Risk Benefit Analysis - ISO 14971:2012 Requirements

Marcelo

Inactive Registered Visitor
#11
Maybe I should have used the word "mitigate" rather than "address".
Hum, I don't think it would be better, because then your statement would say "because the Clinical Evaluation needs to mitigate residual risks anyway". The Clinical evaluation does not mitigate anything, it provides input to the risk management process to decide if the risk is acceptable or not (in particular, clinical risks, although did include several other stuff which I may not agree with - at least, not all the included stuff).
 
Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#12
Yet we STILL have to do it to provide a risk file that will be acceptable to the technical file reviewer!
Right, but if there's no way to do it, than it's very difficult to discuss. As you mentioned, anything would be "hand-waving". In fact, most anything that is not too crazy would have to be accepted. My approach to clients is similar to what you mention, I include a column in my risk management summary for risk/benefit analysis that links to the clinical evaluation (where the benefit assessment is right now) and to the justification for risk acceptability and write a small text explaining why the benefit outweighs the risk. But again, it's simply more "hand-waving".

... make the assertion that the company has reviewed the (individual) residual risk against the benefits and concluded that the benefits outweigh the risks.
...that ongoing field use has demonstrated that the benefits are confirmed to outweigh the residual risk, both individually and in aggregate...
I would take care with mentioning that you only reviewed the "residual" risks against benefits because it's a "risk/benefit analysis", not a "residual risk/benefit analysis". This is art of the current problem of ISO 14971, the way the "get out of jail free card"template was used included only residual risks, but this not make much sense, in particular when we are talking about clinical risks that may not really have ways for mitigation (beyond some general information for safety).
 

Marcelo

Inactive Registered Visitor
#13
In Reply to Parent Post by Willgray888 View Post

when I say risk I mean failure effect rather than failure mode.

Risk is the failure effect (severity of harm) factored together with its probability of occurrence. It's a little tricky for our intuition to grasp because it's a state rather than an object.
An easier way to think of it in this case is risk is what happens to the patient/user/etc. The same as the benefit.

We have to make comparison with comparable things. Failure modes that happen in the device cannot be compared to benefits that happens to patients.
 

Ronen E

Problem Solver
Staff member
Moderator
#14
Marcelo,

I don't understand the (apparent) extra-importance you place on the word "residual", in your replies both to me and to yodon. In my understanding, in the current context "residual" would mean, in everyday language, "actual" or "updated" (risk). It is simply the level of risks that actually (as verified) remains in real presence after the mitigation means have been implemented. If you follow this line, there is not much point in trying to account for (or mitigate) some theoretical risk level that existed earlier; rather, it seems reasonable and practical to further work with the residual risk, ie the one that is actually present.

In that sense I think that the clinical evaluation IS helpful in mitigating such risk, especially when you consider that risk is (at least as I stated) a perceived state of things. Such mitigation doesn't necessarily need to change anything about the device, or any other object or physical aspect of reality. It can, alternatively reduce the level of assessed/evaluated risk by providing new/more information, or new insight into existing information (eg through more analysis). Further, if the Clinical Evaluation includes clinical investigation (eg a clinical trial involving the subject device) it may actively provide information showing the risk to be lower, thus actively mitigating it.

Added in edit: The clinical evaluation will not always be able to mitigate the residual risk, however it should aim at that, and in case of failure (ie when the evaluation concludes that the residual risk is real and correct and can't be practically reduced by means of clinical investigation / assessment) it should be stated clearly in the updated CER. I guess this is why I initially used the term "address" rather than "mitigate" - it is more neutral and doesn't presuppose that risk reduction will always be possible / practicable.
 
Last edited:

Ronen E

Problem Solver
Staff member
Moderator
#15
An easier way to think of it in this case is risk is what happens to the patient/user/etc. The same as the benefit.

We have to make comparison with comparable things. Failure modes that happen in the device cannot be compared to benefits that happens to patients.
I think that the definition offered in the 1st paragraph is not complete. It's like saying that risk=potential harm, which is inaccurate in my opinion. It ignores the probability aspect of the risk, and once again treats risk as an object rather than as a state.

