September 4, 2024 Medical Device - Regulatory

Under the EU MDR, Risk is defined as the combination of the probability of occurrence of harm and the severity of that harm.

Benefit risk is defined as the analysis of all assessments of benefit and risk of possible relevance for the use of the device for the intended purpose, when used in accordance with the intended purpose given by the manufacturer.

Risk Management Under the MDR

Risk-Benefit Analysis

Risk management is emphasized in the regulation as an iterative process throughout the entire lifecycle of a device (a key input in developing the new regulation was to implement more of a lifecycle approach). Annex I Chapter I (2) states that the risks must be reduced as far as possible, meaning the reduction of risks as far as possible without adversely affecting the benefit-risk ratio.  The following are required for each device:

  • Establish and document a risk management plan for each device
  • Identification and analysis of possible hazards associated with each device
  • Estimation and evaluation of risks associated with the intended use and misuse of the device
  • Risk mitigation (reduction or elimination of risk)
  • Assessment of production and post-market information on the documented risk assessment, and the overall risk, benefit-risk ratio, and risk acceptability
  • Changes to control measures (e.g. safety by design, alarms, safety information) when required based on the assessment of production and post-market information

ISO TR 24971:2020 Clause 7.4 includes extensive coverage of benefit and benefit-risk analysis, including that benefit does not encompass economic or business advantages. Clause 7.4.5 mentions three specific examples of benefit-risk analysis conclusions, and Clause 7.4.2 provides an extensive overview of clinical benefits. Most vulnerability among the points above are with respect to production and post-market information, and the risk management file. This is because, while using a “checkbox approach” for risk management, device design (specifically, control measures) may not be adequately evaluated in response to production and post-market information. Therefore, manufacturers must consider strengthening procedures around risk management and production and post-market information to comply with these requirements.  Also, ensure that you are evaluating the device design in response to post-market information. In totality, per the regulation, a thorough documentation of requirements and procedures for risk management is required. The technical file for each device must include the results of the risk management process including the benefit-risk analysis, the solutions adopted to address risks, and the updated PSUR. All risk documentation for each product must be maintained and readily available per record retention requirements.

Risk Management During Design and Beyond

The most detailed information for manufacturers regarding risk management that must be adopted during design are provided in Annex I. The annex provides the order of priority that the manufacturers must consider while selecting the most appropriate solutions. These include:

  • Eliminate or reduce risks as far as possible through safe design and manufacture
  • Adequate protection measures for risks that cannot be eliminated (e.g. alarms)
  • Provide information or user training for safety and disclose any residual risks

Line item 3 diverges from the requirement of EN ISO 14971:2012 which allows the manufacturer to determine which residual risks are to be disclosed (for residual risks deemed acceptable). The EU MDR simply states that the manufacturer “shall inform users of any residual risks.”

Requirement for Acceptable Benefit/Risk

  • Evaluation of the description of the intended purpose of the device
  • Evaluation of the device’s benefits to the patient
  • Quantification of benefits to the patients
    • Probability of the patient experiencing one or more benefits
    • Duration of effects
  • Evaluation of the clinical risks of devices (extent of risks / harms, the following should be addressed individually and in aggregate):
    • Severity, number, and rates of harmful events
    • Probability of a harmful event
    • Duration of harmful events
    • Risk from false-positive or false-negative results (diagnostic medical devices)
  • Evaluation of acceptability of the benefit/risk profile

Risk management is an important lifecycle product development requirement for all medical device organizations when developing, manufacturing, and commercially distributing medical products. To effectively meet regulatory requirements, manufacturers must utilize the harmonized standard, EN ISO 14971:2019. Risk Management Standard and the technical report that accompanies, ISO TR 24971:2020 to address issues of potential risk within the European Economic Area (EEA).

Residual risk analysis is an important part of the process of developing medical devices, and its use is expected by medical device regulators. Rather than being a professional discipline per se, residual risk analysis is an analytical method that may and should be practiced by people from many disciplines.

Residual risk analysis comes after what product developers hope will be their last usability test: a test alternately called a human factors validation test or a summative usability test. This involves a sample of intended users engaging in use scenarios that put the product of interest through its paces, including scenarios involving so-called critical tasks. A critical task is one that, if performed incorrectly (i.e., there are one or more use errors) or if not performed at all, could lead to harm and/or compromise medical care. For example, setting the correct dose on an insulin pen-injector is a critical task. So is placing an AED’s electrode pads in the correct position on a victim’s torso, or inhaling deeply when taking asthma medication through a metered dose inhaler. These pivotal tests usually show that a medical device is designed well, but not always perfectly. Perfection requires that none of the test participants make a mistake. Accordingly, if any devices are perfect, that require a root cause analysis and assessment of residual risk.

Possible outcomes ultimately, a device developer will take into consideration the results of the analyses listed above and perhaps arrive at one of these three decisions:

  1. The product is adequately safe and effective in its current form. Making it safer is not feasible, which could be due to the limits of science and technology.
  2. The product is reasonably safe and effective in its current form. Making it safer is not feasible due to any number of factors, such as high costs that would make the product unaffordable, prohibitive negative impact on other important factors (e.g., portability), or perhaps a radical departure from accepted practice and public expectations regarding what constitutes acceptable risk.
  3. The product is not reasonably safe and effective in its current form and requires a rework. In the first two cases, a product developer would proceed on a path toward submission to a regulator for an approval or clearance to market the given device. In the latter case, it’s back to the workshop, so to speak. Regarding the FDA, the agency expects submissions to explain the developer’s analysis of residual risks. The following information must be integrated into the submission:
    • An assertion that the residual risk posed by an interaction problem is not cause for significant concern. This essentially means that the product is acceptable “as is.”
    • The use scenario, particular task, use error, and type of participant(s) who made the error (e.g., physician, nurse, patient).
    • The root cause(s) of the use error, stated in either a factual or strong hypothesis form depending on how certainly you can state your conclusion.
    • Results of any analysis that changed your view of the type and severity of harm that might arise from the use error.
    • Clarification about why there is no available means to reduce the chance of the use error occurring or reduce the harm that might ensue.
    • Commentary on the presumably low likelihood of the use error occurring; a factor that is dismissed when initially considering how to mitigate the chance of significant harms due to use error, but may come back into play when considering residual risk analysis.

In essence, your residual risk analysis is making the case for “exoneration,” much as one might make a closing argument in a trial.