1、Published in November 2007 by Canadian Standards AssociationA not-for-profit private sector organization5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N61-800-463-6727 416-747-4044Visit our Online Store at www.ShopCSA.caCSA Special PublicationPLUS 14971The ISO 14971:2007 essentials
2、A practical handbook for implementing the ISO 14971 Standard for medical deviceshe ISO 15189:2003 essentialsConsulting editorial team:Alfred M. Dolan (Senior editor)Oliver ChristStan Mastrangelo Charles SidebottomCanadian Standards Association (CSA)Technical Editor: David ZimmermanThe consulting edi
3、torial team would like to thank the editorial and production staff of CSA.Published byCanadian Standards Association5060 Spectrum Way, Suite 100Mississauga, Ontario, CanadaL4W 5N6To purchase CSA Standards and related publications, visit CSAs Online Store at www.ShopCSA.ca or call toll-free 1-800-463
4、-6727 or 416-747-4044.ISBN 978-1-55436-540-1 Canadian Standards Association 2007All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission of the publisher. ISO material is reprinted with permission. Canadian Standards Association The ISO 1
5、4971:2007 essentialsNovember 2007 iiiContentsPreface ivLayout of this Handbook vIntroduction viPLUS 14971, The ISO 14971:2007 essentials A practical handbook for implementing the ISO 14971 Standard for medical devices 1Scope 1General requirements for risk management 4Risk analysis 29Risk evaluation
6、40Risk control 42Evaluation of overall residual risk acceptability 54Risk management report 56Production and post-production information 60AnnexesA List of key Standards and documents 65B Glossary of key terms and definitions 70C Overview of risk management process for medical devices 81D List of an
7、nexes in ISO 14971:2007 82E Contacts 83Tables1 Example of a simple 5 5 risk matrix 212 Example of a simple 5 5 risk matrix applying the ALARP principle 22Figures1 Stages of the risk management process x2 Sample timeline for the development of a risk management implementation project xiiPLUS 14971 Ca
8、nadian Standards Associationiv November 2007PrefaceThis is the second edition of PLUS 14971, The ISO 14971:2007 essentials A practical handbook for implementing the ISO 14971 Standard for medical devices. It supersedes the previous edition published in 2003.The primary objective of this Handbook is
9、to provide both novice and experienced risk management practitioners with a concise, user-friendly guide to understanding and implementing the requirements of ISO 14971:2007. The second edition of ISO 14971, Medical devices Application of risk management to medical devices, was published in March 20
10、07. Three preliminary sections in the Introduction of the Handbook lay the groundwork for understanding a risk management system (RMS), as follows:a) The General section outlines the background of the ISO 14971 family of Standards and describes the development of these medical device Standards.b) Th
11、e Key concepts section describes the basic concepts of a risk management system.c) The section entitled “An implementation path” suggests an approach for the effective application of ISO 14971 within an organization and discusses conformity assessments by third-party registration bodies (registrars)
12、.November 2007Notes: (1) Use of the singular does not exclude the plural (and vice versa) when the sense allows.(2) Although the intended primary application of this Special Publication is stated in the Preface, it is important to note that it remains the responsibility of the users of the Special P
13、ublication to judge its suitability for their particular purpose.(3) All enquiries regarding this Special Publication should be addressed to Canadian Standards Association, 5060 Spectrum Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6. Canadian Standards Association The ISO 14971:2007 essential
14、sNovember 2007 vLayout of this HandbookThe following layout applies to Clauses 3 through 9 of this Handbook, which correspond to and elaborate on Clauses 3 through 9 of ISO 14971:2007.This section provides guidance on the risk management requirements of ISO 14971:2007.This section lists audit questi
15、ons that are typically asked by third parties.This section provides diagnostic questions to consider when preparing risk management system documentation.This section refers the user to relevant definitions, to relevant clauses in the annexes in ISO 14971, or to other publications.This text box conta
16、ins the actual text of the risk management requirements contained in Clauses 3 through 9 of ISO 14971:2007.This text box contains the changes in the text of the risk management requirements that were introduced in the 2007 edition of ISO 14971.PLUS 14971 Canadian Standards Associationvi November 200
17、7IntroductionGeneralSince its publication in 2000, ISO 14971 has become a global Standard for organizations of all types and sizes to follow in implementing and operating a risk management system (RMS) for medical devices.Approved unanimously by the International Organization for Standardization (IS
