[summary] XP S99-223 – Medical Devices – Benefit/risk management

By Guillaume Promé
Sep. 29, 2021 Regulation (EU) 2017/745, Risk management

Summary of the XP S99-223 standard for managing the benefit/risk ratio of medical devices

This article summarizes the requirements of the standard XP S99-223, relating to the management of the benefit/risk (B/R) of medical devices. The standard is voluntary; all appendices are informative.

Introduction to XP S99-223

The requirements of the standard provide a framework for evaluating the acceptability of the benefit/risk ratio of medical devices.

Benefit/risk ratio management consists of:

  1. Identification,
  2. Selection,
  3. Analysis,
  4. Summary,
  5. Interpretation, and
  6. Follow-up

of key data, as well as informing and considering the views of stakeholders.


The standard is intended for medical device manufacturers and other stakeholders, including competent authorities and Notified Bodies.

The standard does not specify an acceptable benefit/risk ratio, but calls for defining methods for evaluating the acceptability of the benefit/risk ratio, for each intended use.

Normative References

  • ISO 14971
  • ISO/TR 24971
  • IEC 62366-1
  • ISO 13485
  • ISO 14155

Terms and definitions

The definitions repeat those of Regulation (EU) 2017/745; two new definitions are introduced:

  • Key Benefit and Key Risk: benefits and risks that may significantly affect the estimation of the benefit/risk ratio
  • Patient opinion: representative opinion of the target patients of the medical device

General Requirements

The benefit/risk management process involves the following activities:

  1. Planning;
  2. Setting the context;
  3. Consideration of opinions;
  4. Analysis of benefits, risks, and benefit/risk ratio;
  5. Benefit/risk ratio acceptability evaluation;
  6. Definition of information provided;
  7. Communications;
  8. Postmarket surveillance; and
  9. Change management.

Benefit/risk management requires managing human resources, key data, records… These activities will of course be planned and reviewed.

Annex C provides an example of the expected content of the “benefit/risk management file”; these elements may be a separate file or integrated with risk management and/or clinical evaluation.

Finally, as with risk management or quality, management must define a policy to determine the criteria for acceptability of the B/R ratio.

Consideration of patient opinion

The consideration of opinions (at least those of patients) should be motivated by a risk approach.

Patients’ opinions can be identified during the benefit/risk analysis; you can also involve patients in these analyses.

Patient opinion is relevant, if needed, for:

  • The perceived severity of risks,
  • The perceived importance of benefits,
  • The perception of probabilities,
  • Preferences among several possible scenarios with different benefit/risk ratios.

When appropriate, you should consider sensitive situations that may produce an adverse opinion, explain them, and gather opinions.

Finally, the representativeness of opinions will need to be demonstrated.

Annex D outlines techniques for taking opinions into account.

Benefits Analysis

Benefit analysis is thought of as symmetrical to risk analysis; benefits are identified by characterizing:

  • The favorable phenomenon (the hazard of a risk);
  • The intended use (the hazardous situation of a risk); and
  • The positive impact to the patient (the harm of a risk)

The benefits are estimated in terms of probability and importance.

A level of benefit is evaluated for each benefit and for the overall benefit.

Annex B explains the principles around benefits management.
Annex E provides techniques for estimating benefits.

The key data useful for identifications and estimates are identified (these will be used in post market surveillance).

Risk analysis

To be done according to the requirements of Regulation (EU) 2017/745 and the methods in ISO 14971.

Annex B explains the principles around risk management.
Annex E gives techniques for estimating risks.

The requirements for acceptability of risks are nevertheless specified:

  • Risks are controlled as much as possible, taking into account the identified technical limitations, hence the importance of defining the context well. Risk control measures should not alter the benefit/risk ratio.
  • Acceptability is evaluated for each residual risk and for the overall residual risk, for each intended use.
  • To be able to accept a risk, we will need to consider:
    1. the level of risk (the lowest possible)
    2. the applicable security requirements (to be met)
    3. the technical context identified (to be implemented, or do “as well” in case of innovation)
    4. the benefit/risk ratio (which must be favorable)

Estimating the benefit/risk ratio

The benefit/risk ratio is estimated for each residual risk and for each overall risk, in each intended use.

Where necessary, identify:

  • The extreme situations (e.g., cases where a patient is only exposed to the risks)
  • The uncertainties about key data, which could challenge your conclusions
  • The evolution over time of the B/R ratio

Annex E provides techniques for estimation of the benefit/risk ratio.

Evaluation of Benefit/Risk Ratio Acceptability

The evaluation is planned. The input data to the evaluation are the output data from the previous activities: identifications, estimates, key data, patient opinions, medical context, consensus, uncertainties, extreme situations …

The conclusions are argued and recorded.

In response to the regulation, the standard considers – succinctly – the following special cases:

  • Clinical Investigations
  • Cases where the acceptability of the benefit/risk ratio must be approved prior to use of the device
  • Pregnant or nursing women
  • Minor patients
  • Impaired patients

Annex G provides guidance for evaluation of the acceptability of the benefit/risk ratio.

Information provided with devices

The IFUs should allow the patient (or even the user) to form an opinion about the acceptability of the benefit/risk ratio. This information incorporates the findings of the evaluations.

Key messages – which must necessarily be understood – are identified and submitted to the Usability Engineering process. The form is tailored to the message and its recipient.

Annex F provides examples of data formatting: scale, table, tree, forest, infographic…

When needed, health care professionals are enlisted to enlighten the patient.

Post Marketing Surveillance (PMS)

The data to be monitored during Post Marketing Surveillance are identified, based on key data and uncertainties. Thresholds and indicators are defined.

The context is also monitored: technologies, consensus, medical state of the art, stakeholder opinions …

Monitoring is an opportunity to make new identifications (of risks or even benefits) and to track actual use of the device (purposes, frequency of use, number of users…).

Monitoring is reactive (receiving information) and proactive (collecting information).

The data from the PMS result in a reassessment of the B/R ratio as needed; the ratio is routinely reassessed in the event of a vigilance event.

Annex E provides techniques for postmarketing estimates.


Monitoring results in regulatory communications in the event of:

  • a significant decrease in the benefit/risk ratio
  • a significant increase in risks
  • new information regarding a vigilance event
  • a revision of the PSUR