Risk Analysis and "Information for Safety" / Labeling

keldez

Involved In Discussions
#1
Hello all,
So I'm performing risk analysis using ISO 14971:2012 for a dental software product. I've hit a brick wall on a common topic that I've searched and searched and have found tons of input but not a consistent enough stance to know what approach to take.
Most of our risk analysis for this product references a statement in the manual as a risk control. None of the hazards reach a level in which mitigation is required. Also, we have no alternative controls for these specific hazards we have listed except a prompt in the software that does not require the user to take an action (click "I understand", etc).
Please don't throw rocks quite yet.
So, I've found folks stating everything from "Labeling cannot be considered as risk control" to "Labeling must be considered, but cannot change your severity", to what I'm reading in Annex J.1 as "Information for safety is the least preferred method of risk control, to be used only when other risk control measures have been exhausted".
Someone has mentioned Annex Z as the source for not using labeling (I cannot find a statement in this section).
Again I read in section 6.2 of 14971 that information for safety is an option (albeit the lowest prioritized) as a risk control; the statement "one or more" also reinforces that if information for safety is your only control, that is your one control.
Forgive me if I've missed a section that should lead me to believe otherwise, but I'm reading verbatim from the standard that it is allowed, but not optimal. I'm preparing this for a 510(k) submission, so any feedback or rock throwing is welcomed, I just want to understand this.

Thanks
 
Elsmar Forum Sponsor

Mark Meer

Trusted Information Resource
#2
Someone has mentioned Annex Z as the source for not using labeling...
The "Annex Z" you are referring to is specific to the latest EN (Europe) release, so really need not factor into your 510(k).

None of the hazards reach a level in which mitigation is required.
So, if I was reviewing your risk-analysis, I wouldn't make a big deal that, despite not needing them (as per your analysis), you've added controls - even if they are just labelling measures.

-----

The important thing, I think, is to understand the intent of the risk-management process. That is: are your controls appropriate to mitigate the risks you've identified?

Regardless of what the standard says or calls for, you should be confident in your analysis and controls, and be prepared to defend them.
 

Ronen E

Problem Solver
Staff member
Moderator
#3
Hello all,
So I'm performing risk analysis using ISO 14971:2012 for a dental software product. I've hit a brick wall on a common topic that I've searched and searched and have found tons of input but not a consistent enough stance to know what approach to take.
Most of our risk analysis for this product references a statement in the manual as a risk control. None of the hazards reach a level in which mitigation is required. Also, we have no alternative controls for these specific hazards we have listed except a prompt in the software that does not require the user to take an action (click "I understand", etc).
Please don't throw rocks quite yet.
So, I've found folks stating everything from "Labeling cannot be considered as risk control" to "Labeling must be considered, but cannot change your severity", to what I'm reading in Annex J.1 as "Information for safety is the least preferred method of risk control, to be used only when other risk control measures have been exhausted".
Someone has mentioned Annex Z as the source for not using labeling (I cannot find a statement in this section).
Again I read in section 6.2 of 14971 that information for safety is an option (albeit the lowest prioritized) as a risk control; the statement "one or more" also reinforces that if information for safety is your only control, that is your one control.
Forgive me if I've missed a section that should lead me to believe otherwise, but I'm reading verbatim from the standard that it is allowed, but not optimal. I'm preparing this for a 510(k) submission, so any feedback or rock throwing is welcomed, I just want to understand this.

Thanks
Hi keldez,

It's important to maintain a clear and consistent context. You mentioned "ISO 14971:2012" - no such standard AFAIK. There is either ISO 14971:2007, or EN ISO 14971:2012 (and its national derivatives). The FDA recognizes the former in full, for 510(k) purposes. The latter is the harmonised version in the EU - you could use it to gain some presumption of compliance with some MDD requirements.

The "normative" (binding) parts of those 2 standards are identical. The annexes only have the "informative" (non-normative) status, though the Foreword section in the EN version states: "For relationship with EU Directives, see informative Annexes ZA, ZB and ZC, which are an integral part of this document." (the emphasis is mine) - which is IMO ambiguousness at its best...

The "labeling-as-a-risk-mitigation-measure" debate stems from EN ISO 14971:2012 annexes Z (ZA for medical devices under the MDD). Those annexes are only in the EN version, so they shouldn't concern you unless you are after the CE marking.

