Risk Acceptance Criteria in ISO 14971

A

ariannas

I need to take the lead in defining risk acceptability criteria for a new small business that is developing a Class I software-only medical device. They have a lot of expertise in their area but are not clinicians and they know even less about formal risk management than I do. :mg:

I?ve been studying ISO/TR 80002-1 in detail, I?ve worked through the GHTF?s SG3/N15R8, and I?ve been digging through Elsmar as well. (Certain people have been getting a flurry of ?thanks-es? on existing posts lately) :D So now I have at least a little understanding of the theory, but when it comes to putting this stuff into practice, this is my first go at it.

Given that back story, here is my question:
How much real-world guidance does ISO 14971 provide for establishing risk acceptability criteria beyond what is already in ISO/TR 80002)?
If all that ISO 14971 says is that a) establishing risk acceptance criteria is critical, b) every manufacturer has to do it differently, and c) that it should be ?state-of the-art?, I don?t think I will want to spend the $300. But if it can give me some tools to achieve the goals above, I?m interested and willing to pony up.

Some caveats:

Based on what I have learned so far, I am going to have to go with a qualitative rather than quantitative approach. So if 14971?s guidance for establishing risk acceptance criteria is more focused on quantitative side of things, I?m not as interested in buying the standard.

In the short term, my goal is to come up with an approach that is practical for a small company and acceptable to the FDA. Full ISO is a dream for another day.

Thanks in advance!!!
 

sagai

Quite Involved in Discussions
If you are up to EU legislation, bare in mind (EN ISO 14971:2012):
2. Discretionary power of manufacturers as to the acceptability of risks:
a) ISO 14971 seems to imply that manufacturers have the freedom to decide upon the threshold for
risk acceptability5 and that only non-acceptable risks have to be integrated into the overall risk-benefit
analysis6.
b) However, Sections 1 and 6 of Annex I to Directive 90/385/EEC require that all risks have to be
reduced as far as possible.
c) Accordingly, the manufacturer may not apply any criteria

About your question than
How much real-world guidance does ISO 14971 provide for establishing risk acceptability criteria beyond what is already in ISO/TR 80002)?
For me None, and regardless it would provide, for EU it is questioned, see above.

I’m not as interested in buying the standard.
Ohhh, that's surprising.
It is a copyrighted material. So if you do not buy it, how would you know about its content to line up compliance in your QMS?

Full ISO is a dream for another day.
Well, that is interesting.
So, you would like to persuade FDA, that regardless you do not care about ISO14971, your method is comply with FD&CAct and with 21CFR820? Reealy?

Kind Regards

ps.: my recollection about risk acceptability is that it is a nonsense. Assessment carried out for risks by subjective decision, risk acceptability is also subjective, and than it would provide a universally acceptable criteria.
One recent example to remember:
http://online.wsj.com/article/SB10001424127887324798904578529103419237828.html
What probability would we assign to the case for body scanner detector falling to patient bed whilst he is examined? Incredibly? now a man had died.
 
Last edited:

Pads38

Moderator
I would suggest that 14971 is so fundamental to the modern approach to medical device regulation that it has to be 'top of the shopping list'. I would go so far as to suggest it is more important than ISO 13485, a suggestion that may be a little controversial in these forums!

The informative annexes to 14971 are invaluable. They give many useful examples, and Annex D gives examples of risk acceptability criteria. It uses both qualitative and semi-quantitative methods.

And, just for information, 14971 is available direct from ISO for 196 Swiss francs - just over $200. There are, also, legitimate alternative sources. Best price (legitimate) I have found is less than 7 Euro! - so no excuses now.
 

sagai

Quite Involved in Discussions
If they would be exposed to EU market, I would suggest to have the latest harmonised EN ISO version rather than ISO version due to these recently identified deviations are not in the ISO version, and the EN ISO version contains the identical text of the ISO version itself.
Hope I was clear :popcorn:
 
A

ariannas

Thanks both for your replies!

One point: right now we are not seeking EU markets.

you would like to persuade FDA, that regardless you do not care about ISO14971, your method is comply with FD&CAct and with 21CFR820? Reealy?

That's not what I am saying at all. TR 80002 has been very useful, and it quotes ISO 14971 frequently. But given that the medical device in question is software-only, and given the generally agreed-on lack of software oriented guidance in 14971, I think it is fair for me to explore where not I should get 14971 as well. I don't think it is correct to interpret my OP as "do not care about ISO 14971." :nope:



b) However, Sections 1 and 6 of Annex I to Directive 90/385/EEC require that all risks have to be
reduced as far as possible.
c) Accordingly, the manufacturer may not apply any criteria

Looking at a copy of Directive 90/385/EEC here, it appears to me that this directive is related to implantable medical devices in the EU. If I end up supporting development of such devices for the EU, its good to know that this directive exists. I'd be curious if this applied to non-implantable devices as well... but my curiosity is a bit academic at this point



The informative annexes to 14971 are invaluable. They give many useful examples, and Annex D gives examples of risk acceptability criteria. It uses both qualitative and semi-quantitative methods.

EXAMPLES. That is the magic word I was hoping for. Time to do some shopping. :thanx:
 
A

ariannas

Below is a link to a blog by Robert Packard that talks about some of the versions of 14971 and why one might chose one version over another.

http://13485cert.com/iso-14971-buy-the-new-2012-version/

There is also an embedded link in the blog back to an Elsmar post. That post talks about the technical deviations in the 14791 for European Directive compliance. Its a small world. :D
 

sagai

Quite Involved in Discussions
FDA recognizing the 14971, not the corresponding guidance.
without knowing the whole content, it is difficult for me to understand how to form compliance.
to affix ce mark lightyearsly easier than 510k, however retrospectively doing risk analysis based on en version sounds a bit tricky.
regards
 
I

ISmith

Hi ariannas,
I, as well, think you should go shopping (if you haven?t gone already) based on my personal experience. I work in the software development group for an IVD instrument and have been working on Risk management process for our product since the beginning of the project. I found the ISO 14971 standard to do a good job keep you focused on the system and not just the software. Even though your product is SW-only device you will still consider all other inputs and interactions external to the software.

TR 80002 while useful is just a Technical Report and should be an extension and not a replacement for ISO 14971. Software can be complicated when trying to establish Risk Management process since there are many standards and guidance that deal with software (most use IEC 62304 where the word Hazard only creates confusions J) Use ISO 14971 to keep you focused on the product and follow it very closely.
 
A

ariannas

..... ce mark lightyearsly easier than 510k, however retrospectively doing risk analysis based on en version sounds a bit tricky. regards

In this case the device is class I and is 510(K)-exempt. :)
And this is not retrospective....yet.

AAMI has a copy of 14971 for half of what is on the ISO site. :D
 
I

ISmith

That might be a stupid question but do you need Risk Management if your device is an exempt. Do you need to follow the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devicesif you are not doing a submission? What is required for Class I device?
 
Top Bottom