Risk Acceptance Criteria in ISO 14971

ariannas

#1
I need to take the lead in defining risk acceptability criteria for a new small business that is developing a Class I software-only medical device. They have a lot of expertise in their area but are not clinicians and they know even less about formal risk management than I do. :mg:

I've been studying ISO/TR 80002-1 in detail, I've worked through the GHTF's SG3/N15R8, and I've been digging through Elsmar as well. (Certain people have been getting a flurry of "thanks-es" on existing posts lately) :D So now I have at least a little understanding of the theory, but when it comes to putting this stuff into practice, this is my first go at it.

Given that back story, here is my question:
How much real-world guidance does ISO 14971 provide for establishing risk acceptability criteria beyond what is already in ISO/TR 80002?
If all that ISO 14971 says is that a) establishing risk acceptance criteria is critical, b) every manufacturer has to do it differently, and c) that it should be "state-of-the-art", I don't think I will want to spend the $300. But if it can give me some tools to achieve the goals above, I'm interested and willing to pony up.

Some caveats:

Based on what I have learned so far, I am going to have to go with a qualitative rather than quantitative approach. So if 14971's guidance for establishing risk acceptance criteria is more focused on the quantitative side of things, I'm not as interested in buying the standard.

In the short term, my goal is to come up with an approach that is practical for a small company and acceptable to the FDA. Full ISO is a dream for another day.

Thanks in advance!!!
 
sagai

Quite Involved in Discussions
#2
If you are up to EU legislation, bear in mind (EN ISO 14971:2012):
2. Discretionary power of manufacturers as to the acceptability of risks:
a) ISO 14971 seems to imply that manufacturers have the freedom to decide upon the threshold for risk acceptability and that only non-acceptable risks have to be integrated into the overall risk-benefit analysis.
b) However, Sections 1 and 6 of Annex I to Directive 90/385/EEC require that all risks have to be reduced as far as possible.
c) Accordingly, the manufacturer may not apply any criteria
About your question then:
How much real-world guidance does ISO 14971 provide for establishing risk acceptability criteria beyond what is already in ISO/TR 80002?
For me, none, and regardless of what it would provide, for the EU it is questioned; see above.

I’m not as interested in buying the standard.
Ohhh, that's surprising.
It is copyrighted material. So if you do not buy it, how would you know about its content to line up compliance in your QMS?

Full ISO is a dream for another day.
Well, that is interesting.
So, you would like to persuade the FDA that, although you do not care about ISO 14971, your method complies with the FD&C Act and with 21 CFR 820? Really?

Kind Regards

PS: my recollection about risk acceptability is that it is nonsense. Assessment carried out for risks by subjective decision, risk acceptability is also subjective, and then it would provide universally acceptable criteria.
One recent example to remember:
http://online.wsj.com/article/SB10001424127887324798904578529103419237828.html
What probability would we assign to the case of a body scanner detector falling onto the patient bed whilst he is examined? Incredible? Now a man has died.
 
#3
I would suggest that 14971 is so fundamental to the modern approach to medical device regulation that it has to be 'top of the shopping list'. I would go so far as to suggest it is more important than ISO 13485, a suggestion that may be a little controversial in these forums!

The informative annexes to 14971 are invaluable. They give many useful examples, and Annex D gives examples of risk acceptability criteria. It uses both qualitative and semi-quantitative methods.

And, just for information, 14971 is available direct from ISO for 196 Swiss francs - just over $200. There are, also, legitimate alternative sources. Best price (legitimate) I have found is less than 7 Euro! - so no excuses now.
 

sagai

Quite Involved in Discussions
#4
If they would be exposed to the EU market, I would suggest having the latest harmonised EN ISO version rather than the ISO version, because these recently identified deviations are not in the ISO version, and the EN ISO version contains the identical text of the ISO version itself.
Hope I was clear :popcorn:
 
ariannas

#5
Thanks both for your replies!

One point: right now we are not seeking EU markets.

you would like to persuade the FDA that, although you do not care about ISO 14971, your method complies with the FD&C Act and with 21 CFR 820? Really?
That's not what I am saying at all. TR 80002 has been very useful, and it quotes ISO 14971 frequently. But given that the medical device in question is software-only, and given the generally agreed-on lack of software-oriented guidance in 14971, I think it is fair for me to explore whether or not I should get 14971 as well. I don't think it is correct to interpret my OP as "do not care about ISO 14971." :nope:



b) However, Sections 1 and 6 of Annex I to Directive 90/385/EEC require that all risks have to be reduced as far as possible.
c) Accordingly, the manufacturer may not apply any criteria
Looking at a copy of Directive 90/385/EEC here, it appears to me that this directive is related to implantable medical devices in the EU. If I end up supporting development of such devices for the EU, it's good to know that this directive exists. I'd be curious if this applied to non-implantable devices as well... but my curiosity is a bit academic at this point.



The informative annexes to 14971 are invaluable. They give many useful examples, and Annex D gives examples of risk acceptability criteria. It uses both qualitative and semi-quantitative methods.
EXAMPLES. That is the magic word I was hoping for. Time to do some shopping. :thanx:
 
ariannas

#6
Below is a link to a blog by Robert Packard that talks about some of the versions of 14971 and why one might choose one version over another.

http://13485cert.com/iso-14971-buy-the-new-2012-version/

There is also an embedded link in the blog back to an Elsmar post. That post talks about the technical deviations in the 14971 for European Directive compliance. It's a small world. :D
 

sagai

Quite Involved in Discussions
#7
The FDA recognizes 14971, not the corresponding guidance.
Without knowing the whole content, it is difficult for me to understand how to form compliance.
To affix the CE mark is light-years easier than 510(k); however, retrospectively doing risk analysis based on the EN version sounds a bit tricky.
Regards
 
ISmith

#8
Hi ariannas,
I, as well, think you should go shopping (if you haven't gone already) based on my personal experience. I work in the software development group for an IVD instrument and have been working on the Risk Management process for our product since the beginning of the project. I found the ISO 14971 standard to do a good job of keeping you focused on the system and not just the software. Even though your product is a SW-only device, you will still consider all other inputs and interactions external to the software.

TR 80002, while useful, is just a Technical Report and should be an extension and not a replacement for ISO 14971. Software can be complicated when trying to establish a Risk Management process since there are many standards and guidance that deal with software (most use IEC 62304, where the word Hazard only creates confusion :)). Use ISO 14971 to keep you focused on the product and follow it very closely.
 
ariannas

#9
..... ce mark lightyearsly easier than 510k, however retrospectively doing risk analysis based on en version sounds a bit tricky. regards
In this case the device is class I and is 510(K)-exempt. :)
And this is not retrospective....yet.

AAMI has a copy of 14971 for half of what is on the ISO site. :D
 
ISmith

#10
That might be a stupid question, but do you need Risk Management if your device is exempt? Do you need to follow the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices if you are not doing a submission? What is required for a Class I device?
 