EU MDR Risk Management Requirements: From complex regulation to impactful change with the new ISO 14971
The life sciences sector is undergoing a plethora of unprecedented regulatory changes, affecting organisations involved in pharmaceuticals, medical devices, and in-vitro diagnostics. With the new EU MDR adopting a more universally risk-based approach compared to the EU MDD (93/42/EEC), more explicit requirements for manufacturers are laid out regarding the maintenance of a risk management program and life-cycle risk management.
The following is the thirteenth in the series of EU MDR related blogs. To learn more about the EU MDR changes you can view some of the previous posts in the series:
- Medical Device Equivalence vs Demonstration of Equivalence
- Post-market Clinical Follow-up Requirements for EU MDR
- The New European Union MDR: Impact on Technical Files
- Low-risk Device Challenges
- Selecting and Working with your Notified Body
- Medical Devices with Ancillary Medicinal Substances
- Regulatory Challenges Writing EU MDR Compliant Clinical Evaluation Reports (CER)
- International Medical Device Regulators Forum (IMDRF) & Summary of Recent Changes to Clinical Evaluation Guidance
- Remote Medical Audits During COVID-19
- Celegence Webinar: Taking advantage of the EU MDR Delay in Uncertain Times
- Components of an Effective Post-Market Surveillance for Medical Devices
- Medical Device Labeling Changes & Challenges under EU MDR
Risk Management for Medical Device Organizations
Risk management is an important lifecycle product development requirement for all medical device organizations when developing, manufacturing, and commercially distributing medical products. To effectively meet regulatory requirements, manufacturers must utilize the harmonized standard, EN ISO 14971:2019 Risk Management Standard, and the technical report that accompanies it, ISO TR 24971:2020, to address issues of potential risk within the European Economic Area (EEA). This blog aims to prepare EU device manufacturers who struggle to implement this requirement effectively, given how the standard was harmonized by the European competent authorities.
There is no explicit requirement in the MDD that manufacturers should eliminate or reduce the risks associated with an individual device, that adequate protection measures are taken in relation to risks that cannot be eliminated, and that users are informed about any residual risks. Moreover, apart from software devices, there is no article in the MDD that requires manufacturers to have a risk management system. With the notified bodies expecting that manufacturers have a risk management system which conforms to EN ISO 14971, the new EU MDR contains an explicit obligation in the new Article 10 (2) that manufacturers establish, document, implement and maintain a system for risk management, the detailed requirements of which are listed in the new Annex I Chapter I (3).
Under the EU MDR, risk is defined in Article 2 as “the combination of the probability of occurrence of harm and the severity of that harm” and benefit-risk determination is defined as “the analysis of all assessments of benefit and risk of possible relevance for the use of the device for the intended purpose, when used in accordance with the intended purpose given by the manufacturer.”
For every device, the EU MDR mandates that manufacturers must have a documented risk management plan, identify and analyse the known and foreseeable hazards, estimate and evaluate the associated risks, and eliminate or control those risks. Additionally, in the “production phase”, they must evaluate the impact of new information and, if necessary, amend control measures accordingly. The combination of the new Article 10 (2) obligation on manufacturers to establish a risk management system and the explicit requirements for each device contained in the new Annex I Chapter I (3) can be read together to mean that the current state of the art in device risk management (EN ISO 14971) will become the new minimum standard for device risk management under the new EU MDR.
Risk Management Under the MDR
Risk management is emphasized in the regulation as an iterative process throughout the entire lifecycle of a device (a key input in developing the new regulation was to implement more of a lifecycle approach). Annex I Chapter I (2) states that the risks must be reduced as far as possible, meaning the reduction of risks as far as possible without adversely affecting the benefit-risk ratio. The following are required for each device:
- Establish and document a risk management plan for each device
- Identification and analysis of possible hazards associated with each device
- Estimation and evaluation of risks associated with the intended use and misuse of the device
- Risk mitigation (reduction or elimination of risk)
- Assessment of production and post-market information on the documented risk assessment, and the overall risk, benefit-risk ratio, and risk acceptability
- Changes to control measures (e.g. safety by design, alarms, safety information) when required based on the assessment of production and post-market information
ISO TR 24971:2020 Clause 7.4 includes extensive coverage of benefit and benefit-risk analysis, including that benefit does not encompass economic or business advantages. Clause 7.4.5 mentions three specific examples of benefit-risk analysis conclusions, and Clause 7.4.2 provides an extensive overview of clinical benefits. Of the points above, manufacturers are most vulnerable with respect to production and post-market information, and the risk management file. This is because, when a “checkbox approach” is used for risk management, device design (specifically, control measures) may not be adequately evaluated in response to production and post-market information. Therefore, manufacturers must consider strengthening procedures around risk management and production and post-market information to comply with these requirements. Also, ensure that you are evaluating the device design in response to post-market information. In totality, per the regulation, thorough documentation of requirements and procedures for risk management is required. The technical file for each device must include the results of the risk management process, including the benefit-risk analysis, the solutions adopted to address risks, and the updated PSUR. All risk documentation for each product must be maintained and readily available per record retention requirements.
