请选择 进入手机版 | 继续访问电脑版
查看: 6162|回复: 0

ISO 14971:2019 医疗器械 — 风险管理对医疗器械的应用 — 中...

发表于 2020-5-11 14:07:54 | 显示全部楼层 |阅读模式

Annex A
Rationale for requirements

A.1General 总则
The ISO/TC 210 — IEC/SC 62A Joint Working Group 1 (JWG 1), Application of risk management to medical devices, developed this rationale to document its reasoning for establishing the various requirements contained in this document. Those who make future revisions can use this annex, along with experience gained in the use of this document, to make this document more useful to manufacturers, regulatory bodies and health care providers.

ISO / TC 210 — IEC / SC 62A,风险管理在医疗器械中的应用,联合工作组1(JWG 1)起草了这一要求的基本说明,以文件说明本标准中建立各种要求的理由。未来标准修订者可以使用本附件,结合使用标准时获得的经验,使本标准对制造商,监管机构和医疗卫生保健提供者更有用。

ISO Technical Committee 210 and IEC Subcommittee 62A decided to combine their efforts on risk management and to form JWG 1 with the task to develop a standard for the application of risk management to medical devices. When discussions on an International Standard for risk management began, crucial features of risk management needed to be addressed, such as the process of risk evaluation as well as the balancing of risks and benefits for medical devices. Manufacturers, regulatory bodies, and health care providers had recognised that “absolute safety” in medical devices was not achievable. In addition, the risks that derive from the increasing diversity of medical devices and their applications cannot be completely addressed through product safety standards. The recognition of these facts and the consequent need to manage risks from medical devices throughout their life cycle led to the decision to develop ISO 14971 as a tool to actively improve the safety of medical devices. The first edition of this standard was published in 2000.

ISO技术委员会210和IEC小组委员会62A决定将他们在风险管理方面的努力结合起来,并成立JWG 1,其任务是制定将风险管理应用于医疗器械的标准。当开始讨论有关风险管理的国际标准时,就需要解决风险管理的关键特征,例如风险评估过程以及医疗器械风险与收益的平衡。制造商,监管机构和医疗保健提供者已经认识到医疗器械的“绝对安全性”是无法实现的。此外,医疗产品及其应用日益多样化所带来的风险无法通过产品安全标准完全解决。对这些事实的认识以及随之而来的在医疗器械整个生命周期中管理风险的需求,导致决定开发ISO 14971作为积极提高医疗器械安全性的工具。该标准的第一版于2000年发布。

The second edition of ISO 14971 was developed and published in 2007 to address the need for additional guidance on its application and on the relationship between hazards and hazardous situations. Minor changes were made to the normative section, such as the addition of the requirement  to plan for post-production monitoring and the removal of the requirement for traceability from the   risk management report.

为阐述有关其应用的附加指南危害和危害处境的关系的需要编制和发布2007第二版的ISO 14971,以解决对其应用以及危害与危险状况之间的关系提供额外指导的需求。对正文部分作了较小的更改,如对计划增加了生产后监视的要求,并从风险管理报告中删除了可追溯性要求。

The systematic review in 2010 revealed the need for further guidance on a few specific topics. It was decided to develop the technical report ISO/TR 24971[9], because even a small update of the guidance would necessitate a revision of the standard. The first edition of this report was published in 2013.

关于未来一些特定主题的需求,在2010年进行了系统的评审, 决定制定ISO / TR 24971[9]技术报告,因为即使对指南进行很小的更改也需要对标准进行修订。该报告的第一版于2013年发布。

This third edition was developed to clarify the normative requirements and to describe them in more detail, in particular the clauses on the evaluation of overall residual risk, on  the  risk management review and report and on production and post-production information. The clarifications were deemed necessary in view of requests for explanation in the systematic review of ISO 14971 in 2016 and in view of stricter requirements from regulatory bodies. More emphasis was put on the benefits that are anticipated from the use of the medical device and the balance between the (overall) residual risks and those benefits. It was explained that the process described in ISO 14971 can be applied to all types of hazards and risks associated with a medical device, for example biocompatibility, data and systems security, electricity, moving parts, radiation or usability. Several informative annexes were moved from this document to the guidance in ISO/TR 24971, which was revised in parallel. This allows for more frequent updates of the guidance independent of revising the standard.

第三版的编制旨在阐明规范要求并对其进行更详细地描述,尤其是有关综合剩余风险评估,风险管理评审和报告以及生产及生产后信息的条款。鉴于2016年对ISO 14971进行系评审的解释要求以及监管机构提出的更严格要求,认为需要进行澄清。更加强调了使用医疗器械预期的收益以及(综合)剩余风险与收益之间的平衡。解释说,ISO 1497中描述的过程可以应用于与医疗器械相关的所有类型的危害和风险,例如生物相容性,数据和系统安全性,电力,运动零件,辐射或可用性。几个信息性附录已从本标准中移至ISO / TR 24971中的指南,该指南同时进行了修订。这样可以更频繁地更新指南,而不需要修改标准。
A.2 Rationale for requirements in particular clauses and subclauses
A.2.1 Scope 范围
As explained in the introduction to this document, a risk management standard applying to the life cycle
of medical devices is required. Software as a medical device and in vitro diagnostic medical devices are specifically mentioned in the scope to avoid any misunderstanding that, due to different regulations, these devices might be excluded from this document.


