Overall residual risk and the new ISO 14971

When one gets to the stage of evaluating overall residual risk in the risk management process described in ISO 14971, all individual risks have been controlled and judged acceptable. In some cases, a benefit–risk analysis has been performed with the conclusion that the benefits outweigh a particular risk. Although each risk is acceptable, it is important to also consider the contributions of all risks together (i.e. the overall residual risk). The reason is that the combination of several small risks could pose an unexpected big risk. For example, there could be a particular risk control measure that is designed to control two independent risks simultaneously, which could be deemed unacceptable.

The clause on the evaluation of the overall residual risk has undergone considerable change in the third edition of ISO 14971. The second edition provided for a two-step approach, where the overall residual risk was first evaluated against the acceptability criteria. Second, if the overall residual risk was not judged acceptable, the manufacturer could gather data and literature to determine if the benefits of using the medical device would outweigh the overall residual risk. In this approach it was unclear which criteria for risk acceptability should be used and if the benefits of the intended use should or could also be considered in the first evaluation. Further, it was not clear which individual risks should be included in the evaluation of the overall residual risk.

The two-step approach is replaced with one evaluation in the third edition of ISO 14971. It is required that the contributions of all individual residual risks are taken into account, and that the overall residual risk is evaluated in relation to the benefits of the intended use of the medical device. The manufacturer is required to document the evaluation method and the criteria for acceptability of the overall residual risk in the risk management plan. This ensures an objective evaluation. The method can include gathering data and literature for similar medical devices available on the market and judgement by a cross-functional team of experts with knowledge of and experience in application of the medical device.

ISO/TR 24971 provides further guidance on possible approaches that can be used in the evaluation and on inputs and other considerations that can be taken into account. It is explained that the criteria for acceptability of the overall residual risk can be different from the criteria for acceptability of individual risks. In any case, these criteria must be based on the manufacturer’s policy for acceptable risk. If the overall residual risk is not judged acceptable, the manufacturer needs to go back in the process and apply additional risk control measures. The manufacturer may also consider modifying the medical device or restricting the intended use (for example, excluding vulnerable patient groups). Otherwise, the overall residual risk remains unacceptable and development must be abandoned.

The manufacturer is instructed to inform users of any significant residual risks and to disclose those risks by providing relevant information in the accompanying documentation. Since ISO 14971 focuses on risks related to the design of the medical device and how the manufacturer can control them, it is important to disclose the residual risks inherent in the use of the medical device after all risk control measures have been implemented. The residual risks can relate to side-effects or after-effects of using the medical device in a particular procedure, for example, erythema that can occur after radiation therapy, blood in the urine after lithotripsy of kidney stones, and swelling or inflammation of the eye after ophthalmic surgery. The disclosed information enables the user to make informed decisions on whether to use this medical device in a particular situation or to choose a different medical device, taking account of the condition of the individual patient. The disclosure of residual risks needs to be distinguished from information for safety, which is a risk control measure.

While the disclosure of residual risk is descriptive and provides the user with information on risks inherent to the use of the medical device, information for safety is instructive and provides the user with information on how to use the medical device and on actions to take or to avoid to prevent a particular hazardous situation or harm from occurring. ISO/TR 24971 provides further guidance on information for safety and the disclosure of residual risk.

This is an excerpt from the BSI medical devices white paper Risk management for medical devices and the new ISO 14971.

The Compliance Navigator blog is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd or of the BSI Notified Body.  The views expressed are entirely those of the authors.