Regulatory Open Forum

ISO 14971:2019 clause 4.2 requires that:

Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.

I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation. 

My question is specifically to do with considering regulatory requirements when establishing a criteria for risk acceptability. 

A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)?  Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and are not quite "regulatory requirements" unless they're recognised by the FDA (?).

I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advise and guidance for the hypothetical device above. 

It sounds as if you are trying to do too much at once within the "policy for establishing criteria for risk acceptability" as described in the standard.  As noted in ISO TIR24971:2020 "Medical devices- Guidance on the application of ISO 14971," the policy itself is intended establish a framework that "directs and guides the establishing of the criteria" that is called out in the risk management plan.  This policy does not need to refer to individual regulations or standards, rather it should ensure that the risk acceptability criteria consider them, as applicable.  If you consider the example in Annex C of the guidance you will see that the generic policy calls out the need to consider and take into account the factors referenced in the standard, but does not name which specifically as this should be determined based on the device/intended use and intended markets.  

On the other hand, the actual risk acceptability criteria in the risk management plan should be specific enough to ensure that they can be met by the planned risk management activities, see Table C.1 of ISO TIR24971:2020 for a useful example about International Standards.  So too, your design and development inputs should be considering applicable regulatory requirements and standards. 

ISO 14971:2019 clause 4.2 requires that:

Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.

I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation. 

My question is specifically to do with considering regulatory requirements when establishing a criteria for risk acceptability. 

A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)?  Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and are not quite "regulatory requirements" unless they're recognised by the FDA (?).

I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advise and guidance for the hypothetical device above. 

It sounds as if you are trying to do too much at once within the "policy for establishing criteria for risk acceptability" as described in the standard.  As noted in ISO TIR24971:2020 "Medical devices- Guidance on the application of ISO 14971," the policy itself is intended establish a framework that "directs and guides the establishing of the criteria" that is called out in the risk management plan.  This policy does not need to refer to individual regulations or standards, rather it should ensure that the risk acceptability criteria consider them, as applicable.  If you consider the example in Annex C of the guidance you will see that the generic policy calls out the need to consider and take into account the factors referenced in the standard, but does not name which specifically as this should be determined based on the device/intended use and intended markets.  

On the other hand, the actual risk acceptability criteria in the risk management plan should be specific enough to ensure that they can be met by the planned risk management activities, see Table C.1 of ISO TIR24971:2020 for a useful example about International Standards.  So too, your design and development inputs should be considering applicable regulatory requirements and standards. 

ISO 14971:2019 clause 4.2 requires that:

Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.

I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation. 

My question is specifically to do with considering regulatory requirements when establishing a criteria for risk acceptability. 

A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)?  Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and are not quite "regulatory requirements" unless they're recognised by the FDA (?).

I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advise and guidance for the hypothetical device above. 

ISO 14971:2019 clause 4.2 requires that:

Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.

I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation. 

My question is specifically to do with considering regulatory requirements when establishing a criteria for risk acceptability. 

A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)?  Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and are not quite "regulatory requirements" unless they're recognised by the FDA (?).

I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advise and guidance for the hypothetical device above. 

Reducing your question to the bare minimum, you are asking about the use of US regulatory requirements which don't seem to fit into the risk management structure.

ISO 14971:2019 gives you the "out" when it says, "based on applicable national/regional regulations". For your example, there are no applicable regulations, so they don't contribute to the risk acceptability criteria.

ISO 14971:2019 clause 4.2 requires that:

Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.

I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation. 

My question is specifically to do with considering regulatory requirements when establishing a criteria for risk acceptability. 

A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)?  Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and are not quite "regulatory requirements" unless they're recognised by the FDA (?).

I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advise and guidance for the hypothetical device above. 

Thanks for your responses! My question was more to do with using the policy to establish the risk acceptability criteria, rather than the policy itself. 

Dan's advise also makes perfect sense to me as reducing it to the bare minimum, there are no US requirements that would provide any input to establishment of the risk acceptability matrix. 

Reducing your question to the bare minimum, you are asking about the use of US regulatory requirements which don't seem to fit into the risk management structure.

ISO 14971:2019 gives you the "out" when it says, "based on applicable national/regional regulations". For your example, there are no applicable regulations, so they don't contribute to the risk acceptability criteria.

ISO 14971:2019 clause 4.2 requires that:

Top management shall define and document a policy for establishing criteria for risk acceptability. This policy shall provide a framework that ensures that criteria for risk acceptability are based on applicable national/regional regulations, relevant international standards, take into account the generally acknowledged state of the art, and known stakeholder concerns.

I am aware of the accompanying guidance in the ISO TR 24971 (Annex C) on the relationship between the policy, risk acceptability, criteria, risk estimation and evaluation. 

My question is specifically to do with considering regulatory requirements when establishing a criteria for risk acceptability. 

A common example cited in this example is considering EU MDR and IVDR, and specifically the "as far as possible without affecting benefit/risk ratio" approach to risk control. However, I cannot understand, apart from EU MDR/IVDR, how would one use regulatory requirements to inform the risk acceptability criteria? Let's assume there is an implantable medical device that is intended to be commercialised in US only. How can I now use the applicable US regulatory requirements (say in 21CFR878.4018 Hydrophilic wound dressing)? Should the scope of regulatory requirements be limited to those related to the specific device / classification or should it be broader (say the QSR)?  Should the scope also consider international standards? But this is the next factor to consider in this normative requirement of ISO 14971 and are not quite "regulatory requirements" unless they're recognised by the FDA (?).

I am well familiar with risk management and regulatory requirements, but I can't quite seem to connect the two when it comes to establishing the criteria for risk acceptability. Looking for practical advise and guidance for the hypothetical device above.