Risks can be present throughout the life cycle of the medical device, and risks that become apparent at one point in the life cycle can be managed by action taken at a completely different point in the life cycle. For this reason, the standard needs to be a complete life cycle standard. This means that the standard instructs manufacturers to apply risk management principles to a medical device from its initial conception until its ultimate decommissioning and disposal.


The process described in ISO 14971 can be applied to hazards and risks associated with the medical device. Risks related to data and systems security are specifically mentioned in the scope, to avoid any misunderstanding that a separate process would be needed to manage security risks related to medical devices. This does not preclude the possibility of developing specific standards, in which specific methods and requirements are provided for the assessment and control of security risks. Such standards can be used in conjunction with ISO 14971, in a similar way as IEC 62366-1[13] for usability, ISO 10993-1[4] for biological evaluation, or IEC 60601-1[12] for electrical and mechanical risks.

ISO 14971中描述的过程可以应用于与医疗器械相关的危害和风险。范围中特别提到了与数据和系统安全性有关的风险,为避免任何误解,即需要单独的流程来管理与医疗器械有关的安全性风险。这并不排除制定特定标准的可能性,用特定方法和要求评估和控制安全风险。此类标准可以与ISO 14971结合使用,类似于IEC 62366-1 [13]可用性评估,ISO 10993-1 [4]生物学评估或IEC 60601-1 [12]电气和机械风险的。

The scope of this document does not include clinical decision making, i.e., decisions on the use of a medical device in the context of a particular clinical procedure. Such decisions require the residual risks to be balanced against the anticipated benefits of the procedure or the risks and anticipated benefits of alternative procedures. Such decisions take into account the intended use, performance and risks associated with the medical device as well as the risks and benefits associated with the clinical procedure or the circumstances of use. Some of these decisions can be made only by a qualified health care professional with knowledge of the state of health of an individual patient and the patient’s own opinion.


The scope of this document also does not include business decision making. Other standards such as ISO 31000[10]  exist for organisational risk management and related topics.

本标准的范围同样不包括商业决策。如其他标准ISO 31000 [10],适用于组织风险管理相关主题。

Although there has been significant debate over what constitutes an acceptable level of risk, this document does not specify acceptability levels. Specifying a universal level for acceptable risk could be inappropriate. This decision is based upon the belief that:


the wide variety of medical devices and situations covered by this document would make a universal level for acceptable risk meaningless;


ocal laws, customs, values and perception of risk are more appropriate for defining risk acceptability for a particular culture or region of the world.

Because not all countries require a quality management system for medical device manufacturers, a quality management system is not a requirement of this document. However, a quality management system is extremely helpful in managing risks properly. Because of this and because most medical device manufacturers do employ a quality management system, this document is constructed so that it can easily be incorporated into the quality management system that they use.


A.2.2 Normative references
No other standards are required in order to establish and maintain a risk management process in accordance with ISO 14971. Clause 15 of ISO/IEC Directives, Part 2:2018, requires standards to include this statement.

根据ISO 14971,无需其他标准即可建立和维护风险管理流程。ISO/ IEC指令第2部分:2018年的第15条要求标准中包括此声明。

A.2.3 Terms and definitions
Most of the definitions used in this document are taken from ISO 9000:2015[3] and ISO/IEC Guide 63:2019[2] which in turn adopted and adapted many of the definitions in ISO/IEC Guide 51:2014[1] and the definitions developed by the Global Harmonization Task Force (GHTF). Some of these definitions have a slightly different meaning in ISO/IEC Guide 63:2019[2] and ISO 14971 than in other standards.

本标准中使用的大多数定义均来自ISO 9000:2015 [3]和ISO / IEC指南63:2019[2]  ,依次采用并改编了ISO / IEC指南51:2014 [1]中的许多定义以及全球协调工作组( GHTF)。其中一些定义在ISO / IEC指南63:2019 [2]和ISO 14971中的含义与其他标准略有不同。

For example, JWG 1 intended the definition of harm (3.3) to have a broad range and to include unreasonable psychological  stress  or  unwanted  pregnancy  as  part  of  “damage  to  the  health of

people”. Such stress can occur after a false positive diagnosis of a disease. “Damage to property and the environment” is undesirable and the associated risks need to be considered as well, for example those related to hazardous waste materials created by the use or disposal of the medical device. The word “physical” is removed from the definition of harm in ISO/IEC Guide 51:2014[1] and thus also in ISO/IEC Guide 63:2019 [2] and this document, because injury by itself already includes physical damage. Breaches of data and systems security can lead to harm, e.g. through loss of data, uncontrolled access to data, corruption or loss of diagnostic information, or corruption of software leading to malfunction of the medical device.

