A lot of people ask me this, and, although it's too dependent on each manufacturer, I think some guidelines might help (this is really not easy, so one of the questions being answered in the new guidance to ISO 14971 (draft ISO 24971) is about how to create this policy).
Anyway, what the standard wants is that you as the manufacturer take into consideration all the relevant information, state of the art, known risk control measures and user needs and create a policy based on that.
Please note that this policy is the MAIN driver for all safety-related issues in the risk management framework of ISO 14971. It's what helps you define whether your device is safe or not. This is in fact a very important BUSINESS decision, because it could impact a lot of things, from the regulatory aspect to the perception of your product by the stakeholders.
As a generic (exaggerated) example I cite in courses I give, I say that, when X-rays were discovered, it was OK that medical X-ray equipment killed 50 % of its users, because there were no clear risk controls and it would still be better than death.
On the other hand, now that we have developed better risk controls (see standards and regulations) and there are also some other treatment options, the user perception (user including all stakeholders) has changed and does not accept this kind of mortality anymore.
So your policy has to reflect all this.
Please note that possible occurrences per use or anything like that are only one aspect of the policy; there's a lot more.
Also remember that the policy is for you to determine the risk acceptability criteria for each device you have. Some people confuse this and think that it's THE risk acceptability criteria. It's not, it's only a policy, and as a policy, its objective is to guide you when defining the risk acceptability criteria of each of your devices.
A generic example of part of a policy related to the rationale I cited above is:
- Our devices cannot have occurrences leading to death (or serious adverse event, or something like that) in more than 0,01 % of their uses (this requires that, for each device, when you are defining the risk acceptability criteria, you take into consideration that anything beyond this number is unacceptable)
- Our devices will follow the risk control measures detailed in all applicable standards and, when risk control options are not defined in standards, we will implement risk control options which reflect the current practice and current perceptions of all the involved stakeholders, including any which come from regulatory expectations (this in practice means that, when defining the risk acceptability criteria for each device, you will need to consult stakeholders to define what they expect as state-of-the-art risk control measures)
- Our devices will always have a safety level comparable to, and if possible better than, other diagnostic/treatment solutions in the market (this means that your risk/benefit analysis always has to be based on the other treatments' safety levels, not the ones you internally define)
And it goes on.
Maybe I will try and create some model example for this in the future, but as you might have noticed, even a simple example is not that simple.