ISO 14971:2019(E)

INTERNATIONAL STANDARD ISO 14971
Third edition, 2019-12

Medical devices — Application of risk management to medical devices
Dispositifs médicaux — Application de la gestion des risques aux dispositifs médicaux

Reference number ISO 14971:2019(E)
© ISO 2019

COPYRIGHT PROTECTED DOCUMENT

© ISO 2019. All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.

ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: [email protected]
Website: www.iso.org
Published in Switzerland

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
  4.1 Risk management process
  4.2 Management responsibilities
  4.3 Competence of personnel
  4.4 Risk management plan
  4.5 Risk management file
5 Risk analysis
  5.1 Risk analysis process
  5.2 Intended use and reasonably foreseeable misuse
  5.3 Identification of characteristics related to safety
  5.4 Identification of hazards and hazardous situations
  5.5 Risk estimation
6 Risk evaluation
7 Risk control
  7.1 Risk control option analysis
  7.2 Implementation of risk control measures
  7.3 Residual risk evaluation
  7.4 Benefit-risk analysis
  7.5 Risks arising from risk control measures
  7.6 Completeness of risk control
8 Evaluation of overall residual risk
9 Risk management review
10 Production and post-production activities
  10.1 General
  10.2 Information collection
  10.3 Information review
  10.4 Actions
Annex A (informative) Rationale for requirements
Annex B (informative) Risk management process for medical devices
Annex C (informative) Fundamental risk concepts
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/).

