Evaluating and Accepting Medical Device and IVD Residual Risk

January 24, 2022

Medical device manufacturers and regulators generally have different goals, but one thing they have in common is a desire to make sure devices are safe and effective. To achieve that, regulatory managers often spend a substantial amount of time analyzing, evaluating, and controlling all manner of risks.

Of course, risk can never be entirely eliminated, and despite your best efforts at controlling them, there will always be what is called “residual risk.” The question for many is how residual risk should be evaluated and deemed acceptable (or not) based on a benefit-risk analysis. Let us take a look.

This article focuses specifically on residual risk. If you want an in-depth primer on the entire medical device risk management process, start here.

What Is Residual Risk?

Residual risk analysis takes individual risks that meet your acceptance criteria and examines the risk they pose individually as well as all risks in aggregate. It is entirely possible that individual risks might meet your risk acceptance criteria on their own but not when evaluated in aggregate. An example of this might be cybersecurity threats for an insulin pump. Individual vulnerabilities might be analyzed, evaluated, and mitigated as far as possible. While some risks remain, they are determined to be acceptable. Collectively, those small vulnerabilities may allow a hacker easier access to penetrate the software than initially thought and control the device, causing harm to the patient.

Clauses 7.4 and 8 of ISO 14971:2019 – the international risk management standard – emphasize the need to evaluate residual risk, noting that it should “be evaluated in relation to the benefits of the intended use of the medical device.” Likewise, Annex I of the EU Medical Device Regulation (2017/745) says that you should “reduce risks as far as possible” without adversely impacting the benefit-risk ratio. This includes known and foreseeable risks, including intentional and unintentional misuse of your device.

Practical or practicable?
You may see the word “practicable” in ISO 14971 and ISO 24971 and assume it is a typo. However, “practicable” is a word and means something that can actually be put into practice, whereas “practical” means something that is useful or matter-of-fact. In the case of risk assessment, there is little point in focusing on residual risks if practicable actions cannot be taken to mitigate them.

How to Approach Residual Risk Analysis

During this process, you will perform a benefit-risk analysis on individual residual risks that do not meet your risk acceptability criteria, as well as on the overall residual risk. Residual risks should be evaluated using the same methods you use to evaluate individual risks. However, the risk acceptability criteria for residual risks should be based on the benefit of the product. ISO/TR 24971 notes: “The criteria used to evaluate individual risks usually include limits for the probability of occurrence of harm with a particular severity. The criteria used to evaluate the overall residual risk are often based on additional elements, such as the benefits of the intended use of the medical device.” Annex A of ISO/TR 24971 provides many pages of factors to identify characteristics of your product that you should consider to recognize potential hazards and harms.

Medical device and in vitro diagnostic (IVD) manufacturers typically take one of two approaches to risk acceptability.

ALARP – As Low as Reasonably Practicable

ALARP refers to controls that are considered viable or capable of being implemented and has two components. First, look at the technical practicability in reducing risks, ensuring that the controls do not reduce the effectiveness of the device and are not overly complex or confusing for users. Then, consider the economic practicability, ensuring risk controls do not reduce the availability of the device to protect human health by making it too expensive for users.

AFAP – As Far as Possible

AFAP is more stringent than ALARP. This is the policy of reducing risk as far as possible without adversely affecting the benefit-risk ratio. It takes into account the generally acknowledged “state of the art” and is required by EU MDR General Safety and Performance Requirements (GSPR) Annex I.

If you sell in the US and Europe, we highly recommend adopting AFAP as your risk control approach. While Section 4.1 (Note 1) of ISO 14971:2019 mentions the general concept of reducing risk to ALARP and Annex D of ISO/TR 24971:2020 does mention the “cost of further reduction” in the definition of practicability, it is generally not acceptable to trade device safety for cost. The rationale for your decision must be documented in your risk management file, so cost as a rationale for not mitigating a risk is not something you want to share with your Notified Body.

