ISO DTIR 24971:2020 – a short assessment

The new edition of the risk management standard ISO 14971:2019 was published and consequently the relevant technical report ISO TR 24971 was revised as well. The draft ISO DTIR 24971:2020 is available now. As a risk management practitioner, I was quite interested in the details. My short summary of the changes is provided below:

The technical report got much bigger as most of the informative annexes were moved from ISO 14971 into ISO DTIR24971. A new structure as per ISO 14971:2019 was introduced. This makes it much easier to understand the guidance.

• Some helpful explanation is given in section 4.2 regarding involvement of top management.
• Section 4.3 adds details to education and cross functional teams.
• Better understanding of the risk management plan is facilitated by section 4.4. Section 4.4 is more or less the content of former annex F to 2nd edition of ISO 14971. Especially the verification tasks are described much better now.
• Examples are introduced within section 5 to better understand the risk analysis process. Foreseeable misuse, characteristics to safety, hazards and the hazardous situations are elaborated in more detail.
• Figure 1 in section 5.4.7 is really good and will make it much easier to understand the sequence of events and probabilities of hazard situations and harm. However, it will take a while and needs some thoughts to understand figure 1 correctly. Unfortunately only P1 and P2 are explained and the reader must remember that there is figure C.1 in ISO 14971:2019 finalizing the risk estimation (P=P1xP2).
• If read in detail, section 5.5 Risk estimation is quite interesting and one could read it as a paradigm shift. The well known risk control chart is only one option when deciding about risk acceptability. This may be very valuable considering the discussions about content deviations from (EU) 2017/745 MDR. Top management may decide to go for “reduce risk as far as possible” and skip the antique risk charts.
• The new ISO TR 24971 is also busting the myth that severity ratings cannot be reduced. Section 7 risk control includes example for risk control (reducing severity of harm from an electric shock by using low electric voltage). Risk control measures are discussed for both design and process.
• Section 7.4 gives guidance to benefit risk-analysis. It is clearly stated that “benefit-risk analyses cannot be used to weigh residual risks against business advantages or economic advantages” and that benefit-risk-analysis is a “matter of judgment by experienced and knowledgeable individuals, usually a multidisciplinary team comprising medical, clinical or application experts.” Both statements fit very well to (EU) 2017/745 MDR. Helpful examples are given and discussed in detail.
• Unfortunately it is not a surprise that the ISO DTIR 24971:2020 does not provide real solutions for the most difficult task within the risk management process, i.e. how to judge and accept the overall residual risk. However, several possible approaches are discussed.
• Section 10 emphasizes the importance of collecting information of the production and post-production phases. A nice list of data sources is given and many questions supporting the review of this Information are given. Reading the very well written section 10 should remove any question how and when to update risk management files.

ISO DTIR 24971:2020 includes eight annexes (A-H).

• Annex A is more or less the same as annex C from ISO 14971:2007. Some questions were added, e.g. regarding data storage and device autonomy.
• Annex B is more or less the same as annex G from ISO 14971:2007. The Event Tree Analysis was added.
• Annex C is new and gives valuable insight in the ideas behind risk management policy and risk acceptance criteria. The content of the annex was partially contained in clause 3 of the old ISO TR 24971. Again, the guidance makes clear, that acceptance criteria are much more than just a risk control chart.
• Annex D is new and talks about information for safety and residual risk. The content of the annex was partially contained in clause 5 of the old ISO TR 24971. The new annex D incorporates as well the former annex J from ISO 14971:2007. Nice examples are given to differentiate between the terms. This is clearly an improvement versus the previous edition.
• Annex E is new and elaborates on the relation to other standards like IEC 62366-1 or ISO 10993-1. The content of the annex was already contained in clause 2 of the old ISO TR 24971 and just a few changes can be found. ISO 14155 was added.
• Annex F is new and gives guidance on risks related to security (mainly cyber security).
• Annex G is new and gives input to components and devices designed without using ISO 14971.
• Annex H refers to IVD and is the somehow the same as the annex H in 2nd edition of ISO 14971. The annex was rewritten and expanded from previously 16 into now 25 helpful pages.
• If you are looking for the former annex I (biological risks) you will not find it anymore, as those risks are covered by ISO 10993-1.
• The former annexes B and F are also not moved into annexes anymore but are covered by ISO 14971:2019.

Summarizing all the above in some few words: The new ISO TDIR 24971:2020 is really well done. Many details will help to better understand risk management and the examples given should drive more detailed risk analyses. My credit goes to the writing teams!