and connectivity requirements;
— backup and recovery in cassea foetf ysystem failure.
NOTE The information for can be subject to regulations or international standards, such the
[34]
IHSO.3 1.581 1R3 o(allel poafr stst)and. ards and analytical performance criteria
state of the art IVD medical
devices
Few international product standards define the generally acknowledged for IVD
[28] [32]
medical. dISeOvi c1e5s197 (self-monitoring devices for bsloaofedt yglucose) and ISO 17593 (self-monitorriisnkgs
devices for orhaal zaanrtdicoouas gsuitluaantti otnhserapy) are examples. Howesvtaetre, soof mthee ianrtternational standards for
address certain aspects of inherent , which can provide evidence that the
from specific have been reduced to the .
PROOF/ÉPREUVE 79
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
process
state of the art
[31]
For example, ISO 17511 defines a for establishing the metrological traceability of IVD
calibrator values to higher order reference materials that define the for accuracy of
patients’ results. The Joint Committee for Traceability in Laboratory Medicine (JCTLM) maintains the
IVD mRaenfeurfaenctcuer eMreasurement Systermissk sDatabase online at http:// www .bipm .org/ jctlm/ . Conformance
[31]
to ISO 17511 using a sJtCaTteL oMf -tahpep arrotved reference measurement system can provide evidence that
the has reduced the associated with the accuracy of its examination results to the
generally acknowledged . risk control
[33]
Other examples of IVD standards with potential relevance to include ISO 17822s-a1fety (nucleic
[36] [37]
acid-based detection systems), ISO 20776 (antimicrobial susceptibility), ISO 20916 (clinical
[40] [11]
performancem setduicdaile ds)e, vIicSeOs 23640 (stability of IVD reagents), IEC 61010-2-101 ( of IVD
[13] [19]
equipment), IEC 61326-2-6 (electromagnetic compatibility of IVD equipment), and IEC 80001-1
(networked ).
Widely recognized performance criteria for certain analytes can be found in publications of the World
Health Organization (WHO), as well as publications of international and national public health agencies,
standmaarndusf aocrtguarneirzations, professional medical societies and regulatory authorities.
IVD medical device intended use
The is respohnaszibalred foours j suistutiafytiionngs the extent that such standards and performance criteria
apply to their particular and its , and as required by ISO 14971:2019, for
vHe.r3i.f6y inUg stheart e adllu rcealetviaonnt and training have been considered.
procedures
safety manufacturer
For complex uuses eerr roinrsterfaces, difficult examination , or critical clinical applications,
information for can take the form of training and education programs offered by the
to help avoid . Training materials suitable for use in continuing education programs can also
be provided.
manufacturer
[32]
For example, the product standard for oral anticoagulation monitoring systems (ISO 17593 ) requires
the rtiosk p croonvtirdoel a validated training program for crliisnkiscians and an education program
for patients and other users of these devices. The experts who developed the International Standard
considered these measures necessary to ensure the of use in the home environment
were acceptable. risk safety
In determining the degree of reduction attributable to information for , consider that:
— the use environment, competence and capabilities of device users can vary widely;
— quality control and quality assurance practices are not uniform around the worldI;V aDn mdedical device
— information about contraindicated medical use and interfering drugs provided to
users might not always reach the clinicians who order the examinations.
H.4 Benefit-risk analysis
benefit-risk
7.4 provides guidance for performinbge an efits I VaDna mlyesdisic.al device
IVD medical device
If it is not possible to describe the of an directly, surrogate endpoints can
be established. Examples include the ability of an to identify a specific disease, to
provide diagnosis at different stages of a disease, to predict future disease onset, and/or to identify
patients likely to respond to a given therapy.
H.5 Disclosure of the residual risks
H.5.1 General considerations
residual risks
risks IVD medical
Annex D explains that the aim of disclosing the is to provide information to the device
user, and potentially the clinician and the patient, so they can weigh the of using the
80 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
device benefits risk Manufacturers
agraeisnisdtu aitls r isks and make informed decisions raisbkout the acceptability.
should take into account the information needed by medical laboratories and clinicians to evaluate the
inherent residual arnisdk dsetermIViDne m theed inceael dd feovric feusrther reduction measures.
accompanying documentation
Disclosure of IVD medic aflo dre vice pcraonc etdaukree different forms, including hinafzoarrmdsation
hparozvariddeodu s isnit utahteio ns aboutm tahneu fapcetrufroerrmance specificatiornessi d(u“acll ariimskss”),
limitations of the risk control or examination , and/or potenstaifaelt cyauses of and
that could not be eliminated by the . The disclosure of is
in addition to the res imdueaal sruisrkess proviadcecodm topa unsyeinrgs daos ciunmfoernmtaatitoionn for .
