
Medical Device Risk Management 101

Learning the basics of how to analyze, evaluate, control, and monitor risk.

Overview
From a distance, risk management seems straightforward. You have a device, evaluate
its potential risks, mitigate those risks, monitor them over time, and you’re done. Seems
easy, right? Ah, if only life were so straightforward. The reality is that risk management
is one of the more complex aspects of regulatory compliance, simply because risk
comes in so many flavors and perceptions of severity. Plus, the probability of harm
actually occurring can be estimated quite differently. The thing that makes risk
management tricky is that we often don’t have enough real-world data to accurately
quantify risks, especially for new devices. Fortunately, there is a systematic process
you can establish to analyze, evaluate, control, and monitor risks. Before we get into
that, let’s step back and talk about the regulations and standards that dictate how you
should approach risk management.

Figure: the risk management cycle. Analyze risks -> Evaluate risks -> Control risks -> Monitor the controls, and back to Analyze.

For medical devices, risk and risk management are defined as:

- Risk is the combination of probability of occurrence of harm and the severity of that harm.

- Risk management is the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk.

orielstat.com

Why is risk management needed? Simply put, we have a collective interest in ensuring that
medical devices are safe and effective. For that reason, risk management is not optional
– it is a regulatory requirement worldwide. The US FDA mandates it in the Quality System
Regulation (21 CFR Part 820). Europe requires it in the Medical Device Regulation (MDR
2017/745). Likewise, Japan, Canada, Australia, Brazil, and all other major markets require
the application of risk management, which is either referenced in their national regulations
or ISO 13485:2016.

The role of ISO 14971


Fortunately, national governments have not created their own unique guidelines telling you how to perform risk management. Instead, they defer to ISO 14971, the global standard for medical device risk management. If you are just getting started implementing risk management for your company, purchase the ISO 14971:2019 standard and its guidance document ISO/TR 24971:2020 (in draft as of May 2020), which provides support for implementing risk management. Both are copyrighted documents and you can purchase them online from ISO.org and other sources.

The intent of ISO 14971 is to define a standard process for identifying risks associated
with medical devices at all stages in a device’s life cycle, from product design to
procurement to production and postmarket use. In all cases, the goal is to analyze,
evaluate, control, and monitor the risks associated with each life-cycle stage.

The most recent version - ISO 14971:2019 - was published in December of 2019 by ISO
and as EN ISO 14971:2019 by CEN/CENELEC. This version replaces ISO 14971:2007 and
EN ISO 14971:2012 and while no tectonic shifts have occurred in the risk management
process, there are important changes and updates to be aware of. Read our blog post to
get up-to-speed on changes in ISO 14971:2019.


Evolution of ISO 14971 and the elevation of ISO/TR 24971:2020

Timeline (1998, 2000/2001, 2007/2009, 2012, 2019):

- ISO 14971-1:1998: risk assessment only
- ISO 14971:2000/2001: adds risk analysis, risk evaluation, risk control
- ISO 14971:2007/2009: risk analysis, risk evaluation
- EN ISO 14971:2012: MDD "alignment"
- ISO 14971:2019: adds risk policy, state of the art, and the companion guidance ISO/TR 24971:2020

Structure of ISO 14971:2019 and ISO/TR 24971:2020


The main body of the ISO 14971 standard is surprisingly scant with only 18 pages plus
3 annexes. However, the reason this version is shorter than its predecessors is that
many annexes from the 2007 revision have been moved into guidance document ISO/TR
24971:2020 which has ballooned to nearly 100 pages with 8 annexes.

