By Steve A. McRoberts
AT A GLANCE
- Risk management standards
- What’s new
- What’s changed
- Risk management solution
- Eliminate or reduce risks as far as possible (inherent safe design)
- Where appropriate take adequate protective measures
- Inform users of residual risks
US regulations also incorporate risk management. The preamble to the final rule of the Quality System Regulations states that “Manufacturers shall identify possible hazards associated with the design in both normal and fault conditions . . . If any risk is judged unacceptable, it should be reduced to acceptable levels . . .” Thus, it is clear that the FDA also expects manufacturers to apply risk management.
The problem many manufacturers faced before the publication of ISO 14971 was satisfying the requirements of the regulations in a meaningful and systematic way. ISO 14971 established clear definitions for the many terms that had been included in these regulations and also a simple but effective methodology for applying risk management.
Furthermore, the latest edition of ISO 13485:2003, which has become the de facto standard for medical device quality management systems, contains a requirement for a risk management process to be developed. Developers of medical software will already be extremely familiar with the requirements of risk management, which is used extensively in the development of such software.
Many manufacturers have found it difficult to know whether they truly conform to the requirements of the ISO 14971 standard. Although notified bodies or quality system registrars may have evaluated them to ISO 13485, the risk management requirements of ISO 13485 do not necessarily match up with ISO 14971. The risk management contained in ISO 14971 is much more extensive than the risk management requirements of ISO 13485.
Risk Management Registration
UL is launching a new Risk Management Registration program for manufacturers to enable them to meet the risk management requirements of the third edition of IEC 60601-1. Manufacturers will be able to have their systems assessed to the requirements of ISO 14971 by independent and objective risk management auditors from UL. This registration will enable manufacturers to demonstrate that they meet the requirements of the third edition of IEC 60601-1 and to take advantage of the many benefits of fully implementing an ISO 14971 risk management system. This new service can be combined with UL’s medical device Quality Management System assessments (to ISO 13485:2003) and regulatory assessments such as those for CE marking, and for Canadian licensure (CMDCAS).
In December 2005, the long-awaited third edition of IEC 60601-1 was published by the International Electrotechnical Commission (IEC). Previously, the second edition of IEC 60601-1, as well as its five collateral (horizontal) standards and nearly 50 particular standards for specific types of medical equipment, were the principal standards for the safety of medical electrical equipment. Regulatory bodies and test laboratories around the world universally accepted these standards. The third edition of the standard integrates risk management throughout all of the clauses and sections of the standards. In addition, the third edition requires manufacturers to have in place a risk management process that conforms to ISO 14971.
Furthermore, the scope of the new standard is expanded to include not only basic safety but also essential performance. Essential performance is defined by the manufacturer using its risk management process. Hence, it will be impossible to comply with the requirements of IEC 60601-1 and gain valued certification without having a fully documented risk management system in place.
In conclusion, the traditional world of testing and certification of medical equipment will be forever coupled with risk management, ISO 14971, and on-site audit of the effective implementation of a manufacturer’s risk management system. Does this make conformance with the standard more stringent? While there are new basic risks and requirements such as insulation coordination in the third edition of IEC 60601-1, risk management makes the application of the standard more flexible. One of the most obvious ways is the requirement to use risk management to determine whether a lesser degree of insulation (creepage, clearance distances, and dielectric strength) is acceptable for parts that can only be contacted by the operator than for those parts that can be brought into contact with the patient. The second edition of IEC 60601-1 made little distinction in that regard.
This is not the only place where risk management is mentioned in the new standard. In fact, it is mentioned over 100 times throughout the new standard. Every clause and every requirement is subject to a risk management process. Is this different from what we did before? Test laboratories and manufacturers could always determine the applicability of a particular clause using the alternative construction clause 3.4, but the third edition of IEC 60601-1 requires manufacturers to have a clear methodology and basis for challenging the applicability of a particular clause. This methodology is the use of a risk management process conforming to ISO 14971.
ONLINE
For additional information on the technologies and products discussed in this article, see Medical Design Technology online at www.mdtmag.com or Underwriters Laboratories Inc. at www.ul.com.
Steve A. McRoberts is the global principal engineer for medical regulatory programs at Underwriters Laboratories Inc. (UL), 333 Pfingsten Rd., Northbrook, IL 60062. His responsibilities include the program development and technical expertise for UL’s medical regulatory programs including FDA 510(k) and inspection programs, CMDCAS (Canada) and European MDD, and IVDD Notified Bodies. Steve has been a participant in the IEC working groups for the development of risk management aspects of IEC 60601, third edition. He can be reached at +44-1259-215161 or Steve.A.Mcroberts@uk.ul.com.