Management: A Closer Look: Understanding Risk Management for Medical Device Manufacturers
A requirement forces manufacturers to establish a formal process for dealing with risk management and focuses on how manufacturers can produce safer products.
But how does the Third Edition of IEC 60601-1 work with the ISO 1991 standard and what does it mean for the medical device industry?
With the release of the new Third Edition 60601-1, compliance with ISO 14971 also is now required for product certification. The Third Edition 60601-1 series of standards consists of the following: ANSI/AAMI ES60601-1: 2005; CAN/CSA-C22.2 No. 60601-1: 2008; CENELEC EN 60601-1: 2006; IEC 60601-1: 2005.
Decoding it All
For certification of products, both the ISO 14971: 2000 and the ISO 14971: 2007 standards need to be considered. The FDA and Medical Device Directive require that the risk management is completed to ISO 14971: 2007. However, for the CB Scheme certification, only certain clauses are required to be met in the ISO 14971: 2000 standard. These clauses include 3.3 a, 3.5 e, and 4 to 7. All of these clauses are documented in the test report form for the CB Certification.
But what about certification to ISO 13485? Certification to ISO 13485 does not demonstrate compliance to the requirements of ISO 14971.
Risk: What Does it Really Mean?
In the Third Edition 60601-1 series of standards the word risk appears more than 600 times. Risk management appears more than 200 times, and risk management file appears more than 100 times. Translation: This standard is taking a more risk-based approach, but many medical products in Europe still need to comply with the Third Edition deadline of June 1, 2012.
So how does a manufacturer move forward in applying both the requirements of the Third Edition 60601-1 series of standards and ISO 14971 to certify their product? Let’s investigate how the different clauses of 60601-1 use the tools of ISO 14971 for showing compliance with the requirements.
In the 60601-1 standard clause 4.2 is what drives the requirements for ISO 14971. The clause states “The Risk Management Process complying with ISO 14971 shall be performed.” Therefore, certification of a product without a compliant risk management process will not occur.
The following three requirements need to be met to compliance with the requirement:
The manufacturer shall establish a risk management process.
The manufacturer shall establish acceptable levels of risk.
The manufacturer shall demonstrate that the residual risk is acceptable based on the requirements in the manufacturers risk management policy.
The entire risk management file must be submitted when the product is sent to a third-party laboratory for certification. A risk management policy statement is required to be completed from top management, which includes the following information:
Criteria for risk acceptability.
Applicable national and regional regulations.
Relevant international standards.
Any information that could affect risks in the product, state of the art, stakeholder concerns.
This policy statement can be a general statement that covers all products in the organization or can be created for all individual projects in the organization.
The Need for Essential Performance
Essential performance is not new to the Third Edition, it is more defined-the performance necessary to achieve freedom from unacceptable risk. Essential performance in the Third Edition is a requirement for compliance.
Essential performance functions could lead to an unacceptable risk. The IEC 60601-1 Third Edition standard also notes that “essential performance exists when the feature or function in question is either absent or its characteristics are degraded to a point that the ME equipment is no longer suitable for its intended use.”
A simplified way of determining essential performance is to use the risk management tools and run all the performance functions of the product through risk assessment. Any performance functions that are determined to be acceptable risks can now be classified as performance functions. The remaining functions are what the standard is referring to as essential performance. Some examples of essential performance functions are diagnostic functions, surgical functions, alarms and the performance functions in the particular standards for medical products.
Expected Service Life, Equivalent Safety for Equipment
Third Edition 60601-1 in Clause 4.4 introduces the concept of expected service life. The definition from the standard “maximum period of useful life as defined by the manufacturer” needs to be declared in the risk management file. This expected service life is then used as a tool to determine compliance with additional clauses in the standard.
Clause 4.5 “Equivalent Safety for ME Equipment or ME Systems” allows for risk management to show an alternate method for complying with a requirement in the standard. For example, on mobile products there is a requirement in the standard that the product must pass over a 20-millimeter high threshold. To pass the test, the mobile product wheels will need to be larger than designed so that the product can pass over the threshold, but with larger wheels the product cannot function as intended. By applying the tools of risk management, the manufacturer can justify equivalent means of safety to show an alternate method than what is in the standard is an acceptable risk.
Risk management in the Third Edition 60601-1 plays a role in how third-party testing companies will conduct certain tests of the product. For example, in the Second Edition 60601-1, Clause 44.3 covers the spillage test which was conducted by spilling 200 milliliters of tap water at a distance of 5 centimeters for 15 seconds on the top of the product.
The Third Edition 60601-1 Clause 11.6.3 takes a different approach of using risk management to determine the requirements of the spillage test. Through risk management, the manufacturer can determine the type of liquid, volume, duration of spill and the location of the spill that the testing partner will be when conducting compliance testing.
Third Edition 60601-1 uses ISO 14971 techniques in a variety of ways to better assist in the certification of product requirements. Specifically, there are requirements for outright compliance to the requirements of ISO 14971. In addition, the clause requires that the tools of ISO 14971 are used to determine key functions of the product required to demonstrate compliance with the requirements, and the clause requires that the tools of ISO 14971 are used to determine the test methodology that the third-party testing company will use to conduct the test.
Both the FDA in the United States and the Medical Device Directive in the European Union have made risk management compliance for ISO 14971 a requirement.
Certification of a product without a compliant risk management process will not occur.
The entire risk management file must be submitted when the product is sent to a third-party laboratory for certification.