Grouping of Products for Risk Analysis

#1
Hello,
I'm wondering if the following approach would be legit and in compliance with ISO 14971:

1. Group different products based on common characteristics.
2. Conduct a risk analysis to identify risks that overlap / are the same for each product of the product group (see 1.).
3. Define mitigation measures for the risks defined in 2. These measures have to be implemented for each product of the respective group (see 1.).
4. Conduct a product specific risk analysis in which you only check for risks that are not covered in the product group risk analysis.
5. Define mitigation measures for product specific risks and implement them.
6. Create a risk report based on the group risk analysis and product specific risk analysis (2. and 4.).

From my view, this approach should be possible. What is your opinion on this ?
 
Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#2
Hello,
I'm wondering if the following approach would be legit and in compliance with ISO 14971:

1. Group different products based on common characteristics.
2. Conduct a risk analysis to identify risks that overlap / are the same for each product of the product group (see 1.).
3. Define mitigation measures for the risks defined in 2. These measures have to be implemented for each product of the respective group (see 1.).
4. Conduct a product specific risk analysis in which you only check for risks that are not covered in the product group risk analysis.
5. Define mitigation measures for product specific risks and implement them.
6. Create a risk report based on the group risk analysis and product specific risk analysis (2. and 4.).

From my view, this approach should be possible. What is your opinion on this ?
Hello, and welcome to the Cove!

1, 2 - Normally, no. Risk management is applicable to each device or family (basically, each design). You can perform parts of the process in general (for example, it's common to have a document with lists of hazards or harm for some types of devices), but these are used as a basis for the application of ISO 14971 for each specific device.

3 - This is not feasible. Risk control measures are very specific for each device, including even similar devices (because they may be related to specific characteristics of the intended use).

4 - No, see 1.

5 - No.

6 - No.

Also, besides not being a good engineering practice, this won't be acceptable to any reviewer with a good knowledge of product risk management.
 
Last edited:
#3
Hi Marcelo,
thank you for your reply and feedback.
I do not agree with your reasoning though.

Let's assume you have a group of medical devices.
The common characteristics of that group are:

- They are based on the same technology with the same basic architecture.
- They are used by the same user group with same characteristics.
- They have certain similiar design features that apply to all of the devices.
- etc..

With this in mind:

1,2) You do not skip the device / design specific risk analysis. Instead you identify risks that apply to all of the devices of a certain group.
If there are additional risks from those in the group analysis you assess them in the product / design specific risk analysis.
The same applies if risks from the group analysis differ significantly for the specific device.

3) The risk control measures identified in the "group" analysis would still be included for each and every device.

Let's assume that all devices in your group are using the same display. You identified "bad readability due to direct sunlight".
As a risk control measure you define that a sunlight readable display has to be used). This measure will have to be implemented for each device in the respective group.

In addition, product specific risk control measures would also be implemented.

"Also, besides not being a good engineering practice .." <= Why is this considered as such ?
If you don't mind, please add a reference for me to research this in more detail.

I do not agree that there is only one legitimate approach to complying to ISO 14971. At its core, it is expected to assess all risks that arise from the use of the device to user and / or patient, implement measures to minimize the risk as far as possible resulting in a product with a positive risk / benefit ratio.

I do not see how the approach described above does not fulfill this requirement.
Product specific risk analysis is not skipped nor is it cut short. Instead common / alike risks are not explicitly listed in the product specific risk analysis but are still mentioned in the final product risk profile and are mitigated as well.
 

Marcelo

Inactive Registered Visitor
#4
The problem is that "group of devices" is not a defined term anywhere that I know of. If you mean by a "group of devices" a device family (which is a term usually defined in regulations, for example), then ISO 14971 already applies to that (but you have to perform the process for each family, anyway).

The rest of your comments are more or less what I mentioned, you can do anything you want regarding analysis, create lists, etc., but it is something "extra" to facilitate the application of the risk management process for a specific device or family. But you still need to transpose all the information to the specific risk analysis (you may try to link things, but from my experience it may create a lot of trouble, in particular when related to verifying completeness and assessing changes).

