
ISO 14971:2019: Criteria for overall residual risk

#1
Hi All

Per ISO 14971:2019, the manufacturer must document the method and criteria for overall residual risk evaluation in the risk management plan.

I am wondering if you have any idea what could be some possible method and criteria for overall residual risk evaluation.

I am slightly confused by the difference between method and criteria.

If I say my criteria is: "The overall residual risk level is acceptable if all individual risks are determined to be acceptable, i.e. after all individual risks have been mitigated to acceptable levels or determined to be acceptable through the BRA analysis."

Then is my method just : "checking all residual risks in my risk files and confirming all risks are acceptable"?

Thank you

Mithilesh P.
 

Tagin

Trusted Information Resource
#2
I would look at TR24971:2020 Guidance on the application of ISO 14971. Specifically, at Clause 8 - Evaluation of overall residual risk.

Your example above would not be acceptable, as they state in clause 8 (bold added):
The evaluation of overall residual risk is a challenging task that cannot be achieved by adding all individual risks numerically. The difficulty arises for the following reasons:
— Each probability of occurrence of harm is related to a different harm with different severity and can be related to different hazardous situations.
— Probabilities are often known with different degree of uncertainty. Some probabilities could be known precisely from either historical data or testing. Other probabilities might be known imprecisely such as estimates by expert judgment, or cannot be estimated such as the probability of a software failure.
— It is not possible to combine the severities of individual harms within the broad categories usually employed in risk analysis.
Furthermore, the criteria for acceptability of the overall residual risk can be different from the criteria for acceptability of individual risks. The criteria used to evaluate individual risks usually include limits for the probability of occurrence of harm with a particular severity. The criteria used to evaluate the overall residual risk are often based on additional elements, such as the benefits of the intended use of the medical device.
 

yodon

Staff member
Super Moderator
#3
The stars seem to be aligning here with FDA, EU, and 14971 (guidance) all kind of pointing to an analysis. FDA published a couple of guidance docs that give a pretty nice framework for doing your assessment:
We adapted the latter and have used it on several projects. Seems to be a solid approach. No pushback yet.
 

ThatSinc

Involved In Discussions
#4
Criteria for overall risk acceptability is, by its nature, a more broad review of the risks of the device.

You could look at
  • Number of risks that are mitigated by IFU alone
  • Number of hazards that a user might be exposed to by the same hazardous situation
  • Where all of the risks sit together, is it a "high risk" device in general or does it just have one or two high risks?

Taking an unlikely example: you could individually have 100 risks that have a 1 in a million chance of killing the patient, and each could be acceptable in its own right - but if you took a higher level view of the product, could you say that overall having that many opportunities is acceptable for the product?

Where 14971 only requires benefit-risk analysis for risks that are outside of your risk acceptability criteria, yet MDR etc. require a benefit risk for all risks, consider the overall risk evaluation part of a broad benefit-risk for the device.
 
#5
Does anyone mind sharing a Risk Analysis Matrix for Medical Devices and how to calculate the Residual Risk? Also, does someone use Residual Severity as part of the final Residual Risk calculation/acceptability? Any feedback would be very much appreciated. Thanks.
 
#6
Does anyone mind sharing a Risk Analysis Matrix for Medical Devices and how to calculate the Residual Risk? Also, does someone use Residual Severity as part of the final Residual Risk calculation/acceptability? Any feedback would be very much appreciated. Thanks.
Hi all, I'm also curious to have an example of risk analysis matrix and see how to calculate the residual risks
 

Tidge

Trusted Information Resource
#7
I cannot share specific risk analysis documents, but what I have most commonly seen done generally follows this path:

(1) A serious review of literature to examine the market, use cases (and user profiles), medical condition treated with the device and the history of the type of device.

This will serve as the basis for the method and criteria used later for individual products. This review is intended to provide information for such questions like "is the device used only by experts", "is the device used only in extreme circumstances", "is the treated medical condition life-threatening or non-life threatening."