Recommended publications
  • Senior Data Engineer Cala Health, Inc
    875 Mahler Road, Ste. 168 Burlingame, CA, 94010 +1 415-890-3961 www.calahealth.com Job Description: Senior Data Engineer Cala Health, Inc. About Cala Health Cala Health is a bioelectronic medicine company transforming the standard of care for chronic disease. The company's wearable neuromodulation therapies merge innovations in neuroscience and technology to deliver individualized peripheral nerve stimulation. Cala Health’s lead product, Cala Trio™, is the only non-invasive prescription therapy for essential tremor and is now available through a unique digital business model of direct-to-patient solutions. New therapies are under development in neurology, cardiology, and psychiatry. The company is headquartered in the San Francisco Bay Area and backed by leading investors in both healthcare and technology. For more information, visit CalaHealth.com. The Opportunity We are looking for a Senior Data Engineer to expedite our Data Platform Stack to support our growth and also enable new product development in a dynamic, fast-paced startup environment. Specific Responsibilities also include
    ● Key stakeholder in influencing the roadmap of Cala’s Digital Therapeutics Data Platform.
    ● Build, operate and maintain highly scalable and reliable data pipelines to enable data collection from Cala wearables, partner systems, EMR systems and 3rd party clinical sources.
    ● Enable analysis and generation of insights from structured and unstructured data.
    ● Build Datawarehouse solutions that provide end-to-end management and traceability of patient longitudinal data, enable and optimize internal processes and product features.
    ● Implement processes and systems to monitor data quality, ensuring production data is always accurate and available for key stakeholders and business processes that depend on it.
  • Software Assurance
    Software Security Assurance: State-of-the-Art Report (SOAR), July 31, 2007. Information Assurance Technology Analysis Center (IATAC) and Data and Analysis Center for Software (DACS). Joint endeavor by IATAC with DACS. Distribution Statement A: Approved for public release; distribution is unlimited. IATAC Authors: Karen Mercedes Goertzel, Theodore Winograd, Holly Lynne McKinley, Lyndon Oh, Michael Colon. DACS Authors: Thomas McGibbon, Elaine Fedchak, Robert Vienneau. Coordinating Editor: Karen Mercedes Goertzel. Copy Editors: Margo Goldman, Linda Billard, Carolyn Quinn. Creative Directors: Christina P. McNemar, K. Ahnie Jenkins. Art Director, Cover, and Book Design: Don Rowe. Production: Brad Whitford. Illustrations: Dustin Hurt, Brad Whitford. About the Authors: Karen Mercedes Goertzel, Information Assurance Technology Analysis Center (IATAC). Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
  • MDCG 2019-16
    Medical Device Coordination Group Document MDCG 2019-16. Guidance on Cybersecurity for medical devices, December 2019. This document has been endorsed by the Medical Device Coordination Group (MDCG) established by Article 103 of Regulation (EU) 2017/745. The MDCG is composed of representatives of all Member States and it is chaired by a representative of the European Commission. The document is not a European Commission document and it cannot be regarded as reflecting the official position of the European Commission. Any views expressed in this document are not legally binding and only the Court of Justice of the European Union can give binding interpretations of Union law. Table of Contents: 1. Introduction; 1.1. Background; 1.2. Objectives; 1.3. Cybersecurity Requirements included in Annex I of the Medical Devices Regulations; 1.4. Other Cybersecurity Requirements; 1.5. Abbreviations
  • BSI Medical Devices: Webinar Q&A
    BSI Medical Devices: Webinar Q&A. ISO 14971:2019 Risk Management for Medical Devices, 13 November 2019.
    Q. Should EN ISO 14971:2012 be used to demonstrate continued compliance to the ERs or GSPRs or use the 2019 revision of the standard?
    A. A manufacturer must demonstrate compliance to the applicable legislation. Harmonization of a standard allows for a presumption of conformity to the applicable legislation where the standard is applied and the manufacturer considers the Qualifying remarks/Notes in Annex Z. Additional clarification has been made available from the European Commission, whereby it is now considered that the recent editions of standards published by standardizers reflect the state of the art, regardless of its referencing in the OJEU and therefore the ISO 14971:2019 version represents the state of the art for the Medical Device Directives and Regulation. This update is welcomed as it provides clarity for industry and ensures manufacturers need only to comply with a single version of a standard. It is anticipated the 2019 revision will be harmonized to the Regulations.
    Q. From the Date of Application of the MDR and IVDR will the technical documentation for existing Directive certificates be required to be updated to the 2019 revision of the standard, considering the transitional provisions of MDR Article 120 and IVDR Article 110?
    A. A manufacturer must demonstrate compliance to the applicable legislation.
  • A Reference Architecture for Secure Medical Devices Steven Harp, Todd Carpenter, and John Hatcliff
    FEATURE © Copyright AAMI 2018. Single user license only. Copying, networking, and distribution prohibited. A Reference Architecture for Secure Medical Devices. Steven Harp, Todd Carpenter, and John Hatcliff.