"Also, besides not being a good engineering practice .." <= Why is this considered as such ?
If you don't mind, please add a reference for me to research this in more detail.
I mentioned this in the context of what you seemed to be implying - to do something like a "bulk" risk analysis. Your further comments seems to have clarified that. However, your comments still look to imply that you would simply link things to a generic document, which as I mentioned above, may create trouble.

You identified "bad readability due to direct sunlight".
This is not a risk, as it does not have the exposure and related harm of the patient/user/etc. In particular, and I also mentioned this above, risks will depend on the intended use (including intended user) of the device, so even for the same similar devices, different intended uses will change the risks. This is the other aspect that I would be concerned in the approach you mentioned.

For example, if you look at the problem you mentioned (and I'm not discussing it being a risk or not), of "bad readability due to direct sunlight", if the intended use of the device is to be used in closed environments, this problem does not exist.

I do not agree that there is only one legitimate approach to complying to ISO 14971. At its core, it is expected to assess all risks that arise from the use of the device to user and / or patient, implement measures to minimize the risk as far as possible resulting in a product with a positive risk / benefit ratio.
Again, it seems that I understood your original comment wrong. I did not try to imply that applying ISO 14971 can only be done thru one way. In fact, one of the strengths (unfortunately, it's also a big weakness due to some problems) is that it's a generic standard (as always based on good safety engineering practices of the last 50 or 80 years), and you may comply with it with several ways.

I do not see how the approach described above does not fulfill this requirement.
Product specific risk analysis is not skipped nor is it cut short. Instead common / alike risks are not explicitly listed in the product specific risk analysis but are still mentioned in the final product risk profile and are mitigated as well.
I still think that this approach will in practice create some problems and possible gaps, and for these reasons, I've never seen this done that way anywhere in the literature of risk management (I've seem some examples of approaches that tried to to that but used things as starting points, as I mentioned).

You certainly won't see NASA doing somethings like this (and they tried), because it was noted that, for optimal performance, you need to focus risk management activities in the particular problem, even if they share common characteristics.

In fact, ISO 14971 even mentions that in NOTE 1 to 4.1:

NOTE 1 If a risk analysis, or other relevant information, is available for a similar medical device, that analysis or information can be used as a starting point for the new analysis. The degree of relevance depends on the differences between the devices and whether these introduce new hazards or significant differences in outputs, characteristics, performance or results. The extent of use of an existing analysis is also based on a systematic evaluation of the effects the changes have on the development of hazardous situations.
Even in the case above, it's expected that you use the previous analysis as a basis, and not share it with other analysis.

So, related to your initial question - would be legit and in compliance with ISO 14971? I still think that it's not a good way to comply (not that I'm that fixed on complying directly with ISO 14971 because unfortunately, the current and also the newer version to be published in a while have several technical mistakes, so in principle I would say that it's really impossible to fully comply with the standard unless you correct those mistakes and make the correct activities - which I always do).
 
Last edited:
#5
Thanks Marcelo for your valuable insights. I guess you're having a point!
Especially
But you still need to transpose all the information to the specific risk analysis (you may try to link things, but from my experience it may create a lot of trouble, in particular when related to verifying completeness and assessing changes).
might really cause problems. I can see that one of the main problems of the approach would be to guarantee the up to dateness and relevance. Have you ever experienced a successful implementation of a "device family approach"?

Regarding your NASA comment, I would really be interested to read more about that (NASA's approach in general).
Are there resources available which you know about / recommend?
 

Marcelo

Inactive Registered Visitor
#6
Thanks Marcelo for your valuable insights. I guess you're having a point!
Especially might really cause problems. I can see that one of the main problems of the approach would be to guarantee the up to dateness and relevance. Have you ever experienced a successful implementation of a "device family approach"?
Yes, it's very common for certain types of medical equipment for example (think about an anesthesia system, which is comprised of several modules and in which there is a complete device with all the modules and each other device in the family removes certain modules. The risk management process is performed for the family as a whole).