ISO 14971:2019

1 Scope
2 Normative references
3 Terms and definitions
4 General requirements for risk management system
5 Risk analysis
6 Risk evaluation
7 Risk control
8 Evaluation of overall residual risk
9 Risk management review
10 Production and post-production activities

Plus:
Annex A Rationale for requirements
Annex B Risk management process for medical devices
Annex C Fundamental risk concepts

ISO/TR 24971:2020

Sections 1-10 correlate with ISO 14971:2019

Plus:
Annex A Identification of hazards and characteristics related to safety
Annex B Techniques that support risk analysis
Annex C Relation between the policy, criteria for risk acceptability, risk control, and risk evaluation
Annex D Information for safety and information on residual risk
Annex E Role of international standards on risk management
Annex F Guidance on risks related to security
Annex G Components and devices designed without using ISO 14971
Annex H Guidance on in vitro diagnostic medical devices


Creating your risk management procedure


So, now that you have downloaded these two critical documents, where to begin? It’s
important to think about risk management as a process that you must define and
manage in your quality management system just like any other QMS process. In fact,
ISO 13485:2016 clause 7.1 tells you that you must have “one or more [documented]
processes for risk management”. The best place to start is a documented risk
management procedure. But what should be included in that procedure?

First, ISO 14971 clause 4.2 details two important responsibilities for your top
management that you need to talk about in your procedure.

Management has to:

1. Ensure the right resources are available and responsible for conducting risk
management activities, and

2. Define a risk policy that guides how the company sets up the risk acceptability criteria
for each of their devices.

The company’s risk policy serves as a single reference point that teams working on risk management can use to make sure they set up the appropriate criteria for a device. The policy includes information that ensures the acceptability criteria meet all of the applicable national or regional regulations and relevant International Standards, and it considers topics like the generally acknowledged state of the art and the interests of stakeholders for the device. The risk policy is where you usually find statements like “reduce the risk as far as possible” or “reduce the risk as low as reasonably practicable”.

Make sure you also include information on how top management will review the suitability
of the risk management process. Usually this happens in Management Review.


Next, Clause 4.1 of ISO 14971:2019 states that you must have an ongoing process for
doing these things for each device or device family you manufacture:

- Identifying hazards and hazardous situations associated with a medical device
- Estimating and evaluating the associated risks
- Controlling these risks
- Monitoring the effectiveness of the risk control measures.
These are the basic steps that you’ll follow throughout the lifecycle of all the devices you
make. A big thing to remember - risk management never stops for your device!

Basic steps in the medical device risk management process

You will go through these same basic steps for each device/device family you have: Risk Management Plan -> Risk Activities -> Risk Management Report, where the risk activities are:

- Risk analysis & evaluation: intended use, foreseeable misuse, risk assessment
- Risk management tools: FMEA, FTA, HACCP, HAZOP, ETA, others...
- Risk control: risk reduction options, implementation & effectiveness, residual risk, risk-benefit analysis, verification & validation


1. Create a risk management plan for your device


Just like any good process, we want to start our activities with a plan. If you have just
one device or device family in your company, you may use your risk management
procedure as your risk management plan. But, if you manufacture multiple types of
devices, your risk management plan needs to be specific to each device/device family.
The information in your plan should include all of the appropriate steps you defined in
the risk management procedure.

General procedure: A top-level procedure for all risk management projects per written risk procedures. You may want to include this in the template you prepare in your risk management standard operating procedure (SOP).

Specific plan: How you will conduct a risk management project for a specific product or process per the general risk procedures. These details may be integrated into, or replace, parts of your generic “boilerplate.”

The plan defines what detailed steps we’ll take for risk management for a particular
device including all of the risk analysis, risk evaluation, risk control, and review and
reporting. Document activities that will take place, assign responsibilities, establish your
risk acceptability criteria, plan risk control verification activities, determine risk review
requirements, and plan production/post-production activities.

- Assemble your risk management team: Assemble a qualified team of people who know how your device is constructed, its manufacturing processes, how it is used in the field, etc.

2. Perform risk activities


Based on the intended use and reasonably foreseeable misuse, identify hazards that could lead to hazardous situations and harm.

- Use risk analysis tools to identify risks: Choose the tools you will use to measure risk (discussed more later) and then use them to identify risks posed by your processes, users, suppliers, maintenance tasks, shipping, production equipment, etc.


- Control risks: The goal here is to reduce risks to an acceptable level, as defined in your risk policy, using design features, protective measures like alarms, and, of course, information such as warning labels.