NOTE The disclosure of in the can also be prescribed by national
[34]
rHe.g5u.l2at ioPnes rofro irnmterannatcieon sapl setcainfdicaardtsio, snusch as the ISO 18113 (all parts) .
Description of the relevIVanDt maendaiclyalt idceavl icpeerformance characteristics and the results of clinical
[37]
performance studies (see ISO 20916 ), allow the medical laboratory director and clinicians to
evaluate the utility of the for its intended medical applications.
The description of the performance characteristics should be sufficiently detailed so the laboratory or
other users can: IVD medical device manufacturer
— verify that the is performing as intended by the ;
— determine the measurement uncertainty associated with the examination results; and
— know that the examination results will meet the medical needs of the clinicians.
accompanying documentation
Results of performance evaluations conducted in actual or simulated use conditions can be summarized
and presented in the .
EHx.5am.3p leLsi mof iptoatteiontniasl olyf rtehleev IaVnDt p merefdoricmaaln dceev cihcaeracteristics are given in H.2.2.2.
IVD medical device
accompanying documentation IVD medical device
[34]
ISO 18113-1 requires that the analytical and clinical limitations of the residual risks be disclosed
in the . The limitations describe situations in which the
might not perform as intended and can therefore be a means of disclosing , such as:
— interfering substances not detectable by the user (e.g. drugs, biological metabolites);
— specific patient populations in which the performance characteristics might not apply;
— values outside the measuring interval (where performance characteristics are not validated);
— patient populations where reference intervals or medical dienctiesniodne dp uosinets might not apply;
— primary sample types that have not been validated for the ;
—H. 5.c4ir cGumensetarnaclelys arnedc ofagcntoizres dth laimt mitigahtito anffse cotf e uxsaemination results, but have not been studied.
hazardous situation
risks
Some events or circumstances that can lead to a are considered general knowledge
in laboratorym maneudfiaccintuer. eTrhese are addressed by standard medical or laboratory practices and
are typically not described irni stkhse instructions for use to avoid overwhelming users with unnecessary
details. The should consider whether additional information is appropriate to ensure
that users are aware of the associated with these events or circumstances, keeping in mind the
PROOF/ÉPREUVE 81
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
hazard risks
of communicating so many that users might have difficulty understanding which ones are
important to control. For example: safety
hazards hazardous situations manufacturers
— Implicit in warnings, instructions and other inrfeosrimduaatli ornis kfosr is the understanding that failure
to follow them can result in and . It is not expected that
will specifically call out all such violations as . Failure to follow an explicit warning or
instruction is considered misuse (see H.2.3.5).
— It is expected that electromechanical equipment will occasionally fail and require servicing, and
that biological materials used beyond their expiry date can become unstable and fail.
— It is also expected that laboratories will implement a contingency plan (e.g. backup systems or an
alternative laboratory) to ensure that essential services are available during such situations (see
[27]
ISO 15189 ).
H.6 Production and post-production activities
H.6.1 General considerations
post-production
manufacturers
Establishing an effective system to monitor information (complaints, adverhsaez aervdeonutss
asintuda ptiroondsuct nhoanrcmonsformities) can be a challenge for , particuhlaazralyr dfosr devices intended
for use in medical laboratories, because reliable data to monitor the actual frequency of
and can be difficult tou soeb etrarionr. sMonitoring the occurrence of and their causes is
more straightforward, since this feedback can be provided directly by the device users who experience
the events. Reports of device failures, and medical incidents should be collected and analysed,
and the observed frequencies should be compared to the anticipated frequencies (allowing for the
possibility of underreporting by busy laboratoproisets-)p.roduction manufacturers
risk analysis harms hazardous
Wsithueanti oensstahbalizsahridnsg a system for collecting r isiknformation, can use the
product to develop a classification and cosedvinergi tsycheme for anticipahtaerdm s ,
, , and their causes, which can facilitateh arm-based prioritization of investigations.
