Risk Assessment, Risk Acceptance Matrix

Each medical device comes with risks. Manufacturers must determine which risks they deem acceptable and which unacceptable. This decision is usually expressed in the form of a risk acceptance matrix (also called a risk assessment matrix).

In this article you can read more about:

  • The regulatory requirements for the risk assessment matrix
  • The typical difficulties and errors when creating the risk assessment matrix
  • Notes on video training in our e-learning library
  • Tips for creating a standard-compliant risk acceptance matrix

Regulatory Requirements for the Risk Assessment Matrix

The first thing to note is that neither in Europe nor in the United States is there a regulatory requirement for manufacturers of medical devices to create a risk assessment matrix. However, the risk assessment matrix has become established as the tool for expressing the risk policy.

Requirements of the Medical Device Directive MDD (93/42/EEC)

The MDD requires that manufacturers may only classify the risks posed by a medical device as acceptable if the benefits of the device outweigh its risks. The benefit is determined by comparison with an alternative, such as not using the device, using a competing product, or an alternative treatment.

Requirements of the Medical Device Regulation MDR

The requirements of the MDR are more specific and match those of EN ISO 14971:2012 much more closely than the requirements of the MDD do.

ISO 14971 and risk assessment matrix

ISO 14971 does not require a risk assessment matrix, even though older editions showed one in the informative annex. These older editions of ISO 14971 distinguished between acceptable risks, unacceptable risks, and risks in the ALARP region ("as low as reasonably practicable"). Since the 2012 edition of EN ISO 14971, with its Annexes ZA, there are no longer any risks that are acceptable without further reduction. The subdivision into acceptable, unacceptable and ALARP risks is thus obsolete: all risks must be reduced as far as possible, with the remaining risk judged against the benefit.

Fig. 1: Risk Acceptance Matrix expresses the Risk Policy

Read more about these changes in our article on ISO 14971:2012 and its Annexes ZA.

Difficulties and Typical Errors While Creating the Risk Acceptance Matrix

Already in the first step of risk management, namely the definition of the risk policy (expressed in the risk assessment matrix as the boundary between the red and yellow areas), medical device manufacturers make numerous errors that render all subsequent activities absurd.

1. Error: Risk Assessment Matrix in the QM manual

The risk-benefit analysis, and therefore the risk assessment matrix, must be product-specific. It therefore generally makes no sense to define the risk assessment matrix in the QM manual or in a "risk management SOP".

2. Error: Risk Acceptance is Not Derived Quantitatively

Many manufacturers set their risk policy by gut feeling. A typical indication of this is that they determine the acceptance criteria based on a risk priority number (RPN). This makes little sense in most cases, because

  1. The number that separates the red and yellow areas cannot be derived systematically and quantitatively.
  2. The boundary between the red and yellow areas has to be determined in the risk assessment matrix separately for each severity class, because benefits and risks must be weighed for each severity class individually.

A risk priority number that combines up to three parameters (e.g. severity of harm, probability of occurrence, probability of detection) also contradicts the definition of risk in ISO 14971 as the combination of the probability of occurrence of harm and the severity of that harm.

3. Error: The Risk Policy and Risk Assessment Matrix are Not Updated

One of our clients developed stand-alone software that derives concrete treatment recommendations from patients' genetic data and from literature data. Here we came across a rare phenomenon:

Like every manufacturer, this client must define acceptable and unacceptable risks in the risk acceptance matrix on the basis of qualitative criteria, as ISO 14971 requires. Acceptance depends on whether the product and the process are better or worse than the alternatives. In this specific case, the alternative is treatment in ignorance of the published literature, whose sheer volume only software can handle.

However, since the state of the literature constantly changes (and in this case improves), ever better data for treatment decisions becomes available to physicians. That means the software must be measured against an increasingly sophisticated alternative. If it doesn't keep up, the risks caused by the software become less and less acceptable.

In other words, an ISO 14971-compliant risk acceptance matrix for this manufacturer must be highly dynamic: without continuous improvement of the product, it would progressively turn red from the upper right. The challenge in risk management is to quantify this improvement.

Training Video on Risk Management

The e-learning library shows step by step how to create a risk acceptance matrix:

  1. Define the severity axis and specify the criteria for the severity classes
  2. Define the probability axis and the probability classes
  3. Formulate the risk policy and derive the acceptance criteria quantitatively
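The following Python script is an added worked example, not code from the original article or from the e-learning library. It carries out the three steps above for a hypothetical device and then checks the claim made under error 2: that a single risk priority number cutoff cannot reproduce a risk policy derived per severity class. It also shows, for the case described under error 3, how the matrix is recolored when the alternative improves. The severity labels, the probability class bounds, the harm rates of the alternative treatment and the hazards are all constructed assumptions for illustration; they are not taken from ISO 14971 or from any real product.

```python
"""Derive a risk acceptance matrix per severity class and test whether any
single RPN threshold reproduces it. All numbers below are constructed."""

from dataclasses import dataclass

# Step 1: severity axis. ISO 14971 leaves the scale to the manufacturer;
# these five classes and labels are an assumption for this example.
SEVERITY = {1: "negligible", 2: "minor", 3: "serious", 4: "critical", 5: "catastrophic"}

# Step 2: probability axis. Each entry is the exclusive upper bound of the
# probability of the harm per patient-year (constructed); class 5 is >= 1e-3.
PROBABILITY_UPPER = {1: 1e-6, 2: 1e-5, 3: 1e-4, 4: 1e-3}


def probability_class(p: float) -> int:
    """Map an estimated probability of harm to a probability class 1..5."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for cls, upper in sorted(PROBABILITY_UPPER.items()):
        if p < upper:
            return cls
    return 5


# Step 3: risk policy. The benefit comparison is made per severity class:
# how often does the alternative (assumed: conventional treatment without
# the device) cause harm of each severity? Constructed rates.
ALTERNATIVE_HARM_RATE = {1: 2e-1, 2: 5e-2, 3: 2e-3, 4: 8e-5, 5: 4e-7}


def derive_acceptance_limits(alternative_rate: dict) -> dict:
    """Highest acceptable probability class per severity: the device may
    cause harm of a given severity no more often than the alternative does."""
    return {s: probability_class(rate) for s, rate in alternative_rate.items()}


def build_matrix(limits: dict) -> dict:
    """Return {(severity, probability_class): 'acceptable' | 'unacceptable'}."""
    return {(s, p): ("acceptable" if p <= limits[s] else "unacceptable")
            for s in SEVERITY for p in range(1, 6)}


@dataclass
class Hazard:
    name: str
    severity: int
    probability: float  # estimated probability of the harm per patient-year


def assess(hazard: Hazard, matrix: dict) -> str:
    """Look up a hazard's verdict in the matrix."""
    return matrix[(hazard.severity, probability_class(hazard.probability))]


def rpn_disagreements(matrix: dict, threshold: int) -> list:
    """Cells where 'RPN = severity * probability class <= threshold' gives a
    different verdict than the per-severity matrix."""
    return [cell for cell, verdict in matrix.items()
            if (cell[0] * cell[1] <= threshold) != (verdict == "acceptable")]


def no_rpn_threshold_matches(matrix: dict) -> bool:
    """True if no single RPN cutoff in 1..25 reproduces the policy."""
    return all(rpn_disagreements(matrix, t) for t in range(1, 26))


LIMITS = derive_acceptance_limits(ALTERNATIVE_HARM_RATE)
MATRIX = build_matrix(LIMITS)

# Constructed hazards for the hypothetical device.
HAZARDS = [
    Hazard("skin irritation from electrode gel", 1, 3e-2),
    Hazard("delayed alarm leads to serious injury", 3, 5e-4),
    Hazard("wrong dose leads to death", 5, 3e-6),
]

if __name__ == "__main__":
    # Print the matrix: R = red (unacceptable), Y = yellow (acceptable),
    # highest severity on top, probability classes 1..5 left to right.
    for s in range(5, 0, -1):
        row = " ".join("R" if MATRIX[(s, p)] == "unacceptable" else "Y"
                       for p in range(1, 6))
        print(f"S{s} {SEVERITY[s]:<13} {row}")
    for h in HAZARDS:
        rpn = h.severity * probability_class(h.probability)
        print(f"{h.name}: {assess(h, MATRIX)} (RPN {rpn})")
    print("single RPN cutoff reproduces policy:",
          not no_rpn_threshold_matches(MATRIX))
```

With these assumed rates, "delayed alarm leads to serious injury" (RPN 12) is acceptable while "wrong dose leads to death" (RPN 10) is not, so ranking by RPN would invert the policy; `no_rpn_threshold_matches` confirms that no cutoff fixes this. For the dynamic case under error 3, calling `derive_acceptance_limits` again with the improved alternative's rates (for example a lower rate of critical harm) lowers the acceptable probability class for that severity, turning cells red that were yellow before.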