Benefit-Risk Analysis – Deviation #4 in ISO 14971
Review of ISO 14971 Deviation #4 specific to the requirement for benefit-risk analysis. This blog is the fourth in a seven-part series.
This blog is the fourth installment in our seven-part series, which reviews each of the content deviations between the three device directives for Europe and international risk management standard (ISO 14971:2007). The deviations were identified in the new European National version of the Standard released in 2012. There was no change to the content of Clauses 1 through 9 in ISO 14971, but then there were seven deviations from the directives identified by the European Commission.
Discretion as to Whether a Benefit-Risk Analysis Needs to Take Place
The fourth deviation is specific to the requirement for risk-benefit analysis. Clauses 6.5 and 7 of the 14971 Standard both imply that a risk/benefit analysis is only required if risks exceed a threshold of acceptability, and Annex D.6.1 indicates that “This International Standard does not require a benefit-risk analysis for every risk.” However, essential requirements 1 and 2 require that you perform a risk/benefit analysis for each risk and overall residual risk. Essential requirement 6a also requires a risk-benefit analysis as part of the conclusion in your Clinical Evaluation Report (http://bit.ly/ER6aMEDDEV).
Your company may have created a risk management procedure, which includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks that require a benefit-risk analysis, yellow cells that are ALARP, and green cells that are acceptable. Based upon the guidance provided in ISO 14971, your company probably identified that a benefit-risk analysis is only required for a risk that falls in the red zone of the matrix where the risk is “unacceptable.”
Unfortunately, this approach is not compliant with the European Directives, because the Directives require that a benefit-risk analysis be performed for each risk and all residual risks—not just the risks you identify as unacceptable. The fourth deviation between the ISO 14971 Standard and the Essential Requirements of the European Directives is relatively simple to address with a change to your risk management process. To comply with EN ISO 14971:2012, the “red zone” should not be labeled as a benefit-risk analysis, because even risks in the “green zone” require benefit-risk analysis.
Impact of this Deviation
In a previous blog about deviation #2, we determined that the implementation of risk controls must reduce all risks. In this blog, we established that after the implementation of risk controls, all residual risks must be subject to a benefit-risk analysis. Your company will need to eliminate the use of a risk evaluation matrix like the one shown above. Instead of relying on a risk management policy for evaluating the acceptability of risk, your company should be performing a benefit-risk analysis to determine the acceptability of risks.
The best way to integrate benefit-risk analysis for the evaluation of the acceptability of all risks is to integrate this with the clinical evaluation process. In addition to using clinical literature, clinical study data, and post-market surveillance as inputs for your clinical evaluation, your company should also be using residual risks as inputs to the evaluation. The clinical evaluation should be used to assess the significance of these residual risks, and verify that there are not any risks identified in the clinical evaluation that were not considered in the risk analysis.
In order to document that your company has performed a benefit-risk analysis for each residual risk, you will need to reference the risk management report in the clinical evaluation and vice-versa. Both documents will need to provide traceability to each risk identified in the risk analysis, and conclusions of risk acceptability will need to be based upon the conclusions of the clinical evaluation.
Once the product is launched, you will need to update the clinical evaluation with adverse events and other post-market surveillance information. As part of updating clinical evaluations, you will need to determine the acceptability of the risk when weighed against the clinical benefits. These conclusions will then need to be updated in the risk management report—including any new or revised risks.
If you are interested in ISO 14971 training, we were conducting a risk management training webinar on October 19, 2018.
Would it be correct to summarise then that quantitative risk acceptability table essentially redundant since the harmonisation of ISO 14971 with the MDD? and that it is better to define risk acceptability by assessing whether the medical benefits outweigh the individual residual risks? this makes sense to me if so
Risk acceptability for CE Marked devices is essentially only a function of the benefit-risk analysis. However, most devices are sold in multiple countries. Rather than acceptability, most companies have modified the table to categorize risk as low, medium and high risks. Therefore, you can still prioritize your risk control implementation and design activities based upon risk levels–but ultimately the decision to release a product is not based upon your risk table and you must perform a risk-benefit analysis for all risks. I wouldn’t say that the table is redundant, but it certainly is not required and has less value to most manufacturers.