Derive Risk Acceptance Matrix from Risk Policy

Auxilium

Involved In Discussions
#1
Good day, I have one question regarding a short explanation that I need for explaining why our Risk Acceptance Matrix has its borders.
There seems to be a lot of confusion here. From some Regulatory Consultants, I was told that in the worst case, you need to justify why your border for acceptable in S1 is there and your borders for S2, S3 and S4 are set differently.

Then again, our auditor just briefly mentioned that a short explanation as for how our risk acceptance matrix can be derived from our risk policy is sufficient.
I could not ask any further and now am a bit clueless how you could do this.

We have an estimation of the usage of our product in the scheme Number of users x Usage per Day x 365 = Total usage per year. We have Probabilities with ranges and calculated, for each Probability category, how many cases that would be based on our total product usage per year.

However, for me these numbers seem a bit out of the blue and I am not allowed to adjust them. What I need now is a short but generally plausible explanation as to why our matrix looks the way it does. Because the good news is, I know that the matrix itself also does not need to be updated.

I already use the comparison with the state of the art in the final benefit-risk-evaluation. However, the comparison and the setting of our green and red sections in the matrix combined with our severity categories and probability ranges and usage estimations would not plausibly align with the comparison of the state of the art.

Complicated situation?
 

yodon

Leader
Super Moderator
#2
I got a bit lost. Presuming S1 - S4 are severity levels? Risk is expressed in terms of severity * probability. I think the most common I've seen is a 5x5 matrix (but if you're using 4 x 4 or 4 x 5, that's ok). Generally, anything with the highest severity (except lowest probabilities) will be unacceptable. And, generally, you have a few less unacceptable with the next lowest severity and so on. Most often, this is expressed in a color-coded matrix; e.g.:

[Attached image: example color-coded risk acceptance matrix]

Anything in red is unacceptable. Anything else is acceptable. I think most companies establish this at the corporate level (i.e., "policy") and then use it for all individual device risk management activities. The standard doesn't dictate what's acceptable or not; that's going to be your call where you draw the line. I've not heard of an auditor or anyone evaluating the Risk File to require justification.

To me, it's important that top management understand what they are calling acceptable risk because they will have to defend it in an inquiry. Do they, using the example above, agree that a severity of 5 (potential for death) and a probability of 2 (however it's defined) is acceptable?

Does that help?
 

Auxilium

Involved In Discussions
#3
Hey yodon, so far, clear and I get the general principle.
And exactly the "line" drawing part is my problem. Do you know any "generic" sentence as to why my predecessors chose the line to be that way?
I know that without any company specific information, it is difficult.

Would it be okay for example if I would just say:
We as a young company with an innovative medical device, do have a medical benefit which is slightly better than the current state of the art. Therefore, we follow a conservative approach in our risk acceptance matrix.
We accept risks that are S4 (deaths) only when unthinkable (P1), severe risks (S3) when they occur unlikely (P2), major risks (S2) can occur rarely and minor risks (S1) are also frequently (P5) acceptable.
 

yodon

Leader
Super Moderator
#4
Whether your company is young or old is quite irrelevant and asserting your youth would, for me, be a red flag! Further, asserting you are "slightly better than the current state of the art" is potentially a claim that would need to be proven and "slightly" is vague. The benefit can possibly factor in but it may open a rabbit hole. Since you have competition, do you know where they draw the lines?

Most of what I've seen is still rather generic, something like "The acceptability threshold aligns with industry norms and is appropriate for our product" (and yes, I realize "industry norms" is quite vague but that seems to satisfy those who are curious). Maybe others will weigh in on how they justify where the lines are drawn.
 

Tidge

Trusted Information Resource
#5
It is important for executive management to both believe in the acceptability and be able to state in simple terms why they accepted the ratings. This isn't an area where the individuals can (at any point) claim to "not understand" or (worse) "not believe" the ratings.

From my PoV: setting the initial green/yellow/red ratings is where a "risk versus (treatment) options" analysis is. If there are few options for treatment, there is a greater appetite for risk. Keep in mind "let nature take its course" is always an option. If there is a large menu of options, then there should be less appetite for risk. The nature of the intervention (by use of the medical device) itself must be considered: study of internal body structures via X-ray is still tolerated in some circumstances, but other technologies (generally) have less risk for certain harms.
 

Auxilium

Involved In Discussions
#6
Honestly, thank you all for the replies! I appreciate it.
That helped a lot! Out of interest, could you tell me in what fields you have been working and for how many years in total?
When did you get the feeling that you're a competent risk manager?
 

Auxilium

Involved In Discussions
#7
> Whether your company is young or old is quite irrelevant and asserting your youth would, for me, be a red flag! Further, asserting you are "slightly better than the current state of the art" is potentially a claim that would need to be proven and "slightly" is vague. The benefit can possibly factor in but it may open a rabbit hole. Since you have competition, do you know where they draw the lines?
>
> Most of what I've seen is still rather generic, something like "The acceptability threshold aligns with industry norms and is appropriate for our product" (and yes, I realize "industry norms" is quite vague but that seems to satisfy those who are curious). Maybe others will weigh in on how they justify where the lines are drawn.

Btw no, we have competitors but we don't know where they draw the line. Do you even know any way to find out about competitor's approaches?
Is this even possible to find out other than "calling" them?
 

yodon

Leader
Super Moderator
#8
I have been on the quality side of medical device development now for close to 20 years. I still wouldn't call myself a competent risk manager. :) I feel fairly comfortable with the process, only.
 

Tidge

Trusted Information Resource
#9
> Do you even know any way to find out about competitor's approaches?
> Is this even possible to find out other than "calling" them?

You can review the literature of competitors, and also review their regulatory filings... as well as complaints and recalls. Literature searches will also help, especially if the device is used in a clinical environment. Your customers may also be happy to tell you about your competitor's products!

> Out of interest, could you tell me in what fields you have been working and for how many years in total? When did you get the feeling that you're a competent risk manager?

I've been working in some sort of scientific, engineering or medical manufacturing field for about 30 years. As the saying goes: If you want to know which animals bite, and how hard... you ask the person with the most scars.

With reluctance: I can make a self-assessment of "competency" with respect to medical device risk management only on the following bases. (1) I was recruited into the field explicitly because I had been implementing risk management in another area (2) I am comfortable walking in areas my colleagues would rather avoid at all costs (3) I've had numerous interactions with regulators, NRTLs and the such... with the absolute best ones being that after review of the risk management files they don't have any questions!
 