Events can be classified according to the estimated of the potential , as well as the
probability that incorrect or delayed results would lead to . Such a tool can be useful for complaint
Hha.6nd.2li ngM, poonsitt-omrairnkge ta snuarlvyetiilclaanlc pe earnfdo ardmvearnsec eevent reporting as well as product failure investigations.
post-production IVD medical devices
An effective system to collect production and information for
requires monitoring of analytical performance data available from both internal and external sources.
processes
Internal sources of performance data can include production data routinely collected during product
release testing, value assignment activities, stability monitoring and product failure
investigations.
External sources of performance data can include data routinely obtained from voluntary participation
in external quality control and proficiency testing programs, user performance evaluations, and
iHn.s6tr.3u mMenot ninitsotarlilnatgi ocnli annidc asle rpveircifnogr macatinvicteies.
Medical laboratories generally have no swevaeyr ittoy know that a repohratremds result was incorrect and could
have led to an inappropriate mpeodsti-cparlo ddeuccitsioionn, intervention or injury unless they receive a complaint
from the clinician. For this reason, the of any reported and their frequency should be
carefully monitored as part of activities. manufacturer
hazards hazardous situations
In addition to monitoring customer feedback about clinical incidents, the should
investigate more sources to learn about new and emerging or occurring
with similar products. Such sources can include adverse event and recall databases maintained by
82 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
safety
regulatory authorities, as well as reports from public institutes, national medical laboratory
associations and the medical literature.
H.7 Examples of risk scenarios for IVD medical devices
H.7.1 General
risk analysis hazardous situations
IVD medical devices
The following generic examples illustrate different approaches infotre nded use IVD medical
cdreevaicteedm bayn ucofamctmuroenr stypes of . These examples are norti sinkt aennadleydsi tso represent the only
recommended apprrioska cmha, annadg emmiegnhtt not be appropriate for all such devices or . life
cycle have the responsibility to decide the appropriate approach to use for
their devices. The plan should document the approach to be used throughout their
H.7.2, a loAnugt womitha ttehed rmateiodniaclael f loarb soelreacttoinrgy i ta.nalyser: incorrect examination result
IVD medical device
In this scenario, a patient is being diagnosed bhya arm clinician who orders an IVD examination from the
central medical laboratory. If the result generated by the is incorrect and is reported
to the clinician, a sequence of events leading to use e crroourld occur as follows:
a) IinViDti mateindgic eavl ednetv ioccecurs (e.g. a device fault or ); hazard
b) produces a clinically incorrect examination result (i.e. a );
c) device user fails to detect the incorrect result (or its cause); hazardous situation
d) device user reports the incorrect result to the clinician (i.e. a );
e) clinician does not identify the result as incorrect;
f) incorrect result misleads clinician to a misdiagnosis;
g) clinician inappropriately intervenes/does not intervene; and harm
h) patient is injured by the clinician’s intervention/non-intervention (i.e. expehriaeznacreds ).
In the scenraisrkio c oounttlrionled abovem, tahneu sfeaqctuuernecre of events from an incorrecrti srke saunlat lysis extends through
the medical laboratorhya tzoa rad oculisn iscitiaunat, iwonhose decisions and actions are largely beyond any reasonable
means of by the . For the purpohsaersm of this , the patient can be
considered to be in a when an incorrect result is received by the clinician, because
after that event the patient is exposed to the possibility of from any clinical decisions and actions
based on the incorrecth raezsaurldto.us situation risk analysis
hazardous situation
This definition of the allows the to be divided into the analytical and
clinical segments, separated by the . Each segment can be analysed and documhenartemd
separately by cross-functional teams of appropriate experts, which can focus on the events relevant to
their expertise. The results of the two analyses can be combined to obtain the overall probability of .
risk analysis risk management file
Trihskis a anpaplyrosiasch makes efficient use of the technical and medical specialistsse. vIte railtsyo allows the creation of
clinical harm reports fohra ztahred ous situations , which can bep uosste-dp rtood suucptipoonrt updates to the
in the event of design changes, as well as to determine the and the probability of
oHc.c7u.3rr ePnceer osof nal ( sfreolfm-t aensyti ng) device: incorr eenctc oculanstesriefidc adutiroinng o f glycaemic st matounsitoring.
