As part of the general requirements for the risk management system, chapter 4.2 of ISO 14971:2019 describes the ‘Responsibilities of management’. The original English text of the standard uses the term ‘top management’ rather than ‘management’, which should be easier to understand, although it remains vague. Who exactly is the ‘top management’ in a company? In a small company, this is relatively simple: the managing directors. In medium-sized and even more so in large companies, however, this group of people is no longer so easy to define. A look at the quality management system often helps here: all persons who, by virtue of their function, determine the company’s risk and/or quality policy belong to top management.

It is important to make these people aware of their responsibilities in the context of risk management, as the quality of their implementation can be of great importance, especially in the event of liability. Nevertheless, in many companies the general requirements are seen more as a necessary compulsory exercise and are implemented in a correspondingly careless manner. However, there is great potential in these requirements, which have a significant influence on the appreciation of risk management and, as a result, its quality. ISO/TR 24971:2020 also emphasises the importance of this voluntary commitment to ensure an effective risk management process, which is reason enough to take a closer look at it.

Ensuring appropriate resources

The first responsibility of top management mentioned in the risk management process is to ensure that appropriate resources are available to carry out the activities described in the rest of the standard. Interestingly, neither the standard nor ISO/TR 24971:2020 specifies what exactly is meant by ‘resources’. The most important resource that must be ensured is definitely the personnel for carrying out risk management activities, which is discussed in detail in the next section. But what else can be considered a resource in this context? One of the most important resources is time – and therefore money – which top management is prepared to invest in good risk management. Risk management is a time-consuming process that requires a lot of research, discussion and documentation. The need for risk mitigation measures typically increases the complexity of the system design and generates additional costs through components and implementation effort. Good risk mitigation leads to safe and efficient products; paradoxically, the resulting absence of device failures and patient hazards can cause risk management to be undervalued and lead to attempts to minimise risk management efforts because ‘nothing ever happened’.

Other resources may include the procurement of dedicated risk management software or access to paid research facilities and literature databases that facilitate or enable the definition of risk acceptance criteria or the evaluation of risks. It may also be necessary to carry out certain preliminary investigations in order to determine the probability of errors occurring and, as a result, hazardous situations.

Assigning suitable personnel

The second item in the list of top management responsibilities is the appointment of competent risk management personnel. Chapter 4.3 (Competence of personnel) describes in more detail what top management must consider when selecting personnel. The personnel responsible for risk management (risk management team) must have appropriate education, training, skills and experience in relation to the medical device, the technologies used and the risk management methodology. Not all members of the risk management team must fulfil all qualifications; they can also complement each other. For example, the head of the risk management team may be familiar primarily with risk management methods in order to guide the other team members through the risk management process, medical personnel may contribute application knowledge and development engineers may contribute the necessary technical and system knowledge. Of course, the aim is for the various roles involved to learn from each other and build up cross-domain knowledge. In any case, the risk management team must be so interdisciplinary that it can cover all aspects and activities of risk management throughout the development, design transfer and downstream production phases.

Risk policy

Top management ‘must define and document a policy for establishing criteria for the acceptance of risks.’ This must be documented in the quality management system, but is not part of a product-related risk management file due to its global, company-wide nature. ISO/TR 24971 goes on to explain which aspects the risk policy should cover and provides further examples, including specific text suggestions:

- Purpose of the risk policy, explaining its objectives, which should be fulfilled by defining the risk acceptance criteria, e.g. ensuring a high level of product safety while taking into account stakeholder expectations
- Scope of application, e.g. the persons and activities for which the risk policy is to be applied. For companies with a large product portfolio, it may make sense to define an individual risk policy for different product families or categories, in which the other points mentioned here can be formulated more specifically.
- Factors and considerations to be taken into account when defining risk acceptance criteria:
  - Applicable national or regional regulations of the target markets for the product
  - International standards for certain types of medical devices, which also include tests for certain product characteristics including their limits
  - Recognised state of the art based on international standards, proven technologies, scientific research results, publications by authorities and information on similar (medical) devices
  - Validated reservations of stakeholders, which can be obtained directly through discussions with users, patients or regulatory authorities. Analysing patient forums, newspaper articles and social media can also provide information. The varying understanding of risk acceptance among the individual groups, depending on background knowledge and personal interests, must be taken into account
- In a note, the standard also states that the risk policy can define the general approach to risk control. More on this later.
- Requirements for the approval and (cyclical) evaluation of the risk policy. Here it can be determined who is authorised to approve it and at what intervals it should be reviewed.

Although ISO/TR 24971:2020’s specification of text templates in the examples given for the aforementioned points encourages the risk policy to be dealt with as quickly and generically as possible in order to fulfil the requirements of the standard with as little effort as possible, it is worthwhile for a company’s top management to think more carefully about its design. The great opportunity of a well-designed risk policy is to provide the teams and individuals responsible for risk management with clear guidelines and criteria in order to ensure that the results of these activities are standardised and of high quality. In doing so, the company’s own focal points must also be taken into account. The risk policy of a service provider that serves many different customers (and their individual risk policy specifications) will be much more generic than that of a company with its own products, which may even define different risk acceptance criteria for each device (family) (see scope of risk policy).

Approach to risk control

As outlined above, the standard suggests defining the general approach to risk control in the risk policy and presents the following methods:

- Reduce risks to the extent reasonably practicable (‘as low as reasonably practicable’)
- Minimise risks as low as reasonably achievable
- Minimise risks as far as possible without adversely affecting the risk-benefit ratio

The first two methods are difficult to distinguish from each other without further explanation. The examples given in ISO/TR 24971:2020 are not particularly helpful either, because the example explaining the ALARA approach (‘as low as reasonably achievable’) is intended to take into account the practicability (!) of risk control measures. These two approaches therefore appear to be more of a remnant from the evolution of ISO 14971, which in 2007 still required that residual risks be ‘as low as reasonably practicable’, then in 2012 ‘as low as possible’, without economic considerations being allowed to play a role.

The third method is formulated in the most accessible way: benefit-risk analysis is an integral part of risk governance and is therefore certainly the most obvious approach for many. For companies that have their main market in the EU, the fact that Regulation (EU) 2017/745 (MDR) requires this approach in Annex I, point 2, where the aim is to reduce risks ‘as far as possible’, certainly also plays a role. Fun question: as far as possible ‘practicable’ or ‘achievable’? Unfortunately, the MDR does not provide an answer to this question, so in reality it is most likely that an approach will be agreed upon that can be described as ‘as low as possible/reasonably achievable without compromising the risk-benefit ratio’.

ISO/TR 24971:2020 then quickly introduces a fourth method based on the size of a risk, which would allow no risk control to be carried out for ‘small’ risks. This approach can or must be safely ignored in Europe with reference to the above MDR requirement.

Regular review of the suitability of the RM process

Last but not least, top management must review at regular intervals (e.g. as part of the management review anchored in the quality management system) whether the established risk management process is still suitable. As usual, ‘No work is done without documentation’, which is why all decisions and any activities derived from them must be documented.

ISO/TR 24971:2020 lists examples of which aspects of the risk management process should be reviewed:

- The effectiveness of the implemented risk management procedures
- The appropriateness of the risk acceptance criteria and the need to adjust them
- The effectiveness of the feedback loop between production and the downstream phase of production

Conclusion: Although this is only a short chapter of the standard with few requirements, there is a lot of substance and potential behind it, especially if you take the trouble to provide risk management with the necessary resources and give it effective guidelines for action via an individual risk policy.

Please note that all details and lists are not intended to be exhaustive, are not guaranteed and are provided purely for information purposes.