Is risk acceptability really needed if all risks must be reduced as far as possible?

#1
Hello! :bigwave:
I'm revising a risk procedure based on ISO 14971 for my company (an SME selling mainly class I (some class IIa) pressure relieving devices).

I want to pull in the requirements of the MDD 93/42/EEC as there are some deviations as per annex ZA of ISO 14971 and I'm stuck on risk acceptability....

Do I have to include a quantitative measure for determining risk acceptability (i.e. risk acceptability table) when it is a requirement of the MDD that all risks be reduced as far as possible, using cumulative risk control measures if needs be? It seems like this is additional work that isn't necessary when each risk must be reviewed individually to assess its medical benefit?

Would we still be compliant with ISO 14971 if I omitted risk acceptability criteria from the procedure?

Any help you can provide will be greatly appreciated, thank you! :)
 

Marcelo

Inactive Registered Visitor
#2
I think you are confusing some concepts. First, risk acceptability criteria is always required, otherwise you cannot decide if the risk is acceptable or not.

Second, a risk matrix is not a risk acceptability criteria. A risk matrix is, at most, a risk ranking tool that people usually use to decide which risk to prioritize based on limited resources.

You are right in that, using the EN deviations, a risk matrix may not be necessary anymore, because you do not need to prioritize, you have to tackle all risks.

But you still need the risk acceptability criteria to decide if the risks are acceptable or not.
 
#3
Thanks for your reply!

..so do you mean to decide if the risk is acceptable in terms of the medical benefit outweighing the residual risk? Sorry if this is a stupid question! :)
 
#4
I mean to say could it not be stated in our risk management policy that the basis for risk acceptability will depend solely upon the clinical risk/benefit analysis?
 

Marcelo

Inactive Registered Visitor
#5
Thanks for your reply!

..so do you mean to decide if the risk is acceptable in terms of the medical benefit outweighing the residual risk? Sorry if this is a stupid question! :)
It's not a stupid question, it comes from the historical "bad" use of the risk matrix.

And no, it's not related to the benefit.

The problem is how you define your criteria for acceptability. The thing is, risk acceptability is not related only to severity and probability of harm, which is the definition of risk. It has to take into consideration other things (the current ISO 14971 mentions "criteria are based upon applicable national or regional regulations and relevant International Standards, and take into account available information such as the generally accepted state of the art and known stakeholder concerns" and we are expanding this in the revision).

One generic example of criteria (this is a step-by-step I created to show as an example during the revision of ISO 14971, but as it won't be used in the text, I think it would be interesting to have it here as an example. Also, the example is not quite correct in some parts, but I'm trying to show the concept here):

1 - Determine the need to establish risk criteria. What risk decisions will be aided by the criteria?
Risk criteria will be used to show that risks related to medical device X are acceptable. The criteria will aid in the decision of:
- When identified and reasonably foreseeable individual risks related to the medical device are to be considered acceptable
- When the aggregate risks related to the medical device are to be considered acceptable

2 - Determine the risks to be addressed (Risk to what ?)
Risk of harm to patients, user and, where applicable, other persons

3 - Determine/classify the populations to be addressed
Individual patients, user, or other persons. The device is not expected to cause harm to groups of persons at a time.

4 - Determine which risk criteria to develop.
Individual, societal, or other type of risk?
Will there be a criterion defining de minimis risk?
Individual risk - the risk to a person in the vicinity of a hazard. In particular, the individual risk type to be used will be the maximum individual risk (the individual risk to the person(s) exposed to the highest risk in an exposed population), for patient……because blahblahblah.

There won't be a de minimis criteria.

5 - Determine philosophy for continuing risk reduction (e.g., ALARP, ALARA, AFAP)
ALARP will be used as philosophy for risk reduction.

6 - Develop individual risk criteria (based on policy)
See below

Example Develop individual risk criteria (based on policy)
1 - Identify possible criteria or basis of criteria in applicable regulatory requirements
Applicable regulations require that risks are acceptable when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety. There's no different or contradicting expectations in the applicable regulations.

2- Identify possible criteria or basis of criteria in applicable international standards
Device has applicable international safety product standard that can be used as basis (ISO XXX or IEC XXX). Other applicable standards exist that can be used as basis for criteria for different aspects of device risks (example, biocompatibility).

3 - Identify state-of-the-art regarding intended use of device, including medical alternatives
There's several similar devices in the market. Alternative treatment (example drug, manual, etc.) is considered safer but slow in recovery time when compared to devices (and for XXX reason it's important to have a quicker recovery time).

4 - Identify known stakeholder concerns, including public perception of risk
Patients tend to think that risks related to the device are commonplace (the same risk as being punctured by a needle), and also are more willing to tolerate risks if treatment has quicker recovery time than current treatments.
Users generally think that devices do pose risks, but are more willing to accept it if protective equipment is required to be used with device so as to diminish involuntary risk.

5 - Identify probability /severity criteria
The following criteria is to be used as a basis, and shall take into consideration the additional criteria mentioned below

See attached image.

Maximum individual risk to patients (fatality/year): 10⁻³

6 - Identify additional criteria
Risks shall be reduced wherever practicable. This includes cases in which, even if the risk is already deemed acceptable by the criteria, the cost to include the additional risk control is considered so low as to be essentially free.
Further development should not pose any incremental risk.
No single failures/errors should lead to an accident.
Device shall comply with requirements from international standards X, Y, Z. Unless an evaluation shows otherwise, compliance with those standards shall be used as argument to consider the risk as reduced to an acceptable level (ALARP good practice argument).
Risks to patients that can be considered ALARP if:
- there's a good practice argument which demonstrates that risk control measures comply with relevant good practice and similar solutions in similar devices. This situation can be accepted by the authority of design engineers.
- there's a qualitative first principles argument based on common sense or professional judgment that weighs possible risk reduction against the gain in recovery time. This situation can be accepted only by the authority of the device design project leader and risk management leader.
- there's a quantitative first principles argument based on a Cost Benefit Analysis (CBA) that weighs possible risk reduction against the gain in recovery time (this case would only be required if individual risk is more than 10⁻⁴). This situation can be accepted only by the authority of the device design project leader and risk management leader, and top management.
A risk to the user may be acceptable if it can be justified that the use of a protective equipment which is required to be present will reduce the individual risk to less than 10⁻³.
Risks more than 10⁻⁴ can only be accepted if a risk-benefit analysis shows that the total benefits of the device outweigh the aggregate risk profile. This situation can only be accepted by top management.
 


#7
This is great thank you! It will take me some time to digest this..

Thank you for taking the time to help me with this matter, it's greatly appreciated! :)
 