Regarding your NASA comment, I would really be interested to read more about that (NASA's approach in general).
Are there resources available which you know about / recommend?
Sure, there are several from NASA (and several other basic ones from other sources) - see this for NASA - NASA risk management - OSMA.

IN particular, the following documents are very interesting:

NASA Risk-Informed Decision Making Handbook

NASA Risk Management Handbook

NASA Accident Precursor Analysis Handbook

NASA System Safety Handbook Volume 1, System Safety Framework and Concepts for Implementation

Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners
 
Last edited:

Ronen E

Problem Solver
Staff member
Moderator
#7
Slightly off topic, but just so we don't inadvertently mislead others reading this -
implement measures to minimize the risk as far as possible resulting in a product with a positive risk / benefit ratio.
ISO 14971:2007 doesn't require minimizing risk as far as possible (AFAP), only as low as reasonably practicable (ALARP). Such minimization is only indicated in EN ISO 14971:2012.
 

Marcelo

Inactive Registered Visitor
#8
Slightly off topic, but just so we don't inadvertently mislead others reading this -

ISO 14971:2007 doesn't require minimizing risk as far as possible (AFAP), only as low as reasonably practicable (ALARP). Such minimization is only indicated in EN ISO 14971:2012.
In fact, IsO 14971:2007 also does not require minimizing risk as low as reasonably practicable either, as the ALARP comments are only examples in the informative annexes. In fact, ISO 14971 let the implementation decides which approach to use to control risks - ALARP, ALARA, SFAIRP, AFAP, and all the other tens of approach, it also let the implementation defines if de minimis risk will be used or not, and the like - as I mentioned, it's a very high level standard, and this is one of the problems as people do not understand that they have to build and decide on the criteria and approach to risk control (we did include a note in the next edition on this because people did not seem to understand that).
 

Ronen E

Problem Solver
Staff member
Moderator
#9
In fact, IsO 14971:2007 also does not require minimizing risk as low as reasonably practicable either, as the ALARP comments are only examples in the informative annexes. In fact, ISO 14971 let the implementation decides which approach to use to control risks - ALARP, ALARA, SFAIRP, AFAP, and all the other tens of approach, it also let the implementation defines if de minimis risk will be used or not, and the like - as I mentioned, it's a very high level standard, and this is one of the problems as people do not understand that they have to build and decide on the criteria and approach to risk control (we did include a note in the next edition on this because people did not seem to understand that).
Thanks, I stand corrected.
 
