Risk Benefit Analysis - ISO 14971:2012 Requirements

#1
Hi All

I'm looking for some advice on risk benefit analysis (RBA). In particular the 14971:2012 requirements.

Currently we only perform RBAs for individual risks that have the highest severity, regardless of final RPN. This is a severity of 10 in our 1-10 scoring where harm to the user starts at 6. Currently no one really knows what a best practice method of writing an RBA looks like. They usually end up being a few paragraphs explaining the risk and why its no problem.

I'm aware that within the 2012 version there is a requirement for RBA's for individual risks and an overall RBA.

I've been doing lots of background reading where it is suggested the overall RBA and individual RBA be linked to the clinical evaluation. Would this take the form of a bridging document referencing the risks from the RMF and where they are assessed in the clinical evaluation. With the overall risk benefit analysis being performed which is reviewed by a clinician.

Any advice, guidance or personal experience would be more than welcome.
Thanks
Will.
 

Mark Meer

Trusted Information Resource
Trusted
#2
...
I'm aware that within the 2012 version there is a requirement for RBA's for individual risks and an overall RBA.
...
Welcome! :bigwave:

Thanks for the question! I've also been curious about the same thing. RBA's for individual risks seems like it could be very onerous documentation wise, but add very little in terms of risk analysis.

Be very interested in what approaches others are taking so that meeting this requirement isn't a huge documentation burden.

(sorry I couldn't be more helpful :eek: )
MM
 

Marcelo Antunes

Addicted to standards
Staff member
Admin
#3
Please note that there's no requirement in ISO 14971 for that.

What does exist is that the annexes to the EN 2012 version mention this as one of the usually crazy deviations.

In fact, it does not make sense to perform a risk/benefit analysis for individual risks (which is the reason no one knows what do to - no one has ever done this before for any implementation of risk management that I know).

What it does make sense is to always perform a risk/benefit analysis for the aggregate risks (overall). In fact, this is one of the proposed changes in the new revision of ISO 14971.

Anyway, any risk/benefit analysis would obviously need to be linked to the clinical evaluation. You can have some thoughts reading the following FDA document: Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance, and Enforcement Decisions
 
Last edited:

Ronen E

Just a person
Super Moderator
#4
Hello Will and welcome to the Cove :bigwave:

The way I understand things, no bridging document is required because the Clinical Evaluation needs to address residual risks anyway. The Clnical Evaluation and Risk Management processes are supposed to feed each other, on a continuous basis (ie, if one's output changes, the other needs to be updated).
 

yodon

Forum Moderator
Staff member
Moderator
#5
What does exist is that the annexes to the EN 2012 version mention this as one of the usually crazy deviations.

In fact, it does not make sense to perform a risk/benefit analysis for individual risks (which is the reason no one knows what do to - no one has ever done this before for any implementation of risk management that I know).
Yet we STILL have to do it to provide a risk file that will be acceptable to the technical file reviewer!

What I have done (and I'm hoping this opens the discussion more) is, for each risk in my table, make the assertion that the company has reviewed the (individual) residual risk against the benefits and concluded that the benefits outweigh the risks. I realize that's mostly hand-waving but it's been acceptable so far.

Further, though, I *do* essentially bridge the assessment with clinical evaluation / actual use info in the risk management report. I state (in the report) that ongoing field use has demonstrated that the benefits are confirmed to outweigh the residual risk, both individually and in aggregate.

Again, I don't know if there's a better way but I had to do something and this has been working so far. I'd welcome a discussion of other approaches, flaws with this approach, etc.
 

Remus

Involved In Discussions
#6
Risk/benefit analysis is introduced to risk analysis by ISO/TR 24971:2013. Since there isn't any statistical data best way to close each individual residual risk is risk/benefit analysis. Since most of medical device manufacturers don't care anything they are reducing all risks to acceptable level, people are insisting risk/benefit analysis to each residual risk.
 
#7
HI All

Thanks for the welcome and the input. Lots of great stuff to think about.

The way I currently see/understand the requirements surrounding RBAs is similar to how Ronen E. describes. The clinical evaluation covers all the residual risks in making an overall risk benefit analysis decision.

The clinical evaluation references the risks in the RMF and the RMF references where the RBA decision is made for each risk. Essentially both documents will contain a section pointing at the other. I believe in this way both requirements (individual and overall RBA) can be met.

Just so we're on the same page, when I say risk I mean failure effect rather than failure mode.

Let me know what you think
Will.
 

Marcelo Antunes

Addicted to standards
Staff member
Admin
#9
Hello Will and welcome to the Cove :bigwave:

The way I understand things, no bridging document is required because the Clinical Evaluation needs to address residual risks anyway. The Clnical Evaluation and Risk Management processes are supposed to feed each other, on a continuous basis (ie, if one's output changes, the other needs to be updated).
That's right, however, why should it address only residual risks? It really needs to address all risks. Clinical residual risks are usually addressed in PMS/PMCF.
 

Top