例如,JWG 1打算对伤害(3.3)进行广泛的定义,并将不合理的心理压力或意外怀孕作为“损害人的健康”的一部分。在对疾病进行假阳性诊断后,可能会出现这种压力。应考虑“对财产和环境的损害”相关的风险,例如与因使用或处置医疗器械而产生的危险废物相关的风险。ISO / IEC指南51:2014 [1]中的伤害定义中删除了“物理”一词,因此ISO / IEC指南63:2019 [2]和本标准中也删除了“物理”一词,因为伤害本身已经包括在物理伤害中。违反数据和系统安全性可能导致损害,例如 通过数据丢失,对数据的不受控制的访问,损坏或诊断信息丢失或软件损坏导致医疗器械故障。

The definition of the term intended use (3.6) combines the definition of intended use as used in the United States and intended purpose which is the term in the European Union. These terms have essentially the same definition. It was intended that, when determining the intended use of a medical device, the manufacturer takes into account the intended medical indication, patient population, part of the body or tissue interacted with, user profile, use environment, and operating principle. The definition of life cycle (3.8) was necessary to make it clear that the term as used in this document covers all aspects of the existence of a medical device. The definition for risk management (3.24) emphasises the use of a systematic approach and the need for management oversight. The definition of top management (3.29) uses the definition from ISO 9000:2015[3]. It applies to the person or group at the highest level in the manufacturer’s organization.

“预期用途”(3.6)一词的定义合并了美国使用的 “预期用途”和欧盟中术语中的 “预期目的”。这些术语具有基本相同的定义。在确定医疗器械的预期用途时,制造商应考虑到预期的医疗器械的特征,患者人群,与之互动的身体或组织的一部分,用户资料,使用环境和操作原理。必须明确定义 “生命周期”(3.8),以便本标准中此术语涵盖医疗器械存在的所有方面。风险管理的定义(3.24)强调系统方法的使用和监督管理的的必要性。“最高管理者”(3.29)的定义采用ISO 9000:2015 [3]中的定义。它适用于制造商组织中最高级别的人员或小组。

Three other terms in ISO 14971 are not based on definitions in ISO/IEC Guide 63:2019[2] or in other standards. They are benefit (3.2), post-production (3.12) and risk management file (3.25). The term benefit is defined because of the increased emphasis by regulatory bodies on balancing the (residual) risks against the benefits of the medical device. For the same reason the phrase “benefit-risk analysis” is used. A definition of post-production was added to emphasise that the entire life cycle of the medical device is important for risk management. The concept of a risk management file is now well understood.

ISO 14971中的其他三个术语不是基于ISO / IEC指南63:2019 [2]或其他标准的定义。它们是 “受益”(3.2), “生产后”(3.12)和 “风险管理文档”(3.25)。定义受益是因为监管机构越来越重视平衡(剩余)风险与医疗器械的受益。出于同样的原因,使用了“收益风险分析”一词。增加“生产后”的定义,以强调风险管理对医疗器械全生命周期的重要性。风险管理文件的概念现已广为人知。

A.2.4 General requirements for risk management system
A.2.4.1 Risk management process

The risk management system consists of the elements in 4.1 through 4.5.
The manufacturer needs to establish a risk management process as part of the design and development of a medical device. This is required so that the manufacturer can systematically ensure that the required elements are in the process. Risk analysis, risk evaluation and risk control are commonly recognised as essential parts of risk management. In addition to these elements, this document emphasises that the risk management process does not end with the design and production (including, as relevant, sterilization, packaging, and labelling) of a medical device, but continues on into the post-production phase. Therefore, the collection and review of production and post-production information was identified as a required part of the risk management process. Furthermore, it was felt that when a manufacturer employs a quality management system, the risk management process should be fully integrated into that quality management system.


Although risk management activities are highly individual to the medical device being considered, there are basic elements that need to be included in the risk management process. This need is addressed in 4.1. This subclause also recognises that there can be some differences in regulatory approaches to applying risk management to medical devices.


Subclauses 4.2 and 4.3 closely follow the risk-related requirements of quality management system standards. In some countries a quality management system is always required to market a medical device (unless the medical device is specifically exempted). In other countries manufacturers can choose whether to apply a quality management system. However, the requirements of 4.2 and 4.3 are always needed for an effective risk management process, whether or not the manufacturer operates all the other elements of a quality management system.


A.2.4.2 Management responsibilities
The commitment of top management is critical for an effective risk management process. These individuals are responsible for overall guidance of the risk management process and this subclause is intended to emphasise their role. In particular:


in the absence of adequate resources, risk management activities would be less effective, even if complying, to the letter, with the other requirements of this document;


— risk management is a specialized discipline and requires the involvement of competent individuals trained in risk management techniques (see A.2.4.3);

— because this document does not define acceptable risk levels, top management is required to establish a policy on how acceptable risks will be determined;

risk management is an evolving process and periodic review of the risk management activities is needed to ascertain whether they are being carried out correctly, to rectify any weaknesses, to implement improvements, and to adapt to changes.

A.2.4.3 Competence of personnel
It is most important to get competent people with the knowledge and experience necessary to perform risk management tasks. The risk management process requires people with knowledge and experience in areas such as:

how the medical device is constructed;
how the medical device works;
how the medical device is produced;
how the medical device is actually used;
how to apply the risk management process.


