4 General requirements
- 4.1 Risk management
- 4.2 Top management responsibilities
- 4.3 Competence of personnel
- 4.4 Risk management plan
- 4.5 Risk management file
4.1 Risk management
Requirements of ISO 14971, clauses, process
Requirements 1 to 11 (see also the quiz)
The requirements of ISO 14971 in clauses 4 to 10 are shown in figure 4-1:
Figure 4-1. Requirements of ISO 14971
These requirements allow MD manufacturers to:
- identify hazards
- estimate and evaluate risks
- control risks and
- monitor the effectiveness of the risk control measures put in place
Risk is everyone’s business
Integrating risk management into all company processes is a key objective.
The requirements apply to all stages of the life cycle of MDs and to the risks associated with an MD, such as:
- biocompatibility
- information security
- electricity
- moving parts
- radiation
- normal use
- reasonably foreseeable misuse, cf. § 5.2
When a requirement is linked to a risk control measure, it becomes a safety requirement for the medical device.
The “Manage risks of a medical device” process and the clauses of ISO 14971 are shown in figure 4-2, cf. annex 04:
Figure 4-2. Manage risks of an MD
The “Risk management” procedure allows you to follow the essential steps, cf. annex 09.
The “Risk Support”, in Excel format, allows you to identify, analyze, evaluate and treat MD risks, cf. annex 10.
The “Address MD risks” process can also be represented as follows (figure 4-3):
Figure 4-3. The process Address MD risks
As we will see in the following chapters, some processes include activities or sub-processes. A description of the process activities in the form of a flow diagram is shown in annex B.2, figure B.1 of ISO 14971, with details of the relevant paragraphs.
The “Address MD risks” process allows you to:
- identify the hazards and hazardous situations that may result from them
- estimate and evaluate the risks
- control risks
- monitor the effectiveness of risk control measures
A list of risks is proposed in annex 11.
A risk manager should always assume that the list of risks considered, no matter how extensive, is incomplete. Douglas Hubbard
Risk management is dynamic, iterative and responsive to any change.
The “Address MD risks” process includes the following elements:
- risk analysis, cf. clause 5
- risk evaluation, cf. clause 6
- risk control, cf. clause 7
- production and post-production activities, cf. clause 10
The MD processes are described in clause 7 of ISO 13485, cf. the T 22v16 training.
- the process map contains enough arrows to clearly show who the customer is (internal or external)
- the added value of the process is revealed during the process review
- the list of processes is updated
- the purpose of each process is clearly defined
- risk management requirements are respected at all stages of the MD life cycle
- all staff know the activities of the “Address risks” process
- some process output elements are not correctly defined (customers not taken into account)
- list of processes not updated
- process owner not formally designated
- very real activities are not identified in any process
- requirements are not met at certain phases of the MD life cycle
- people do not know essential activities of the “Address risks” process
4.2 Top management responsibilities
Commitment, risk policy, management review
Give freedom, you will get responsibility. Reed Hastings
Top management commitment to the “Address MD risks” process consists, among other things, of ensuring the availability of the necessary resources and of staff with in-depth expertise in risk management.
Top management establishes a risk policy (risk management policy), cf. annex 12 in order to:
- set risk acceptability criteria
- provide a framework guaranteeing the criteria set's compliance with applicable regulations and standards
- take into account:
- the accepted state-of-the-art
- the concerns, needs and wishes of stakeholders
The risk policy may include:
- the scope
- goals
- the principles
- responsibilities
The policy is updated once a year.
One possibility for the risk acceptability criteria is to choose, as the risk reduction approach (without modifying the benefit-risk ratio), to reduce each risk as far as:
- reasonably practicable (ALARP)
- reasonably achievable
- possible (AFAP)
The Manhattan military project (the creation of the atomic bomb) was moving too slowly. Secrecy was required for security reasons and the very nature of the project was hidden from all staff.
To move up a gear, project manager Robert Oppenheimer decided to inform all members of the team of the nature of the project, its extreme urgency and its crucial importance for the end of the war. An unsuspected energy was released; the work progressed by leaps and bounds.
Informing about the mission, giving meaning to the work and trusting the staff are guarantees of success for any project.
Top management and auditors regularly check the effectiveness of the “Address MD risks” process, cf. annex 13. Any decision taken or action carried out in relation to the process is documented, cf. annex 14.
When the manufacturer has implemented a quality management system, which is almost always the case, checking the effectiveness of the “Address MD risks” process is part of the management review.
- the risk policy takes into account all the specificities related to the corporate culture
- top management regularly checks the effectiveness of the “Address risks” process during the management review
- the job description of the risk manager includes raising staff awareness of the different requirements
- the risk policy does not take into account all the specificities related to the corporate culture
- the risk policy is not up-to-date
- the risk policy is not displayed outside the director’s office
- top management does not regularly check the effectiveness of the “Address risks” process
4.3 Competence of personnel
Education, training, experience, knowledge
To succeed in life, you must find a domain, a skill, or something that you love to do and for which you are naturally gifted. Bob Davids
People carrying out activities linked to the “Address MD risks” process are competent thanks to their:
- education
- training
- experience
- knowledge
For the MD concerned, these people have:
- practical knowledge of:
- the development of the MD
- how the MD works
- how the MD is made
- how the MD is used
- the implementation of the “Address MD risks” process
- proven experience
- mastery of:
- the technologies involved
- risk management methods
Top management assigns specific responsibilities and authorities to the risk manager in relation to the “Address MD risks” process, cf. annex 15.
The story of the three stonecutters conveys a great deal. When asked about their work:
- the first replied that he is cutting stones for a living
- the second that he tries to be the best stonemason in the country
- while the third answered that he is building a cathedral
Hence the three main types of relationship to work:
- livelihood
- career
- vocation
A record of the skills required of the people involved, including experts and consultants, is kept up to date (personal files).
Minute of relaxation. Cf. the “Gold contract” joke
- the skills for each activity are determined in a file
- recruitment is consistent with top management decisions
- job descriptions for all positions (including executives) are accessible on the network
- the annual training program is updated at least twice a year
- the training file of each employee is protected (access restrictions)
- the annual training program is not updated (training planned but not provided)
- some job descriptions are non-existent
- missing skills are not listed
- evaluation of the effectiveness of training is not carried out
- the risk level of each training course, based on its impact on the safety and performance of the medical device, is not identified
- certain training courses were not evaluated either at the end of the session or later
- certain skills are not determined
4.4 Risk management plan
Get organized, remain objective
The tiles which protect from the rain were all installed in good weather. Chinese proverb
The risk management plan is part of the risk management file, cf. § 4.5 and annex 16.
The power supply to the computer room must be interrupted for maintenance work. This is an opportunity to simulate a power outage. The staff are notified so that the shutdown of the servers can be observed.
The planned day arrives: the mains power is cut and the load transfers to the UPS units, which provide around 50 minutes of autonomy. Operators start the machine shutdown procedures in the computer room. But some machines are in a locked cabinet, which was not planned! The bunch of keys is eventually found, but the keys are not clearly labelled, and time is wasted trying them one by one. In the end, one machine remains inaccessible: the cabinet key is found, but not the second key needed to unlock the keyboard. The machine ends up stopping for lack of power, which was not planned either! And it turns out that this machine is rightly considered critical.
Conclusion: a small oversight almost ruined everything. For critical machines, it is better to analyze all potential problems in advance and in detail.
The plan allows, among other things, to get organized, to remain objective and not to forget any significant element.
The risk management plan includes at least:
- the scope of the MD, including the life cycle phases for each element of the plan
- the responsibilities and authorities assigned
- review of risk management activities, including those of top management
- the risk acceptability criteria for each MD, including the criteria to apply when the probability of occurrence of harm cannot be estimated (only the severity of the harm is then taken into account)
- a method for evaluating the overall residual risk, cf. clause 8
- activities to verify the implementation of risk control measures and the effectiveness of these measures
- activities to collect and review feedback from production and post-production
Annex C of ISO/TR 24971 contains, among other things, examples and recommendations on risk policy and risk acceptability criteria.
Any change to the risk management plan is recorded in the risk management file, cf. § 4.5 and annexes 16 and 25.
- the risk management plan includes all phases of the MD life cycle
- the acceptability criteria of each MD are justified
- changes to the risk management plan are recorded
- phases of the MD life cycle are not included in the risk management plan
- peripheral devices are included in the plan without reason
- acceptability criteria are not established
- no method for evaluating the overall residual risk is used
4.5 Risk management file
File, records, traceability
If it's not documented, it didn't happen. Milt Dentch
For each MD throughout its life cycle, the manufacturer establishes and maintains a risk management file, cf. annex 17.
The records may be included by reference only, provided they remain readily available when needed.
The risk management file makes it possible to maintain traceability of each hazard identified in relation to:
- risk analysis
- risk evaluation
- the implementation and verification of the effectiveness of control measures
- the results of the residual risk evaluation
To do this, each document is indexed (or includes a version number).
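As an added illustration (not the course's “Risk Support” workbook, nor any code from ISO 14971), the following Python register shows how the plan's acceptability criteria from § 4.4 and the per-hazard traceability of § 4.5 can be checked mechanically. The severity and probability scales, the acceptability thresholds, the document references and the three sample hazards are all assumed here; the second hazard exercises the case where the probability of occurrence cannot be estimated and only severity counts, which is typical for information-security hazards.

```python
"""Hazard traceability register: analysis -> evaluation -> controls -> residual risk.

Added example; scales, thresholds and sample hazards are assumptions, not
values from ISO 14971 or from the course material.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed 5-level scales (the manufacturer chooses its own in the risk policy)
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

# Assumed acceptability criteria taken from a hypothetical risk management plan
ACCEPTABLE_MAX = 4        # severity x probability <= 4: acceptable as is
UNACCEPTABLE_MIN = 12     # severity x probability >= 12: must be reduced
SEVERITY_ONLY_UNACCEPTABLE = SEVERITY["serious"]  # when probability cannot be estimated


@dataclass
class Control:
    measure: str
    doc_ref: str              # indexed document in the risk management file
    verified: bool = False    # implementation verified
    effective: bool = False   # effectiveness verified


@dataclass
class Hazard:
    hid: str
    hazard: str
    hazardous_situation: str
    harm: str
    severity: str
    probability: Optional[str]   # None: probability cannot be estimated
    controls: List[Control] = field(default_factory=list)
    residual_severity: Optional[str] = None
    residual_probability: Optional[str] = None


def evaluate(severity: str, probability: Optional[str]) -> str:
    """Return 'acceptable', 'reduce' (reduce as far as practicable) or 'unacceptable'."""
    if probability is None:
        # Severity-only criterion: no probability estimate is available
        return "unacceptable" if SEVERITY[severity] >= SEVERITY_ONLY_UNACCEPTABLE else "acceptable"
    score = SEVERITY[severity] * PROBABILITY[probability]
    if score >= UNACCEPTABLE_MIN:
        return "unacceptable"
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    return "reduce"


def residual_evaluation(h: Hazard) -> str:
    """Evaluate the residual risk; falls back on the initial estimate if none recorded."""
    sev = h.residual_severity or h.severity
    prob = h.residual_probability if h.residual_probability is not None else h.probability
    return evaluate(sev, prob)


def trace_gaps(h: Hazard) -> List[str]:
    """Traceability check for one hazard: every stage of the file must be present."""
    gaps: List[str] = []
    if evaluate(h.severity, h.probability) != "acceptable" and not h.controls:
        gaps.append("no risk control measure for non-acceptable risk")
    for c in h.controls:
        if not c.verified:
            gaps.append(f"{c.doc_ref}: implementation not verified")
        if not c.effective:
            gaps.append(f"{c.doc_ref}: effectiveness not verified")
    if h.controls and h.residual_severity is None and h.residual_probability is None:
        gaps.append("residual risk not evaluated")
    if residual_evaluation(h) == "unacceptable":
        gaps.append("residual risk unacceptable")
    return gaps


def audit(register: List[Hazard]) -> Dict[str, List[str]]:
    """Map each hazard id to its traceability gaps (empty list = fully traceable)."""
    return {h.hid: trace_gaps(h) for h in register}


# Constructed sample register (hypothetical device, hazards and document references)
REGISTER = [
    Hazard("H-001", "electrical energy", "user touches exposed conductor during cleaning",
           "electric shock", "critical", "remote",
           controls=[Control("double insulation", "RMF-CM-001", verified=True, effective=True)],
           residual_severity="critical", residual_probability="improbable"),
    Hazard("H-002", "unauthorised network access",
           "attacker changes dosing parameters through an unauthenticated service port",
           "overdose", "critical", None,   # information security: probability not estimable
           controls=[Control("mutual TLS on service port", "RMF-CM-007", verified=True)]),
    Hazard("H-003", "moving parts", "finger pinched in door mechanism",
           "bruising", "minor", "occasional"),
]

if __name__ == "__main__":
    for hid, gaps in audit(REGISTER).items():
        print(hid, "OK" if not gaps else "; ".join(gaps))
```

Running the block lists H-001 as fully traceable, H-002 with an unverified control effectiveness, no residual evaluation and an unacceptable residual risk, and H-003 with a non-acceptable risk that has no control measure at all. The severity-only branch is what the plan must define up front: without it, a hazard such as H-002 would silently fall out of the evaluation.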
For medical devices that include software, the IEC 62304 standard requires traceability from each hazardous situation to:
- the software items involved
- the software system tests that verify the risk control measure
- the risk control measure used
The risk management file includes, among other things:
- the Address risk process sheet, cf. annex 04
- the Monitor post-market process sheet, cf. annex 05
- the Evaluate benefit-risk ratio process sheet, cf. annex 07
- risk policy, cf. annex 12
- decisions and actions, cf. annex 14
- the risk management plan, cf. annex 16
- risk analysis activities, cf. annex 18
- risk evaluation activities, cf. annex 19
- control measures, cf. annex 21
- the benefit-risk ratio, cf. annex 22
- control measures review, cf. annex 23
- the completeness control review, cf. annex 24
- the accompanying documentation, cf. annex 25
- the risk management report, cf. annex 26
- the PMM (post-marketing monitoring) plan, cf. annex 27
- the PMM (post-marketing monitoring) report, cf. annex 28
- the list of collected information, cf. annex 29
- review of the collected information, cf. annex 31
Any incomplete activity in the “Address MD risks” process, such as an unidentified hazard, an unevaluated risk or an ineffective risk control measure, can result in significant harm.
The risk management file is available to all staff.
- the risk management file of each MD is complete
- the risk management file of each MD is up-to-date
- the risk management file allows you to consult the traceability of identified hazards
- the risk management files of certain MDs are not complete
- the risk management files of certain MDs are not up-to-date
- the risk policy is not included in the MD risk management file