
Is risk acceptability really needed if all risks must be reduced as far as possible?

#1
Hello! :bigwave:
I'm revising a risk procedure based on ISO 14971 for my company (an SME selling mainly class I (some class IIa) pressure relieving devices).

I want to pull in the requirements of the MDD 93/42/EEC as there are some deviations as per annex ZA of ISO 14971 and I'm stuck on risk acceptability....

Do I have to include a quantitative measure for determining risk acceptability (i.e. a risk acceptability table) when it is a requirement of the MDD that all risks be reduced as far as possible, using cumulative risk control measures if need be? It seems like this is additional work that isn't necessary when each risk must be reviewed individually to assess its medical benefit?

Would we still be compliant with ISO 14971 if I omitted risk acceptability criteria from the procedure?

Any help you can provide will be greatly appreciated, thank you! :)

Marcelo

Inactive Registered Visitor
#2
I think you are confusing some concepts. First, risk acceptability criteria are always required, otherwise you cannot decide if the risk is acceptable or not.

Second, a risk matrix is not a risk acceptability criterion. A risk matrix is, at most, a risk ranking tool, which people usually use to decide which risk to prioritize based on limited resources.

You are right in that, using the EN deviations, a risk matrix may not be necessary anymore, because you do not need to prioritize, you have to tackle all risks.

But you still need the risk acceptability criteria to decide if the risks are acceptable or not.
 
#3
Thanks for your reply!

..so do you mean to decide if the risk is acceptable in terms of the medical benefit outweighing the residual risk? Sorry if this is a stupid question! :)
 
#4
I mean to say could it not be stated in our risk management policy that the basis for risk acceptability will depend solely upon the clinical risk/benefit analysis?
 

Marcelo

Inactive Registered Visitor
#5
Thanks for your reply!

..so do you mean to decide if the risk is acceptable in terms of the medical benefit outweighing the residual risk? Sorry if this is a stupid question! :)
It's not a stupid question, it comes from the historical "bad" use of the risk matrix.

And no, it's not related to the benefit.

The problem is how you define your criteria for acceptability. The thing is, risk acceptability is not related only to severity and probability of harm, which is the definition of risk. It has to take into consideration other things (the current ISO 14971 mentions "criteria are based upon applicable national or regional regulations and relevant International Standards, and take into account available information such as the generally accepted state of the art and known stakeholder concerns" and we are expanding this in the revision).

One generic example of criteria (this is a step-by-step I created to show as an example during the revision of ISO 14971, but as it won't be used in the text, I think it would be interesting to have it here as an example. Also, the example is not quite correct in some parts, but I'm trying to show the concept here):

1 - Determine the need to establish risk criteria. What risk decisions will be aided by the criteria?
Risk criteria will be used to show that risks related to medical device X are acceptable. The criteria will aid in the decision of:
- When identified and reasonably foreseeable individual risks related to the medical device are to be considered acceptable
- When the aggregate risks related to the medical device are to be considered acceptable

2 - Determine the risks to be addressed (Risk to what ?)
Risk of harm to patients, users and, where applicable, other persons

3 - Determine/classify the populations to be addressed
Individual patients, users, or other persons. The device is not expected to cause harm to groups of persons at a time.

4 - Determine which risk criteria to develop.
Individual, societal, or other type of risk?
Will there be a criterion defining de minimis risk?
Individual risk - the risk to a person in the vicinity of a hazard. In particular, the individual risk type to be used will be the maximum individual risk (the individual risk to the person(s) exposed to the highest risk in an exposed population), for patient……because blahblahblah.

There won't be a de minimis criterion.

5 - Determine philosophy for continuing risk reduction (e.g., ALARP, ALARA, AFAP)
ALARP will be used as the philosophy for risk reduction.

6 - Develop individual risk criteria (based on policy)
See below

Example Develop individual risk criteria (based on policy)
1 - Identify possible criteria or basis of criteria in applicable regulatory requirements
Applicable regulations require that risks are acceptable when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety. There are no different or contradicting expectations in the applicable regulations.

2 - Identify possible criteria or basis of criteria in applicable international standards
The device has an applicable international product safety standard that can be used as a basis (ISO XXX or IEC XXX). Other applicable standards exist that can be used as a basis for criteria for different aspects of device risk (for example, biocompatibility).

3 - Identify state-of-the-art regarding intended use of device, including medical alternatives
There are several similar devices on the market. The alternative treatment (for example drug, manual, etc.) is considered safer but slower in recovery time when compared to devices (and for XXX reason it's important to have a quicker recovery time).

4 - Identify known stakeholder concerns, including public perception of risk
Patients tend to think that risks related to the device are commonplace (the same risk as being punctured by a needle), and are also more willing to tolerate risks if the treatment has a quicker recovery time than current treatments.
Users generally think that the device does pose risks, but are more willing to accept them if protective equipment is required to be used with the device so as to diminish involuntary risk.

5 - Identify probability /severity criteria
The following criteria are to be used as a basis, and shall take into consideration the additional criteria mentioned below.

See attached image.

Maximum individual risk to patients (fatality/year): 10^-3

6 - Identify additional criteria
Risks shall be reduced wherever practicable. This includes cases in which, even if the risk is already deemed acceptable by the criteria, the cost to include the additional risk control is considered so low as to be essentially free.
Further development should not pose any incremental risk.
No single failures/errors should lead to an accident.
The device shall comply with requirements from international standards X, Y, Z. Unless an evaluation shows otherwise, compliance with those standards shall be used as an argument to consider the risk as reduced to an acceptable level (ALARP good practice argument).
Risks to patients can be considered ALARP if:
- there's a good practice argument which demonstrates that risk control measures comply with relevant good practice and similar solutions in similar devices. This situation can be accepted by the authority of design engineers.
- there's a qualitative first principles argument based on common sense or professional judgment that weighs possible risk reduction against the gain in recovery time. This situation can be accepted only by the authority of the device design project leader and risk management leader.
- there's a quantitative first principles argument based on a Cost Benefit Analysis (CBA) that weighs possible risk reduction against the gain in recovery time (this case would only be required if individual risk is more than 10^-4). This situation can be accepted only by the authority of the device design project leader and risk management leader, and top management.
A risk to the user may be acceptable if it can be justified that the use of protective equipment which is required to be present will reduce the individual risk to less than 10^-3.
Risks of more than 10^-4 can only be accepted if a risk-benefit analysis shows that the total benefits of the device outweigh the aggregate risk profile. This situation can only be accepted by top management.

#7
This is great, thank you! It will take me some time to digest this..

Thank you for taking the time to help me with this matter, it's greatly appreciated! :)