Managing residual risk and understanding risk tolerance are crucial aspects of ISO 13485 compliance.
ISO 13485:2016 is an international standard that outlines the requirements for a quality management system (QMS) in the medical device industry. Clause 7.1 requires risk management in relation to operations and, in a note (not, therefore, a requirement), refers to ISO 14971. How, then, should you approach questions of residual risk and risk tolerance?
ISO 13485 and ISO 14971 - complementary Standards
The standard ISO 14971:2019, Medical devices - Application of risk management to medical devices, provides the risk management process and methods most frequently applied to managing risk throughout a medical device's lifecycle. Whether or not you formally adopt ISO 14971, Certification Body Auditors will expect risk to be managed in a documented, systematic way throughout the device's lifecycle.
Note: deGRANDSON offers a choice of Risk Management Courses.
Here are some key considerations:
Residual Risk Management
- Risk Identification:
- Identify and document potential risks associated with your medical devices throughout their lifecycle, from design and development to manufacturing, distribution, and post-market activities.
- Risk Assessment:
- Conduct risk assessments to evaluate the severity, probability, and detectability of identified risks. Use tools such as Failure Mode and Effects Analysis (FMEA) to assess and prioritize risks systematically.
- Other tools, such as Preliminary Hazard Analysis at the design stage and HACCP applied during manufacturing, are much underutilized in practice.
- Risk Mitigation:
- Implement risk mitigation strategies to reduce the likelihood and impact of identified risks. Such mitigation could involve design changes, process improvements, or the introduction of safety features.
- Monitoring and Control:
- Regularly monitor and control identified risks. Establish controls and procedures to minimize the likelihood of risks occurring and promptly respond if they do.
- Documentation:
- Document all aspects of risk management, including risk assessments, mitigation strategies, and ongoing monitoring. This documentation is essential for compliance with ISO 13485.
- Residual Risk:
- The risk remaining after risk control measures have been implemented. Residual risk must itself be evaluated against the acceptance criteria and, where it is not judged acceptable, either reduced further or justified against the device's benefits.
- Post-Market Surveillance:
- Implement a robust post-market surveillance system to monitor the performance of medical devices once they are in the market. This helps identify and address emerging risks, which for new devices may only emerge after product launch.
- Preventing Field Safety Corrective Actions (FSCA) for devices already placed on the market saves on costs and resources in the long term. It assures the well-being of patients, users, and the environment.
Risk Tolerance
- Define Risk Tolerance:
- Clearly define the organization's risk tolerance. This involves determining the acceptable level of risk for various aspects of your QMS, considering factors such as patient safety, regulatory compliance, and business objectives.
- A complication arises under the EU Medical Device Regulation (Regulation (EU) 2017/745, the MDR). The ALARP approach (as-low-as-reasonably-practicable), which allows a manufacturer to stop reducing a risk when the cost of further reduction is judged disproportionate, is not accepted. MDR Annex I requires risks (related to harm to patients, users or third parties) to be reduced "as far as possible" without adversely affecting the benefit-risk ratio, and to be acceptable when weighed against the benefits to the patient. Note: ISO/TR 24971:2020 describes several approaches to reconciling this with ISO 14971. Here, the MDR's legal requirements outrank the standard's requirements and must be applied for the European marketplace.
- Risk Acceptance Criteria:
- Establish criteria for accepting or rejecting risks based on the defined risk tolerance. Clearly communicate these criteria to relevant stakeholders.
- A risk matrix is a tool medical device engineers use to quantify the risk level associated with a medical device. Risk matrices are helpful because they offer standardized criteria and consistent methodology for assessing the risk of medical devices and classifying them appropriately in support of good decision-making.
- Decision-Making Processes:
- Integrate risk tolerance considerations into decision-making processes. Ensure that decisions related to design changes, process improvements, and other QMS aspects align with the organization's risk tolerance.
- Periodic Review:
- Regularly review and reassess risk tolerance based on changes in the business environment, regulatory requirements, and the performance of the QMS.
- Communication:
- Communicate the organization's risk tolerance to all relevant stakeholders. This includes employees, suppliers, and regulatory authorities.
- Training and Awareness:
- Ensure that employees are trained and aware of the organization's risk tolerance. This helps in fostering a risk-aware culture within the organization.
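The risk matrix and the ALARP-versus-"as far as possible" distinction described in the Risk Tolerance bullets above can be made concrete. The following Python is an added worked example, not code from the original article or from any standard: the 5x5 scales, the zone thresholds, the policy names `alarp` and `afap`, and the infusion-pump hazard are all constructed here for illustration. ISO 14971 and the MDR leave the actual scales and acceptance criteria to the manufacturer's risk management plan.

```python
"""Risk matrix with acceptance criteria and residual-risk evaluation.

Added worked example. Scales, thresholds, policy names and the sample
hazard are constructed for illustration and are not taken from ISO 14971
or the MDR, both of which leave these choices to the manufacturer.
"""
from dataclasses import dataclass, field, replace
from enum import IntEnum


class Severity(IntEnum):
    NEGLIGIBLE = 1
    MINOR = 2
    SERIOUS = 3
    CRITICAL = 4
    CATASTROPHIC = 5


class Probability(IntEnum):
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


def risk_index(severity: Severity, probability: Probability) -> int:
    """Cell of a 5x5 matrix scored as severity x probability (1..25)."""
    return int(severity) * int(probability)


def risk_zone(severity: Severity, probability: Probability) -> str:
    """Map a matrix cell to an acceptance region (constructed thresholds)."""
    index = risk_index(severity, probability)
    if index <= 4:
        return "acceptable"
    if index <= 12:
        return "further reduction required"  # the classic ALARP band
    return "unacceptable"


@dataclass
class Control:
    description: str
    severity: Severity        # estimated risk after this control is applied
    probability: Probability
    implemented: bool = True


@dataclass
class Hazard:
    hazard_id: str
    description: str
    severity: Severity        # initial estimate, before any control
    probability: Probability
    controls: list = field(default_factory=list)  # in order of application
    benefit_rationale: str = ""  # documented benefit-risk justification


def residual_risk(hazard: Hazard) -> tuple:
    """Residual risk is the estimate after the last *implemented* control."""
    sev, prob = hazard.severity, hazard.probability
    for control in hazard.controls:
        if control.implemented:
            sev, prob = control.severity, control.probability
    return sev, prob


def evaluate(hazard: Hazard, policy: str) -> dict:
    """Decide whether the residual risk is acceptable under a policy.

    policy="alarp": a residual in the middle band may be accepted on a
        documented rationale even if a practicable control was skipped.
    policy="afap": every identified practicable control must be implemented
        before the residual is weighed against the benefit (MDR Annex I
        "as far as possible" reading).
    """
    sev, prob = residual_risk(hazard)
    zone = risk_zone(sev, prob)
    skipped = [c.description for c in hazard.controls if not c.implemented]
    result = {"hazard": hazard.hazard_id, "policy": policy,
              "residual_index": risk_index(sev, prob), "zone": zone}
    if zone == "unacceptable":
        result.update(accepted=False, reason="residual risk in unacceptable region")
    elif policy == "afap" and skipped:
        result.update(accepted=False,
                      reason="practicable control not implemented: " + "; ".join(skipped))
    elif zone == "acceptable":
        result.update(accepted=True, reason="residual risk in acceptable region")
    elif hazard.benefit_rationale:
        result.update(accepted=True, reason="accepted on documented benefit-risk rationale")
    else:
        result.update(accepted=False, reason="benefit-risk rationale missing")
    return result


def implement_all(hazard: Hazard) -> Hazard:
    """Copy of the hazard with every listed control marked implemented."""
    return replace(hazard, controls=[replace(c, implemented=True) for c in hazard.controls])


# Constructed sample hazard for a hypothetical infusion pump (not real data).
OVERDOSE = Hazard(
    "H-01", "Software sets infusion rate above the prescribed dose",
    Severity.CATASTROPHIC, Probability.OCCASIONAL,          # index 15, unacceptable
    controls=[
        Control("Dose limits checked against drug library",
                Severity.CATASTROPHIC, Probability.REMOTE),    # index 10
        Control("Independent hardware watchdog on pump motor",
                Severity.CATASTROPHIC, Probability.IMPROBABLE,  # index 5
                implemented=False),                             # judged too costly
    ],
    benefit_rationale="Accurate dosing benefit outweighs residual overdose risk "
                      "(documented in the clinical evaluation)",
)

if __name__ == "__main__":
    for policy in ("alarp", "afap"):
        print(evaluate(OVERDOSE, policy))
    print(evaluate(implement_all(OVERDOSE), "afap"))
```

Running the module shows the point of the MDR bullet: the same hazard with the same residual risk is accepted under the `alarp` policy because a rationale is on file, but rejected under `afap` because a practicable control was left unimplemented; only once the watchdog is implemented does the residual pass under `afap`.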
By effectively managing residual risks and aligning activities with defined risk tolerance, organizations can enhance the quality and safety of their medical devices in accordance with ISO 13485 requirements. Regular audits and reviews must be conducted to ensure ongoing compliance and continuous improvement in the risk management process.
Related Articles
- ISO 14971: Choosing the Right Risk Management Tool
- The Swiss Cheese Model of Risk Mitigation explained
- ISO 9001 and Risk-based Thinking (RBT): DO's & DON'Ts
- Risk Evaluation for Medical Devices explained
deGRANDSON Global is an ISO Certified Educational Organization
In October 2021, we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a 'university grade' standard used globally by schools, colleges, and universities to demonstrate competence.
We provide courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Risk Management, Data Protection and more.
We have offices in Didsbury, Manchester, UK, and Pembroke Pines, Florida, USA. Our head office is in Limassol, Cyprus.