The relevant clause in EN ISO 14971:2012 annex ZA reads:

7. Information of the users influencing the residual risk:
a) The residual risk is in 2.15 and in 6.4 of ISO 14971 defined as the risk remaining after application of the risk control measures. 6.2 of ISO 14971 regards "information for safety" to be a control option.
b) However, the last indent of Section 2 of Annex I to Directive 93/42/EEC says that users shall be informed about the residual risks. This indicates that, according to Annex I to Directive 93/42/EEC and contrary to the concept of the standard, the information given to the users does not reduce the (residual) risk any further.
c) Accordingly, manufacturers shall not attribute any additional risk reduction to the information given to the users.
Cheers,
Ronen.
 

keldez

Involved In Discussions
#4
Ok great news! Thank you for the detailed explanation.
Looks like my focus should be directed at the specific version of ISO 14971 we plan on using to guide the activities supporting our 510(k) and to define it clearly (ISO 14971:2007 in our case).

Thanks
 

Marcelo

Inactive Registered Visitor
#5
Most of our risk analysis for this product references a statement in the manual as a risk control. None of the hazards reach a level in which mitigation is required.
This statement makes no sense. If you do not need risk control (None of the hazards reach a level in which mitigation is required), why do you risk analysis uses references in the manual as risk control?

Anyway, as mentioned, you "could" include risk controls even if not needed, but in this case, you need rationales on why you are not using inherit safe design or protective measures in the medical device itself or in the manufacturing process. Directly putting information in the manual is not a good practice (and not correct according to ISO 14971, if someone is correctly evaluating it).

Also, if you use those information on the manual as risk control, you have to include them in the usability engineering process.

But all this is only valid if you are really trying to correctly following the standards (which really is not a requirement in the US).
 
#6
Hi Marcelo,

I'm curious what you mean here:

But all this is only valid if you are really trying to correctly following the standards (which really is not a requirement in the US).
I take it you mean when correctly following the annexes in the 2012 EN version, as opposed to following 14971 in general? Or am I missing something?

Stephen
 

Marcelo

Inactive Registered Visitor
#7
Quote:
In Reply to Parent Post by Marcelo Antunes View Post

But all this is only valid if you are really trying to correctly following the standards (which really is not a requirement in the US).
I take it you mean when correctly following the annexes in the 2012 EN version, as opposed to following 14971 in general? Or am I missing something?

Stephen
No, I?m just saying in general people do not follow ISO 14971 clause by clause in a correct way

Also, in the US, the recognized standard is ISO 14971, not the EN version. But even in the EU, such as in the US, the standard is not mandatory.
 

keldez

Involved In Discussions
#8
This statement makes no sense. If you do not need risk control (None of the hazards reach a level in which mitigation is required), why do you risk analysis uses references in the manual as risk control?

Anyway, as mentioned, you "could" include risk controls even if not needed, but in this case, you need rationales on why you are not using inherit safe design or protective measures in the medical device itself or in the manufacturing process. Directly putting information in the manual is not a good practice (and not correct according to ISO 14971, if someone is correctly evaluating it).

Also, if you use those information on the manual as risk control, you have to include them in the usability engineering process.

But all this is only valid if you are really trying to correctly following the standards (which really is not a requirement in the US).
What I mean by this is none of our hazards reach a risk level (as defined internally) where we absolutely require risk mitigation.
If your perspective of it not being "good practice" is derived from what I quoted above from ISO 14971 "Information for safety is the least preferred method of risk control, to be used only when other risk control measures have been exhausted", then we are on the same page. We have added controls to the software that require the user to perform an action that they understand a certain element that could present a hazard. With a strictly software product, I'm not exactly sure how far you can take your controls that remains reasonable.
 

Mark Meer

Trusted Information Resource
#9
This statement makes no sense. If you do not need risk control (None of the hazards reach a level in which mitigation is required), why do you risk analysis uses references in the manual as risk control?
I don't agree.
It is hard to fathom something having too many considerations for safety.

In otherwords, just because your evaluation of a hazard meet your threshold of "no mitigations required", this doesn't mean it "makes no sense" to document any further mitigations anyway.
 

Marcelo

Inactive Registered Visitor
#10
I?m just saying that if do need information for safety in the manual, and you say that "non of our hazards reach a risk level (as defined internally) where we absolutely require risk mitigation", you estimation using your internal definition may be biased.

In otherwords, just because your evaluation of a hazard meet your threshold of "no mitigations required", this doesn't mean it "makes no sense" to document any further mitigations anyway.
The same as above, if you have further mitigation, you probably need them. Not reaching your "threshold" usually means that it was wrongly set from the beginning.
 