18、O), the International Electrotechnical Commission (IEC), the European Committee for the Coordination of Standards (CEN), and the European Committee for Electrotechnical Standardization (CENELEC), ISO 14971 provides manufacturers of medical devices with internationally accepted requirements for an RM
19、S that can be used throughout the life cycle of these products.ISO 14971 evolved from a family of Standards that began with ISO 14971-1:1998, Risk Analysis. Based on EN 1441, Medical devices Risk analysis, ISO 14971-1 was intended to be the first in a series covering the risk management process. As
20、it became apparent, however, that risk management would be an integral part of several regulatory jurisdictions in the world, including Europe, it was no longer useful or necessary to have a separate Standard for risk analysis. Accordingly, ISO 14971-1 was withdrawn when ISO 14971:2000 was published
21、. In Europe, ISO 14971:2000 superseded EN 1441, and EN 1441 was withdrawn on April 1, 2004.ISO 14971:2007 is the second edition of this successful Standard. There are no substantive changes in the normative requirements, but more information has been provided in the annexes. Manufacturers that have
22、implemented ISO 14971:2000 will find that few changes in their risk management system are necessary to meet ISO 14971:2007 requirements.Key conceptsInvolvement of top managementThe need for “leadership” is expressed in Clause 3.2 of ISO 14971, which deals with management responsibility and emphasize
23、s that management must assume certain responsibilities. Canadian Standards Association The ISO 14971:2007 essentialsNovember 2007 viiFurthermore, commitment cannot be limited to signing reports or signing a risk acceptability policy. Clause 3.2 specifies that top management must demonstrate commitme
24、nt to the RMS and its continual improvement byestablishing the risk management process;establishing the policy for determining risk acceptability;ensuring that risk management objectives are established;ensuring the availability of resources;ensuring the assignment of trained personnel;conducting ma
25、nagement reviews; andensuring the continued suitability and effectiveness of the RMS.Top managements commitment emphasizes that the RMS is an integral part of an organizations management systems, requiring a level of attention equivalent to that given to other management systems. Accordingly, integr
26、ation with the other systems, such as financial or personnel systems, must be effectively managed. ISO 14971 specifies the characteristics, such as personnel qualifications and record keeping, that must be in place for an effective risk management system.Management by factsThe factual approach to ma
27、king decisions related to risk management is evident throughout ISO 14971, but it is addressed directly in Clause 3.4, Risk management plan; Clause 3.5, Risk management file; and Clause 9, Production and post-production information. These clauses require that risk management objectives and methods b
28、e set for all relevant risk management functions within the organization that are related to the device, and that these objectives be measurable and recorded. The risk management file is where all the data are collected that will enable the effective management of the system. Such management relies
29、on the collection of factual data from various sources, such as the measurement and monitoring of similar products and processes, trends in technology, customer satisfaction, and user feedback, and the analysis of these data to provide useful information for decision making. The risk management file
30、 will also be available for revisiting the risk management process and pertinent device information after the release of the device. Other clauses specify what, where, and how factual data and information are to be collected. Clause 3.2, for example, requires an organization to evaluate the effectiv
31、eness of the risk management activities undertaken.The requirement to base decisions on factual data is not limited to top management performing management reviews. Measurable objectives are to be determined at every level of the organization. Data must be PLUS 14971 Canadian Standards Associationvi
32、ii November 2007collected on products and processes, and the analysis of data must provide useful information for factual decision making at all levels and for all appropriate functions of the organization. Risk management charts or other methods of recording and communicating this data are essentia
33、l for any organization. Examples of some of these tools are provided in the annexes of ISO 14971.Conceptual overview of ISO 14971The conception of ISO 14971 is similar to that of ISO 9001, Quality Management Systems Requirements. In both, the initial and key requirement for successful implementation
