September 11, 2020 – Reading time: 9 minutes
In December 2019, the ISO organization has released the 3rd edition of the ISO 14971 for application of risk management to medical devices which includes all aspects of functional safety. Still we have observed that due to the on the surface minor changes many development projects do not respond accordingly to this change and treat the 2019 edition just like the predecessor from 2012. To understand why a new edition has been defined despite that few changes, let us take a closer look at these changes:
Expansion of scope to functionality instead of terminology of systems
It is now clearly stated that the ISO14971 can also be applied to products that are not necessarily medical devices in some jurisdictions and can also be used by others involved in the medical device life cycle. Here the new ISO closes a gap that could lead to scenarios, where subsystems used in a medical context were not covered by ISO 14971.
Cybersecurity included into Scope of ISO 14971
A central aspect of the update is the clarification of the scope of risk management for a medical device. This is not only related to biocompatibility (e.g. preventing tissue rejection) but also to data and systems security, electricity, moving parts and usability. Especially the introduction of the term “data and system security” clearly incorporates the growing field of Cybersecurity into the scope of the ISO 14971 to temporarily fill the gap, that for medical devices no Security norm (like e.g. the ISO/SAE 21434 for automotive) has been released, but Security is still covered by guidance documents of the FDA, IEC 60601 and efforts by private organizations e.g. TIR57, released by the Association for the Advancement of Medical instrumentation (AAMI).
As the ISO 14971 is still no harmonized standard one may speculate that this step is especially in Germany of high importance, as “Sicherheit” does mean safety as well as security, making it easier to focus on the first and already more convenient meaning. We are very curios, whether this will appear as well in a harmonized EN ISO 14971-2020 or -2021 (has any schedule remained unaffected by COVID-19…?).
Definitions of terms
Furthermore, the terms benefit, reasonably foreseeable misuse and state of the art have newly been defined:
- the term benefit reflects the importance for making risk-benefit decisions, as benefits and risks will both need to be evaluated relative to the standard of care. The benefits may broadly extend to public health, not just an individual patient.
- The term reasonably foreseeable misuse requires an understanding of the intended use of a medical device and its usage by patients and providers.
- The term state of the art requires to define and document a policy for risk acceptability based on national and regional regulations and International Standards.
- However the clear statement that risk is not only severity times the likelihood of an injurious hazard (as seen so many times) has been moved to ISO 24971.
Further changes that were made aim to clarify and simplify requirements and to make the risk management process more effective. For instance, new requirements have been defined for the risk management plan, such as a method for the evaluation of the overall residual risk and the criteria for its acceptability or a risk management review.
In our opinion the ISO 14971-2019 was a necessary interim step to bridge the situation, that still no widely accepted standard for Cybersecurity in medical devices has been released. The redefinitions of scope and some terms are helpful however do not really justify the release of a new edition instead of a revised version of the ISO 14971-2012, the clear inclusion of security aspects – be it only as an indication – clearly does.
If you have any further questions or challenges in this topic, we’re looking forward to discussing them with you. With our expertise in Functional Safety as well as Security and Systems Engineering of Medical Devices, we are pretty sure to be able to answer almost all questions that could arise – and if not, we tell you immediately.