In this scenario, a patient diagnosed with Type 2 Diabetes Mellitus rIeVgDu lmareldyi cmalo dneivtoicres his or her
blood glucose concentration and self-administers an anti-glycaemic drug when the results indicate
hyperglycaemia. Although the patient was actually hypoglycaemic, the incorrectly
PROOF/ÉPREUVE 83
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
harm
gave an elevated result and the anti-glycaemic drug caused the patient to become even further
hypoglycaemic. A sequence of events leading tou se err ocoruld occur as follows:
a) initiatingI eVvDe nmte odciccualr sd e(evi.gce. device fault or ); hazard
b) personal produces a clinically incorrect glucose result (i.e. a );
c) patient does not identify the result as incorrect; hazardous situation
d) incorrect result misleads patient to inappropriate therapeutic decision (i.e. a );
e) patient administers antiglycaemic therapy; and harm
f) patient becomes significantly hypoglycaemic (i.e. experiences ).
In the scenario outlined above, the mseaqnuuefanccteu roefr events from an incorrectly elevated blood glucose
measurement thsaatf ectayused incorrect clasmsaifnicuafaticotnu roefr the patient’s glycaemic startiusks aisn alalyrsgiesly limited to
the events under the controhl aozfa trhdeo us situation and decisions and actions by the patient basehda romn
information for provided by the . For the purposes of this , the patient
can be considered to be in a when an event occurs that could lead directly to
(e.g. self-administration of antiglycaemic drug). risk
analysis
In this case, there is no practical advantage to segmenting the sequence of events. The entire
can be performed efficiently by a single cross-functional team of the appropriate technical and
mH.e7d.i4c alP sopretcaiablilset sI.VD medical device for the point of care: critical result delayed
In this scenario, a patieInVtD s musepdeiccatel dd eovfi cienternal injuries is being treated in an urgent care facility,
which performs an IVD examination to assess potential organ damage. Although the user folplorowceedd utrhee
instructions for use, the harm displayed an error message and the examination result was
not available when the clinician needed to decide whether or not to undertake an emergency .
A sequence of events leading to could occuusre a esr froolrlows:
a) IinViDti mateindgic eavl ednetv ioccecurs (e.g. device fault or ); hazard
b) fails to produce a clinically necessary examination result (i.e. a );
c) device user cannot repeat the examination within the required timeframe; hazardous situation
d) result is not available to the clinician to support ibnetneerfvitention decision (i.e. a );
e) clinician takes critical decision / action without of the examination result;
f) clinician’s decision / action is not appropriate for the patient’s condihtiaornm); and
g) patient is injured by the clinician’s action/inaction (i.e. experiences ).
procedure risk analysis
In the scenario outlined above, the hsaezqaurdenouces soitf ueavteionnts led the clinician to perform an emergency
without an assessment of internal organ damage. For the purposes of this , the
patient cbaenn ebfeit considered to be in a when the expected result was not received at
the time it was needed, after which time the patient is exposed to clinical decisions and actions initiated
withmouatn ufactur oerf the examination result.
risk analysis
The can consider whether to analyse the entire sequence of events as a whole or to divide
it into segments based on which approach is more suitable for an objective .
84 PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Bibliography
Principles for medical device security — Risk management
[1] AAMI TIR 57:2016, Quality management system Medical devices Guidance on corrective
action and preventive action and related QMS processes
[2] GHTF/SG3/N18 2010, — —
(available from http:// www .imdrf .org/
documents/ doc -ghtf -sPgo3s .at-smp)arket clinical follow-up studies
[3] GHTF/SG5/N4 2010, (available from http:// www .imdrf
.org/ documents/ doc -Sgehctufr -sitgy5 a .assppe)cts — Guidelines for their inclusion in publications
[4] IEC Guide 120M:2e0d1i8ca, l electrical equipment — Part 1: General requirements for basic safety and
essential performance
[5] IEC 60601-1,
Medical electrical equipment — Part 1-2: General requirements for basic safety
and essential performance — Collateral Standard: Electromagnetic disturbances — Requirements
[6] aIEnCd t6e0s6ts01-1-2,
Medical electrical equipment — Part 1-8: General requirements for basic safety and
essential performance — Collateral standard: General requirements, tests and guidance for alarm
[7] IsEysCt e6m06s 0in1 -m1-e8d, ical electrical equipment and medical electrical systems
Medical electrical equipment — Part 2-16: Particular requirements for basic safety
