Is risk acceptability really needed if all risks must be reduced as far as possible?

#1
Hello! :bigwave:
I'm revising a risk procedure based on ISO 14971 for my company (an SME selling mainly class I (some class IIa) pressure relieving devices).

I want to pull in the requirements of the MDD 93/42/EEC as there are some deviations as per annex ZA of ISO 14971 and I'm stuck on risk acceptability....

Do I have to include a quantitative measure for determining risk acceptability (i.e. risk acceptability table) when it is a requirement of the MDD that all risks be reduced as far as possible, using cumulative risk control measures if needs be? It seems like this is additional work that isn't necessary when each risk must be reviewed individually to assess its medical benefit.

Would we still be compliant with ISO 14971 if I omitted risk acceptability criteria from the procedure?

Any help you can provide will be greatly appreciated, thank you! :)
 

Marcelo

Inactive Registered Visitor
#2
I think you are confusing some concepts. First, risk acceptability criteria are always required, otherwise you cannot decide if the risk is acceptable or not.

Second, a risk matrix is not a risk acceptability criterion. A risk matrix is, at most, a risk ranking tool that people usually use to decide which risk to prioritize based on limited resources.

You are right in that, using the EN deviations, a risk matrix may not be necessary anymore, because you do not need to prioritize, you have to tackle all risks.

But you still need the risk acceptability criteria to decide if the risks are acceptable or not.
 
#3
Thanks for your reply!

..so do you mean to decide if the risk is acceptable in terms of the medical benefit outweighing the residual risk? Sorry if this is a stupid question! :)
 
#4
I mean to say could it not be stated in our risk management policy that the basis for risk acceptability will depend solely upon the clinical risk/benefit analysis?
 

Marcelo

Inactive Registered Visitor
#5
> Thanks for your reply!
>
> ..so do you mean to decide if the risk is acceptable in terms of the medical benefit outweighing the residual risk? Sorry if this is a stupid question! :)

It's not a stupid question, it comes from the historical "bad" use of the risk matrix.

And no, it's not related to the benefit.

The problem is how you define your criteria for acceptability. The thing is, risk acceptability is not related only to severity and probability of harm, which is the definition of risk. It has to take into consideration other things (the current ISO 14971 mentions "criteria are based upon applicable national or regional regulations and relevant International Standards, and take into account available information such as the generally accepted state of the art and known stakeholder concerns" and we are expanding this in the revision).

One generic example of criteria (this is a step-by-step I created to show as an example during the revision of ISO 14971, but as it won't be used in the text, I think it would be interesting to have it here as an example. Also, the example is not quite correct in some parts, but I'm trying to show the concept here):

1 - Determine the need to establish risk criteria. What risk decisions will be aided by the criteria?
Risk criteria will be used to show that risks related to medical device X are acceptable. The criteria will aid in the decision of:
- When identified and reasonably foreseeable individual risks related to the medical device are to be considered acceptable
- When the aggregate risks related to the medical device are to be considered acceptable

2 - Determine the risks to be addressed (Risk to what?)
Risk of harm to patients, user and, where applicable, other persons

3 - Determine/classify the populations to be addressed
Individual patients, user, or other persons. The device is not expected to cause harm to groups of persons at a time.

4 - Determine which risk criteria to develop.
Individual, societal, or other type of risk?
Will there be a criterion defining de minimis risk?
Individual risk - the risk to a person in the vicinity of a hazard. In particular, the individual risk type to be used will be the maximum individual risk (the individual risk to the person(s) exposed to the highest risk in an exposed population), for patient……because blahblahblah.

There won't be a de minimis criterion.

5 - Determine philosophy for continuing risk reduction (e.g., ALARP, ALARA, AFAP)
ALARP will be used as philosophy for risk reduction.

6 - Develop individual risk criteria (based on policy)
See below

Example: Develop individual risk criteria (based on policy)
1 - Identify possible criteria or basis of criteria in applicable regulatory requirements
Applicable regulations require that risks are acceptable when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety. There are no different or contradicting expectations in the applicable regulations.

2 - Identify possible criteria or basis of criteria in applicable international standards
Device has applicable international safety product standard that can be used as basis (ISO XXX or IECXXX). Other applicable standards exist that can be used as basis for criteria for different aspects of device risks (example, biocompatibility)

3 - Identify state-of-the-art regarding intended use of device, including medical alternatives
There are several similar devices in the market. Alternative treatment (example drug, manual, etc.) is considered safer but slow in recovery time when compared to devices (and for XXX reason it's important to have a quicker recovery time)

4 - Identify known stakeholder concerns, including public perception of risk
Patients tend to think that risks related to the device are commonplace (the same risk as being punctured by a needle), and also are more willing to tolerate risks if treatment has quicker recovery time than current treatments
Users generally think that the device does pose risks, but are more willing to accept them if protective equipment is required to be used with the device so as to diminish involuntary risk.

5 - Identify probability /severity criteria
The following criteria are to be used as a basis, and shall take into consideration the additional criteria mentioned below

See attached image.

Maximum individual risk to patients (fatality/year): 10^-3

6 - Identify additional criteria
Risks shall be reduced wherever practicable. This includes cases in which, even if the risk is already deemed acceptable by the criteria, the cost to include the additional risk control is considered so low as to be essentially free.
Further development should not pose any incremental risk.
No single failures/errors should lead to an accident.
Device shall comply with requirements from international standards X, Y, Z. Unless an evaluation shows otherwise, compliance with those standards shall be used as argument to consider the risk as reduced to an acceptable level (ALARP good practice argument).
Risks to patients can be considered ALARP if:
- there's a good practice argument which demonstrates that risk control measures comply with relevant good practice and similar solutions in similar devices. This situation can be accepted by the authority of design engineers.
- there's a qualitative first principles argument based on common sense or professional judgment that weighs possible risk reduction against the gain in recovery time. This situation can be accepted only by the authority of the device design project leader and risk management leader.
- there's a quantitative first principles argument based on a Cost Benefit Analysis (CBA) that weighs possible risk reduction against the gain in recovery time (this case would only be required if individual risk is more than 10^-4). This situation can be accepted only by the authority of the device design project leader and risk management leader, and top management.
A risk to the user may be acceptable if it can be justified that the use of protective equipment which is required to be present will reduce the individual risk to less than 10^-3
Risks more than 10^-4 can only be accepted if a risk-benefit analysis shows that the total benefits of the device outweigh the aggregate risk profile. This situation can only be accepted by top management.
 


#7
This is great thank you! It will take me some time to digest this..

Thank you for taking the time to help me with this matter, it's greatly appreciated! :)
 