REGULATORY OUTLOOK

Do We Need Medical Device Risk Management Certification?

Harvey Rudolph
Underwriters Laboratories Inc.

November 1, 2003

Originally Published MDDI November 2003

A popular catchphrase these days is risk management. It is being used by regulators worldwide, as well as by standards developers and others whose business is the safety and effectiveness of medical devices. Perhaps the popularity of the term shouldn't come as much of a surprise, given the ever-growing need to provide safer and more-effective devices to the marketplace.

Because of the regulatory need, the International Organization for Standardization (ISO) TC 210 Working Group 4 was formed to create a medical device risk management standard. Later, a joint working group of the International Electrotechnical Commission (IEC) and ISO was formed to ensure that the regulatory standard also met the needs of standards writers (in this case, the writers of IEC 60601). That joint working group expended a great deal of effort between 1996 and 2000 to establish a risk management standard for medical devices.

That standard is ISO 14971, and it has become widely accepted by both regulators and standards developers.1 The standard received a unanimous positive vote in both the IEC and the ISO when it was circulated as a final draft international standard—an extremely rare event. ISO 14971 is harmonized in Europe (where it also received a unanimous positive vote in both the European Committee for Standardization [CEN] and the European Committee for Electrotechnical Standardization [CENELEC]), recognized in the United States, and will become a Japanese Industrial Standard. Thus, ISO 14971 is widely recognized by regulators as a standard appropriate for risk management.

The joint working group is currently at work to develop a second edition of ISO 14971, to be released in 2005, which will better enable manufacturers to establish a comprehensive risk management system. Why all this effort? Why do you, as a manufacturer, need risk management? This article will try to answer that question. It will also provide some arguments for why having your risk management system certified or registered by a competent third party is an appropriate next step.

What Drives Risk Management?

Why do we need risk management? There are a number of drivers for manufacturers to establish a risk management system.
Not the least of these are the regulators. Their mandate is to ensure that safe devices are used in their jurisdictions. They see risk management as requiring manufacturers to do the upfront analysis necessary to put safe devices on the market, and to ensure that any unsafe or problematic devices that do reach the market are promptly identified and efficiently corrected.

The regulators in the major world markets (the European Union, North America, and Japan) all require risk management. They may not all express an explicit regulatory requirement, but each component of risk management is individually present in the regional laws and regulations by which manufacturers must abide.

In the United States, for example, the quality system regulation (QSR) states that “design validation shall include software validation and risk analysis, where appropriate.”2 Risk analysis is only a small part of risk management, but if you talk to FDA compliance staff, they will point out that the QSR's preamble, which has the same force as the regulation, also states the following.

Manufacturers are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by appropriate means.

Thus the preamble to the QSR adds requirements for risk evaluation and risk control to the mix. In addition, the QSR requires manufacturers to establish a corrective and preventive action (CAPA) system and to analyze and follow up on complaints. Taken together, these mandates match up fairly well with the components of risk management identified in ISO 14971 and listed in Table I.

Table I. Elements of a risk management system.

It should be noted that FDA's use of the term risk analysis encompasses much more than the term usually denotes. The following directive is in the quality systems inspection techniques (QSIT) guide.3

When conducting risk analysis, firms are expected to identify possible hazards associated with the design in both normal and fault conditions. The risks associated with those hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is deemed unacceptable, it should be reduced to acceptable levels by the appropriate means, for example by redesign or warnings. An important part of risk analysis is ensuring that changes made to eliminate or minimize hazards do not introduce new hazards.

Note that the last sentence parallels a similar requirement in ISO 14971, clause 6.6.

As further evidence of the need for risk management to meet U.S. regulations, FDA guidance documents also rely heavily on risk management. The sidebar on page 47 provides a partial list of such guidance documents. FDA reviewers expect you to provide the results of risk management activities as part of your premarket submissions to FDA. This is probably not an accident, as a risk management system is perfectly aligned with the total life cycle approach currently espoused by FDA senior managers.

Canadian Regulation. In Canada, Section 10 of the Canadian medical devices law states that manufacturers must

• Identify risks.
• Eliminate or reduce risks.
• Protect and provide information on remaining risks.
• Minimize potential failures.4

Manufacturers must also correct defects found in the field. Again, Canadian law contains requirements for all of the elements of a risk management system.

European Regulation. In the European Union, the situation is similar. Although risk analysis is not a specific requirement in any of the medical device directives, the essential requirements state that manufacturers must

• Eliminate or reduce risks as far as possible with inherently safe design and construction.
• Where appropriate, take adequate protective measures, including alarms if necessary, in relation to risks that cannot be eliminated.
• Inform users of the residual risks due to any shortcomings of the protection measures adopted.5,6

This is a statement on risk control, but a risk analysis is always required for establishing conformity to the essential requirements, too. A copy must be maintained in the technical file.