In general, this usually requires several representatives from various functions or disciplines, each contributing their specialist knowledge. The balance and relation between those representatives should be considered.


Records are required to provide objective evidence of competence. In order to avoid duplication and because of confidentiality and data protection considerations, this document does not require these records to be kept in the risk management file.


A.2.4.4 Risk management plan
A risk management plan is required because:
an organized approach is essential for good risk management;
the plan provides the roadmap for risk management;
the plan encourages objectivity and helps prevent essential elements being forgotten. The elements a) to g) of 4.4 are required for the following reasons.

—该计划加强了客观性,并有助于防止遗漏基本要素。由于下列理由,4.4的元素a)至g 要素是需要的。

a)There are two distinct elements in the scope of the plan. The first identifies the medical device, the other identifies the phase of the life cycle for which each element of the plan is applicable. By defining the scope, the manufacturer establishes the baseline on which all the risk management activities are built.


b)Allocation of responsibilities and authorities is needed to ensure that no responsibility is omitted.

c)Review of activities such as risk management is included as a generally recognised responsibility of management.

d)The criteria for risk acceptability are fundamental to risk management and should be decided upon
before risk analysis begins. This helps to make the risk evaluation in Clause 6 objective.

e)After implementing all risk control measures, the manufacturer is required to evaluate the overall impact of all residual risks together. The evaluation method and the criteria for acceptability of the overall residual risk should be decided upon before this evaluation is performed. This helps to make the evaluation of overall residual risk in Clause 8 objective.


f)Verification is an essential activity and is required by 7.2. Planning this activity helps to ensure that essential resources are available when required. If verification is not planned, important parts of the verification could be neglected.


g)Methods for the collection and review of production and post-production information need to be established so that there is a formal and appropriate way to feed back production and post- production information into the risk management process.


The requirement to keep a record of changes is to facilitate audit and review of the risk management process for a particular medical device.

A.2.4.5 Risk management file
This document uses this term to signify where the manufacturer can locate or find the locations of all the records and other documents applicable to risk management. This facilitates the risk management process and enables more efficient auditing to this document. Traceability is necessary to demonstrate that the risk management process has been applied to each identified hazard.


Completeness is very important in risk management. An incomplete task can mean that an identified hazard is not controlled and harm can be the consequence. The problem can result from incompleteness at any step in risk management, e.g. unidentified hazards, risks not assessed, unspecified risk control measures, risk control measures not implemented, or risk control measures that prove ineffective. Traceability is needed to ensure completeness of the risk management process.

在风险管理中,完整性非常重要。一个不完整的工作可能意味着一项已识别的危害未被控制,并且可能会造成伤害。问题可产生于风险管理中任何阶段的不完整,例如 未识别的危害,未评估的风险,未规定的风险控制措施,未实施的风险控制措施或证明无效的风险控制措施。追溯性可以确保风险管理过程的完整性。

A.2.5 Risk analysis

A.2.5.1Risk analysis process
Note 1 of 5.1 describes how to deal with the availability of a risk analysis for a similar medical device. When adequate information already exists, this information can be applied to save time, effort and resources. Users of this document need to be careful, however, to assess systematically the previous work for applicability to the current risk analysis.


The details required by a), b), and c) form the basic minimum data set for ensuring traceability and are important for management reviews and for subsequent audits. The requirement in c) also helps clarify what is in the scope of the analysis and verifies completeness.


A.2.5.2Intended use and reasonably foreseeable misuse

The intended use of the medical device is an important aspect and is the starting point of the risk analysis. This should include the elements listed in the note to 3.6, where appropriate. The manufacturer should also consider the intended user(s) of the medical device, e.g., whether a lay user or a trained medical professional will use the medical device. This analysis should consider that medical devices can also be used in situations other than those intended by the manufacturer and in situations other than those foreseen when the idea for a medical device was first conceived. It is important that the manufacturer tries to look into the future to see the hazards due to potential uses of their medical device and also the reasonably foreseeable misuse.


A.2.5.3 Identification of characteristics related to safety

This step forces the manufacturer to think about all the characteristics that could affect the safety of the medical device. These characteristics can be qualitative or quantitative and can be related to the operating principle of the medical device, its intended use and/or the reasonably foreseeable misuse. Such characteristics can relate to the performance or operating principle of the medical device, the measuring function or the sterility of the medical device, the materials used for parts coming into contact with the patient, the use of radiation for diagnostic or therapeutic purposes, or other. Where applicable, the limits of those characteristics need to be considered as well, because the operation and/or safety of the medical device could be affected when those limits are exceeded.

此步骤迫使制造商考虑可能影响医疗器械安全性的所有特征。这些特征可以是定性的或定量的,并且可以与医疗器械的工作原理、其预期用途和/或合理可预见误用有关。此类特性可能与医疗器械的性能或工作原理,医疗器械的测量功能或无菌性,与患者接触的部位所使用的材料,用于诊断或治疗目的的辐射使用或其他相关 。在适用的情况下,还应考虑这些特性的限制,因为超过这些限制可能会影响医疗器械的操作和/或安全性。

A.2.5.4 Identification of hazards and hazardous situations
This step requires the manufacturer to be systematic in the identification of anticipated hazards in both normal and fault conditions. The identification should be based upon the intended use and reasonably foreseeable misuse identified in 5.2 and the characteristics related to safety identified in  5.3.