Thread starter Similar threads Forum Replies Date
M Risk Analysis using FMEA Process Flow Chart - Health Care Information System FMEA and Control Plans 6
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
R ECG Risk Analysis Standards ISO 14971 - Medical Device Risk Management 2
adir88 Documenting Risk Control Option Analysis ISO 14971 - Medical Device Risk Management 8
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
M IATF 16949 (6.1.1 - Planning and Risk Analysis for a remote site) Process Maps, Process Mapping and Turtle Diagrams 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
M An example of risk analysis of class I MD ISO 14971 - Medical Device Risk Management 36
T Risk analysis of QMS software - Validating software we use for QMS ISO 13485:2016 - Medical Device Quality Management Systems 5
B Grouping of Products for Risk Analysis ISO 14971 - Medical Device Risk Management 9
A Risk-benefit Analysis - Hazard Analysis (HA) and FMEAs ISO 14971 - Medical Device Risk Management 18
R The difference b/w FMEA & Risk analysis as per iso 14971 ISO 14971 - Medical Device Risk Management 8
K Risk Analysis Updates due to complaints ISO 14971 - Medical Device Risk Management 10
S The Severity of a Medical Device Hazard - Risk Analysis Clarification ISO 14971 - Medical Device Risk Management 6
Ed Panek Transition to IEC 60601 4th Edition - Risk Analysis and test submissions CE Marking (Conformité Européene) / CB Scheme 2
S In a risk analysis, how can we tie mobile app security breach to ISO 14971? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
Q Risk / benefit Analysis in Risk Management Report CE Marking (Conformité Européene) / CB Scheme 12
R IATF 16949 Clause 6.1.2.1 - Lessons Learned and Risk Analysis IATF 16949 - Automotive Quality Systems Standard 6
S Risk analysis 6.1 and contingency plans 6.1.2.3, are they related? IATF 16949 - Automotive Quality Systems Standard 26
B Software Class A - Lengthy further risk analysis IEC 62304 - Medical Device Software Life Cycle Processes 9
W Biocompatibility Risk Analysis for Clinical Practitioner 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
F Risk Analysis of a Medical Device Accessory ISO 14971 - Medical Device Risk Management 4
S How we can use risk analysis for suppliers IATF 16949 - Automotive Quality Systems Standard 6
I Medical Device Software Risk Analysis ISO 14971 - Medical Device Risk Management 4
Q Risk Analysis - Same Risk Treatment for Context and Interested Parties ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
C Risk Analysis for COTS/OTS Risk Management Principles and Generic Guidelines 4
M IATF 16949 Cl. 8.7.1.4 - Risk analysis for decision making about rework IATF 16949 - Automotive Quality Systems Standard 2
E Risk Analysis - Events which may cause to Data Loss ISO 14971 - Medical Device Risk Management 12
W Risk Benefit Analysis - ISO 14971:2012 Requirements ISO 14971 - Medical Device Risk Management 27
F Medical Device HACCP (Hazard Analysis and Critical Control Point) Risk Management ISO 14971 - Medical Device Risk Management 2
Q Risk Tools in ISO 31010 - Root Cause Analysis vs. Cause-and-effect Analysis ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
S Organizing Risk Analysis and Controls for a New Medical Device (ISO 14971) ISO 14971 - Medical Device Risk Management 4
S Please review my Risk Analysis Table ISO 14971 - Medical Device Risk Management 13
M Risk analysis - ISO/TS 16949 clause 7.2.2.2 IATF 16949 - Automotive Quality Systems Standard 2
C Help with Risk/Benefit Analysis Self-help Device for Diabetics ISO 14971 - Medical Device Risk Management 3
A FTA-Top/Down approach to Risk Analysis ISO 14971 - Medical Device Risk Management 2
A Industry best practice about Post-Market Surveillance and Risk Analysis ISO 14971 - Medical Device Risk Management 6
T Risk Analysis help for CE Marking Class I Medical Device ISO 14971 - Medical Device Risk Management 10
T Risk Analysis for moving manufacturing equipment ISO 14971 - Medical Device Risk Management 17
D Different kinds of Risk Analysis for various Hazards ISO 14971 - Medical Device Risk Management 3
L GHTF/SG3/N15R8 - Process Validation and Risk Analysis ISO 13485:2016 - Medical Device Quality Management Systems 4
R Risk Analysis of Class IIb Disinfectant ISO 14971 - Medical Device Risk Management 6
J Does anyone have an example of Risk-Benefit Analysis per ISO 14971? Other ISO and International Standards and European Regulations 2
P FMEA Risk Analysis Recommended Action Priority FMEA and Control Plans 2
N ISO 14971 Risk Analysis - Sections 4.2 and 4.3 ISO 14971 - Medical Device Risk Management 2
D ISO 14971 - Risk Analysis Best Practices ISO 14971 - Medical Device Risk Management 5
S Internal Audit Plan per Risk Analysis Internal Auditing 5
K RISK ANALYSIS SAMPLE according to Annex ZA of EN ISO-14971-2012 Other Medical Device and Orthopedic Related Topics 1
S Help me with preparing Internal Audit Schedule based on Risk analysis 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
R Risk Analysis and Hazard Identification concerning Clinical Decision Support Systems ISO 14971 - Medical Device Risk Management 1

Similar threads

Top Bottom