The manufacturer is also required to establish procedures to review postproduction experience and apply protective action. The combination of these three requirements, along with the requirement for balancing risks and benefits, suggests the need for a risk management system.

Thus, it is not surprising that one impetus for the development of ISO 14971 was the need for a harmonized standard on risk management in the European Union. Note that manufacturers must have a risk management system in place even if they do not need a notified body to help them apply the CE mark.

Japanese Regulation. In Japan, the regulators are much more direct than in North America or the European Union. ISO 14971 is currently being translated into a Japanese Industrial Standard and soon will be a standard for satisfying the country's essential requirements for medical devices established under the new Pharmaceutical Affairs Law—a mandatory requirement for manufacturers who wish to market there. 

Standards Developers. The need to comply with standards, whether for market access or market acceptance, is also a driver for risk management. As noted above, the Joint Working Group on Risk Management was formed to ensure that ISO 14971 would meet the needs of IEC 60601.

Table II. Standards referencing ISO 14971.

But ISO 14971 is also identified in a number of other standards as either a normative (“shall”) or informative (“should”) reference, particularly on the international scene. Table II provides a short list of generally applicable existing and draft standards that would have manufacturers adhere to ISO 14971 to establish conformity.

Although most of the standards listed are for electromedical devices, makers of other devices should not ignore ISO 14971. This standard satisfies the needs of ISO 10993-17, and IEC 60601-1-8 will contain a normative reference to ISO 14971 when it is modified by a joint IEC and ISO working group to apply to all devices.

Other Possible Drivers. Are there other drivers for implementing a risk management system? Although the evidence for other drivers is not as compelling, there are arguments for other driving forces.

One possible driver is the underwriter for a manufacturer's liability insurance. Underwriters emphasize loss prevention activities as a mechanism for reducing insurance payouts. Companies that institute such mechanisms may be able to get reduced premiums for their coverage or, for that matter, better coverage.

A risk management system can be viewed as a basic activity in loss prevention for several reasons.

• It forces the manufacturer to look beyond the labeled indications for the device and to assess how the device might be used or misused.
• It establishes a feedback mechanism whereby failures are analyzed to improve products.
• It enforces a state-of-the-art approach to analyzing and reducing risks.

One could posit then that insurance underwriters could be potential drivers.

What about the courts? A constant worry of manufacturers is the possibility of a large punitive damages award should their device be implicated in a death or injury.

Would a functioning risk management system demonstrate to the court that the manufacturer had indeed used state-of-the-art technology in providing safe devices? Presumably, for reasons similar to those mentioned above, a manufacturer could mount a defense demonstrating that all due care and diligence was taken in designing and testing the device, in further assessing postmarket risks, and in promptly and effectively following up on “unavoidable” device failures. Although a manufacturer might not avoid direct damages, one would hope that punitive damages might be greatly reduced or eliminated if risk management was ardently practiced. Note that the courts may not act as a separate driver from the insurance underwriters, since the latter are probably inextricably related to the litigation climate in which the medical device companies exist.

Should You Conform to ISO 14971?

The regulators in the major device markets require you to do risk management. Should you conform to ISO 14971, then? Let's look at the United States first.

Remember that all of the elements of risk management are contained in the QSR or are stated in the preamble to the final rule. Further, the QSIT guide tells the FDA inspector to look for these same elements.

Currently, inspectors are trained in risk management, and ISO 14971 forms an integral part of that training. Thus, it appears that practicing risk management and conforming to ISO 14971 would provide the inspector with the information he or she needs, which would therefore benefit the manufacturer.

On the premarket side, ISO 14971 is recognized by FDA and can be used to satisfy risk management needs in submissions to the agency. For example, in a special 510(k), the manufacturer must describe its risk analysis process and include it in the FDA submission. If a manufacturer declares conformity to ISO 14971 for the risk analysis, the special 510(k) can be reduced to one or two pages since all that is needed is a short summary of the results.

Further, for all of the guidance documents listed in the sidebar (and others relying on risk management), a declaration of conformity to ISO 14971 could similarly greatly reduce the volume of paper submitted to FDA.

In the European Union, conforming to ISO 14971 is the evidence that a notified body will look for (and accept) to meet the risk management elements contained in the directives. Although it is not necessary for the manufacturer to conform to a harmonized standard, the use of a harmonized standard is evidence that the notified body must accept.

Finally, ISO 14971 is going to be a Japanese Industrial Standard. This means that it will be a de facto requirement for the Japanese device market. Thus, manufacturers should conclude from the regulatory requirements of the three major device markets that they would be well advised to conform to ISO 14971.

In a sense, the standards writers require conformity to ISO 14971 as well, since it is so intimately involved in claiming conformity to a large number of standards already developed or under development. So conforming to ISO 14971 may be essential for manufacturers that use standards to help establish device safety.

