3 Comments
Apr 30 · Liked by Naveen Agarwal, Ph.D.

Hi Naveen,

I have read your article and here are my comments.

I totally agree with you that the 7.4 chapter about benefit-risk-evaluation of individual risks (!) is only necessary if the residual risk is not acceptable and there are no more countermeasures possible.

I also agree with you that there are sometimes auditors insisting on all individual benefit-risk-evaluations and also medical device manufacturers that are doing it voluntarily because they think they have to do it.

In both cases my personal assumption is that they did not read chapter 7.4 carefully and simply overlooked the restriction to the "non-acceptable risks". Especially auditors are often not well trained or experienced with ISO 14971 and thus have a lack of understanding.

Your hypothesis is that auditors in Europe might refer to the statement in Annex I of the MDR about reducing risks "as far as possible without adversely affecting the benefit-risk ratio". And this might lead to the interpretation that every single residual risk needs a benefit-risk-evaluation.

The question is: what does MDR instead mean by "reducing risks as far as possible without adversely affecting the benefit-risk ratio"? I think they wanted to express: If you introduce more and more and more countermeasures, you will get to the point where the risk is close to zero, but so is also the benefit! This does not mean that you formally have to do a benefit-risk-evaluation. It just means that you stop with countermeasures if they will have a heavy impact on the benefit of the device.

What you have to do in every row of the risk table: do not judge the residual risk by the acceptance graph only, evaluate also whether it is reduced as far as possible. But I would never do a benefit-risk-evaluation for every residual risk in every row.

The benefit-risk-ratio is by the way already determined at the beginning of the risk management process when designing the ratio of the red and green area in the risk graph. The more benefit the device has, the more risks you can accept. And this is expressed not only qualitatively but also quantitatively based on the classes and their definitions. By that a residual risk that lies in the green area already is evaluated indirectly for benefit-risk-ratio.

Best regards

Christian

In speaking with BSI people, I specifically asked about this and the answer may surprise you...

According to BSI (and other consultants who have sat with the Commission asking the same question), EVERY risk has to have a B-RA. Now, the question as to HOW is interesting.

There is division on whether to have a B-RA immediately written inline with the risk on your risk management documents (FMEA, PHA, etc.) OR if a collection of acceptable risks can be all combined within your risk management documentation as a "risk catch-all." Some companies prefer to have their B-RA right at the end of each line item and some like to have a reference to a document that talks about the acceptable risk.

I realize, Naveen, this contradicts your post somewhat, but realize that what is written in the regulations and what the Commission is asking for are sometimes two different things. I have numerous examples of that in the MDR. ISO 13485 and ISO 14971 have some of that going on, as well. For now, I'm told, make sure you have a B-RA for every line item, whether right there in that line item or referenced to an overall document that calls out the risk OF that line item.

I completely agree. What's more important is the overall risk. While individual risks do matter and can bite you on an individual basis, they combine to form the overall risk profile for a product or service -- which is more important. 14971 reflects that.