(2) Executive Management uses the review to establish the risk matrix for the product family, independent of any specific devices. Different product families can have different risk matrices. For example: infusion pumps almost certainly have a different risk acceptability matrix than hospital beds. This is where the criteria are established.

Once executive management establishes the risk matrices (per product type)...

(3) Within the risk management plan for a specific device (or a family of specific devices, essentially 1-per-DHF), the method is to a) copy the established criteria directly from the policy established by executive management, and b) apply an established policy of documenting and reducing risks (presumably via a 14971-compliant process). That policy will also have been established by executive management.

I suppose that you could do all this in an ad hoc way, by trying to justify specific risk matrices within an individual product's Risk Management Plan and by coming up with some peculiar sort of different Risk Management processes for individual products (again, documented in the RM Plan), but I (personally) feel like such ad hoc approaches have too many risks (not just to patients and users!). Ad hoc approaches to risk management will often result in gaps (in the process, in the analysis, in the product) that will eventually be exposed at extremely inopportune times. Ad hoc approaches also lead to inconsistencies (between similar products) that can have serious consequences for patients/users (safety) as well as the manufacturer (legal, regulatory).
 
#8
I cannot share specific risk analysis documents, but what I have most commonly seen done generally follows this path:

(1) A serious review of literature to examine the market, use cases (and user profiles), medical condition treated with the device and the history of the type of device.

This will serve as the basis for the method and criteria used later for individual products. This review is intended to provide information for such questions like "is the device used only by experts", "is the device used only in extreme circumstances", "is the treated medical condition life-threatening or non-life threatening."

(2) Executive Management uses the review to establish the risk matrix for the product family, independent of any specific devices. Different product families can have different risk matrices. For example: infusion pumps almost certainly have a different risk acceptability matrix than hospital beds. This is where the criteria are established.
Hi, this is super helpful but I'm still struggling with the statement:

"Executive management uses the review to establish the risk matrix for the product family"

In my case, I'm trying to do just this - come up with a rational, justified set of criteria for risk acceptability for my company's device. I've hunted the internet high and low and have found a few statements like yours, i.e. that a review of literature, adverse event reports and so on can provide input into determining the acceptability of risk, but I'm completely flummoxed on how exactly. There's a difference (in my mind) between knowing the types of risks and their likelihoods based on objective data, and determining whether that combination of likelihood and severity is considered "acceptable". In my experience the literature doesn't tend to delve into the issue of acceptability!

Do you or anyone else have any tips on how to get from a body of data on the risks associated with a device when used according to your intended use, and the decision of acceptability of risk? I'm a bit stuck.

Thanks heaps!
 

Ed Panek

QA RA Small Med Dev Company
Staff member
Super Moderator
#9
First, there are design mitigations, then there are risk mitigations and the final score. If the final score is still too high, you need to perform a risk-benefit analysis on that item to demonstrate it's OK as a residual risk.
 

Tidge

Trusted Information Resource
#10
Do you or anyone else have any tips on how to get from a body of data on the risks associated with a device when used according to your intended use, and the decision of acceptability of risk? I'm a bit stuck.
Some potential guidelines:

The longer the type of device (and its underlying interaction with human physiology) has been in practice, then it is more typical that a family of similar products has less tolerance for risk. That is: more of the risk space is unacceptable.

If there are alternative treatment options to the underlying technology used for physiological interaction with the patient, a new family of products using the alternative approach to treatment should NOT accept risks at a higher rate than the competing technology. Nobody should let you market a fancy new hospital bed if it could electrically shock people or pinch them, no matter how many USB ports you include (for example).

If the medical outcomes are particularly poor in the absence of the device (or alternative treatments), then it is typical that the new product family will be more accepting of higher risks.

If the family of products will be used in limited circumstances with a well-understood group of users (because of the nature of the device) it is more typical that there is a tolerance for higher risks when compared to a medical device that could be used by almost anyone almost anywhere. Compare dental x-ray device with toothbrush. Both need to be safe, but there are acceptable risks with an X-ray machine that would never be accepted with a toothbrush.

At the very least, you can use the collected data to show that as far as risk tolerance you are aligned with, or better than what is on the market (or in medical use).
 