Thread starter Similar threads Forum Replies Date
J Grouping Products and Testing Sterile and Biocompatibility - Validating Products Other Medical Device Regulations World-Wide 3
S How to consider the relevant standards during development of ISO13482:2016 for IVD manufacturing Blood grouping Other Medical Device Related Standards 6
bio_subbu Indian government issues guidance on Grouping Medical Devices in a Single Submission Other Medical Device Regulations World-Wide 1
P Standards related to ER Checklist for Blood Grouping Reagents CE Marking (Conformité Européene) / CB Scheme 2
W AS9100 Rev C PEARs - Grouping Processes Document Control Systems, Procedures, Forms and Templates 3
BeaBea Interesting Discussion Where Does Marketing/ Advertisement of Products fit in to ISO 9001? Process Maps, Process Mapping and Turtle Diagrams 35
J Iterative design and production for custom made products ISO 13485:2016 - Medical Device Quality Management Systems 3
Q Old products new class - Dental Devices - Choosing tests EU Medical Device Regulations 2
J Design file for pre-existing products - Inputs and Outputs ISO 13485:2016 - Medical Device Quality Management Systems 5
P Do I need to get registered or have German entity to sell IVD products in Germany? CE Marking (Conformité Européene) / CB Scheme 2
R Reduced sampling plan for sterial products APQP and PPAP 0
D Cleanroom Cleaning Products and Storage Other Medical Device and Orthopedic Related Topics 18
J Raw material certificates - CC - Safety products - Sheet metal stamping IATF 16949 - Automotive Quality Systems Standard 1
M Validation of two nearly identical products Other Medical Device Regulations World-Wide 5
B Unit of Use DI (Device Identifier) - Products using the same device US Food and Drug Administration (FDA) 0
G Class IIa medical products - PMS report and PSUR EU Medical Device Regulations 2
Z 510(k) usage - Company has 2 physically similar products Medical Device and FDA Regulations and Standards News 2
T API Q1 - Will I be able to maintain Q1 if I have products that fall under 6A Oil and Gas Industry Standards and Regulations 5
A VDmax25 and cGMP requirements for "research use only" products Other Medical Device Related Standards 1
B QMS question in regards to multiple medical devices/products and N/A activities Other Medical Device Related Standards 12
H Re-labelling in IVDD - Re-label two products and package them as one CE Marking (Conformité Européene) / CB Scheme 5
V IATF 16949 8.4.1 Control of externally provided processes, products and services - Should the CB be on our Approved Supplier List? IATF 16949 - Automotive Quality Systems Standard 10
S Similar scope medical products connected by WIFI US Food and Drug Administration (FDA) 2
F Calibrating Gagemaker Products General Measurement Device and Calibration Topics 1
C AS9100D -8.5.1j - Accountability For All Products Tiny Parts AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 1
M NANDO codes of products - These are not the GMDN codes, correct? EU Medical Device Regulations 4
M Informational TGA – Current status of breast implant products in Australia Medical Device and FDA Regulations and Standards News 0
shimonv Recall - Is there a European regulation for recalls of products EU Medical Device Regulations 3
M Informational EU – New designated Notified Body under the MDR – TÜV Rheinland LGA Products GmbH Medical Device and FDA Regulations and Standards News 0
A Design and development of products and services ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
S Clause 8.2.2 Determining the requirements for products and services ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
Marc Goldsmiths University will take beef products off the menu starting in September 2019 Sustainability, Green Initiatives and Ecology 19
T Product Labeling - Modified the name of one of our products EU Medical Device Regulations 5
J MDR Annex VIII, Rule 6 Classification - Implication for lower risk CV products? CE Marking (Conformité Européene) / CB Scheme 3
M Informational US FDA Final guidance – Postmarketing Safety Reporting for Combination Products Medical Device and FDA Regulations and Standards News 0
M Informational TGA – Advertising health products: Rules about safety claims in advertising Medical Device and FDA Regulations and Standards News 0
M Informational BSI – ISO 13485 and products with May 2020 deadline for MDR certification Medical Device and FDA Regulations and Standards News 0
M Informational Medicines and Healthcare Products Regulatory Agency Annual Report and Accounts 2018 to 2019 Medical Device and FDA Regulations and Standards News 0
J US Manufacturer of Export Only Exempt Products applying for CFG 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
S GMDN Code for Chitosan Products CE Marking (Conformité Européene) / CB Scheme 1
DuncanGibbons Why is 8.4 post-delivery activities before 8.6 release of products and services in AS9100D? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 5
O Validation approach for a Photostability Chamber (used for fluid therapy and injectable drug products) Qualification and Validation (including 21 CFR Part 11) 1
M Informational EMA – Consultation on draft guideline on quality requirements for medical devices in combination products Medical Device and FDA Regulations and Standards News 0
Q IATF 16949 certification without automotive products in "production" IATF 16949 - Automotive Quality Systems Standard 5
J UDI Requirements - Products that all fall under the same family 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
M Informational EU – Medicinal products and medical devices: Coordinated approach in case of a withdrawal of the United Kingdom from the Union without a deal Medical Device and FDA Regulations and Standards News 0
B How to assess which directives and standards apply - Brewing and distilling products CE Marking (Conformité Européene) / CB Scheme 1
M Informational USFDA – Radiological Health Regulations; Amendments to Records and Reports for Radiation Emitting Electronic Products; Amendments to Performance Stand Medical Device and FDA Regulations and Standards News 0
K PFMEA (Process FMEA) - Can be common for 3000 products? FMEA and Control Plans 2
A Definition of "Sensitive Products" Clause 8.5.4 (c) in AS9100 Rev. D AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 4
Similar threads


















































Top Bottom