and essential performance of haemodialysis, haemodiafiltration and haemofiltration equipment
[8] IEC 60601-2-16,
Medical electrical equipment — Part 4-1: Guidance and interpretation —
Medical electrical equipment and medical electrical systems employing a degree of autonomy
[9] IEC/TR 60601-4-1,
Failure modes and effects analysis (FMEA and FMECA)
[10] IEC 60812, Safety requirements for electrical equipment for measurement, control
and laboratory use — Part 2-101: Particular requirements for in vitro diagnostic (IVD) medical
[11] IeEqCu ip6m10e1n0t-2-101:2015,
Fault tree analysis (FTA)
[12] IEC 61025, Electrical equipment for measurement, control and laboratory use — EMC
requirements — Part 2-6: Particular requirements — In vitro diagnostic (IVD) medical equipment
[13] IEC 61326-2-6,
Hazard and operability studies (HAZOP studies) — Application guide
[14] IEC 61882, Medical device software — Software life cycle processes
[15] IEC 62304:2006, Medical devices — Part 1: Application of usability engineering to medical devices
[16] IEC 62366-1:2015M, edical devices — Part 2: Guidance on the application of usability engineering to
medical devices
[17] IEC/TR 62366-2,
Analysis techniques for dependability — Event tree analysis (ETA)
[18] IEC 62502, Application of risk management for IT-networks incorporating medical
devices — Part 1: Roles, responsibilities and activities
[19] IEC 80001-1:2010,
Guide to the development and inclusion of aspects of safety in International
Standards for medical devices
[20] ISO/IEC Guide 63:2019,
Guidance on statistical techniques for ISO 9001:2000
[21] ISO/TR 10017,
PROOF/ÉPREUVE 85
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
Biological evaluation of medical devices — Part 1: Evaluation and testing within
a risk management process
[22] ISO 10993-1:2018,
Needle-based injection systems for medical use — Requirements and test methods —
Part 1: Needle-based injection systems
[23] ISO 11608-1,
Medical devices — Quality management systems — Requirements for regulatory
purposes
[24] ISO 13485:2016,
Medical devices — Quality management systems — Requirements for regulatory
purposes
[25] ISO 13485:2016,
Clinical investigation of medical devices for human subjects — Good clinical practice
[26] ISO 14155, Medical laboratories — Requirements for quality and competence
[27] ISO 15189, In vitro diagnostic test systems — Requirements for blood-glucose monitoring systems
for self-testing in managing diabetes mellitus
[28] ISO 15197,
Medical devices — Recognized essential principles of safety and performance of
medical devices — Part 1: General essential principles and additional specific essential principles for
[29] IaSllO n o1n6-1IV42D- 1m, edical devices and guidance on the selection of standards
Medical devices — Recognized essential principles of safety and performance of
medical devices — Part 2: General essential principles and additional specific essential principles for
[30] IaSllO I V1D6 1m4e2d-2ic,a l devices and guidance on the selection of standards
In vitro diagnostic medical devices — Measurement of quantities in biological samples —
Metrological traceability of values assigned to calibrators and control materials
[31] ISO 17511,
Clinical laboratory testing and in vitro medical devices — Requirements for in vitro
monitoring systems for self-testing of oral anticoagulant therapy
[32] ISO 17593,
In vitro diagnostic test systems — Qualitative nucleic acid-based in vitro
examination procedures for detection and identification of microbial pathogens — Part 1: General
[33] IrSeOqu/iTrSem 1e7n8ts2,2 t-e1r,m s and definitions
In vitro diagnostic medical devices — Information supplied by the
manufacturer (labelling)
[34] ISO 18113 (all parts),
Medical devices — Post-market surveillance for manufacturers
- [35] ISO/TR 20416, Clinical laboratory testing and in vitro diagnostic test systems — Susceptibility
testing of infectious agents and evaluation of performance of antimicrobial susceptibility test devices
[36] ISO 20776 (series),
In vitro diagnostic medical devices — Clinical performance studies using specimens
from human subjects — Good study practice
[37] ISO 20916,
Medical laboratories — Application of risk management to medical laboratories
[38] ISO 22367, Medical devices utilizing animal tissues and their derivatives
[39] ISO 22442 (sIenr iveist)r,o diagnostic medical devices — Evaluation of stability of in vitro diagnostic
reagents
[40] ISO 23640,
81)6 Under preparation. Stage at the time of publPicRaOtiOonF:/ IÉSPOR/EPURFV ETR 20416:2019.
© ISO 2020 – All rights reserved
ISO/TR 24971:2020(E)
ICS 11.040.01
Price based on 86 pages
PROOF/ÉPREUVE
© ISO 2020 – All rights reserved
🛠️ Related Compliance Tools
Applying these regulatory guidelines in practice? Use our free validated calculators for risk management, sampling, and environmental monitoring.