In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually.
Discretionary Power of Manufacturers as to the Acceptability of Risks: The Risk Evaluation Process
The second deviation is specific to the risk evaluation process. The ISO 14971 Standard indicates in Annex D4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. Clause 3.2 of the 14971 Standard states that “Top management shall: define and document the policy for determining criteria for risk acceptability.” This risk management policy is intended to indicate a threshold for risk acceptability. In Clause 5 of the 14971 Standard, the manufacturer is instructed to evaluate whether risks are acceptable using the risk management criteria defined in the risk management policy.
Essential requirements 1 and 2 require that risks be reduced as far as possible, and that all risks shall be included in a risk/benefit analysis—not just the risks above a certain threshold. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD.
Since the 2nd edition of the 14971 Standard was first issued (i.e., in 2007), clients have been asking me how to establish acceptability criteria. For new devices, I recommend benchmarking the risks of the new device against existing devices. In other words, if the new device presents equal or lower risks than existing devices, then the risks of the new device are acceptable. For existing devices, I recommend performing a risk/benefit analysis, evaluating adverse events observed with the device against the benefits of using the device. Unfortunately, most companies choose arbitrary thresholds for acceptability of risk. Instead of relying upon benchmarking or risk/benefit analysis, companies will establish a policy that all risks must be below a quantitative value. For example, if the range of possible risk scores is from 1 to 1,000, all risks of 100 or less may be acceptable.
What is Acceptable?
In order to comply with the EN ISO 14971:2012 version of the risk management standard, you will need to implement risk controls for all risks, regardless of acceptability. However, you will also need to perform a risk/benefit analysis. The risk/benefit analysis should consider not only the benefits to patients and the risks of using the device, but the analysis should also consider relative benefits of using other devices.
The clinical evaluation report and the risk management report for the device should be based upon clinical evidence of the device for the intended use—including adverse events. For new devices that are evaluated based upon literature review of equivalent devices, Notified Bodies expect a Post-Market Clinical Follow-up (PMCF) study to be conducted in order to verify that the actual risk/benefit of the device is consistent with the conclusions of the clinical evaluation. In order to perform this analysis, a clinical expert is necessary to properly evaluate the risk/benefit ratio of the device, and to create a protocol for a PMCF study.
MEDDEV 2.12/2 rev 2, Post Market Clinical Follow-up Studies, indicates that the PMCF study protocol should indicate the study endpoints and the statistical considerations. In order to do this, your company will need to establish quantitative criteria for acceptability of the identified risks. Therefore, the existing 14971 Standard needs to be modified to clarify that risk acceptability criteria should be based upon clinical data, and evaluation of risks should be conducted at a later point in the risk management process (e.g., as part of the overall risk/benefit analysis).
Impact of this Deviation
As your company becomes aware of the second deviation between the 14971 Standard and the Essential Requirements of the device directives, your risk management team will need to change the risk management process to clarify when risk acceptability should be evaluated, and the risk management policy should specify how acceptability should be determined.
The risk management process at your company will need to specify that implementation of risk controls is required for all risks—regardless of acceptability. You should also consider eliminating the evaluation of risk prior to implementation of risk controls. Instead, your company should base acceptability of risk solely upon the clinical risk/benefit analysis, and should involve the manufacturer’s medical officer in making this determination.
Finally, your risk management process should specify the need for PMCF studies in order to verify that actual clinical data supports the conclusion that the risk/benefit ratio is acceptable over the lifetime of the device.