FDA, ISO and the Risk Management Quandary

Due to the complexity of 21st-century medical technology, risk management for medical technology is a more complicated undertaking than ever, a situation not eased by the ongoing COVID-19 pandemic. One of the more difficult parts of risk management is that while ISO 14971 provides an overarching standard for risk management, the relevant provisions of the FDA approach are scattered across a number of guidances, a condition perhaps necessitated by the fact that the Quality System Regulation (QSR) [21 CFR 820] mentions risk management once and only in passing.

The FDA’s regulatory approach to risk management is centered on Part 820.30, the portion of the regulation directed toward design controls. The general provisions of Part 820 state that design validation should include software validation and risk analysis when appropriate. However, Part 820.30(g) offers little detail other than to state that design validation should be undertaken under actual or simulated use conditions. The lack of detail in Part 820 is offset by a number of guidances, such as the August 2019 FDA final guidance for factors to consider in making benefit-risk determinations for PMA and de novo devices (the “factors-to-consider” guidance). However, there are several other guidances that also reference risk management, creating a nettlesome navigational problem for companies doing business in the U.S.

Residual Risk a Gray Regulatory Area

The ISO standard states that residual risk is that which is still in place after reasonable efforts to mitigate known risks with the help of existing standards. Once those mitigations are in place, the sponsor is then liable for conducting a benefit-risk analysis to address any sources of unacceptable residual risk. It might be noted that 14971 does not explicitly state that a benefit-risk analysis be limited to residual risks that are deemed unacceptable, so any regulatory agencies that accept this standard may be at liberty to require such analyses for all residual risks.

The FDA’s factors-to-consider guidance has little to offer where residual risk is concerned, although the FDA’s 2017 guidance for investigational device exemptions offers some insight into the agency’s thinking. This guidance states that the focus on residual risk will hinge on whether that risk has been reduced to a level deemed acceptable, given the anticipated benefit. Among the possible responses to a worrisome signal on a residual risk is to limit a study to those most likely to experience benefit and/or those whose benefit-risk profile is most favorable.

Beyond the question of residual risk, the FDA’s factors-to-consider guidance states that the factors that must be taken into account when assessing probable risks include:

  • the probability and duration of harmful events associated with the device’s use;
  • the risk of a false positive or false negative result for any diagnostic procedure; and
  • the severity, type, number and rates of harmful events associated with the device.

The factors-to-consider guidance does not require the sponsor to provide possible mitigations for risks that are hypothetical or which occur in negligible numbers, but the agency nonetheless recommended that sponsors describe such risks and explain how the level of such risks was determined. The ISO standard has little to offer in the way of hypothetical risks, however.

One of the key areas for industry is the question of the current state of the technological art (SoTA), a term and acronym that are not found in the FDA factors-to-consider guidance. The guidance mentions that a novel device type that addresses an unmet need may merit approval even if it offers only a “relatively small benefit,” but the guidance advises that subsequent iterations of the device may alter the benefit-risk profile for that device type due to improved performance. Consequently, the expectation regarding safety and effectiveness may drift from the initial expectation, and thus alter a previous or predicate device’s benefit-risk profile.

The related provisions of ISO 14971 make reference to a similar consideration regarding SoTA, but the phrase is used explicitly in the ISO standard. ISO defined the term as the developed stage of technical capability at any time, “based on the relevant consolidated findings of science, technology and experience.”


In section 3.28 of the standard, ISO emphasizes that the term SoTA embodies that which is currently accepted as good practice in medicine, and which is widely seen as an acceptable level of technological advancement. An alternative way of expressing the idea is that the device represents the generally acknowledged state of the art, and ISO stresses that the term is not intended to refer to the most technologically advanced solution that might be available at any given time.

Adoption of ISO Standard Short of Universal

The FDA factors-to-consider guidance included an appendix which states that 14971 is an FDA-recognized standard, and that conformance with the ISO standard may help the developer meet the design control requirements in Part 820.30. The agency offers little insight into the direct parallels between the two approaches, but the FDA has adopted ISO definitions related to risk management, such as for the terms risk estimation and risk analysis. When it comes to harmonization, however, there is a problem in that the European Union (EU) has not adopted the latest edition of ISO 14971.

Manufacturers and developers are still scrambling to meet the demands of the European Commission’s (EC’s) Medical Device Regulation (MDR), a task made more problematic by the COVID-19 pandemic. The EC indicated in March 2020 that the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) had passed on the opportunity to ratify the 2019 version, but the EC can apply again and is expected to do so.

In the meantime, however, this impasse may mean extra work for companies that are updating existing dossiers and filing new dossiers for CE marking, thanks to some meaningful differences between the 2012 and 2019 versions of 14971. The situation presents yet another source of drag on companies doing business in the EU, particularly given the still-widespread concern that the number of pending applications is far greater than the current roster of notified bodies can hope to process as the May 26, 2021, MDR implementation date approaches.