A risk can only be assessed and managed once a hazardous situation has been identified. Documenting the reasonably foreseeable sequences of events that can transform a hazard into a hazardous situation allows this to be done systematically. Annex C aims to assist manufacturers in identifying hazards and hazardous situations. Typical hazards are listed and the relationships between hazards, foreseeable sequences of events, hazardous situations and associated possible harm are demonstrated.


A.2.5.5 Risk estimation
This is the final step of risk analysis. The difficulty of this step is that risk estimation is different for every hazardous situation that is under investigation as well as for every medical device. Therefore, this subclause was written generically. Because hazards can occur both when the medical device functions normally and when it malfunctions, one should look closely at both situations. In practice, both components of risk, probability of occurrence and severity of harm, should be analysed separately. When a manufacturer uses a systematic way of categorizing the severity levels or the probability of occurrence of harm, the categorization scheme should be defined and recorded in the risk management file. This enables the manufacturer to treat equivalent risks consistently and serves as evidence that the manufacturer has done so.


Some hazardous situations occur because of systematic faults or sequences of events. There is no consensus on how to calculate the probability of a systematic fault. Where the probability of occurrence of harm cannot be calculated, hazards still have to be addressed and listing resulting hazardous situations separately allows the manufacturer to focus on reducing the risks due to these hazardous situations.


Frequently, good quantitative data are not readily available, especially in development of an entirely new medical device or for security risks. The suggestion that risk estimation should be done only in a quantitative way has therefore been avoided.


A.2.6 Risk evaluation

Decisions have to be made about the acceptability of risk. Manufacturers can use the estimated risks and evaluate them using the criteria for risk acceptability defined in the risk management plan. They can investigate the risks to determine which ones need to be controlled. Clause 6 was carefully worded to allow the user of this document to avoid unnecessary work.


A.2.7 Risk control

A.2.7.1Risk control option analysis

Often there will be more than one way to reduce a risk. There are three mechanisms listed, which are all standard risk reduction measures and are derived from ISO/IEC Guide 63:2019[2]. The priority order listed is important. This principle is found in several places, including IEC TR 60513[11] and local or regional regulations. Inherently safe design and manufacture is the first and most important option in the risk control option analysis, becausedesign solutions inherent to the characteristics of the medical device are likely to remain effective, whereas experience has shown that even well-designed guards and protective measures can fail or be violated and information for safety might not be followed. If practicable, the medical device should be designed and manufactured to be inherently safe. If this is not practicable, then protective measures such as barriers or alarms are appropriate. The third option is to provide information for safety such as a written warning or contra-indication. Training to users can be an important aspect of delivering information for safety. The manufacturer can consider to provide mandatory training for the intended users.

通常,减少降低风险的方法不止一种。有三种途径,都是降低风险措施标准,并且源自于ISO / IEC指南63:2019 [2]。列出的优先顺序很重要。可以在多个地方找到该原理,包括IEC TR 60513 [11]和地方或地区法规。固有安全的设计和制造是风险控制分析方案中的最初和最重要的选项,因为医疗器械特性固有的设计解决方案可能会保持有效,而经验表明,即使设计良好的防护装置和防护措施也可能失败或被违反,及不会遵循安全信息。如果可行,医疗器械的设计和制造应具有固有的安全性。如果这不可行,则应采用防护措施,例如屏障或警报。第三种选择是提供安全信息,例如书面警告或禁忌证。对用户的培训可能是传递安全信息的重要方面。制造商可以考虑为目标用户提供强制性培训。

The manufacturing process can contribute to risks, for example originating from contamination of components, residues of hazardous substances used in the process, or mix-up of parts. Such risks can be controlled by designing the manufacturing process to be inherently safe (e.g. eliminating hazardous substances or using separate production lines) or by applying protective measures (e.g. visual inspection steps in the process).


It is recognised that one possible result of the risk control option analysis could be that there is no practicable way of reducing the risk to acceptable levels according to the pre-established criteria for risk acceptability. For example, it could be impractical to design a life-supporting medical device with such an acceptable residual risk. In this case, a benefit-risk analysis can be carried out as described in 7.4 to determine whether the benefit of the medical device, to the patient, outweighs the residual risk. This option is included at this point in the document to make sure that every effort was first made to reduce risks to the pre-established acceptable levels.


A.2.7.2 Implementation of risk control measures
Two distinct verifications are included. The first verification is required to make sure that the risk control measure has been implemented in the final design of the medical device or in the manufacturing process. The second verification is required to ensure that the risk control measure (including information for safety) as implemented actually reduces the risk. In some instances, a validation study can be used for verifying the effectiveness of the risk control measure.