Risk Management During Design and Beyond
The most detailed information for manufacturers regarding the risk management that must be adopted during design is provided in Annex I. The annex provides the order of priority that manufacturers must consider while selecting the most appropriate solutions. These include:
- Eliminate or reduce risks as far as possible through safe design and manufacture
- Adequate protection measures for risks that cannot be eliminated (e.g. alarms)
- Provide information or user training for safety and disclose any residual risks
The third item diverges from the requirement of EN ISO 14971:2012, which allows the manufacturer to determine which residual risks are to be disclosed (for residual risks deemed acceptable). The EU MDR simply states that the manufacturer “shall inform users of any residual risks.”
Requirement for Acceptable Benefit/Risk
- Evaluation of the description of the intended purpose of the device
- Evaluation of the device’s benefits to the patient
  - Quantification of benefit(s) to the patients
  - Probability of the patient experiencing one or more benefit(s)
  - Duration of effect(s)
- Evaluation of the clinical risks of devices (extent of risk(s) / harm(s), the following should be addressed individually and in aggregate):
  - Severity, number, and rates of harmful events
  - Probability of a harmful event
  - Duration of harmful events
  - Risk from false-positive or false-negative results (diagnostic medical devices)
- Evaluation of acceptability of the benefit/risk profile
Clinical Investigations for Medical Devices – EU MDR
The EU MDR identifies the use of clinical investigations as a method of assessing the benefit-risk ratio of medical devices. Additionally, risk assessment is useful to justify any foreseeable risks to trial subjects when weighed against the benefits. These should be well-documented in the clinical investigation plan. The plan is also required to include an ongoing monitoring strategy for the risks and the benefit-risk ratio. The new EU MDR Articles 62 through 82 address all the familiar topics related to clinical investigations: the need for informed consent, considerations for vulnerable populations, the application process, requirements for the conduct of the investigation, adverse event reporting, etc. However, the EU MDR does not specify the triggers for conducting a new clinical investigation when a device is changed or modified.
As a part of the clinical evaluation to establish conformity, clinical investigations are performed to:
- Establish/verify that, under normal conditions of use, a device is designed, manufactured and packaged in such a way that it is suitable for one or more of the specific purposes (as defined in Article 2, point 1) and achieves the performances intended as specified by the manufacturer (MDD, Annex X 2.1 & MDR, Annex I, SPR 1)
- Establish/verify the clinical benefits of the device as specified by the manufacturer
- Establish/verify the clinical safety of the device and to determine any undesirable side-effects, under normal conditions of use of the device, and assess whether they constitute acceptable risks when weighed against the benefits to be achieved by the devices (MDD, Annex X 2.1 and MDR Annex I, SPR 1)
When Should Clinical Investigations be Carried Out?
A new clinical investigation would be required when the change/modification calls into question one of the requirements of Article 62, Section 1:
- Suitability of its intended use (medical purpose) and achievement of the intended performance
- To verify that the clinical benefits as specified have not been altered
- The device is still clinically safe
- The undesirable side effects continue to constitute acceptable risks when weighed against the benefits of the device
When Can Clinical Investigations be Omitted?
