TC 210 Not Ready to Adopt Definition of Risk Outlined in Annex SL

Last week, we wrote about recent reflections on the current state of ISO 9001 and how the 2015 standard caused so much confusion with its added notion of risk-based thinking. The standard failed to align with the language of ISO 31000, while TC 176 also acknowledged that ISO 31000, as lauded as it is, does not present a definition of risk that the framers of the quality management standard were ready to adopt wholesale. TC 176 is now looking at how that language ought to be framed in a possible early revision of the benchmark standard while remaining tethered to the HLS, now known as the HA, or Harmonized Approach – terms that you’ll find we still use interchangeably throughout this article.

But this isn’t the first time that quality standard committees have failed to adopt the language of ISO 31000 or pointed out its deficiencies. Indeed, it’s one of the main reasons that ISO 13485, in its 2016 revision – one year after ISO 9001 adopted the HLS – retains the structure of ISO 9001:2008 and has yet to adopt the HLS that has been required of most other MSSs. TC 210, which is responsible for ISO 13485, ISO 14971, and other medical device-related standards, has rejected the language of ISO Guide 73, a document published in support of the hallmark ISO 31000 standard, as unsuitable for medical devices ever since Guide 73 was first published in 2002, continuing to favor the language of ISO/IEC Guide 51, initially published in 1990.

Graphic Representation of how MSSs are ‘Plugged In’ to the Core Elements of the HLS

ISO 13485 is said to have ‘escaped’ having to adopt the HLS that has been mandatory for MSSs because development of the 2016 revision actually began in 2011. You’ll note that the management system standards most commonly integrated today do adopt the HLS, such as ISO 9001, ISO 14001, and ISO 45001. While TC 210 holds the view that the concept of the HLS – providing common structure and language for MSSs – is brilliant, they also consider themselves lucky to have been able to publish the 2016 revision of ISO 13485 without adopting it.

At the time, Guide 73 was being framed as ISO/IEC Guide 73, meaning it would have been uniformly adopted by ISO and IEC, but thorough analysis by TC 210 and IEC/SC 62A determined that the language of ISO/IEC Guide 51 and that of the proposed Guide 73 were “vastly different,” with the definitions given in the proposed Guide not being suitable for medical devices. The analysis ended with the recommendation that IEC not adopt the new document. The differences in the definitions of risk are apparent and certainly noteworthy.

ISO/IEC Guide 51 defines risk as a “combination of the probability of occurrence of harm and the severity of that harm,” with Note 1 reading, “The probability of occurrence includes the exposure to a hazardous situation, the occurrence of a hazardous event and the possibility to avoid or limit the harm.”

ISO Guide 73 defines risk as the “effect of uncertainty on objectives,” and Note 1 to the ISO Guide 73 definition of risk reads: “An effect is a deviation from the expected — positive and/or negative.” Meaning that, in this context, risk can also refer to something positive, and so is presumably not always something to be minimized.

TC 210 recently articulated why this matters much better than I could:

Most people see the term “risk” as an indication of something to be avoided. Like the risk of being mugged if you walk alone in the night in a dark alley. Or that your bicycle is stolen. For many product sectors, including the medical devices sector, there is a special meaning associated with the term “risk”. This meaning is included in many regulatory frameworks, typically combined with the requirement to minimize risk. For some 15 years, ISO has allowed an additional meaning to this term, causing a lot of confusion and irritation…In the medical devices sector, risk is associated with the possibility that using these devices can cause harm. Actually, the definition of risk used in many regulatory frameworks combines the probability of occurrence of harm with the severity of that possible harm. This regulatory definition determines the required approach to manufacture and sell medical devices. – From Risk? What Risk?

You can see how this mirrors recent comments by TC 176 in an article they published in ASQ’s Quality Progress in July regarding the definition of risk as adopted for ISO 9001. After spending years defending the definition, they finally admitted that the definition used in Guide 73, ISO 31000, and, by default, ISO 9000 was not sufficient. See the excerpt below from our coverage of the subject in the article TC 176 Plans to Correct Mistakes With the Introduction of “Risk-Based Thinking” in ISO 9001:2015.

