ISO 14971: 2012 Compliance Content Deviations #1 and #2: Treatment of Negligible Risks and Risk Acceptability

Written by: John Lafferty.

In a previous blog, we discussed the changes to EN 14971: 2012 in broad terms, and we have seen that to comply with the EN version of the standard, manufacturers will have to move away from the ALARP system of risk analysis and evaluation. This will mean significant changes to the risk management process. In this newsletter and subsequent newsletters, we will deal with each of the seven Content Deviations* in detail. In this newsletter, we deal with the first two Content Deviations: Treatment of Negligible Risks and Risk Acceptability Assessment. Annex D8.2 of the ISO 14971 Standard indicates that the manufacturer may ignore negligible risks. However, the Essential Requirements of the three Medical Device Directives (MDD) state that “All risks, regardless of their dimension, need to be reduced as much as possible and need to be balanced, together with all other risks, against the benefit of the device”.

Content Deviation 1: Treatment of Negligible Risks

Annex D8.2 of the ISO 14971 Standard indicates that the manufacturer may ignore negligible risks. However, the Essential Requirements of the three Medical Device Directives state that “All risks, regardless of their dimension, need to be reduced as much as possible and need to be balanced, together with all other risks, against the benefit of the device”.

The first step in the risk analysis process is to identify hazards. Best practice is to identify as many as possible at the beginning of the process and divide them into two categories: those that need to be analysed for risk because they could cause harm, and those that cannot possibly cause harm (even in the case of misuse), often due to the design of the device. If you choose not to analyse a hazard, you must record the rationale for choosing not to conduct the analysis. Another alternative is to analyse the hazard and show that it has been reduced as far as possible.

How to Address Content Deviation No. 1

Annex D8.2 of ISO 14971 indicates that negligible risks may be disregarded. However, Essential Requirements 1 and 2 of the MDD specifically require that all risks must be considered. This means that, where possible, controls need to be generated for all risks listed in your risk analysis documents (such as FMEAs). If no further controls are possible, then record a statement to this effect in the risk analysis documentation. It is important to remember that, even for negligible risks, an economic justification is not permissible for not reducing the risk as far as possible (see also Content Deviation No. 3, Risk Reduction Economic Considerations, the subject of our next Newsletter). In achieving compliance with EN 14971: 2012, the Treatment of Negligible Risk will not be your highest priority. Discuss with your Notified Body a timeframe for implementation of reducing Negligible Risk as far as possible.
Tip: Do not include business risks or risks to manufacturing personnel in the risk analysis that you conduct to fulfil the Medical Devices Directives; this will simplify your risk analysis and exclude a number of (negligible) risks that would otherwise have to be reduced as far as possible in order to comply with EN 14971: 2012 and the MDD.

Content Deviation No. 2: Risk Acceptability Assessment

This Deviation relates to the process of evaluating risks. ISO 14971 states that the acceptability of risk must be decided by the manufacturer. Clause 3.2 of the 14971 Standard states that “Top management shall: define and document the policy for determining criteria for risk acceptability.” The manufacturer’s risk management policy must define and record the criteria that it uses for deciding which risks are acceptable or not. Essential Requirements 1 and 2 state that risks must be reduced as far as possible, and that all risks shall be included in a risk/benefit analysis, not just the risks that meet certain criteria. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD.
The question is: how does a manufacturer establish acceptability criteria?
Robert Packard of in his excellent blog on the Content Deviations recommends the following: “For new devices, I recommend benchmarking the risks of the new device against existing devices. In other words, if the new device presents equal or lower risks than existing devices, then the risks of the new device are acceptable. For existing devices, I recommend performing a risk/benefit analysis, evaluating adverse events observed with the device against the benefits of using the device”.

What is Acceptable?

In order to comply with the EN ISO 14971:2012 version of the risk management standard, you will need to implement risk controls for all risks, regardless of acceptability. However, you will also need to perform a risk/benefit analysis. The risk/benefit analysis should consider not only the benefits to patients and the risks of using the device, but the analysis should also consider relative benefits of using other devices.
The clinical evaluation report and the risk management report for the device should be based upon clinical evidence of the device for the intended use—including adverse events. For new devices that are evaluated based upon literature review of equivalent devices, Notified Bodies expect a Post-Market Clinical Follow-up (PMCF) study to be conducted in order to verify that the actual risk/benefit of the device is consistent with the conclusions of the clinical evaluation. In order to perform this analysis, a clinical expert is necessary to properly evaluate the risk/benefit ratio of the device, and to create a protocol for a PMCF study.
MEDDEV 2.12/2 rev 2, Post Market Clinical Follow-up Studies, indicates that the PMCF study protocol should indicate the study endpoints and the statistical considerations. In order to do this, your company will need to establish quantitative criteria for acceptability of the identified risks. Therefore, your documentation should make it clear that risk acceptability criteria should be based upon clinical data. Acceptance of risks should be conducted at a later point in the risk management process than under the ALARP system (e.g., as part of the overall risk/benefit analysis).

How to Address Deviation #2

As your company becomes aware of the second deviation between the ISO 14971 Standard and the Essential Requirements of the MDD, your risk management team will need to change the risk management process to clarify when risk acceptability should be evaluated, and the risk management policy should specify how acceptability should be determined.
The risk management process at your company will need to specify that implementation of risk controls is required for all risks—regardless of acceptability. You should also consider eliminating the evaluation of risk prior to implementation of risk controls. Instead, your company should base acceptability of risk solely upon the clinical risk/benefit analysis, and should involve the manufacturer’s medical expertise in making this determination.
Finally, your risk management process should specify the need for Post Market Clinical Follow-up Studies in order to verify that actual clinical data supports the conclusion that the risk/benefit ratio is acceptable over the lifetime of the device.
The proper place to document this conclusion is in the conclusions of the clinical evaluation report and risk management report. Both of these documents should cross-reference to one another and the conclusion should be reassessed as new post-production data is collected over time.
*Content Deviation: During the process of making ISO 14971 an EN standard (a process known as harmonisation), it became apparent that the standard did not comply with all the requirements of the Medical Devices European Directives, namely 90/385/EEC, 93/42/EEC and 98/79/EC. The differences between EN 14971: 2012 and the Medical Devices Directives are known as Content Deviations.
The seven Content Deviations are:
1. Treatment of Negligible Risk
2. Risk Acceptability Assessment
3. Risk Reduction Economic Considerations
4. Risk-Benefit Analysis Not Optional
5. Risk Control Options
6. First Risk Control Option
7. Labelling Information Cannot Influence Residual Risk

Course on Quality Risk Management and ISO 14971 for Medical Devices

To find out more, why not come along to our Quality Risk Management and ISO 14971 – Medical Devices course, which we run through our training partner SQT Training. To enquire further or to book, simply visit SQT Training.

John Lafferty – Tutor

John Lafferty is the tutor on the above training course. John also delivers courses in areas such as Quality Systems, Process Validation, Software Validation and Quality Risk Management on behalf of SQT. John runs a Quality Management Consultancy, Northridge Quality & Validation, which specialises in providing assistance to the Medical Devices and Pharmaceutical sector.