ISO 14971 fundamentals - policy for establishing criteria for risk acceptability
ISO 14971 requires top management to define and document a policy for establishing criteria for risk acceptability. Here are 5 elements and best practices to consider when establishing your policy.
One of the most important steps in the risk management process is to evaluate whether each individual residual risk, and the overall residual risk, is acceptable based on pre-defined criteria for risk acceptability.
This step also proves to be quite challenging in practice, because there are no universal criteria for evaluating the risk(s) of a medical device. What is acceptable for one device may not be acceptable for another. That is why ISO 14971 requires top management at a medical device organization to define and document a policy for establishing the criteria for risk acceptability [1] that can be consistently applied across the entire product portfolio:
Top management shall define and document a policy for establishing criteria for risk acceptability. The policy shall provide a framework to ensure that criteria are based upon national or regional regulations and relevant International Standards, and take into account available information such as the generally acknowledged state of the art and known stakeholder concerns.
Note: the terms in italics have a special meaning under ISO 14971 per the definitions in Clause 3.
At first glance, the requirement for a policy stated above seems simple and easy to satisfy. In practice, however, it is challenging to balance the level of detail at the policy level with the level of specificity required to facilitate risk acceptability decisions at the risk management plan level.
This article aims to build a better understanding of the ISO 14971 requirement and share a few best practices for effective implementation.
Why a policy and not a procedure?
The Merriam-Webster dictionary defines the term policy as “prudence or wisdom in the management of affairs”, or from a legal perspective as “an overall plan, principle, or guideline”, or “a contract of insurance” [2].
A procedure on the other hand is “a particular way of accomplishing something or acting”.
A procedure provides specific instructions, whereas a policy provides guidance for decision making on issues that are of material significance to an organization. A policy operates at a much higher level than a procedure.
The consequences of not following a policy are generally more severe than those of not following a specific procedure. Changes to procedures are routine and frequent, as new knowledge becomes available. Changes to policy, however, are less frequent, because a policy relates to the way business is done.
By requiring a policy for establishing risk acceptability criteria, ISO 14971:2019 creates a mechanism for top management responsibility and commitment. The exact criteria for risk acceptability decisions may vary across the product portfolio; however, they should be consistent with the top-level policy.
5 elements of a policy for establishing criteria for risk acceptability
When developing a policy for risk acceptability, consider these 5 key elements:
Purpose: The primary goal of a risk management policy is to provide guidance for establishing the criteria for risk acceptability. It does not mean that these criteria need to be spelled out in the policy. A best practice is to link the policy to the organization’s vision and/or mission statement to drive consistent action across the entire operation.
Scope: The policy needs to apply throughout the product lifecycle and to all personnel involved.
Factors: The policy needs to consider stakeholder concerns, regulatory requirements, international standards and state of the art in guiding the criteria for risk acceptability.
Approach to risk control: The nature of the products, their intended use, and the markets in which they are sold may influence the approach to controlling risks. Note 1 to Clause 4.2 of ISO 14971:2019 outlines a few possible approaches, such as reducing risks to as low as reasonably practicable (ALARP), as low as reasonably achievable (ALARA), or as far as possible without adversely affecting the benefit-risk ratio (AFAP).
Review and approval requirements: Specify who approves the policy and how often it is reviewed to ensure it continues to be applicable.
Best practices
Here are some best practices for developing a policy for establishing the criteria for risk acceptability, along with a practical trick: simply enhance your existing Quality Policy to comply with the ISO 14971 requirement.
Watch this brief video clip from the fully on-demand ISO 14971 certification training course on ACHIEVE:
[1] See Clause 4.2 in ISO 14971:2019.