Whether risk mitigation through information is permitted regularly leads to discussions. The answer to this question is important because it determines the conformity and non-conformity of medical devices.
This article provides the answer and thus resolves a “historical misunderstanding.”
1. Regulatory framework
All manufacturers are obliged to minimize the risks posed by their medical devices. In relation to the benefit of the device, the residual risks must be acceptable.
To minimize the risks, there are several types of measures. Laws such as MDR and IVDR and the risk management standard ISO 14971 specify these types and the order in which they must be applied (see Fig. 1).
Thus, there is no general prohibition of risk control or risk mitigation through information.
2. Types of information
To answer the question of whether risk mitigation through information is permitted, an overview of the different types helps:
- Warnings on the device, e.g., labels or pop-ups on software interfaces
- Information in instructions for use and other accompanying materials about the correct use of the device
- Information in instructions for use about residual risks
- Training of users
3. Trigger of the confusion
When harmonizing ISO 14971:2012, the harmonization service provider lawyers wrote in Annex Z:
… manufacturers shall not attribute additional risk reduction to the information given to the users…
Annex Z of ISO 14971
In doing so, the lawyers, unfortunately, lumped together two types of information:
- Information that “only” lists any residual risks. This is a requirement of the MDR Annex I, Section 4 (“Manufacturers shall inform users of any residual risks.”).
- Information that presents concrete and specific measures to minimize risks. These contain specific instructions for persons to take action when handling the device.
4. The resolution
The list of residual risks is …
- comparable to the package insert with the side effects of drugs,
- a regulatory requirement, and
- no (!) risk minimizing measure.
Instructions for action for the users …
- are regulatory required, if risks can be minimized with it,
- then count as risk-minimizing measures, and
- are also allowed as such.
Team-NB also shared this assessment in a consensus paper in 2014.
With every electrically operated medical device, there is a risk of electric shock. This (residual) risk exists even if the manufacturer complies with all measures prescribed by IEC 60601-1 (e.g., on clearance and creepage distances). The manufacturer must enter and publish this risk in the list of residual risks.
The user can consider this information when making a risk-based decision for or against the use of the device. He cannot prevent the electric shock itself (e.g., in the event of a product defect). Accordingly, providing this information to the user is not a risk-minimizing measure.
If, on the other hand, the manufacturer specifies in the instructions for use that the technician must disconnect the mains plug before carrying out repairs and before opening the enclosure, then this is a clear instruction for action that, if fulfilled, minimizes the risk, namely, the risk of getting an electric shock when coming into contact with electrical components inside the device.
5. Conclusion
Risk mitigation through information is, therefore, perfectly permissible. A distinction must be made between:
- Information listing all residual risks
Publication of the list of residual risks is required by regulation and is not a risk mitigation measure.
- Instructions for users
They are required by regulation if they can be used to minimize risks. They are permitted as a risk-minimizing measure.
The manufacturers must prove the implementation and effectiveness of risk-minimizing measures. Usability tests usually review risk-minimizing measures by information.
Training documents and instructions for use are part of the user interface and are, therefore, subject to the regulatory requirements for usability and within the scope of IEC 62366-1.
Do you still have questions about risk management? Then benefit from
- the free micro-consulting of the Johner Institute or
- the help of the risk management team in creating and reviewing your risk management files.
This will ensure that there are no problems with audits and inspections of your technical documentation and no delays in the approval of your devices.
Read more about risk mitigation and more about risk management in general.