…for risk-based thinking in any QMS to maintain competitive advantage and continual improvement, they acknowledge the flawed implementation of the concept and cite the following three things that went wrong that led to the current state of the concept in the standard:

  1. Definition of risk
  2. Pairing risk with opportunities
  3. Auditability

Of the first, the authors admit that the use of the High Level Structure (HLS), now known as the harmonized approach (HA), didn’t meet its intended goal of creating a common definition and concept of risk to be employed throughout all management system standards (MSSs) using the approach. They note differences between the language of ISO 31000, ISO’s premier standard on risk management, and that of ISO 9000:2015, which sets all of the vocabulary used throughout the ISO 9000 series of quality management system standards. The article doesn’t describe why this discrepancy existed in the first place – a topic that would seem worthwhile to explore – but it does make the following two points: 1) the discrepancy is certainly an error and the language from ISO 31000 should be used, and 2) even with point 1 being true, the error carried over into the 2021 revision of the HA, which kept the language from ISO 9000.

The HLS and the 2021 revision of the HA define risk as ‘effect of uncertainty,’ which was carried into ISO 9000:2015 and, by default, into ISO 9001:2015. ISO 31000:2018, however, defines risk as ‘effect of uncertainty on objectives.’ This difference over whether risk is linked to objectives is compounded by Note 1, which in the HA and ISO 9000 states ‘an effect is a deviation from the expected – positive or negative,’ while Note 1 in ISO 31000 reads, ‘an effect is a deviation from the expected. It can be positive, negative or both and can address, create or result in opportunities and threats.’

While the differences in language are clear, what is a bit perplexing about the article is that the authors on one hand suggest that the language of ISO 31000 should have been adopted for uniformity in the understanding of the concept of risk amongst MSSs, but on the other hand go on to argue that there are issues with the definitions in ISO 31000 as well, namely that a) the effect of risk is not on the objective but on the ability to achieve an objective – which is a fair statement – and b) the notion that risk can be positive is wrong. Point b would, of course, necessarily follow from point a: if risk affects an organization’s ability to achieve an objective, that effect would, one would assume, always be negative. It is perplexing nonetheless, in that the suggestion deviates both from ISO 9000 and from ISO 31000, as well as from the long-defended notion that risk can be both positive and negative – not that I’m disagreeing with any of the conclusions they are now publicly sharing.

Still, the initial Guide 73, published in 2002, was issued jointly by ISO and IEC; the differing views on this definition caused the subsequent 2009 revision to be published solely as ISO Guide 73.

As ISO’s rules dictate, ISO 13485 is reviewed every five years; the last review of the 2016 revision culminated in its confirmation in January 2020, meaning that the standard won’t come back up for review for another couple of years. Since the standard was confirmed as-is, the current 2016 revision remains free of the language of Annex SL and, by default, of ISO Guide 73. While TC 210 is not likely to go the way of TC 176 and begin posturing for an early revision, they do seem to be preparing for a future in which ISO 13485 is not confirmed as-is and a revision forces adoption of the HLS for alignment with other MSSs.

This is also not something that will happen lightly. Peter Linders, the chair of ISO/TC 210, who has been involved in regulatory affairs since 1998, has been vocal about the deficiencies of the HLS for years and has staunchly rejected the notion that ISO 13485 should have to change to adopt the language of Annex SL, suggesting instead that the HLS should be changed. In 2018, ahead of the review and subsequent 2020 confirmation of the standard, Linders held workshops reiterating that ISO 13485 did not have to change. The standard had, at the time, been revised just two years prior, having ‘escaped’ adoption of the HLS, and that revision came after 13 years, so it was not likely that the standard would need to be revised again so soon. Linders noted at the time that, though TC 210 did not adopt the HLS, the committee monitored ISO 9001’s adoption and concluded that there were no issues there, as they felt the two standards were compatible – a view now questioned by TC 176, as noted above. Still, he continued to argue, on the basis of the differing definitions of risk, that by adopting the HLS the standard could not serve users intending to use it to meet regulatory requirements, and that there was no need for ISO 13485 to be aligned with other MSSs.

