Derive Risk Acceptance Matrix from Risk Policy

Auxilium

Involved In Discussions
Good day, I have one question regarding a short explanation that I need for explaining why our Risk Acceptance Matrix has its borders.
There seem to be a lot of confusion here. From some Regulatory Consultants, I was told that in the worst case, you need to justify why your border for acceptable in S1 is there and your border for S2, S3 und S4 are set differently.

Then again, our auditor just briefly mentioned that a short explanation as for how our risk acceptance matrix can be derived from our risk policy is sufficient.
I could not ask any further and now am a bit clueless how you could do this.

We have an estimation of the usage of our product in the scheme Number of users x Usage per Day x 365 = Total usage in per year. We have Probabilities with ranges and calculated for each Probability category, how many cases that would be based on our total product usage per year.

However, for me these numbers seem a bit out of the blue and I am not allowed to adjust them. What I need now is a short but general plausible explanation as for why our matrix looks like it. Because the good news is, I know that the matrix itself also does not need to be updated.

I already use the comparison with the state of the art in the final benefit-risk-evaluation. However the comparison and the setting of our green and red sections in the matrix combined with our severity categories and probability ranges and usage estimations would not plausibly align with the comparison of the state of the art.

Complicated situation?
 

yodon

Leader
Super Moderator
I got a bit lost. Presuming S1 - S4 are severity levels? Risk is expressed in terms of severity * probability. I think the most common I've seen is a 5x5 matrix (but if you're using 4 x 4 or 4 x 5, that's ok). Generally, anything with the highest severity (except lowest probabilities) will be unacceptable. And, generally, you have a few less unacceptable with the next lowest severity and so on. Most often, this is expressed in a color-coded matrix; e.g.:

Derive Risk Acceptance Matrix from Risk Policy

Anything in red is unacceptable. Anything else is acceptable. I think most companies establish this at the corporate level (i.e., "policy") and then use it for all individual device risk management activities. The standard doesn't dictate what's acceptable or not; that's going to be your call where you draw the line. I've not heard of an auditor or anyone evaluating the Risk File to require justification.

To me, it's important that top management understand what they are calling acceptable risk because they will have to defend it in an inquiry. Do they, using the example above, agree that a severity of 5 (potential for death) and a probability of 2 (however it's defined) is acceptable?

Does that help?
 

Auxilium

Involved In Discussions
Hey yodon, so far, clear and I get the general principle.
And exactly the "line" drawing part is my problem. Do you know any "generic" sentence as to why my predecessors chose the line to be that way?
I know that without any company specific information, it is difficult.

Would it be okay for example if I would just say:
We as a young company with an innovative medical device, do have a medical benefit which is slightly better than the current state of the art. Therefore, we follow a conservative approach in our risk acceptance matrix.
We accept risks that are S4 (deaths) only when unthinkable (P1), severe risks (S3) when they occur unlikely (P2), major risks (S2) can occur rarely and minor risks (S1) are also frequently (P5) acceptable.
 

yodon

Leader
Super Moderator
Whether your company is young or old is quite irrelevant and asserting your youth would, for me, be a red flag! Further, asserting you are "slightly better than the current state of the art" is potentially a claim that would need to be proven and "slightly" is vague. The benefit can possibly factor in but it may open a rabbit hole. Since you have competition, do you know where they draw the lines?

Most of what I've seen is still rather generic, something like "The acceptability threshold aligns with industry norms and is appropriate for our product" (and yes, I realize "industry norms" is quite vague but that seems to satisfy those who are curious). Maybe others will weigh in on how they justify where the lines are drawn.
 

Tidge

Trusted Information Resource
It is important for executive management to both believe in the acceptability and be able to state in simple terms why they accepted the ratings. This isn't an area where the individuals can (at any point) claim to "not understand" or (worse) "not believe" the ratings.

From my PoV: setting the initial green/yellow/red ratings is where a "risk versus (treatment) options" analysis is. If there are few options for treatment, there is a greater appetite for risk. Keep in mind "let nature take its course" is always an option. If there is a large menu of options, then there should be less appetite for risk. The nature of the intervention (by use of the medical device) itself must be considered: study of internal body structures via X-ray is still tolerated in some circumstances, but other technologies (generally) have less risk for certain harms.
 

Auxilium

Involved In Discussions
Honestly, thank you all for the replies! I appreciate it.
That helped a lot! Out of interest, could you tell me in what fields you have been working and for how many years in total?
When did you get the feeling that you're a competent risk manager?
 

Auxilium

Involved In Discussions
Whether your company is young or old is quite irrelevant and asserting your youth would, for me, be a red flag! Further, asserting you are "slightly better than the current state of the art" is potentially a claim that would need to be proven and "slightly" is vague. The benefit can possibly factor in but it may open a rabbit hole. Since you have competition, do you know where they draw the lines?

Most of what I've seen is still rather generic, something like "The acceptability threshold aligns with industry norms and is appropriate for our product" (and yes, I realize "industry norms" is quite vague but that seems to satisfy those who are curious). Maybe others will weigh in on how they justify where the lines are drawn.

Btw no, we have competitors but we don't know where they draw the line. Do you even know any way to find out about competitor's approaches?
Is this even possible to find out other than "calling" them?
 

yodon

Leader
Super Moderator
I have been on the quality side of medical device development now for close to 20 years. I still wouldn't call myself a competent risk manager. :) I feel fairly comfortable with the process, only.
 

Tidge

Trusted Information Resource
Do you even know any way to find out about competitor's approaches?
Is this even possible to find out other than "calling" them?

You can review the literature of competitors, and also review their regulatory filings... as well as complaints and recalls. Literature searches will also help, especially if the device is used in a clinical environment. Your customers may also be happy to tell you about your competitor's products!

Out of interest, could you tell me in what fields you have been working and for how many years in total? When did you get the feeling that you're a competent risk manager?

I've been working in some sort of scientific, engineering or medical manufacturing field for about 30 years. As the saying goes: If you want to know which animals bite, and how hard... you ask the person with the most scars.

With reluctance: I can make a self-assessment of "competency" with respect to medical device risk management only on the following bases. (1) I was recruited into the field explicitly because I had been implementing risk management in another area (2) I am comfortable walking in areas my colleagues would rather avoid at all costs (3) I've had numerous interactions with regulators, NRTLs and the such... with the absolute best ones being that after review of the risk management files they don't have any questions!
 
Top Bottom