Risk Acceptance - Consequence Matrix

netseal

#1
Hello Forum,

I have done Risk management for a medical device here in Germany with the definition
of Risk acceptance Matrix shown below.

In accordance with 14971 I can define the ALARP (yellow) by myself. It depends on
the device and what makes sense. What restrictions (soft and hard) are there in general?

greetings
Florian Hillen
 

#2
Hi Florian,

For the less linguistically gifted amongst us, could you translate the headings from your matrix so that we can understand better?
 
#4
As you suggest the Implications of the Determined Risk are for the manufacturer to set, and consequently to justify.

On a three level scale you may, perhaps, use something like:

Green - Insignificant risk; no further mitigation is required. (**but see below)

Amber - Undesirable risk; Risk is acceptable only if it cannot be reduced by controls that do not reduce the clinical benefit of the device.

Red - Unacceptable risk; Risk must be reduced.

That is similar to the definitions and concepts that we have been using successfully for some time now. But it is always better to develop your own levels and process. As an example, we went from 5 probability levels down to 4 as we really had no way, other than guesswork, to separate out probabilities caused by component failure.

Similarly, we went from 3 levels of severity to 4, which helped keep a rare but serious risk down to a sensible level. (We always find that the determined risk of service personnel getting a mains shock is one of our highest remaining risks. It is always going to be potentially serious if rare).


**A caution about using a phrase like "no further mitigation required". Some auditors or reviewers may say that that is not acceptable because of the Content Deviations brought in by Annex ZA of the EN 2012 version of 14971. See Content deviations 1, 2 and 3 and the discussions on that topic in these forums and elsewhere.
 

Wes Bucey

Quite Involved in Discussions
#5
Risk and FMEA (Failure Mode & Effects Analysis) are two sides of the same coin - we attempt to quantify or rank the things that could go wrong by how frequently they "might" occur and then rank them again by how horrible the outcome if a product with that defect reaches the user/consumer.

All the effort is expended at eliminating the opportunities for the horrible outcomes to reach an end user. Sometimes, the mitigation is put in the hands of the end user/consumer with a label warning "don't use this product if the protective seal is broken or missing!"

Most often, though, the effort to eliminate or "mitigate" defective products reaching end users is concentrated on prevention during production rather than by detection after production. Given that concept, what happens AFTER the risk level is defined is much more crucial than who defines it. Do the mitigation and elimination processes actually keep defective product from harming end users?
 

Ronen E

Problem Solver
Staff member
Moderator
#6
On medical devices, a great deal of the risk management activity is focused on user / patient risks that exist without any defect. Some are inherent to the intended use and some stem from poor usability (i.e. higher susceptibility to misuse).
 

Ronen E

Problem Solver
Staff member
Moderator
#7
Hello Florian,

I'm going to assume that you place your devices on the EC market.

The ALARP concept was practically scrapped by the Z annexes of EN ISO 14971:2012, which is the applicable standard (rather than ISO 14971:2007). You must continue to reduce risks as long as this is possible, regardless of economical considerations. This is what the content deviations actually mean.

:(
Ronen.
 

TWA - not the airline

Trusted Information Resource
#8
There are a lot of threads in the Cove regarding the new annexes in EN ISO 14971:2012 and I strongly recommend reading them all (it really helped me a lot!). ALARP is practically dead even though the directive itself only requires you to be state of the art and in the preamble also mentions economic considerations when talking about that requirement. I haven't heard about any NB who still accepts this approach. You might try something like "as low as technically feasible", thus just leaving out the economic considerations but still having a cut-off based on the wording of the directive. That way you could kill the obviously absurd (like 100% destructive testing) and maybe more, depending on your NB. You probably should talk to your NB and discuss this. And in that case do not make the same mistake that I did: Do not ask what or how you should do it (you won't get a useful answer), but rather have a proposal and ask if that would be acceptable...
 
netseal

#9
Thanks for all your answers. I see that for a simple thing there is no simple answer.
If I talk to my NB if they accept this or that, they tell me only that they are not allowed to advise us.

Florian Hillen
 

TWA - not the airline

Trusted Information Resource
#10
"If I talk to my NB if they accept this or that, they tell me only that they are not allowed to advise us."
This is technically true; however, as you hire and pay your NB for their services, a lot of them show a little flexibility. It really does not make any sense for them to refuse to assess the acceptability of your proposals and later on during the audits hit you with a non-conformance that could have been avoided. Of course this can also depend on who you talk to and how you phrase things. Maybe this is something to ask your auditor informally over lunch rather than phoning some guy/gal at the HQ.

And remember: If your NB is too inflexible and you are not satisfied with their services then maybe it is a good idea to have someone of your top management tell them about it...
 