- If the clinical evaluation of the CE marked device is based on sufficient clinical data and is compliant with the relevant product-specific Common Specification (CS) (where available)
- Devices such as sutures, staples, dental fillings, dental braces, tooth crowns, screws, wedges, plates, wires, pins, clips or connectors for which the clinical evaluation is based on sufficient clinical data and is in compliance with the relevant product-specific CS, where such a CS is available
(Note: Devices may be added/removed to the CS via Delegated Acts)
- If demonstration of conformity with general safety and performance requirements (GSPR) based on clinical data is not deemed appropriate. This would require:
  - Adequate justification for any such exception shall be given based on the results of the manufacturer’s risk management and on consideration of the specifics of the interaction between the device and the human body, the clinical performances intended and the claims of the manufacturer. The manufacturer shall duly substantiate in the technical documentation referred to in Annex II why it considers a demonstration of conformity with general safety and performance requirements that is based on the results of non-clinical testing methods alone, including performance evaluation, bench testing and pre-clinical evaluation, to be adequate.
Clinical Evaluation and Post-Market Surveillance
Risk management and clinical evaluation are interdependent and hence must be cross-referenced and updated concurrently and regularly. As a part of clinical investigation, all the clinical risks must be identified in the risk management file and addressed as part of clinical investigations, the clinical evaluation and post-market clinical follow-up (PMCF). Data gathered through post-market surveillance must be used to update the benefit-risk determination and improve risk management. Additionally, these data can also serve to update the technical documentation relating to risk assessment and clinical evaluation. Like the clinical evaluation plan, the PMCF plan must also be linked to the risk management processes.
In addition to the requirement for a PMCF, manufacturers of class IIa, class IIb and class III devices must also prepare a periodic safety update report (PSUR) for each device (and groups of devices where relevant). The PSUR includes the results and conclusions of the post-market surveillance analysis, any corrective or preventive action taken, and the updated benefit-risk determination. The PSUR must also include the “denominator” for the data in the form of sales volume or estimated usage of the device. The PSUR must be updated periodically (the timeframe for updating the report is based on device risk class), with consideration for risk activities.
Another new requirement specifically for implantable and Class III devices is the Summary of safety and clinical performance (SSCP). Residual risks, undesirable effects, warnings and precautions must all be included in the SSCP which is submitted to the Notified Body (NB) during conformity assessment and uploaded by the NB to Eudamed so that the information is available to the public. Under the new EU MDR 2017/745, there is an increased requirement to conduct clinical trials (clinical investigations) on certain risk classes of medical devices (Article 62). The Eudamed module for clinical investigations will be publicly accessible under the EU MDR. However, the European Commission postponed the EU MDR date of application (DoA) for one year due to the COVID-19 pandemic. Therefore, there appears to be a delay in the new Eudamed and all its modules that were intended to replace the existing Eudamed.
Interestingly, the EU MDR seemed to have anticipated the Eudamed delay under Article 123d:
“Until Eudamed is fully functional, the corresponding provisions of Directives 90/385/EEC [Active Implantable Medical Device Directive (AIMDD)] and 93/42/EEC [Medical Device Directive (MDD)] shall continue to apply for the purpose of meeting the obligations laid down in the provisions listed in the first paragraph of this point regarding exchange of information including, and in particular, information regarding vigilance reporting, clinical investigations, registration of devices and economic operators, and certificate notifications.”
Common Specifications and Harmonized Standards – EU MDR
The regulation introduces a concept alongside harmonized standards, called Common Specifications (CS), that is to be implemented wherever harmonized standards are not present or insufficiently cover the requirements. CS address requirements for both products and quality system management. Thus, there will be CS for safety and performance requirements for devices (specifically, high-risk devices such as implantable and class III devices) and quality system requirements (for technical documentation and risk management). When a CS is implemented for risk management, you will want to ensure that your risk management processes and documentation are compliant.
In summary, your risk management, clinical evaluation, PMCF, and PSUR procedures and plans must all be synchronized, and each resulting report must consider the data and results of the others. As before, devices are required to achieve the performance intended and must be designed and manufactured to fulfil their intended purpose. While the task of becoming compliant may seem daunting, review the EU MDR, highlight new requirements and differences between the new regulation and the existing regulations and standards with which you comply, and develop a general plan for revising your procedures and other documented requirements. This plan should include assignments for responsible parties within your organization. With the EU driven by the need to strengthen the regulatory platform, under the new regulation, the devices must not compromise safety, and the individual and cumulative risks must be outweighed by the clinical benefit.