Regulatory Open Forum

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

I love this conversation!

I understand the benefits of having one, concisely stated QMS Policy which may include a Risk Policy. But, if that is the case, I should think there needs to be middle layer (map/manual/?) between this policy and the various SOP's. This is especially true for larger organizations with multiple classes of products and global regions, not to mention if non-device GxP products are involved as well.

Add to this, security risks. The AAMI TIR97:2019 includes an excellent policy example that goes beyond ISO 27001:2015. But again, more details that can or should be added/mapped to the Risk Policy.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

I love this conversation!

I understand the benefits of having one, concisely stated QMS Policy which may include a Risk Policy. But, if that is the case, I should think there needs to be middle layer (map/manual/?) between this policy and the various SOP's. This is especially true for larger organizations with multiple classes of products and global regions, not to mention if non-device GxP products are involved as well.

Add to this, security risks. The AAMI TIR97:2019 includes an excellent policy example that goes beyond ISO 27001:2015. But again, more details that can or should be added/mapped to the Risk Policy.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

I love this conversation!

I understand the benefits of having one, concisely stated QMS Policy which may include a Risk Policy. But, if that is the case, I should think there needs to be middle layer (map/manual/?) between this policy and the various SOP's. This is especially true for larger organizations with multiple classes of products and global regions, not to mention if non-device GxP products are involved as well.

Add to this, security risks. The AAMI TIR97:2019 includes an excellent policy example that goes beyond ISO 27001:2015. But again, more details that can or should be added/mapped to the Risk Policy.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

The issue I see with such a policy is that it does not satisfy the intent of the standard.  Part of the reason for such a disconnect is that the standard calls for top management to define and document a policy for establishing criteria for risk acceptability, rather than simply a risk policy.  Specifically, such a policy needs to ensure risk acceptability criteria are specified in the risk management plan and address:

• Applicable national or regional regulations 
• Relevant International Standards
• The generally acknowledged state of the art
• Known stakeholder concerns

A blanket statement that a firm will never market nor keep on the market a device that would impose unacceptable risk lacks a policy on determining acceptability in general.  Likewise, the balance of a benefit-risk ratio is impossible to calculate, though TIR/ISO 24971:2020 has guidance on conducting the analysis in section 7.4.  

Note too that the IVDR (Regulation (EU) 2017/746) states in the introduction (section 13) that "the requirement to reduce risks as far as possible should be fulfilled taking into account the generally acknowledged state of the art in the field of medicine."  Likewise both the MDR (Regulation (EU) 2017/745) and IVDR note in Chapter 1 of each respective Annex I that the requirement to "reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio." Additionally, each state that "risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art. To reduce risks, Manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable."  Depending on the medical device and intended market, this may be an applicable regulation or just a good point to keep in mind.

I love this conversation!

I understand the benefits of having one, concisely stated QMS Policy which may include a Risk Policy. But, if that is the case, I should think there needs to be middle layer (map/manual/?) between this policy and the various SOP's. This is especially true for larger organizations with multiple classes of products and global regions, not to mention if non-device GxP products are involved as well.

Add to this, security risks. The AAMI TIR97:2019 includes an excellent policy example that goes beyond ISO 27001:2015. But again, more details that can or should be added/mapped to the Risk Policy.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.

Hi Christopher,

We both go for the same target, nevertheless I don't see a way to place a complex part of the standard into a policy. The risk policy needs to be embedded in a quality system which in turn ensures training (even for the top management).

>> So, may we just have a misalignment what a >risk policy< is? >> For me it is a summative, high-level statement being embedded in a quality system; and I personally see such risk policy on a high-level statement, maybe in parallel with the quality policy / claims. This statement may be placed in many locations, including the coffee break room. 

If the top management commitment contains "never allow unacceptable risk" it is straightforward, that acceptance criteria, applicable to the product must be established.   

As soon as a company has products in different risk classes (let's assume a class I SaMD and a class III passive implantable device (a "piece of steal")); establishing a joint policy / joint risk acceptance criterion becomes virtual impossible. Hence the related details should be in the applicable risk management plan.

Here it may be a pragmatic approach, that top management release a plan template with proposes the "normal" wording and that later the top management may only be involved if for a particular product the risk policy needs a refinement.

Maybe the following addition would help: We (the company) will never place products on the market or maintain products in the market if any product would impose an unacceptable risk based on established acceptance criteria for each product. 