    About the authors: Steven Harp is a distinguished engineer at Adventium Labs in Minneapolis, MN. Email: steven.[email protected] Todd Carpenter is chief engineer at Adventium Labs in Minneapolis, MN. Email: todd.carpenter@adventiumlabs.com John Hatcliff, PhD, is a distinguished professor at Kansas State University in Manhattan, KS. Email: [email protected]
    Abstract: We propose a reference architecture aimed at supporting the safety and security of medical devices. The ISOSCELES (Intrinsically Secure, Open, and Safe Cyber-Physically Enabled, Life-Critical Essential Services) architecture is justified by a collection of design principles that leverage recent advances in software component isolation based on hypervisor and other separation technologies. The instantiation of the architecture for particular medical devices is supported by a development process based on Architecture Analysis and Design Language. The architecture models support safety and security analysis as part of a broader risk management framework.
    and users cannot assume that medical devices will operate in a benign security environment. Any device that is capable of connecting to a network or physically exposes any sort of data port is potentially at risk. How should we think about and manage risk in this context? This question has been explored extensively [3,4]. Special publications from the National Institute of Standards and Technology (e.g., 800-39) provide a conceptual risk management framework [5,6]. AAMI TIR57 [7] describes how security risk management can be integrated with safety risk management (e.g., as addressed in ISO 14971 and specifically for medical devices in IEC
  • FI-STAR Deliverable D1.1 Has Already Discussed Legal Requirements Related to Data Security Breach Notifications
    Ref. Ares(2014)706091 - 13/03/2014
    Deliverable D2.1: Standardisation and Certification requirements
    Editor: Franck Le Gall, easy global markets
    Deliverable nature: Report (R)
    Dissemination level (Confidentiality): Public (PU)
    Contractual delivery date: Dec. 2013
    Actual delivery date: Jan. 2014
    Suggested readers:
    Version: 1.1
    Total number of pages: 74
    Keywords: Standardisation, certification
    Abstract: This document details the technical requirements resulting from existing standards and prepares future certification process.
    FI-STAR FP7-ICT-604691 D1.2 Standardisation and Certification requirements
    Disclaimer: This document contains material, which is the copyright of certain FI-STAR consortium parties, and may not be reproduced or copied without permission. All FI-STAR consortium parties have agreed to full publication of this document. The commercial use of any information contained in this document may require a license from the proprietor of that information. Neither the FI-STAR consortium as a whole, nor a certain part of the FI-STAR consortium, warrant that the information contained in this document is capable of use, nor that use of the information is free from risk, accepting no liability for loss or damage suffered by any person using this information. This project has received funding from the European Union’s Seventh Framework Programme for research, technological development and demonstration under grant agreement no 604691.
    Impressum [Full project title] Future Internet Social and Technological Alignment Research [Short project
  • Medical Device Cyber Security – Best Practice Guide
    Integrating the Healthcare Enterprise. IHE Patient Care Device (PCD) White Paper. Medical Equipment Management (MEM): Medical Device Cyber Security – Best Practice Guide. Published Revision 1.1. Date: October 14, 2015. Author: IHE PCD Technical Committee. Email: [email protected] Please verify you have the most recent version of this document. See here for Published versions and here for Public Comment versions. Copyright © 2015: IHE International, Inc. Foreword: This white paper is published on October 14, 2015. Comments are invited and can be submitted at http://www.ihe.net/PCD_Public_Comments/. General information about IHE can be found at: www.ihe.net. Information about the IHE Patient Care Device domain can be found at: ihe.net/IHE_Domains. Information about the organization of IHE Technical Frameworks and Supplements and the process used to create them can be found at: http://ihe.net/IHE_Process and http://ihe.net/Profiles. The current version of the IHE Patient Care Device Technical Framework can be found at: http://www.ihe.net/Technical_Frameworks.
  • Postmarket Management of Cybersecurity in Medical Devices
    Contains Nonbinding Recommendations. Postmarket Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. Document issued on December 28, 2016. The draft of this document was issued on January 22, 2016. For questions regarding this document, contact Suzanne Schwartz, Center for Devices and Radiological Health, Food and Drug Administration, 10903 New Hampshire Ave., Bldg. 66, rm. 5434, Silver Spring, MD 20993-0002, 301-796-6937. For questions regarding this document as applied to devices regulated by CBER, contact the Office of Communication, Outreach and Development in CBER at 1-800-835-4709 or 240-402-8010 or [email protected]. U.S. Department of Health and Human Services, Food and Drug Administration, Center for Devices and Radiological Health, Office of the Center Director, Center for Biologics Evaluation and Research. Preface. Public Comment: You may submit