Risk Acceptability – Deviation #2 in EN ISO 14971

This 7-part blog series continues with the author reviewing deviation #2, risk acceptability, in the EN ISO 14971:2012 Standard.
%name Risk Acceptability   Deviation #2 in EN ISO 14971

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually. The second deviation is specific to risk acceptability.

Discretionary power of manufacturers as to Risk Acceptability

The second deviation is specific to determining risk acceptability in the risk evaluation process. The ISO 14971 Standard indicates in Annex D4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. Clause 3.2 of the 14971 Standard, it states that “Top management  shall: define and document the policy for determining criteria for risk acceptability.” This risk management policy is intended to indicate a threshold for risk acceptability. In Clause 5 of the 14971 Standard, the manufacturer is instructed to evaluate whether risks are acceptable using the risk management criteria defined in the risk management policy.

Essential requirements 1 and 2 require that risks be reduced as far as possible and that all risks shall be included in a risk-benefit analysis—not just the risks that exceed a certain threshold for risk acceptability. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD.

Since the 2nd edition of the 14971 Standard was first issued (i.e., -2007), clients have been asking me how to establish risk acceptability criteria, for new devices, I recommend benchmarking the risks of the new device against existing devices. In other words, if the new device presents equal or lower risks than existing devices, then the risks of the new device are acceptable. For existing devices, I recommend performing a risk-benefit analysis, evaluating adverse events observed with the device against the benefits of using the device. Unfortunately, most companies choose arbitrary thresholds for risk acceptability. Instead of relying upon benchmarking or risk-benefit analysis, companies will establish a policy that all risks must be below a quantitative value. For example, if the range of possible risk scores is from 1 to 1,000, all risks of 100 or less may be acceptable.

What is acceptable?

In order to comply with the EN ISO 14971:2012 version of the risk management standard, you will need to implement risk controls for all risks, regardless of acceptability. However, you will also need to perform a risk-benefit analysis. The risk-benefit analysis should consider not only the benefits to patients and the risks of using the device, but the analysis should also consider the relative benefits of using other devices.

The clinical evaluation report and the risk management report for the device should be based upon clinical evidence of the device for the intended use—including adverse events. For new devices that are evaluated based upon a literature review of equivalent devices, Notified Bodies expect a Post-Market Clinical Follow-up (PMCF) study to be conducted to verify that the actual risk-benefit of the device is consistent with the conclusions of the clinical evaluation. To perform this analysis, a clinical expert is necessary to properly evaluate the risk-benefit ratio of the device and to create a protocol for a PMCF study.

MEDDEV 2.12/2 rev 2, Post Market Clinical Follow-up Studies, indicates that the PMCF study protocol should indicate the study endpoints and the statistical considerations. In order to do this, your company will need to establish quantitative criteria for the acceptability of the identified risks. Therefore, the current 14971 Standard needs to be modified to clarify that risk acceptability criteria should be based upon clinical data, and evaluation of risks should be conducted at a later point in the risk management process (e.g., – as part of the overall risk-benefit analysis).

Impact of Deviation #2

As your company becomes aware of the second deviation between the 14971 Standard and the Essential Requirements of the device directives, your risk management team will need to change the risk management process to clarify when risk acceptability should be evaluated, and the risk management policy should specify how acceptability should be determined.

The risk management process at your company will need to specify that the implementation of risk controls is required for all risks—regardless of acceptability. You should also consider eliminating the evaluation of risk before the implementation of risk controls. Instead, your company should base the acceptability of risk solely upon the clinical risk-benefit analysis and should involve the manufacturer’s medical officer in making this determination.

Finally, your risk management process should specify the need for PMCF studies in order to verify that actual clinical data supports the conclusion that the risk-benefit ratio is acceptable over the lifetime of the device.

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

6 thoughts on “Risk Acceptability – Deviation #2 in EN ISO 14971”

  1. I wonder if the author has actually ever done risk management since what he advocates is likely to put a stop to any product introduction. It is a practical impossibility to consider all risks since, by definition, there is an infinity of them. Some common sense would be useful here.

    1. In 2007 when ISO 14971 was being taught by BSI to the company I worked at, the emphasis was to identify as many hazards and risks as possible but then to categorize the risks and neglect those that are negligible. This is no longer allowed by the EU Commission. If you read my recent postings on risk management you will find that I recommend only identifying those hazards that are likely to cause harm. I recommend starting with the TPLC database where you can find a list of actual device malfunctions for a similar device. I have designed dozens of devices and worked on 100+ risk management files. Some are excellent, but many are missing obvious hazards that they have already implemented risk controls for. You need to develop a systematic and rational process for identifying the hazards. It will also be required to document this list in future CE Technical Files.

  2. Michael Cejnar

    HI Rob
    I know you didn’t write the EN ISO, but you say “only identifying those hazards that are likely to cause harm”?

    So instead of documenting all hazards, and documenting your decision which need reduction, you and the Annex Z’s advocate deciding in our head which don’t need reducing and never listing them?
    You don;t think that’s reducing safety?

    1. When the 2007 standard was first issued, I trained people to identify as many hazards as possible. However, in order to comply with current EU requirements that approach is not feasible. I’m not arguing the process is better or worse, however, if you are distributing in Europe you have no choice.

  3. Pingback: Risk-Benefit Analysis - Medical Device Academy Deviation 4 in ISO 14971 Medical Device Academy

  4. Pingback: ISO 14971 - Medical Device Academy Risk Management Updates Medical Device Academy

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top