Policy for establishing criteria for risk acceptability
The requirement to have a policy for establishing criteria for risk acceptability was added in ISO 14971:2019. It is particularly important for meeting the risk management requirements of the MDR and the IVDR.
The requirement was added because the concept was frequently misunderstood under the previous 2007 edition of the standard: the "risk policy" was often replaced by nothing more than a risk evaluation matrix, such as the one shown below. That was never the intent of the standard.
As part of your risk management system, top management must define and document a policy that serves as the starting point for determining the criteria for risk acceptability. The criteria should therefore be derived from the policy, much as quality objectives are derived from the quality policy under ISO 13485.
The policy provides a framework that ensures the criteria are based on applicable national or regional regulations, such as the MDR or the IVDR, and on relevant international standards, and that they take into account available information such as the generally acknowledged state of the art and known stakeholder concerns.
This policy should be included in your documented procedures or Standard Operating Procedures (SOPs), outlining how your organisation views and manages risk, thus setting the tone for your overall risk approach. Having this documented within your SOPs ensures continuity, consistency, and clarity when managing risks in multiple phases or aspects of your operations.
The criteria for risk acceptability derived from the policy must be documented in the risk management plan. The plan does not have to be a single document called "risk management plan"; it can be documented in different formats and spread across several documents. It is nevertheless generally a good idea to stay close to having one document called the risk management plan, since that is what auditors and reviewers will look for.
Content of the policy
The policy for establishing criteria for risk acceptability should typically include:
- Scope
- Factors and considerations for determining acceptable risk
- Approaches to risk control
Policy for establishing risk acceptability criteria, the MDR, and the IVDR
The policy is particularly important for the MDR and the IVDR because the General Safety and Performance Requirements (GSPR) in Annex I, section 2, state the following:
The requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit-risk ratio.
This means that merely reducing a risk until its magnitude falls below a threshold is not sufficient: each risk must be reduced as far as possible without adversely affecting the benefit-risk ratio. This is a relative measure of risk reduction rather than an absolute one, and a risk that sits below your matrix threshold may still need further reduction if a practicable measure is available. When claiming compliance with the MDR or the IVDR, the policy must therefore include this principle.
Example of policy for establishing criteria for risk acceptability for the EU market with MDR and IVDR:
Scope
This policy applies to all persons involved in establishing, reviewing, updating, and approving the criteria for risk acceptability in risk management plans for medical devices that are within the scope of our operations.
Factors and considerations for determining acceptable risk
The following factors and considerations shall be taken into account when establishing the criteria for risk acceptability:
- Applicable regulatory requirements in the EU,
- Standards according to the norms and standards list, see document ID X,
- The generally acknowledged state of the art, see document ID Y, and
- Validated concerns from stakeholders.
Approaches to risk control
As a general principle:
- Whenever a risk control measure, or the verification of a risk control measure, is available in a harmonised standard, it shall be considered before any other risk control measure.
- When reducing risk, consideration shall be given to whether technically practicable measures would reduce the risk further without impacting the intended use or the benefit of the medical device.
Individual risks:
- Must be reduced as far as possible without adversely affecting the benefit-risk ratio, and
- The magnitude of risks shall be reduced to an acceptable level as determined by using a risk evaluation matrix where the limit between acceptable and unacceptable risk shall be based on state of the art.
Who should approve the policy for establishing criteria for risk acceptability?
It is the responsibility of top management to define and document the policy, and therefore also to approve it. ISO 14971 defines top management as:
Person or group of people who directs and controls a manufacturer at the highest level.