So if top management signs such policy statement and also the related risk management plan (if criteria are modified) / report for any product, I would claim that top management Involvement is compliant to the standard.

About benefit-risk-ratio [BRR]. We may question whether it can be calculated and conclude that the BRR can only be qualitatively estimated based on SME judgment. Anyhow, that does not change the fact of being a core principle in MDR Annex I.

PS my proposal is somewhat influenced by the title of the 2015 2015 AAMI/FDA Risk Management Summit report (link) "Making Risk Management Everybody's Business".

The issue I see with such a policy is that it does not satisfy the intent of the standard.  Part of the reason for such a disconnect is that the standard calls for top management to define and document a policy for establishing criteria for risk acceptability, rather than simply a risk policy.  Specifically, such a policy needs to ensure risk acceptability criteria are specified in the risk management plan and address:

• Applicable national or regional regulations 
• Relevant International Standards
• The generally acknowledged state of the art
• Known stakeholder concerns

A blanket statement that a firm will never market nor keep on the market a device that would impose unacceptable risk lacks a policy on determining acceptability in general.  Likewise, the balance of a benefit-risk ratio is impossible to calculate, though TIR/ISO 24971:2020 has guidance on conducting the analysis in section 7.4.  

Note too that the IVDR (Regulation (EU) 2017/746) states in the introduction (section 13) that "the requirement to reduce risks as far as possible should be fulfilled taking into account the generally acknowledged state of the art in the field of medicine."  Likewise both the MDR (Regulation (EU) 2017/745) and IVDR note in Chapter 1 of each respective Annex I that the requirement to "reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio." Additionally, each state that "risk control measures adopted by manufacturers for the design and manufacture of the devices shall conform to safety principles, taking account of the generally acknowledged state of the art. To reduce risks, Manufacturers shall manage risks so that the residual risk associated with each hazard as well as the overall residual risk is judged acceptable."  Depending on the medical device and intended market, this may be an applicable regulation or just a good point to keep in mind.

I love this conversation!

I understand the benefits of having one, concisely stated QMS Policy which may include a Risk Policy. But, if that is the case, I should think there needs to be middle layer (map/manual/?) between this policy and the various SOP's. This is especially true for larger organizations with multiple classes of products and global regions, not to mention if non-device GxP products are involved as well.

Add to this, security risks. The AAMI TIR97:2019 includes an excellent policy example that goes beyond ISO 27001:2015. But again, more details that can or should be added/mapped to the Risk Policy.

You have, I infer, a Quality Management System, QMS, which has a Quality Policy that provides guidance to activities in the QMS.

You have, I infer, a Risk Management System, RMS, which has a Risk Policy that provides guidance to activities in the RMS.

The two policies operate in parallel, and could be combined.

For a given medical device (design, production, post-market, etc.) you would not have a Quality Policy for each device. Similarly, you would not have a Risk Policy for each device.

I tell my manufacturing clients that there is only one Quality Policy worth having, "We make good stuff on time". (Note that ISO 13485:2016 requires some other useless stuff.)

For medical devices, you might say, "We make safe and effective devices on time". This includes the risk management policy, as part of "safe". Safe means freedom from unacceptable risk.

ISO 14971:2019, 4.2 Note 1 says, "The manufacturer's policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Note that there are three options to use the policy to set the criteria for risk acceptability. In other words, how would you apply the concept to "safe" to any particular medical device.

Unfortunately, EN ISO 14971:2019/A11:2021 reduces the options to only one. Annex ZA(3) says, "the manufacturer's policy for establishing criteria for risk acceptability (see 4.2 of this European standard) shall ensure that the criteria comply with the General Safety and Performance Requirements of that Regulation".

MDR Annex I(2) says, "The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio".

When implementing the policy for each device covered by the EU-MDR, the acceptability policy must be, "reducing risk as far as possible without adversely affecting the benefit-risk ratio".

Consider, for example, the traditional 5 x 5 risk matrix with five levels of severity and five levels of frequency of occurrence (probability) resulting in 25 cells. Reducing risks as far as possible means getting the residual risk into best cell you can, i.e., the lowest severity and the lowest frequency of occurrence. When you have done this, check that this cell does not adversely affect the benefit-risk ratio.

The policy and the acceptability criteria apply to all devices covered by the RMS.