Obtaining sufficient data and information for risk estimation can be difficult, resulting in uncertainty of the residual risk evaluation. It can therefore be practical for the manufacturer to focus effort on verification of effectiveness of risk control measures to establish a convincing residual risk evaluation. Level of effort should be commensurate with the level of risk. Testing with users might be needed to verify the effectiveness of the risk controls, for example usability testing (see IEC 62366-1[13]), clinical investigation of medical devices (see ISO 141551)[6]) or clinical performance studies for in vitro diagnostic medical devices (see ISO 20916[8]). A usability test can verify effectiveness of information for safety and a test according to a test standard can verify effectiveness of designed risk control measures related to, for example, mechanical strength.

获取足够的数据和信息以进行风险估计可能有困难,从而导致剩余风险评估的不确定性。因此,制造商将通过验证风险控制措施的有效性,以证明剩余风险评估是可行。投入程度应与风险程度相适应。可能需要与用户进行测试以验证风险控制的有效性,例如可用性测试(请参见IEC 62366-1 [13]),医疗器械的临床研究(请参见ISO 141551)[6])或针对以下方面的临床性能研究:体外诊断医疗器械(请参阅ISO 20916 [8])。可用性测试可以验证安全性信息的有效性,而根据测试标准进行的测试可以验证如机械强度有关的设计风险控制措施的有效性。

A.2.7.3 Residual risk evaluation
A check was introduced here to determine whether the implemented risk control measures have made the risk acceptable. If the risk exceeds the acceptability criteria established in the risk management plan, the manufacturer is instructed to investigate additional risk control measures. This iterative procedure should be continued until further risk control is not practicable and the residual risk does not exceed the acceptability criteria established in the risk management plan.

A.2.7.4 Benefit-risk analysis
There can be particular hazardous situations for which the risk exceeds the manufacturer’s criteria for risk acceptability. This subclause enables the manufacturer to provide a high-risk medical device for which they have done a careful evaluation and can show that the benefit of the medical device   outweighs the risk. However, this subclause cannot be used to weigh residual risks against economic advantages or business advantages (i.e. for business decision making).


1) Under preparation. Stage at the time of publication ISO/FDIS 14155:2019.
ISO / FDIS 14155:2019发布时的阶段在准备之中。

A.2.7.5 Risks arising from risk control measures
This subclause recognises that risk control measures alone or in combination might introduce a new and sometimes quite different hazard, and that risk control measures introduced to reduce one risk might increase another risk.


A.2.7.6 Completeness of risk control
At this point, the risks of all the hazardous situations should have been evaluated. This check was introduced to ensure that no hazardous situations were left out in the intricacies of a complex risk analysis.


A.2.8 Evaluation of overall residual risk
During the process defined by Clauses 5 to 7, manufacturers identify hazards and hazardous situations, evaluate the risks, and implement risk control measures in their medical device design one at a time. This is the point where the manufacturer has to step back, consider the combined impact of all individual residual risks, and make a decision as to whether to proceed with the medical device. It is possible that the overall residual risk exceeds the manufacturer’s criteria for risk acceptability, even though individual residual risks do not. This is particularly true for complex systems and medical devices with a large number of risks. The method to evaluate the overall residual risk as defined in the risk management plan includes balancing the overall residual risk against the benefits of the medical device. This is particularly relevant in determining whether a high-risk, but highly beneficial, medical device should be marketed.


The manufacturer is responsible for providing users with relevant information on significant residual risks, so that they can make informed decisions on the use of the medical device. Thus, manufacturers are instructed to include pertinent information on residual risks in the accompanying documentation. However, it is the manufacturer’s decision as to what and how much information should be provided. This requirement is consistent with the approach taken in many countries and regions.


A.2.9 Risk management review
The risk management review is an important step before the commercial release of the medical device. The final results of the risk management process, as obtained by executing the risk management plan, are reviewed. The risk management report contains the results of this review and is a crucial part of the risk management file. The report serves as the high-level document that provides evidence that the manufacturer has ensured that the risk management plan has been satisfactorily fulfilled and the results confirm that the required objective has been achieved. Subsequent reviews of the execution of the risk management plan and updates of the risk management report can be needed during the life cycle of the medical device, as a result of the execution of production and post-production activities.


A.2.10 Production and post-production activities

It cannot be emphasized too often that risk management does not stop when a medical device goes into production. Risk management often begins with an idea, before there is any physical manifestation of the medical device. Manufacturers collect information from many sources, including experience with similar medical devices and technologies. Risk estimation is refined throughout the design process and can be made more accurate when a functioning prototype is built. However, no amount of modelling can substitute for an actual medical device in the hands of actual users.


Therefore, the manufacturer needs to collect and review production and post-production information and evaluate its relevance to safety. The information can relate to new hazards or hazardous situations, and/or can affect their risk estimates or the balance between benefit and overall residual risk. Either can impact the manufacturer’s risk management decisions. The manufacturer should also take into account considerations of the generally acknowledged state of the art, including new or revised standards. When the information is determined to be relevant to safety, the risk management process requires that it be considered as an input for modification of the medical device, and also as an input to improve the process itself. With effective production and post-production activities, the risk management process truly becomes an iterative closed-loop process to ensure the continued safety of the medical device.


