Manufacturers of medical devices must define criteria for risk acceptance. This is often done on two levels:
- In the risk policy (see ISO 14971, Chapter 4.2)
- In the risk management plan (see ISO 14971, Chapter 4.4)
Risk policy
In the risk policy, manufacturers define (across all products) how they proceed to determine the (product-specific) criteria for risk acceptance.
Examples
- No device may lead to risks with a catastrophic severity of harm (e.g., death). (This could result in manufacturers being unable to place specific devices on the market.)
- The risks must be minimized as far as possible for each device. Economic considerations must not play a role in risk minimization. (Both are already required by regulation.)
- Risks that do not lead to measurable harm (e.g., a small delay in a diagnosis that is not time-critical) are generally acceptable unless this is not in line with the state of the art.
Manufacturers can express their risk policy in a separate document or as part of a standard operating procedure.
Risk acceptance
Manufacturers must determine the risk acceptance criteria for each device. This is usually done in the form of a risk acceptance matrix.
The criteria for risk acceptance must meet the requirements of the risk policy.