ISO 14971-2019 doubt - Evaluate if estimated risks are acceptable

Teyla

Posts Moderated
Hi everyone!
I hope someone can help me with this... :rolleyes:
The new ISO 14971-2019 in 6. Risk evaluation states that if manufacturer evaluate if estimated risks are acceptable. These that are, are treated as residual risk and risk control is not required to be applied.
My question is - that is it? There is a risk and that's OK?
 

dubrizo

Involved In Discussions
Yes, there is almost always residual risk. It's incumbent upon the manufacturer to identify, evaluate and reduce risk to acceptable levels; typically done and recorded via FMEA. Residual risk is essentially your accepted/acceptable risk.

I'm sure others will expound on what I've said, but I wanted to provide a direct answer.
 

Ronen E

Problem Solver
Moderator
typically done and recorded via FMEA.
Actually FMEA is not the best tool for an ISO 14971-style risk assessment. It's acceptable, but it's not ideal. I won't elaborate here because we've already had many, lengthy discussions about that at Elsmar.
 
Last edited:
The new ISO 14971-2019 in 6. Risk evaluation states that if manufacturer evaluate if estimated risks are acceptable. These that are, are treated as residual risk and risk control is not required to be applied.
My question is - that is it? There is a risk and that's OK?
Yes. If a particular hazardous situation has an acceptable level of risk, it is treated as a "residual risk." You then evaluate the overall residual risk taking into account each residual risk.

However, if your device's intended market includes Europe, go read the MDR and annexes in the EU 2012 version of ISO 14971.
 

big boss

Starting to get Involved
dear All
I am working on risk management plan according to 2019 edition
and need help to understand the requirement clearly
1-the scope of the planned risk management activities, identifying and describing the medical device and the life cycle phases for which each element of the plan is applicable
* for this point i highlight the product description /intended purpose and highlight the product life cycle (design /product realization / post-production )
2- assignment of responsibilities and authorities;
* for this point we provide a list of the team member,role and duties and of course cross-reference their competence
3-requirements for review of risk management activities;
* indeed i don't clearly understand this point, (however in old edition its written how and when these review activities did) ,
4-criteria for risk acceptability, based on the manufacturer’s policy for determining acceptable
* this point clear for me to determine the Accebptiblity level
5-a method to evaluate the overall residual risk, and criteria for acceptability of the overall residual
* in this point i don't understand if we need to create another acceptability level for residual risk ???
Also if based on the estimated Probability & severity the risk is acceptable so result considers a residual risk ??
6-activities for verification of the implementation and effectiveness of risk control measures;
* as per my understanding verification of implementation may through
  • Compliance to applicable standards and guidelines
  • Clinical evaluation data
  • Comparison with predicate devices
  • Instruction for use of predicate devices
  • Suppliers information
  • Bench-Top tests.
  • Inspection
  • Validation activities and Expert opinion
  • 7-activities related to collection and review of relevant production and post-production information.for
  • for this point below information could be used
  • Data from production and post market surveillance include the following:
  • Customer complaint
  • Customer feedback
  • Clinical evaluation data
  • Nonconformities
  • so can any one help to execute good plan
 

Tidge

Trusted Information Resource
I'll try to tackle just one point:
3-requirements for review of risk management activities;
* indeed i don't clearly understand this point, (however in old edition its written how and when these review activities did) ,

This part of the RM Plan is to establish the requirements for RM activities up front for a couple of different reasons:
  1. It avoids having a completely ad hoc approach to RM.
  2. It allows effective remediation should some element of the RM activities be defective.
Here is some (hopefully) practical advice:

RM Plans are different than RM Procedures (or Policies). RM plans should be focused on the device (or family of devices). The RM Plan should identify the specific files that are identified as containing the RM information. Most companies have a dedicated document suite for this purposes.

During development you will likely only need certain RM activities done at certain points of the development. For example, you might want to plan a review of (design) RM files prior to design verification to check the allocation of design outputs to design input requirements. Another example may be delaying development of things like process FMEA until establishing manufacturing methods. In any case, prior to marketing the device you ought to require (i.e. plan) a review of complete RM files.

For the actual 'requirements' of the review, the most solid pre-market question to answer is if the RM file content is that all risks are acceptable (and that any potentially unacceptable risks be disclosed). I want to tread lightly here because of NB-enforced concepts of 'as low as possible' and detailed risk-benefit analyses for every identified risk.. the broader point is the manufacturer establishes (by policy) what is acceptable and that the RM plan reinforces it. The RM Plan would also ideally call out the responsible parties for making the assessment.

A RM Plan is also where you can establish the data sources to be reviewed (at specified intervals) once the device is on the market. Data sources typically include complaints and CA/PA databases.

The Plan is what you are committing to, so don't inflate the plan with non-value added activities.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
ISO 14971 Section 4.1 Risk Management Process requires you to C) Control risks. How you control it is in the form of a Risk Management Plan (4.4)

Risk acceptability is a policy from your company, even if you cannot estimate the occurrence chance. Residual Risk is allowed based upon your own policies.


An FMEA may be more practical for a discrete operation rather than an encompassing product lifecycle. An FMEA may be part of a risk management plan, however.
 

InSituTech

Registered
How would one go about putting together a risk management policy?
What expectations are there to have in the policy?
 

adir88

Involved In Discussions
How would one go about putting together a risk management policy?
What expectations are there to have in the policy?

ISO/TR 24971 has an entire annex dedicated to this topic. I think the information in there is very helpful. You should take a look.
 
Top Bottom