In reply to feedback and requests for additional guidance and in response to changing regulatory requirements, the requirements for production and post-production activities are elaborated in more detail in this third edition. The clause is divided into subclauses. More sources of information are listed, including information on the generally acknowledged state of the art and feedback from the supply chain. The latter includes suppliers of components or subsystems, and also third-party software. The possible need for actions regarding medical devices already on the market is made more explicit. The conditions under which follow-up actions need to be considered, are extended with changes in the state of the art that can be relevant to safety, such as alternative medical devices and/or therapies becoming available on the market, as well as changes in risk perception or risk acceptability.


Annex B

Risk management process for medical devices

B.1Correspondence between second and third editions
The numbering of clauses and subclauses has changed with this third edition of ISO 14971. Table B.1 provides the correspondence between clauses and subclauses in the second edition ISO 14971:2007 and those in the third edition ISO 14971:2019. This table is provided to assist users of this document in transitioning from the second to the third edition and to facilitate updating of references to ISO 14971 in other documents.

在ISO 14971的此第三版中,条款和子条款的编号发生了变化。表B.1提供了第二版ISO 14971:2007和第三版ISO 14971:2019中条款和子条款之间的对应关系。提供此表是为了帮助本标准的用户从第二版过渡到第三版,并有助于更新其他文档中对ISO 14971的引用。

Table B.1 — Correspondence between elements of ISO 14971:2007 and ISO 14971:2019 ISO 14971:2007和ISO 14971:2019的要素之间的对应关系

B.2 Risk management process overview

Figure B.1 is provided to give the user of this document an overview of the risk management process. It is for illustrative purposes only. As indicated in Figure B.1, the process needs to be iterative, covering each risk in turn, and returning to earlier steps if risk control measures introduce new hazards or hazardous situations, or if new information becomes available.

Figure B.1 — Overview of risk management activities as applied to medical devices

Annex C

Fundamental risk concepts

C.1 General 总则
This document requires the manufacturer to compile a list of known and foreseeable hazards associated with the medical device in both normal and fault conditions and to consider the foreseeable sequences of events that can produce hazardous situations and harm. According to the definitions, a hazard cannot result in harm until such time as a sequence of events or other circumstances (including normal use) lead to a hazardous situation. At this point, the risk can be assessed by estimating both severity and probability of occurrence of harm that could result (see Figure C.1). The probability of occurrence of harm can be expressed as a combination of separate probabilities (P1, P2) or as a single probability (P). A decomposition into P1 and P2 is not mandatory.


Probabilities (P1, P2) or as a single probability (P).
A decomposition into P1 and P2 is not mandatory.

NOTE 1Depending on the complexity of the medical device, a hazard can lead to multiple hazardous situations, and each hazardous situation can lead to multiple harms.

注1 根据医疗器械的复杂程度,危害可能导致多种危害处境,每种危害处境都可能导致多种伤害。

NOTE 2The probability of occurrence of harm (P) can be composed of separate P1 and P2   values.

注2 伤害发生的概率(P)可以由单独的P1和P2值组成。

NOTE 3The thin arrows represent elements of risk analysis and the thick arrows depict how a hazard
can lead to harm

注3 细箭头表示风险分析的元素,粗箭头表示危险的程度可能导致伤害

Figure C.1 — Pictorial example of the relationship between hazard, sequence of events,
hazardous situation and harm (from ISO/IEC Guide 63:2019[2])

图C.1 —危害,事件顺序,危险情况和危害(摘自ISO / IEC指南63:2019 [2])

A good starting point for this compilation is  a  review  of  experience  with  the  same  and  similar types of medical devices. The review should take into account a manufacturer’s own experience and, where appropriate, the experience of other manufacturers as reported in adverse event databases, publications, scientific literature and other available sources. This type of review is particularly useful for the identification and listing of typical hazards and hazardous situations for a medical device and the associated harm that can occur. Next, this listing and aids such as the list of examples in Table C.1 can be used to compile an initial list of hazards.


It is then possible to begin identification of some of the sequences of events that together with hazards could result in hazardous situations and harm. Since many hazards might never result in harm and can be eliminated from further consideration, it could be useful to perform this analysis by starting with the harm that the medical device might cause and work backwards to the hazardous situations, hazards and initiating causes. However, although this approach is useful for the reason described, it should be recognised that it is not a thorough analysis. Many sequences of events will only be identified by the systematic use of risk analysis techniques (such as those described in ISO/TR 24971[9]). Analysis and identification are further complicated by the many events and circumstances that have to be taken into consideration such as those listed in Table C.2. Thus, more than one risk analysis technique, and especially complementary techniques, are often used to complete a comprehensive analysis. Table C.3 provides examples of the relationship between hazards, sequences of events, hazardous situations, and harm.

