Risk management is a necessary step in developing a wide range of software systems. But in no area is it more important to get right than when developing software as a medical device (SaMD). In this world, it isn’t just necessary that your product be low risk in order to ensure customer satisfaction. Risks need to be minimized for the health and safety of your user. A good risk management plan can literally mean the difference between life and death when designing SaMD.
Luckily, an international standard exists to help software companies develop medical tech using a framework of risk analysis, control, and review. Of course, I am talking about ISO 14971. If you are unfamiliar with this standard, this article is for you.
Below, we will look at what ISO 14971 is and how it helps companies implement risk management procedures through design, development, and beyond to ensure a product that delivers the most benefit while minimizing risk. We’ll also discuss some challenges in implementing this ISO and how your company can best overcome these.
What Is ISO 14971?
ISO 14971 is a document put forth by the International Organization for Standardization. Specifically, 14971 is a nine-part standard that focuses on creating a framework for risk analysis, evaluation, control, and review. Included within the guideline is a procedure for reviewing and monitoring risk both during and after production.
Like other ISO standards, this document is not issued by a regulatory body, and following it does not by itself constitute compliance or government approval. However, EN ISO 14971:2012 is harmonized with the European Medical Device Directives and allows presumption of conformity to the Directives. Meanwhile, ISO 14971:2019 has been granted Recognized Consensus Standard status by the FDA and has been adopted as the standard of evaluation by most regulating bodies worldwide.
But the benefits of following this standard go beyond achieving compliance. To understand why this ISO is so vital, we first need to define risk and look at the role risk analysis plays in the development of medical software.
What Is Risk?
Risk, in general terms, refers to the likelihood of something negative happening. For SaMD, as defined by ISO 14971 and the FDA, risk is the combination of the probability of harm occurring and the severity of that harm if it does occur.
When looking at medical software, such as an insulin pump and its connected phone app, it is easy to see how uncontrolled risk could quickly lead to devastating harm to the user. This risk could arise from bugs within the software or from poorly tested design controls that make it too easy for the user to trigger the wrong action.
Risk management solutions, such as those presented by ISO 14971, are intended to help software developers identify, evaluate, and mitigate risks throughout the production process, and to continue risk reduction in post-production, after the product has reached the market.
How Does This Standard Reduce SaMD Risk?
ISO 14971 accomplishes risk reduction by assisting developers of medical devices in four ways:
- First, it helps identify hazards associated with the software or medical device.
- Second, it helps estimate and evaluate the risks associated with those hazards.
- Third, it provides guidelines for controlling the risks.
- Fourth, it offers instruction on how to monitor the effectiveness of the applied controls.
It is important to note that this standard does not specify acceptable risk levels. Those must be set by the developer in accordance with internal evaluation and government regulations. In order to use these guidelines effectively, objective risk acceptability criteria must be defined before the process is applied, weighing each risk against the product's intended benefits.
Risk management is an inherent part of an effective quality management system (QMS). However, this standard does not itself establish a QMS or require that the company have one in place. For guidelines on how to implement a QMS for SaMD development in order to align with government regulations, please refer to our article on ISO 13485.
The Benefits of Using This Standard to Develop SaMD
There are many benefits to using ISO 14971 to develop your medical device software. The most obvious of these is that it allows you to stay in compliance with global regulations, which allows for easy approval when the time comes.
The FDA, the EU Competent Authorities, Japan's MHLW, Health Canada, and Australia's TGA all require companies to have a defined risk management process and associated documentation. Following the 14971 guidelines from day one ensures these requirements are met, since this standard is recognized by each of these agencies.
Beyond regulatory compliance, ISO 14971 can be vital for helping companies create a complete and achievable plan for predicting, assessing, and managing risk. The documentation provides a thorough explanation of relevant terms associated with building, integrating, and following a risk management process.
The process set forth by 14971 works with your existing design controls to ensure they are effective at minimizing risk. While the two components are separate, and the latter is not defined within the standard, they inherently work together to produce a product that is safe to use. Effective design controls cannot be built without risk management, which tests those controls from a different perspective. Likewise, risk management depends on design controls to implement the risk controls needed to manage the risks it uncovers.
All this is to say that ISO 14971 is vital to reducing risk for all stakeholders, including manufacturers and end users. By implementing the standard from day one of the planning process, you can ensure your SaMD is compliant with applicable regulations and is built in a way that evaluates and reduces risks at every turn. This ensures your product goes to market with minimal risk and maximum benefit.
The Challenges of Implementing ISO 14971
Having a complete and effective process for implementing risk management would seem like something that could only benefit a software company. Unfortunately, there are many ways we have seen medical technology developers misuse or misinterpret ISO 14971 to the point that its existence becomes more of a hindrance than anything.
Too often, we see companies wait too long to implement the risk management processes defined by this standard. The mindset is: well, we already have the process written up; we will put it into practice once development is up and running. This is not the way the process was meant to be used, and it is certainly not the way to assure compliance from day one. In order for 14971 to be effective, it needs to be a part of your planning and development process from the beginning.
A similar but opposite problem we see far too often is that companies fail to continue the risk management process through the product's entire lifecycle. ISO 14971 is meant to be implemented early and continued through post-production. This is vital for addressing user complaints and noncompliance issues as they arise. Risks do not stop existing once the software is developed, so the risk management process should not stop either.
Lastly, and perhaps the most costly mistake we see companies make when implementing ISO 14971, is the failure to adopt a risk-based mindset. With a completed risk management process to fall back on, it is far too easy for developers to treat the standard as a sort of risk checklist. In this way, ISO 14971 exists in parallel with your software, with boxes being checked as progress is made. This is in contrast to how the process is truly meant to be implemented: with risk being the driving factor behind that progress. When you approach and grow the product from a risk-based mindset, you purge risks and failures holistically as you progress rather than allowing them to exist below the surface and grow into systemic flaws.
Implementing Risk Management Processes with Help
ISO 14971 is a comprehensive guide for implementing risk management processes to design and develop your medical device software. Using these guidelines early on and continuing to put them into practice after your product goes to market will help you meet compliance guidelines and continue to mitigate risk for a safe product. However, doing this effectively requires experience and an in-depth understanding of the industry.
To avoid many of the mistakes developers and manufacturers make when implementing ISO 14971, it is worth partnering with a software development company with experience in executing risk management techniques. Here at Sequenex, we have an in-depth knowledge of ISO 14971 and know how to implement these processes to streamline development, fast-track approval, and create a safe and effective product that will benefit the user while minimizing risk from day one.