What about the other drivers for risk management that I mentioned earlier? While it is true that the evidence given for the other driving forces for risk management—that is, insurance underwriters and the courts—may not be as strong as regulations and standards, they probably exist to some extent. The question is whether conforming to ISO 14971 would help satisfy these stakeholders regarding device safety. Remember that ISO 14971 is the only risk management standard for devices. It received no negative votes on balloting and is the choice of three significant regulatory bodies. Shouldn't this mean that conforming to ISO 14971 will have significant, favorable impact on a manufacturer's interactions with insurance underwriters and the courts? Although the vagaries of these groups cannot be predicted with certainty, one would hope so.

Should a Risk-Management Registration or Certification System be Developed?

It is clear that manufacturers must practice risk management and that they are driven to conform to the standard. Before addressing the question of certification, however, there are a few things manufacturers can do to help themselves conform to ISO 14971.

If the executives and staff are not very familiar with the standard, there are several workshops and seminars available, including some taught by the developers of the standards themselves. These meetings can prove useful in acclimating staff to a device risk management approach and in applying the standard to their business. In addition, the organization might consider hiring a risk management consultant to help guide it in implementing risk management, particularly as part of the quality system. Once a company has begun to implement a risk management system according to ISO 14971, it may want to avail itself of an independent risk management expert to assess how the risk management system stacks up against ISO 14971—a procedure known as gap analysis.

Does this mean that a manufacturer must obtain certification (by an independent third party) to show that it conforms to ISO 14971? The answer is no. However, more and more individuals will be scrutinizing risk management systems to assess whether businesses do indeed conform. These include

• The FDA inspector, especially if conformity to ISO 14971 has been claimed.
• The notified body auditor.
• Third-party certifiers or auditors, if certification to standards like those listed in the sidebar is necessary.
• Insurers or lawyers who might be looking for evidence of state-of-the-art risk management.
• Any other person who might not accept a self-declaration of conformity at face value.

The traditional way of satisfying such scrutiny is to have an independent third party certify conformity. Like many other standards, ISO 14971 has compliance statements for each requirement that can be used by risk management experts to assess conformity. Independent third-party certification should be sufficient evidence to establish conformity for those institutions or individuals who require such proof.

While in most cases third-party certification will be sufficient, certification does have drawbacks. Risk management is not just a set of objective requirements; it is a way of conducting business, not unlike a quality management system. Although ISO 14971 does not require that a quality management system be in place, it is much easier to practice risk management within the context of a quality management system. In fact, ISO 14971 contains numerous informative references to a quality management system and to how the various risk management documents may be included in the quality management system records. Like a quality management system, a risk management system can, over time, drift from the standard on which it is based.

The solution for a quality management system is to have the system registered with an accredited registrar. This means that the third-party auditor looks at the system over time, performing surveillance audits and periodic reregistrations to ensure that the system remains stable and is in conformance with the standard. One could argue that a manufacturer might want to have its risk management system registered to ISO 14971 to assure itself—and all of the stakeholders in its proper performance of risk management—that its risk management system is stable and performing optimally.

A number of forces drive manufacturers to practice risk management, and the risk management system of choice is that defined by ISO 14971. It is preferable that manufacturers who are not familiar with risk management or with ISO 14971 seek help in implementing such a system.

The original question posed in the title is not really answerable. There are reasons why a manufacturer might desire certification or even registration of its risk management system by an independent third party, but the key term here is desire. No requirements for risk management certification or registration exist. However, as more and more of those who have a stake in the manufacturer's well-functioning risk management system look closer at the evidence the manufacturer can provide, desire may turn into need.

1. ANSI/AAMI/ISO 14971:2000, Medical Devices—Application of Risk Management to Medical Devices (Arlington, VA: AAMI, 2000).
2. Code of Federal Regulations, 21 CFR Part 820.
3. FDA, Guidance on Inspections of Quality Systems (Rockville, MD: FDA, 1999).
4. Health Canada, Acts & Regulations for Medical Devices [on-line] (Ottawa, ON, Canada: Justice Canada, 1998); http://laws.justice.gc.ca/en/f-27/sor-98-282/text.html
5. The Council of the European Communities, Amendments to the European Medical Device Directive MDD 93/42/EEC [on-line] (Gare, Luxembourg: Office for Official Publications of the European Communities, 1998); http://europa.eu.int/eur-lex/en/consleg/pdf/1993/en_1993L0042_do_001.pdf
6. The Council of the European Communities, Directive 98/79/EC of the European Parliament and of the Council on in vitro Diagnostic Medical Devices [on-line] (Gare, Luxembourg: Office for Official Publications of the European Communities, 1998); http://europa.eu.int/eur-lex/pri/en/oj/dat/1998/l_331/l_33119981207en00010037.pdf

Copyright ©2003 Medical Device & Diagnostic Industry