Cutting through all the high-level stuff, the policy will be something like, "Reduce the risk to as low as reasonably practical".
When you set up the risk matrix, you will tailor the frequency and severity to the device. For example, if the device is an oral digital thermometer, the severity would not include death, but if it were an automated external defibrillator, severity would include death. Various products could have different frequency scales as well.
If you set up the risk matrix correctly, then the cell in the lower left-hand corner is the lowest severity and the lowest frequency. (Think of Cartesian coordinates marked off into the cells.) In practical terms, the policy means that the residual risk cell is as low as practical and as far to the left as practical.
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
------------------------------
Original Message:
Sent: 10-Mar-2024 16:17
From: Anonymous Member
Subject: Criteria for risk acceptability - considering regulatory requirements
This message was posted by a user wishing to remain anonymous
Thanks for your responses! My question was more to do with using the policy to establish the risk acceptability criteria, rather than the policy itself.
Dan's advice also makes perfect sense to me as, reducing it to the bare minimum, there are no US requirements that would provide any input to the establishment of the risk acceptability matrix.
Original Message:
Sent: 10-Mar-2024 10:22
From: Dan O'Leary
Subject: Criteria for risk acceptability - considering regulatory requirements
Reducing your question to the bare minimum, you are asking about the use of US regulatory requirements which don't seem to fit into the risk management structure.
ISO 14971:2019 gives you the "out" when it says, "based on applicable national/regional regulations". For your example, there are no applicable regulations, so they don't contribute to the risk acceptability criteria.
------------------------------
Dan O'Leary CQA, CQE
Swanzey NH
United States
Original Message:
Sent: 06-Mar-2024 18:23
From: Anonymous Member
Subject: Criteria for risk acceptability - considering regulatory requirements
This message was posted by a user wishing to remain anonymous
ISO 14971:2019 clause 4.2 requires that:
Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.
I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation.
My question is specifically to do with considering regulatory requirements when establishing criteria for risk acceptability.
A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in the US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)? Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and they are not quite "regulatory requirements" unless they're recognised by the FDA (?).
I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advice and guidance for the hypothetical device above.