Risk criteria development flowchart -...


Page 1: Risk criteria development flowchart - sqrconsulting.com.brsqrconsulting.com.br/exampleriskpolicycriteria14971.pdf · Policy for determining criteria for risk acceptability Risk criteria

Policy for determining criteria for risk acceptability Risk criteria development flowchart

Determine the need to establish risk criteria. What risk decisions will be aided by the criteria?

Determine the risks to be addressed (Risk to what?)

Determine/classify the populations to be addressed

Determine which risk criteria to develop.

Individual, societal, or other type of risk?

Will there be a criterion defining de minimis risk?

Determine philosophy for continuing risk reduction (e.g., ALARP, ALARA, AFAP)

Qualify/Validate risk criteria

Periodically revalidate risk criteria

Develop societal risk criteria (based on policy)

Develop societal risk criteria (based on policy)

Develop individual risk criteria (based on policy)

[m1] Comment: Having this option will enable use of other types of risk (environmental, cybersecurity)

[m2] Comment: Having this option will enable use of other types of risk (environmental, cybersecurity)

[m3] Comment: Some regulations may not allow the use of de minimis risk (Broadly acceptable, not requiring further reduction)

[m4] Comment: This will enable use of differing approaches for risk reduction based on regulations

Created by Marcelo Antunes, [email protected] Version 4 - 11-07-18

Develop individual risk criteria flowchart

Develop individual risk criteria (based on policy)

Identify possible criteria or basis of criteria in applicable regulatory requirements

Identify additional criteria

Identify possible criteria or basis of criteria in applicable international standards

Identify state-of-the-art regarding intended use of device, including medical alternatives

Identify known stakeholder concerns, including public perception of risk

Identify probability/severity criteria

Define overall risk criteria

From Risk criteria development flowchart

Goes back to Risk criteria development flowchart

[m5] Comment: Regulations may have specific criteria or indications to develop criteria

[m6] Comment: International standards may have specific criteria or indications to develop criteria

[m7] Comment: Risk perception may include scale of possible incidents, Tolerance of the Commonplace/Fear of the Unusual, Control Over the Risk, Voluntary vs. Involuntary Risk, Patient tolerance of risk and other factors


Examples

Example Policy for determining criteria for risk acceptability

Company X defines the following as our policy for determining criteria for risk acceptability related to our medical devices:

- Our policy for determining criteria for risk acceptability related to medical devices we manufacture shall be defined by top management and will guide all organization activities towards risks related to our medical devices.

- Our policy for determining criteria for risk acceptability shall be reviewed from time to time to make sure that it is in consonance with expectations from the stakeholders involved in our medical devices' lifecycles.

- The definition of our criteria for risk acceptability, and all other risk management activities related to our medical devices, shall be performed only by personnel with adequate competence.

- Our criteria for risk acceptability shall take into consideration applicable regulations from target markets in which our devices are marketed. Different or contradicting expectations from different regulations will be treated on a case-by-case basis and will be duly justified.

- Our criteria for risk acceptability shall take into consideration relevant international standards. The risk acceptability criteria for each device or family shall clearly define how international standards will be treated as part of the risk management process.

- Our products shall have at least the risk control measures detailed in all applicable international standards, and when risk control options are not defined in international standards, we will implement risk control measures that reflect current practice and current perceptions of all involved, including all regulatory expectations.

- Our products shall always have a degree of safety comparable to, and if possible better than, other treatment solutions on the market, including similar devices on the market.

- Our criteria for risk acceptability shall identify known stakeholder concerns, including public perception of risk. This includes concerns from users and patients, among others.


Example Risk criteria development flowchart

1 - Determine the need to establish risk criteria. What risk decisions will be aided by the criteria?

Risk criteria will be used to show that risks related to medical device X are acceptable. The criteria will aid in the decision of:

- When identified and reasonably foreseeable individual risks related to the medical device are to be considered acceptable

- When the aggregate risks related to the medical device are to be considered acceptable

2 - Determine the risks to be addressed (Risk to what?)

Risk of harm to patients, users and, where applicable, other persons

3 - Determine/classify the populations to be addressed

Individual patients, users, or other persons. The device is not expected to cause harm to groups of persons at a time.

4 - Determine which risk criteria to develop.

Individual, societal, or other type of risk?

Will there be a criterion defining de minimis risk?

Individual risk - the risk to a person in the vicinity of a hazard. In particular, the individual risk type to be used will be the maximum individual risk (the individual risk to the person(s) exposed to the highest risk in an exposed population), for patients because blahblahblah.

There won't be a de minimis criterion.

5 - Determine philosophy for continuing risk reduction (e.g., ALARP, ALARA, AFAP)

ALARP will be used as philosophy for risk reduction.

6 - Develop individual risk criteria (based on policy)


See below

Example Develop individual risk criteria (based on policy)

1 - Identify possible criteria or basis of criteria in applicable regulatory requirements

Applicable regulations require that risks are acceptable when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety. There are no different or contradicting expectations in the applicable regulations.

2 - Identify possible criteria or basis of criteria in applicable international standards

The device has an applicable international product safety standard that can be used as a basis (ISO XXX or IEC XXX). Other applicable standards exist that can be used as a basis for criteria for different aspects of device risks (for example, biocompatibility).

3 - Identify state-of-the-art regarding intended use of device, including medical alternatives

There are several similar devices on the market. Alternative treatment (for example drug, manual, etc.) is considered safer but slower in recovery time when compared to devices (and for XXX reason it's important to have a quicker recovery time).

4 - Identify known stakeholder concerns, including public perception of risk

Patients tend to think that risks related to the device are commonplace (the same risk as being punctured by a needle), and also are more willing to tolerate risks if treatment has quicker recovery time than current treatments

Users generally think that the device does pose risks, but are more willing to accept them if protective equipment is required to be used with the device so as to diminish involuntary risk.


5 - Identify probability/severity criteria

The following criterion is to be used as a basis, and shall take into consideration the additional criteria mentioned below

(for this example, disregard the de minimis region; all risks have to be justified)

Maximum individual risk to patients (fatality/year): 10⁻³

6 - Identify additional criteria

Risks shall be reduced wherever practicable. This includes cases in which, even if the risk is already deemed acceptable by the criteria, the cost to include the additional risk control is considered so low as to be essentially free.

Further development should not pose any incremental risk.

No single failures/errors should lead to an accident.


Device shall comply with requirements from international standards X, Y, Z. Unless an evaluation shows otherwise, compliance with those standards shall be used as argument to consider the risk as reduced to an acceptable level (ALARP good practice argument).

Risks to patients can be considered ALARP if:

- there's a good practice argument which demonstrates that risk control measures comply with relevant good practice and similar solutions in similar devices. This situation can be accepted by the authority of design engineers.

- there's a qualitative first principles argument based on common sense or professional judgment that weighs possible risk reduction against the gain in recovery time. This situation can be accepted only by the authority of the device design project leader and risk management leader.

- there's a quantitative first principles argument based on a Cost Benefit Analysis (CBA) that weighs possible risk reduction against the gain in recovery time (this case would only be required if individual risk is more than 10⁻³). This situation can be accepted only by the authority of the device design project leader and risk management leader, and top management.

A risk to the user may be acceptable if it can be justified that the use of protective equipment which is required to be present will reduce the individual risk to less than 10⁻³.

Risks of more than 10⁻³ can only be accepted if a risk-benefit analysis shows that the total benefits of the device outweigh the aggregate risk profile. This situation can only be accepted by top management.
