The biggest change, by far, is moving from risk-benefit analysis to benefit-risk analysis.

Risk Management Process

The overview of the risk management process was updated.

Since the “process” hasn’t really changed, this is mostly clarification.

The same elements are cited but the process requirements were elaborated.

“Competence” From “Qualification”

It’s likely that if you’re already doing risk management under 14971:2007, you have already effectively addressed these clarifications, but a review is still in order.

The updates changed the wording regarding personnel involved to “competence” from “qualification.”

This is just an alignment with current standard approaches and should not be an impact.

Content of the Risk Management Plan has been expanded.

Scope, assignment of responsibilities and authorities, requirements for review of risk management activities, and criteria for risk acceptability are all unchanged.

The following are more substantive changes:

Method of Evaluating

The method for evaluating the overall risk and criteria for the acceptability of the overall residual risk must be defined.

Previously, no such method definition was required and historically, the approach has been mostly handwaving (e.g., “none of the risks exceed the acceptability threshold and so we accept the overall residual risk”).

Approaches to consider existed in 14971:2007 and both FDA guidance and MEDDEV documents have weighed in (so to speak). In a subsequent course, we’ll take a look at these approaches and describe one approach which has been effective.

Verification of Implementation & Effectiveness

The 14971:2007 plan requirements only required that verification activities be documented (planned).

The updates are very explicit that planning should address verification of implementation and verification of the effectiveness of risk control measures.