His conclusion at the time was that implementation of the HLS in ISO 13485 could only happen in the future if the language of the HLS was changed to meet the requirements of regulated sectors. He laid out plans for ISO to revise the HLS to address the concerns relating to risk – as well as terms such as opportunity, interested party, etc. – to ensure consistency and to meet regulatory requirements, noting that the design specification was to start in 2018 with a deadline for completion of May 2022. Linders essentially allowed the can to be kicked down the road, deferring any decision on whether TC 210 should adopt the HLS until after 2022 so as to ensure that the language was adequate.

ISO did indeed begin review of Annex SL in 2018, with a commitment to complete a new version by 2020 and have it go into effect in 2021; that is the current 12th edition of the text. Language from the ISO website illustrates how difficult it was to create a common text for the revision that would meet the needs of the millions of users of MSSs: “Literally millions of people work on a daily basis with MSS, so we are working to ensure that the changes made bring clear, widespread advantages. Where possible, changes will only be made to specific subparts of Annex SL to better maintain its overall familiarity to current users.”

The comments do little to address the reality that the language in the 2021 revision of Annex SL Appendix 2 defines risk as:

Effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected – positive or negative.

Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73) and consequences (as defined in ISO Guide 73), or a combination of these.

Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73) of occurrence.

It should be apparent that this language would not be acceptable to TC 210 and does not meet the plan that Linders set out in 2018, which laid down the conditions under which the committee would consider adopting the HLS in any future revision of ISO 13485.

The comments accompanying the unchanged definition of risk in the latest edition of Annex SL read:

It is recognized that some MSS disciplines have their own understanding of risk, which is not exactly aligned with that of others, but which has been adopted over many years.

MSS writers need to be aware that the main advantage of the HS is to make it easier for an organization to incorporate the requirements of multiple MSS into its management system.  They should therefore be aware of the need to maintain alignment wherever possible when introducing discipline-specific term entries for requirements related to risk.

If MSS writers (due to discipline-specific requirements) need to address a particular risk group, category or type for their users, in addition to the general concept specified here, they should consult Annex SL 8.3.8.

For further information, MSS writers can refer to ISO 31000 (Risk management – Guidelines).

It is apparent that the text is referring to Linders’ appeals to change the language of the standard, which ISO was unwilling to do, instead doubling down on the ISO Guide 73 language used in support of ISO 31000 – language that seemed adequate in its definition of risk for most other industries, as Linders’ own comments about compatibility with ISO 9001 pointed out; again, a notion now questioned by TC 176.

It appears that Linders is again ready for the fight in preparation for ISO 13485’s future. In an article published on TC 210’s website on August 12th, 2022, he announced that a Joint Task Force had been established to ensure that the needs of regulated industries are heard during the formation of mandatory standards.

ISO and IEC are both aware that the terminology ambiguity needs to be addressed. Therefore, an ISO/IEC Joint Task Force was established “on the Concept of Risk and Associated Terms” with a mandate that includes (see ISO/TMB N1146):

  • Information sharing among committees […]
  • Identify how the concept of risk […] should evolve in the standardization community to meet the need of standards users and suggest solutions […]

The mandate description of the JTF in ISO/TMB N1146 concludes with the following: “The TF should reach out to standards users and ensure that the needs of the users are considered in the proposed solutions.” This gives assurance that our voice will be heard and taken to heart!

The medical devices sector is well represented in this JTF with ISO/TC 210 and IEC/TC 62, among others. Jointly, these medical devices committees issued a statement that regulatory requirements always prevail, and that standards intended to be used in regulatory context cannot deviate from regulatory terminology (see ISO/TC 210 N1322).