Risk vs Benefit => Residual
Whenever we come across risk management SOPs from different companies, we always keep an eye open for how that company addressed requirement 7.4 in ISO 14971, to perform a Risk vs Benefit Analysis, as well as how it handles Residual Risks.
In Excel-based approaches it is not uncommon to see something similar to the table below:
The QMS expects that each risk (representing one row) should be addressed in the spreadsheet. When I see this, I personally feel inclined to ask:
- What happens if someone in the team does not agree that the risk is acceptable, claims that the risk does not outweigh the benefits or simply cannot decide?
In many cases, these extra columns made it into the template after an audit of the QMS to quickly fix any audit findings, a somewhat unfortunate result of increasing regulations.
Let’s look at these requirements in a bit more detail.
Is the risk acceptable?
Answering this question is very much like shooting from the hip. Either the answer is trivial, e.g. the risk is frequent and severe, in which case we should definitely control the risk as per the procedure, or it is complex and depends on a lot of different factors. The complex scenario can only be answered in the scope of the benefit of the device. Still, we often come across it as an individual item in the risk analysis.
The solution is straightforward
The principle of lowering risks as much as possible should be applied, and when all possibilities for applying risk measures have been looked at, the company needs to do a proper Risk vs Benefit Assessment for the complete device.
Hint: The risk management report is a good location for this.
One could imagine that looking at an isolated function and weighing the risk against the benefit of that function may give us an insight into whether the function is acceptable for the device. In most cases, a function cannot be handled as an isolated part of the system, nor can the benefits of that function be easily compared to the risks it may impose on a user, patient, or operator. For example, trying to argue that a power unit may impose risks on a patient but has the benefit that the device needs electricity to work is not a meaningful exercise. ISO 14971 (2019) is exceptionally clear in this matter:
Good reasoning and sensible pros and cons are asked for
Here we recommend looking at the device as a whole. Given the discovered residual risks, is the device still beneficial in the scope of its intended use? In case of doubt, try to apply additional Risk Control Measures to open risks. Remember that all identified risks, acceptable or not, are considered residual risks for the device. See ISO 14971 (2019) Section 6:
Once again: The risk management report is a good location for this.
Claiming that there are no residual risks involved is, in our opinion, not something that can be handled in a spreadsheet column. The question cannot simply be answered with a yes or no. Let me be a bit provocative and suggest that this question alone could replace any risk analysis method altogether. Something like this:
Although I’ve seen similar approaches at very large established medical device manufacturers, I do not recommend this approach!
Here is what ISO 14971 (2019) has to say about it:
Bring the analysis to completion
Here we need to use our toolset properly: link the risk control measures to any implementing functions, and continue with a new loop of risk analysis.
The outcome of that task will answer whether there are still any residual risks present. This exercise may need to be repeated for any suggested risk control measures.
Finally, summarize all your findings in the risk management report and do not forget to remove these columns from your risk analysis templates!