electronic comments and suggestions at any time for Agency consideration to http://www.regulations.gov. Submit written comments to the Division of Dockets Management, Food and Drug Administration, 5630 Fishers Lane, Room 1061, (HFA-305), Rockville, MD 20852. Identify all comments with the docket number FDA-2015-D-5105. Comments may not be acted upon by the Agency until the document is next revised or updated. Additional Copies. CDRH: Additional copies are available from the Internet. You may also send an e-mail request to [email protected] to receive an electronic copy of the guidance. Please use the document number 1400044 to identify the guidance you are requesting. CBER: Additional copies are available from the Center for Biologics Evaluation and Research (CBER), by written request, Office of Communication, Outreach, and Development (OCOD), 10903 New Hampshire Ave., Bldg.
  • 510(K) for a Software Change to An
    Contains Nonbinding Recommendations. Draft – Not for Implementation. Deciding When to Submit a 510(k) for a Software Change to an Existing Device. Draft Guidance for Industry and Food and Drug Administration Staff. DRAFT GUIDANCE. This draft guidance document is being distributed for comment purposes only. Document issued on August 8, 2016. You should submit comments and suggestions regarding this draft document within 90 days of publication in the Federal Register of the notice announcing the availability of the draft guidance. Submit electronic comments to http://www.regulations.gov. Submit written comments to the Division of Dockets Management (HFA-305), Food and Drug Administration, 5630 Fishers Lane, rm. 1061, Rockville, MD 20852. Identify all comments with the docket number listed in the notice of availability that publishes in the Federal Register. For questions about this document, contact (CDRH) Linda Ricci, Office of Device Evaluation, 301-796-6325, [email protected]. For questions about this document regarding CBER-regulated devices, contact the Office of Communication, Outreach and Development (OCOD), by calling 1-800-835-4709 or 240-402-8010. U.S. Department of Health and Human Services, Food and Drug Administration, Center for Devices and Radiological Health, Center for Biologics Evaluation and Research. Preface. Additional Copies. CDRH: Additional copies are available from the Internet.
  • MDR Best Practices Guidelines
    MDR Documentation Submissions: Best Practices Guidelines. Revision 2, May 2020.
    Contents
    1 Introduction
    2 Submission and Technical Documentation contents
      2.1 Cover letter
      2.2 The Technical Documentation
      2.3 Authorisation for the work to be conducted
    3 Submission Method
    4 Document Format
      4.1 Language
      4.2 Electronic File Format
        4.2.1 Format and file size limits
        4.2.2 Optical Character Recognition (searchable format)
        4.2.3 Bookmarks
  • Draft International Standard ISO/DIS 14971
    DRAFT INTERNATIONAL STANDARD ISO/DIS 14971. ISO/TC 210. Secretariat: ANSI. Voting begins on: 2018-07-19. Voting terminates on: 2018-10-11. Medical devices — Application of risk management to medical devices. Dispositifs médicaux — Application de la gestion des risques aux dispositifs médicaux. ICS: 11.040.01. Member bodies are requested to consult relevant national interests in IEC/SC 62A before casting their ballot to the e-Balloting application. This document is circulated as received from the committee secretariat. ISO/CEN PARALLEL PROCESSING. THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENT AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH. IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS. RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION. Reference number ISO/DIS 14971:2018(E). © ISO 2018. COPYRIGHT PROTECTED DOCUMENT. © ISO 2018. All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s CP 401 • Ch.
  • MEDICAL DEVICES Overview and Challenges
    MEDICAL DEVICES: Overview and Challenges. The medical device industry is witnessing transformational changes due to globalization, an uncertain macroeconomic climate, changing regulations and technology advancements. To succeed, we believe device manufactures need to focus on the following:
    Converging technologies and “consumerization” of healthcare: The rapid penetration of technology in provisioning systems necessitates a seismic change in device development strategies, a sharper focus on consumer preferences and connected care as well as new investments in enabling technologies such as cloud, mobility, and healthcare analytics.
    Maintaining an innovative edge despite strained R&D budgets: Increased taxation on medical device manufacturers due to new healthcare regulations in mature markets put additional pressure on the bottom line and already strained R&D budgets. Device manufacturers need to rethink their core value and identify opportunities to improve R&D productivity
    Regulatory compliance without affecting cycle times: Device development is being saddled by compliance and regulatory initiatives impacting development cycles, requiring new investment in lifecycle processes
    Market opportunities with localized offerings: Manufacturers are looking to emerging markets for growth. Success will depend heavily on product offerings built for global markets and localized to meet specific regional requirements. This needs effective management of global value chains, consumer preferences, regulatory environments and business models that are often unfamiliar