Navigating the intricacies of risk management standards is crucial for ensuring clinical safety and regulatory compliance. This blog post delves into the relationship between ISO 14971 and DCB0129, two pivotal standards that form the cornerstone of risk management in the medical device sector. It aims to demystify the standards, highlighting their similarities, differences, and how they complement each other to safeguard the integrity of medical products. Whether you’re a manufacturer expanding into the UK market or a digital health developer integrating medical device features, understanding the interplay between ISO 14971 and DCB0129 is essential for your product’s success and compliance.
What is ISO 14971?
ISO 14971 tells manufacturers and developers of medical devices how to approach risk management to ensure the safety of their product. It dates back to before the turn of the century, with the European Committee for Standardisation’s creation of EN 1441, and was most recently updated by the International Organization for Standardization (ISO) in 2019 (with an addendum by the European Committee for Standardisation, CEN, in 2021). It is highly regarded internationally, including by the MHRA in the UK, where it is a designated standard.
What is DCB0129?
DCB0129 tells manufacturers and developers of health IT systems* supplied to the public health and social care sector in England how to approach clinical risk management to ensure the safety of the product. Its initial version (DSCN 14/2009) was derived from an earlier version of ISO 14971 and later updated in 2018 to encompass ‘medical devices’. It was made mandatory under Section 250 of the Health and Social Care Act 2012.
*Health IT systems are “product[s] used to provide electronic information for health or social care purposes.” Software medical devices are almost always health IT systems, but some health IT systems are not medical devices. Confusing? We do know, however, that the two standards address broadly the same issue in very similar ways. But just how similar are they, and what are the commonly missed differences?
What are the similarities between DCB0129 and ISO 14971?
As you would expect from two documents with such a shared history, there are a lot of similarities – DCB0129 even states that: “…the requirements defined [in DCB0129] are broadly consistent with the requirements of ISO 14971”.
Both place overall responsibility for risk on top (or senior) management, require knowledge and competence of any staff involved, require a plan, a risk assessment and a report to be created, and follow a very similar approach to how risks should be identified, assessed and controlled. If you’ve created a Risk Management File under either system, you’ll likely be pretty close to meeting the requirements of the other standard. However, missing any of the key differences outlined below could cause problems with your customer or regulator when they are reviewing your file:
1. Clinical Safety Officer
The guidance document* for ISO 14971 (ISO TR 24971) gives the example of “Medical or Clinical Expert” as the type of expertise that would be required when performing risk management activities. DCB0129 goes further and makes it very clear that you MUST have a Clinical Safety Officer (CSO) leading risk management throughout the product lifecycle. The CSO must be a qualified clinician with a current registration and knowledge of clinical risk management; the CSO is responsible for ensuring that your company complies with DCB0129. Having a suitably qualified CSO will certainly add credibility to your ISO 14971 risk management file, but without a CSO on a DCB0129 risk management file, you will have fallen at the first hurdle. Fortunately, we have many experienced CSOs to support you.
*Yes, there are supplementary guidance documents for some standards, and yes, your auditors and regulators will have read them and will expect your company to have followed them to the letter. We’re sorry… we didn’t write these standards!
2. Benefit-Risk Analysis
DCB0129 mandates that when a risk remains elevated and no further ‘practicable’ risk control measures can be implemented, this risk should be evaluated against the clinical benefits of the product to decide whether it can be deemed acceptable.
ISO 14971 expands on this by stating that the total risk associated with the medical device must be weighed against its overall clinical benefit. It therefore also requires an understanding of, and the ability to provide evidence for, your product’s total clinical benefit, together with a comparative analysis of the total risk relative to that benefit. This process is closely linked with Clinical Evaluations under the UK and EU Medical Device Regulations, and is referred to as “Performance Evaluation” for In Vitro Diagnostics (IVDs). *See the section on ALARP and AFAP below.
3. Risk Control Implementation Responsibility
Medical device manufacturers take full responsibility for the safety and performance of their product – if a user uses it incorrectly, the responsibility falls on the manufacturer for not having checked for that in Usability Engineering. ISO 14971 reflects this by stating that it is solely the manufacturer’s job to ensure risk controls are implemented. For example, if your medical device instructions rely on a risk control provided by the customer, such as their backup power supply, you’ll need to verify that this is an effective risk control.
DCB0129 allows for the manufacturer to rely on risk control measures carried out by other organisations (e.g. the clinical setting), but remember – your customer will see this transfer of responsibility when they are performing their DCB0160 assessment of your product.
4. ALARP and AFAP
“As low as reasonably practicable” (ALARP) and “as far as possible” (AFAP) are both terms used to describe the level of risk remaining after you have put risk controls in place. The technical definitions of both terms are very complicated and steeped in decades of legal history. In short, ‘ALARP’ is the term used in health and safety guidance (in the UK) and allows for a trade-off between the difficulty of implementing a control and its effectiveness. ‘AFAP’ is used in the Medical Device Regulations in the UK and the EU to describe the acceptable level of risk for some types of risk. Confusingly, both ISO 14971 and DCB0129 refer to ALARP, and ISO 14971 also mentions AFAP, but neither specifies which is required and when. That comes down to the regulations for medical devices, which is why having a Regulatory Expert involved in your risk management is a must.
5. Documentation and Practical Concerns
However carefully you apply either or both standards, practical experience of what customers, regulators and the auditors tasked with reviewing your documentation expect will save you time and heartbreak when submitting your application. Neither standard specifies the format in which the documentation produced must be stored, but you’ll need to send your hazard log as a spreadsheet to an NHS customer, and as a PDF or a spreadsheet (their choice, not yours) to a regulator.
Other things to consider:
- Is the wording of the risk control clear enough that the regulator will be able to find the relevant report?
- Does the doctor reviewing your clinical safety case have enough information about your product to understand and recommend it?
When should you add DCB0129 requirements to your ISO 14971 risk management file?
Medical device manufacturers outside the UK market who want to deploy their product in the UK (particularly in the NHS) need to meet the requirements of DCB0129 on top of ISO 14971 as part of their DTAC compliance work – we support you to do this with our Clinical Safety Officer as-a-service.
When should you add ISO 14971 requirements to your DCB0129 risk management file?
Digital health developers already on the UK market will need to add the extra requirements of ISO 14971 as they develop medical device features for their product.
We’ll soon be supporting all aspects of Medical Device Regulations and Standards for digital health technology organisations. Get in touch for more information.
Access specialist support
As specialists in the field, we understand the nuanced relationship between ISO 14971 and DCB0129, and the importance of specialised guidance in this complex arena of medical device and health IT system development. That’s why our expertise goes beyond compliance; we’re dedicated to ensuring the highest safety and efficacy of products while making it as simple as possible to implement.
Working with 8foldGovernance means partnering with a team that is deeply committed to upholding the highest standards, especially in stringent markets like the UK and the EU. Our knowledge and experience guide manufacturers to align these standards with their product development process, making it not just a regulatory necessity but a strategic move to advance healthcare technology and patient safety in line with commercial success.