ISO/TR 24971:2020 as Your Risk Management Cookbook

Performing risk management without ISO/TR 24971:2020 is like trying to make cupcakes without sugar. It is not going to end well. This 103-page technical report is your user manual for deciphering ISO 14971:2019. Residual risk is mentioned 132 times in this document, and these are some sections you will want to reference:

  • Section 7.3 – Residual risk evaluation
  • Section 7.4 – Benefit-risk analysis (also see Annex A)
  • Section 8 – Evaluation of overall residual risk
  • Annex C – Relation between the policy, criteria for risk acceptability, risk control, and risk evaluation
  • Annex D – Information for safety and information on residual risk

When evaluating risk, many people use a table such as this to look at the probability of occurrence and severity of harm. With residual risk, you can consider additional factors, such as the benefit the product offers when used as intended.

How Low Should You Go?

To ensure that you do not go overboard in analyzing residual risks, establish a systematic process and focus on the risks that are within your control. An important part of the risk analysis process is to ensure that you do not introduce new hazards in your quest to eliminate or minimize hazards. In the preamble of 21 CFR Part 820, FDA states that if any risk is judged to be unacceptable, it should be reduced to acceptable levels by the appropriate means, which may include a redesign or warnings. ISO 14971:2019 refers you to your own risk acceptability policy to determine risk control options. Your risk policy establishes criteria for the level of control. Section 4.2 of ISO 14971 requires top management to set this policy for the acceptability of risk. This may include reducing risk as low as reasonably practicable, as low as reasonably achievable, or as far as possible without impacting the benefit-risk ratio. You may wonder about the difference in these policies, and you can get more guidance on defining a policy in Annex C of ISO/TR 24971.

Residual risk analysis – like other aspects of risk management – is not a one-time project. Evaluations should be completed throughout the life cycle of the device, especially when postmarket information comes to light.

Benefit-Risk Analysis

As you go through the process of evaluating residual risk, you will discover some risks that are known but are not practicable to avoid. In this case, you will perform a benefit-risk analysis to determine if the risk posed is acceptable when weighed against the benefits. Here is an example from ISO/TR 24971:2020, the guide to the application of ISO 14971:2019.

Burns can occur where the return electrode of a high-frequency surgery device is improperly attached to the patient. Although conformance to the relevant product standard minimizes the probability of such burns, they can still occur. Nevertheless, the benefit of using a high-frequency surgery device outweighs the residual risk of burns.”

There is no magic formula for determining how much risk is acceptable, and you should avoid coming up with numerical point systems as a means of making this determination. As previously stated, while the criteria for measuring the residual risk may be the same as the initial evaluation, the criteria for determining the acceptability of the risk should be based on the benefit of the product to the patient. It is up to you to establish a method of evaluation, but you should involve people who have the knowledge, experience (medical and / or clinical knowledge), and authority to make this determination. The results of your evaluation will become a part of your risk management file.

More Diversity = Better Results
When we talk about diversity, we are talking about assembling a team that covers the gamut of manufacturing, distribution, customer service, sales, packaging, and so on. For instance, without a colleague from manufacturing, nobody will be able to foresee potential manufacturing problems that could create hazardous situations. Without someone from customer service, you may not get insight into how consumers might use your device outside of its indications for use despite your well-labeled warnings and magnificent instructions for use. Residual risk is often an exercise in brainstorming, and you will get far more ideas on what can go wrong with a team that represents many areas of your company beyond RA/QA.

Disclosure Requirements for Residual Risks

Even if you may have evaluated residual risks and deemed them to be acceptable, this does not mean that you do not need to disclose them. Annex I, Chapter I(4) of the EU MDR states that “manufacturers shall inform users of any residual risks.” However, Section 8 of ISO 14971:2019 confuses the issue somewhat by saying that you should inform users of “significant residual risks.” While ISO 14971:2019 is not (yet) harmonized with the MDR or IVDR, it is considered the “state of the art,” so if there is any question about whether you should disclose or not, you could probably argue this either way with your Notified Body until the issue is settled by future Medical Device Coordination Group (MDCG) guidance. Annex A, Section 2.8 provides more detail on this issue, so if in doubt, read this section and Annex D(3) of ISO/TR 24971.

Want to Learn More? Need Help?

If you want to take a deep dive into ISO 14971, consider the Oriel STAT A MATRIX risk management training course. Our team is also available to help you comply with EU MDR or FDA risk management requirements.

Our team is here to help. Call 1.800.472.6477 or contact us online ›