The same applies to benefit, because benefits (especially clinical ones) also have a probabilistic nature. Attaining a given benefit is usually not 100% guaranteed. So, the presence of a benefit is also a (probabilistic) state, and thus they can be compared. I would say that benefit is exactly the negative of risk (and vice versa of course).
 

Marcelo

Inactive Registered Visitor
#16
Marcelo,

I don't understand the (apparent) extra-importance you place on the word "residual", in your replies both to me and to yodon. In my understanding, in the current context "residual" would mean, in everyday language, "actual" or "updated" (risk). It is simply the level of risks that actually (as verified) remains in real presence after the mitigation means have been implemented. If you follow this line, there is not much point in trying to account for (or mitigate) some theoretical risk level that existed earlier; rather, it seems reasonable and practical to further work with the residual risk, ie the one that is actually present.
I was trying to point out that the regulations, such as the MDD/MDR, require a risk/benefit analysis, not a residual risk/benefit analysis. What it means in practice is that all risks, including residuals risks, need to be taken into consideration.

In particular, there are risks that may be acceptable without mitigation, for example. By definition, they are risks, but not residual risks. And they are one factor that need to be taken into consideration on the risk/benefit analysis.

In that sense I think that the clinical evaluation IS helpful in mitigating such risk, especially when you consider that risk is (at least as I stated) a perceived state of things. Such mitigation doesn't necessarily need to change anything about the device, or any other object or physical aspect of reality. It can, alternatively reduce the level of assessed/evaluated risk by providing new/more information, or new insight into existing information (eg through more analysis). Further, if the Clinical Evaluation includes clinical investigation (eg a clinical trial involving the subject device) it may actively provide information showing the risk to be lower, thus actively mitigating it.
If we are following general risk management principles, such as the ones defined in ISO 14971, there are only three ways to mitigate risks - inherit safety, protective measures or information for safety. A clinical evaluation does not do any of the 3. It does help to get information so any of the 3 can be included or changed. But the information it gives in itself do not mitigate the risk.
 

Marcelo

Inactive Registered Visitor
#17
I think that the definition offered in the 1st paragraph is not complete. It's like saying that risk=potential harm, which is inaccurate in my opinion. It ignores the probability aspect of the risk, and once again treats risk as an object rather than as a state.

The same applies to benefit, because benefits (especially clinical ones) also have a probabilistic nature. Attaining a given benefit is usually not 100% guaranteed. So, the presence of a benefit is also a (probabilistic) state, and thus they can be compared.
You are right, I did not want to give a complete definition (which is rather difficult, in fact) but to give another general way of looking at risk, and trying to point out that we need to focus on what might happen to the patient/user/etc.

As you know from discussion here and in practice, a lot of people still think that they should stop analyzing when they identify the device failure.
 

Ronen E

Problem Solver
Staff member
Moderator
#19
the regulations, such as the MDD/MDR, require a risk/benefit analysis, not a residual risk/benefit analysis.
While you are technically right, I think that the intent was to address residual risks in the RBA. There is no point in considering the current state of expected benefits ("benefit" in short) against risks that exited earlier but are not real any more. What's relevant for the RBA (id we look at it not as a purely theoretical exercise but as something meaningful and realistic) is considering the current benefit against the current (=residual) risk.

all risks, including residuals risks, need to be taken into consideration.

In particular, there are risks that may be acceptable without mitigation, for example. By definition, they are risks, but not residual risks.
I think that this is where we diverge. In my interpretation "residual risks" are the current ones, whether any mitigation means were applied or not. The "dry" definition says that residual risks are those that remain after mitigation means have been applied. "Mitigation means that have been applied" for a given risk may be an empty set, eg when there are no possible / practical mitigation means available, or - as you noted - when the risk is already deemed acceptable.