识别某些事件序列,以及这些事件序列与危害可能导致危害情况和伤害。由于许多危害可能永远不会造成伤害,而且可以不再考虑,因此从医疗器械可能造成的危害开始进行分析,并将其推向危害处境,危害和始发原因,尽管上述方法有用,但应该认识到,这不是一个全面的分析。只有通过系统地使用风险分析技术(例如,ISO / TR 24971 [9]中所述的那些技术),才能识别出许多事件序列。由于必须考虑许多事件和情况,例如表C.2中列出的事件和情况,使得分析和识别更加复杂。因此,经常使用一种以上的风险分析技术,尤其是补充技术来完成全面的分析。表C.3提供了危害,事件顺序,危害情况和危害之间处境关系的示例。

Although compilation of the lists  of  hazards,  hazardous  situations  and  sequences of events should be completed as early as possible in the design and development process to facilitate risk control, in practice identification and compilation is an ongoing activity that continues throughout the life cycle of the medical device through post-production to disposal.


This annex provides a non-exhaustive list of possible hazards that can be associated with different medical devices (Table C.1) and a list of events and circumstances (Table C.2) that can result in hazardous situations, which can result in harm. Table C.3 provides examples in a logical progression of how a hazard can be transformed into a hazardous situation and produce harm by a sequence of events or circumstances.


Recognising how hazards  progress  to  hazardous  situations  is  critical for  estimating the  probability of occurrence and severity of harm that could result. An objective of the process is to compile a comprehensive set of hazardous situations. The identification of hazards and sequences of events are stepping stones to achieve this. The lists in the tables in this annex can be used to aid in the identification of hazardous situations. What is called a hazard needs to be determined by the manufacturer to suit the particular analysis.


C.2Examples of hazards
The list in Table C.1 can be used to assist in the identification of hazards associated with a particular
medical device, which could ultimately result in harm.

Table C.1 — Examples of hazards

C.3 Examples of events and circumstances
In order to identify foreseeable sequences of events, it is often useful to consider events and circumstances that can cause them. Table C.2 provides examples of events and circumstances, organized into general categories. Although the list is certainly not exhaustive, it is intended to demonstrate the many different types of events and circumstances that need to be taken into account to identify the foreseeable sequences of events for a medical device.


Table C.2 — Examples of events and circumstances

Table C.2 (continued)

C.4 Examples of relationships between hazards, foreseeable sequences of events, hazardous situations and the harm that can occur.

Table C.3 illustrates the relationship between hazards, foreseeable sequences of events, hazardous situations and harm for some simplified examples. Remember that one hazard can result in more than one harm and that more than one sequence of events can give rise to a hazardous situation.


The decision on what constitutes a hazardous situation needs to be made to suit the particular analysis being carried out. In some circumstances it can be useful to describe a cover being left off a high voltage terminal as a hazardous situation, in other circumstances the hazardous situation can be more usefully described as when a person is in contact with the high voltage terminal.


Table C.3 — Relationship between hazards, foreseeable sequences of events, hazardous situations and the harm that can occur

Bibliography 参考文献

[1]ISO/IEC Guide 51:2014, Safety aspects — Guidelines for their inclusion in standards
ISO / IEC指南51:2014,安全方面-纳入标准的指南
[2]ISO/IEC Guide 63:2019, Guide to the development and inclusion of aspects of safety in international standards for medical devices
ISO / IEC指南63:2019,安全性方面的开发和纳入医疗器械国际标准的指南
[3]ISO 9000:2015, Quality management systems — Fundamentals and vocabulary
ISO 9000:2015,质量管理体系-基本原理和词汇
[4]ISO 10993-1, Biological evaluation of medical devices — Part 1: Evaluation and testing within a risk management process
ISO 10993-1,医疗器械的生物评估-第1部分:风险管理过程中的评估和测试
[5]ISO 13485:2016, Medical devices — Quality management systems — Requirements for   regulatory purposes
ISO 13485:2016,医疗器械-质量管理体系-法规要求
[6]ISO 14155, Clinical investigation of medical devices for human subjects — Good clinical practice
ISO 14155,人体医疗器械的临床研究-良好的临床实践
[7]ISO 18113-1:2009, In vitro diagnostic medical devices — Information supplied by the manufacturer (labelling) — Part 1: Terms, definitions and general requirements
ISO 18113-1:2009,体外诊断医疗器械-制造商提供的信息(标签)-第1部分:术语,定义和一般要求
[8]ISO 20916, In vitro diagnostic medical devices — Clinical performance studies using specimens from human subjects — Good study practice
ISO 20916,体外诊断医疗器械-使用人类受试者的标本进行临床性能研究-良好的研究实践
[9]ISO/TR 24971, Medical devices — Guidance on the application of ISO 14971
ISO / TR 24971,医疗器械-ISO 14971应用指南
[10]ISO 31000, Risk management — Guidelines
ISO 31000,风险管理-准则
[11]IEC/TR 60513, Fundamental aspects of safety standards for medical electrical equipment
IEC / TR 60513,医用电气设备安全标准的基本方面
[12]IEC 60601-1, Medical electrical equipment — Part 1: General requirements for basic safety and essential performance IEC 60601-1,医疗电气设备-第1部分:基本安全性和基本性能的一般要求
Price based on 36 pages
© ISO 2019 – All rights reserved


您需要 登录 才可以下载或查看,没有帐号?立即注册


使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册


快速回复 返回顶部 返回列表