ISO 14971:2019 vs MDR Annex 1, Requirement #4 - "Manufacturers shall inform users of any residual risks"

[DamienL]

Hi. Our organisation uses FMEAs for evalulaton and control of risks. It works something like this, which I hope is similar to the way some of you might also do it. Firstly, we would identity Risk control measures to reduce the risk associated with a particular hazard. After implementation, we would then re-evaluate the risk (i.e., re-score it) and then determine whether this "residual risk" is considered acceptable or not. If acceptable, then we would be done and dusted --> move on to the next hazard.

So firstly, I want to get thoughts as to whether that sounds about right to any other folks using FMEA? Secondly, and the point of this post, is what then are we supposed to do about MDR Annex 1, Requirement #4 - "Manufacturers shall inform users of any residual risks". Like it or not, our FMEAs are often full of every possible, hypothetical risk we can think of - are we really supposed to discuss each one in the labelling? Sometimes the risk to start with is so low that we wouldn't even implement additional risk control measures. In this case, section 6 of 14971:2019 says to treat this initial risk estimate as the "Residual Risk". So every hazard that is risk assessed in the FMEA ends up with a "residual risk" estimate. And we could have a hundred of these (in a bad FMEA).

14971 says that "the manufacturer shall inform users of significant residual risks" which makes total sense, but that's not what the MDR is saying. I'm obviously missing something here so any direction would be appreciated.

PS - I know some may feel that FMEA is the root of many a problem, but it's what we've been using for ever and won't be switching. Old dogs, etc.

Thanks, Damien

 

[v9991]

hope you considered the interim step wrt Benefit-Risk analysis.,

"(81) Any statistically significant increase in the number or severity of incidents that are not serious or in expected side-effects that could have a significant impact on the benefit-risk analysis and which could lead to unacceptable risks should be reported to the competent authorities in order to permit their assessment and the adoption of appropriate measures. "

https://www.medical-device-regulation.eu/wp-content/uploads/2019/05/CELEX_32017R0745_EN_TXT.pdf

and integrating each of the remaining risks after benefit-risk analysis; to be mapped against each of the constituent element of labelling.

CHAPTER III REQUIREMENTS REGARDING THE INFORMATION SUPPLIED WITH THE DEVICE
23. Label and instructions for use
23.1. General requirements regarding the information supplied by the manufacturer
23.2. Information on the label
23.3. Information on the packaging which maintains the sterile condition of a device (‘sterile packaging’)

https://www.medical-device-regulation.eu/wp-content/uploads/2019/05/CELEX_32017R0745_EN_TXT.pdf


Further, in the context of ISO 14971, "Annexure J , J.3 Disclosure of residual risk(s)" provides certain guidance.

note :- I am new to device regulation, and my post is more of an conversation, than experience or expertize.

 

[mihzago]

@DamienL I had the same question a few months ago, which I posed here and on RAPS forum; never got an answer, and frankly I still don't know.

As you noticed, the MDR states that "Manufacturers shall inform users of any residual risks" whereas ISO 14971:2019 mentions significant residual risks, which is more practical and reasonable. I hope that everyone, including the NBs are conveniently ignoring the "any residual risk" requirement.

 

[ThatSinc]

I don't see how it can be considered feasible to notify the users of all residual risk - where even basic devices can have multiple risks and, by definition, once control measures are taken whatever is left is residual risk.
It will essentially require all devices to have literature provided.

I appreciate that 14971 is a global standard, and is not meant to directly align with any given regulation, but there are a number of concepts between the MDR and 14971 that I feel that there will still have to be a number content deviations if 14971 is to be harmonised.

 

[indubioush]

PS - I know some may feel that FMEA is the root of many a problem, but it's what we've been using for ever and won't be switching. Old dogs, etc.

Perhaps you have been told this before, but FMEAs alone will not ensure compliance to ISO 14971 unless you are doing modified FMEAs in which you account for risks that could happen without a "fault condition."

I think it is apparent that the MDR has a lot of issues with confusing wording. I would argue that ISO 14971:2019 is considered state of the art. I think it would be reasonable for you to make a statement in your risk management report that residual risks below a certain level will not be disclosed to the end user. However, you may want to take a second look at the way you are writing up these residual risks. You may be able to combine them in to a smaller list of potential harms. It is the residual risk you need to disclose, not all of the potential hazardous situations.

 

[ThatSinc]

statement in your risk management report that residual risks below a certain level will not be disclosed to the end user

I have incorporated this into my risk acceptability criteria.

Where under the MDD and MDR any risk must be reduced, and be weighed against the benefits before being considered acceptable, the risk acceptability criteria become somewhat redundant

The acceptability matrix includes 4 regions from negligible to critical, including consideration for control measures in accordance with harmonised standards, and that the risk will be considered acceptable if further control measures would introduce new risks etc, and the requirement for the top two tiers that residual risk must be disclosed.