The author reviews ISO 14971 Deviation 4, which is specific to the requirement for risk-benefit analysis.
This blog is the fourth installment in our seven-part series, which reviews each of the content deviations between the three device directives for Europe and the international risk management standard (ISO 14971:2007). The deviations were identified in the new European National version of the Standard released in 2012. There was no change to the content of Clauses 1 through 9 in ISO 14971, but there were seven deviations from the directives identified by the European Commission.
Discretion as to Whether a Risk-Benefit Analysis Needs to Take Place
The fourth deviation is specific to the requirement for risk-benefit analysis. Clauses 6.5 and 7 of the 14971 Standard both imply that a risk/benefit analysis is only required if risks exceed a threshold of acceptability, and Annex D.6.1 indicates that “A risk-benefit analysis is not required by this International Standard for every risk.” However, Essential Requirements 1 and 2 require that you perform a risk/benefit analysis for each risk and overall residual risk. Essential Requirement 6a also requires a risk-benefit analysis as part of the conclusion in your Clinical Evaluation Report (http://bit.ly/ER6aMEDDEV).
Your company may have created a risk management procedure that includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks that require a risk/benefit analysis, yellow cells that are ALARP, and green cells that are acceptable. Based upon the guidance provided in ISO 14971, your company probably identified that a risk/benefit analysis is only required for a risk that falls in the red zone of the matrix, where the risk is “unacceptable.”
Unfortunately, this approach is not compliant with the European Directives, because the Directives require that a risk-benefit analysis be performed for each risk and all residual risks—not just the risks you identify as unacceptable. The fourth deviation between the ISO 14971 Standard and the Essential Requirements of the European Directives is relatively simple to address with a change to your risk management process. To comply with EN ISO 14971:2012, the “red zone” should not be labeled as risk-benefit analysis, because even risks in the “green zone” require risk/benefit analysis.
Impact of this Deviation
In a previous blog about deviation #2, we determined that all risks must be reduced by the implementation of risk controls. In this blog, we established that after implementation of risk controls, all residual risks must be subject to a risk-benefit analysis. Your company will need to eliminate the use of a risk evaluation matrix like the one described above. Instead of relying on a risk management policy for evaluating the acceptability of risk, your company should be performing a risk/benefit analysis to determine the acceptability of risks.
The best way to apply risk-benefit analysis to the evaluation of acceptability of all risks is to integrate it with the clinical evaluation process. In addition to using clinical literature, clinical study data and post-market surveillance as inputs for your clinical evaluation, your company should also be using residual risks as inputs to the evaluation. The clinical evaluation should be used to assess the significance of these residual risks, and to verify that there are not any risks identified in the clinical evaluation that were not considered in the risk analysis.
In order to document that your company has performed a risk-benefit analysis for each residual risk, you will need to reference the risk management report in the clinical evaluation and vice versa. Both documents will need to provide traceability to each risk identified in the risk analysis, and conclusions of risk acceptability will need to be based upon the conclusions of the clinical evaluation.
Once the product is launched, you will need to update the clinical evaluation with adverse events and other post-market surveillance information. As part of updating clinical evaluations, you will need to determine the acceptability of the risk when weighed against the clinical benefits. These conclusions will then need to be updated in the risk management report—including any new or revised risks.