If we are following general risk management principles, such as the ones defined in ISO 14971, there are only three ways to mitigate risks - inherit safety, protective measures or information for safety. A clinical evaluation does not do any of the 3. It does help to get information so any of the 3 can be included or changed. But the information it gives in itself do not mitigate the risk.
The MDD says (ER 2):

In selecting the most appropriate solutions [The solutions adopted by the manufacturer for the design and construction of the devices], the manufacturer must apply the following principles in the following order:

— eliminate or reduce risks as far as possible (inherently safe design and construction),

— where appropriate take adequate protection measures including alarms if necessary, in relation to risks that cannot be eliminated,

— inform users of the residual risks due to any shortcomings of the protection measures adopted.
It speaks of the device's design and manufacture in general (in my interpretation first and foremost of the initial design), not specifically of risk mitigation. In my understanding risk mitigation is the attempt to bring risk (again, in my interpretation a perceived state, not an objective physical aspect ot reality) down, to at least an acceptable level. Following this line of thought, any means that can do it with confidence (including collection and analysis of new/existing information) should be considered mitigation means.

As to ISO 14971, I think that there is a wide consensus (probably including yourself) that it is currently worded in a flawed / problematic way, in various clauses. What I'm trying to do here is to offer a fresh perspective that might hopefully be of some utility in that standard's upcoming update (probably being a little naive here :))
 

thelastdon99

Starting to get Involved
#20
Time to jump start this conversation again... I recently went through an audit that resulted in these two risk related findings:

1. Risk Analysis is incomplete. Cannot asses if all 3 risk control options(D.P.I.) have been applied to each risk mitigation.
2. Risk Benefit Analysis was not applied for each risk individually.

1. a) My risk assessment has a checkbox for "Design, Process, and Information" for each risk. Some of the risks only have one of three, others two of three, and some have all checked. According to the auditor and their interpretation of 14971:2012 ZA #5 The manufacturer must apply all control options even if previous control options have reduced the risk to an
acceptable level. Why would you apply "labeling" for something if you've already designed it out and it no longer needs labeling as a mitigation? You wouldn't! So how can I check that box if I didn't apply labeling? I can't. So what do I do? Provide a justification each time I apply less than all three options? Can anyone show me how you are meeting this requirement and what evidence you are providing to auditors because i'm at a loss as to how i can meet this requirement.

2. a) How is everyone applying RB to individual items? My only thoughts mirror what Yodon mentioned earlier in the post, to just do some handwaving by adding a column with a canned statement for each item that RB has been assessed by the members of the cross-functional risk analysis team and determined that the benefits outweigh the risks. Pretty silly since the overarching RB assessment/conclusion already accomplishes this. Or do i need to provide a justification of how the team came to the conclusion specific to each line item?
 