34、 of a system (which, in the case of ISO 14971, is risk management) is identified as management responsibility. Management is required toestablish a particular risk management system;provide appropriate personnel to carry out the process;identify the risk management team;establish a process for deter
35、mining acceptable risk levels; andreview the process on a regular basis.Furthermore, a risk management plan for each device must be developed in accordance with the above risk management process. A critical component of the plan includes setting the level of acceptable risk for the device, based on
36、the approved corporate process for setting that level. The plan will describe how each element of the risk management process is to be achieved for the device.The risk management process includes risk analysis, risk evaluation, risk control, and ongoing monitoring of the risk management process (pro
37、duction and post-production information).ISO 14971:2007 provides a number of informative annexes (significantly expanded since the first edition), which provide information helpful in the implementation of this process.Records provide the information on which effective management of risk is based. T
38、he required records are generated at various stages of the process, beginning with analysis and continuing through the evaluation and control stages of the process. Records can be incorporated and controlled as part of an existing record system of a quality management system. Canadian Standards Asso
39、ciation The ISO 14971:2007 essentialsNovember 2007 ixInternational risk management Standards typically require monitoring of the RMS. In ISO 14971, this requirement is part of a larger requirement pertaining to the generation of post-market information. This step involves incorporating information g
40、enerated during in-service experience into a feedback process. This information is useful in the review of the effectiveness of the risk control measures and serves as a source of information for future risk management plans. It also can be used as a basis for modification of the risk analysis or ev
41、aluation. At first glance, it might appear that the criteria presented in ISO 14971 is arranged in order of descending importance, or in terms of the position of the criteria in decision/information flow or the life cycle of the product. In reality, the clause numbering is not related to any of thes
42、e concepts. Instead, ISO 14971 addresses seven equally essential elements in Clauses 3 to 9. These clauses can be grouped as shown in Figure 1.PLUS 14971 Canadian Standards Associationx November 2007Figure 1Stages of the risk management processEnterprise risk managementThere has been a significant i
43、ncrease in the establishment of risk management as an enterprise management system. Enterprise risk management defines “risk” as the probability of meeting objectives. Enterprise risk may be positive or negative. Positive risk refers to opportunity, while negative risk refers to impediments to meeti
44、ng objectives. ISO 14971 employs concepts that are similar to those used in managing the enterprise risks associated with finance, the environment, capital projects, etc. Risk management tools such as failure mode and effect analysis (FMEA) and fault trees are useful to personnel working in enterpri
45、se risk management. Enterprise risk management systems serve as part of the enterprise management system and are specifically aimed at Management leadershipand involvementClauses 3.1, 3.2, 3.3, and 3.4Risk managementsystem supportClauses 3.5 and 8Risk managementprocess and controlClauses 4, 5, 6, an
46、d 7Process and productmonitoringClauses 3.2 and 9 Canadian Standards Association The ISO 14971:2007 essentialsNovember 2007 ximinimizing risk to the enterprise. ISO 14971 is specifically intended for manufacturers of medical devices to meet product safety and health requirements. The ISO 14971 proce
47、ss should operate independently from the enterprise risk management process. Because enterprise risk management and ISO 14971 risk management processes have different purposes, different objectives, separate socio-legal requirements, and different criteria for qualification of personnel, these proce
48、sses should remain separate. Maintaining these systems separately will facilitate documentation that clearly demonstrates that product safety and health decisions are made and justified based on appropriate criteria. This documentation must show that product health and safety decisions are not overr
49、idden by a firms need to make a profit, pay expenses, or acquire resources.An implementation pathManagement decision and commitmentTop management leadership and involvement are essential in the strategic planning, project planning, and implementation of a risk management system within an organization. A business plan (or equivalent) should be developed at the outset that meets the organizations strategy anddefines the purpose of implementing ISO 14971;defines the objectives and constraints;defines the project deliverables in the process;i