Thread starter Similar threads Forum Replies Date
A Risk-benefit Analysis - Hazard Analysis (HA) and FMEAs ISO 14971 - Medical Device Risk Management 17
Q Risk / benefit Analysis in Risk Management Report CE Marking (Conformité Européene) / CB Scheme 12
C Help with Risk/Benefit Analysis Self-help Device for Diabetics ISO 14971 - Medical Device Risk Management 3
J Does anyone have an example of Risk-Benefit Analysis per ISO 14971? Other ISO and International Standards and European Regulations 2
M Estimating the benefit-risk ration under MDR EU Medical Device Regulations 1
M Informational Final guidance – GUIDELINES on the benefit-risk assessment of the presence of phthalates in certain medical devices covering phthalates which are carc Medical Device and FDA Regulations and Standards News 0
M Informational FDA discussion paper – Consideration of Benefit-Risk Approaches for Weight-Loss Devices Medical Device and FDA Regulations and Standards News 0
M Informational US FDA Final Guidance – Consideration of Uncertainty in Making Benefit-Risk Determinations in Medical Device Premarket Approvals, De Novo Classificati Medical Device and FDA Regulations and Standards News 0
M Risk/Benefit vs. benefit-risk - Revising an SOP covering Risk Management with the MDR in mind EU Medical Device Regulations 10
M Informational EU – 12th Meeting of the Working Group on Guidelines on benefit – risk assessment of Phthalates in Medical Devices Medical Device and FDA Regulations and Standards News 0
M Informational EU – SCHEER – Minutes of the Working Group meeting on guidelines on the benefit-risk assessment of the presence of phthalates in certain medical devic Medical Device and FDA Regulations and Standards News 1
M Medical Device News FDA News - 14-09-18 - Benefit-Risk Factors to Consider for Substantial Equivalence Other US Medical Device Regulations 0
M Medical Device News FDA news - 05-09-18 - Draft - Uncertainty in Benefit-Risk Determinations Other US Medical Device Regulations 0
A MDSAP benefit for manufacturer of low-risk devices Canada Medical Device Regulations 3
AnaMariaVR2 Structured Approach to Benefit-Risk Assessment in Drug Regulatory Decision-Making Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 0
sagai New Draft Guidance from FDA - Factors considered for Risk/Benefit Determination Other US Medical Device Regulations 4
A IEC 60601 11.2.2.1 Risk of Fire in an Oxygen Rich Environment, Source of Ignition IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
D Importing a general wellness low risk product Other US Medical Device Regulations 3
C Quantifying risk in choosing the number of parts, operators and replicates in a GR&R Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 4
R AQL, Consumer Risk and MA Statistical Analysis Tools, Techniques and SPC 2
M Risk managment report of Surgical Mask Example ISO 14971 - Medical Device Risk Management 14
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 7
R ECG Risk Analysis Standards ISO 14971 - Medical Device Risk Management 2
N Device Labeling - Medtronic Ventilator Files (Risk Management documents) Coffee Break and Water Cooler Discussions 2
A 5 x 5 Risk Matrix - Looking for a good example Manufacturing and Related Processes 2
F Risk for Quality Assurance Department in a Hospital - Hospital Incident Reporting ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
M Should volume of sales be factored into risk probability assessments? ISO 14971 - Medical Device Risk Management 33
T How do you define your Hazards? <a Risk Management discussion> ISO 14971 - Medical Device Risk Management 16
adir88 Documenting Risk Control Option Analysis ISO 14971 - Medical Device Risk Management 8
B Risk Assessment Checklist for Non product Software IEC 62304 - Medical Device Software Life Cycle Processes 1
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
K Identification of hazards and Risk file IEC 62366 - Medical Device Usability Engineering 7
S Risk based internal auditing Internal Auditing 6
Robert Stanley I'm @ RISK of not showing my RISKS! ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 20
adir88 Information of safety can reduce risk now? ISO 14971 - Medical Device Risk Management 12
G Any good examples of CAPA forms that include a risk based approach? ISO 13485:2016 - Medical Device Quality Management Systems 5
adir88 MDR requirement: Risk Management Plan for "each device" ISO 14971 - Medical Device Risk Management 5
M Has anyone heard of Run at Risk? Manufacturing and Related Processes 14
Tagin Is SARS-CoV-2/COVID-19 on your risk register? Misc. Quality Assurance and Business Systems Related Topics 11
D IEC 62304 Risk Classification - With and without hardware control IEC 62304 - Medical Device Software Life Cycle Processes 2
J ISO 14971 applied to ISO 13485? Low risk class 1 devices ISO 13485:2016 - Medical Device Quality Management Systems 3
DuncanGibbons Classification of aerospace parts depending on their risk and criticality etc. Federal Aviation Administration (FAA) Standards and Requirements 3
D Performance specification as a Risk Control Measure, EN 14971 ISO 14971 - Medical Device Risk Management 7
M Risk Classification For Supplier - Clinical Research Organisation (CRO) Supply Chain Security Management Systems 3
Sidney Vianna IAQG SCMH explains "positive risk"..........but does it? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 3
MrTetris Unacceptable risk and information for safety ISO 14971 - Medical Device Risk Management 16
M IATF 16949 (6.1.1 - Planning and Risk Analysis for a remote site) Process Maps, Process Mapping and Turtle Diagrams 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
C AS9100 Rev D 8.1.1 & APQP - Operational risk management process AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 0
B ATP 5-19 "Risk Management" Misc. Quality Assurance and Business Systems Related Topics 2
Similar threads


















































Top Bottom