- Weigh the risks versus the benefits: This is fairly self-explanatory, but the end goal is to ensure that the clinical benefits of your device outweigh residual risks. This needs to be reassessed throughout the life of the device.

3. Review the risk management outcomes and create a report


This is where you take credit for all your work. Tie it all back to your original plan. Did you follow the plan? Did you document and justify any deviations? It is important that you write clear and simple conclusions, some as simple and obvious as: “The risk management process outcomes support that the implemented risk control measures reduce the residual risks of the device to an acceptable level in relation to its clinical benefits.” This goes a long way toward giving credibility to your process. We’ll discuss the report contents later.

At this point, it’s a good idea to firm up your plans for monitoring risk throughout the
device life-cycle.

Last detail to mention: All of the documentation that you create throughout these three
basic steps becomes the content of the risk management file for your device.


Creating your risk management plan


Your plan outlines the process of how you will conduct risk management for a particular
device, and it becomes part of your risk management file. Importantly, the process should
be repeated throughout the life cycle of the device. The overall risk management process
usually is documented in a general procedure containing common risk management
activities for all devices. Then one or more individual risk management plans “personalize”
the content of the procedure to provide more exact details for managing the project for a
particular device or device family.

Several activities should be part of your risk management plan, and we will talk more
about them later. First, you need to define the scope of what you will be evaluating,
including a detailed device description and its life cycle. This is also the time to clearly lay
out your risk acceptability criteria, specific assessment, control, and verification activities,
and production and post-production plans. This is where you can leverage the process
outlined in your risk management procedure, referencing that procedure for elements of
the process that aren’t changing in the specific plan. For example, the procedure outlines
the organization’s risk policy and general acceptability criteria. These may not change
for an individual device risk management plan, so simply summarize it in your plan. Your
procedure, plan, and all other documentation need to be controlled as they become part of
the risk management file which is part of the technical documentation of the device.

Putting together your risk management team


About your team…they need to be well qualified. What does that mean? It means you need to make sure you select people who truly understand how your device works, how it’s made, and how it’s used. This is not simply a collection of friendly colleagues who play no real role in risk management. All team members need to be qualified to perform their risk management role, and you must provide objective evidence of their qualifications. After all, your team will be charged with determining what could happen, how likely it is to happen, how bad it will be if it does happen, and how you can reduce the likelihood that it will happen. Don’t take this lightly. Since we need to provide evidence of competency, the plan documents the actual people on the team, while the procedure may call out functional areas of responsibility (e.g., R&D, QA, RA).


Risk Management Flow Chart (ISO 14971:2019)

The flow chart as numbered steps, with the ISO 14971:2019 clause for each. Start by implementing the risk management plan (4.4).

Risk analysis
1. Establish intended use and reasonably foreseeable misuse (5.2).
2. Identify characteristics related to safety (5.3).
3. Identify hazards and hazardous situations (5.4).
4. Estimate the risk(s) for each hazardous situation (5.5).

Risk evaluation
5. Is risk control required? (6) If no, go to step 11.

Risk control
6. Identify appropriate risk control measure(s) (7.1). Is risk control practicable? (7.1) If no, go to step 9.
7. Implement and verify the identified risk control measures (7.2).
8. Is the residual risk acceptable? (7.3) If yes, go to step 10.
9. Do benefits outweigh the risk? (7.4) If no, the overall residual risk remains unacceptable.
10. Are new hazards or hazardous situations introduced or existing risk affected? (7.5) If yes, return to risk analysis for the affected hazards.
11. Have all identified hazardous situations been considered? (7.6) If no, return to step 5 for the next hazardous situation.

Evaluation of overall residual risk
12. Is the overall residual risk acceptable in relation to the benefits? (8) If no, the manufacturer may consider implementing additional risk control measures (go back to 7.1) or modify the medical device or its intended use (go back to 5.2). Otherwise the residual risk remains unacceptable.

Risk management review
13. Review the execution of the risk management plan and prepare the risk management report (9).

Production and post-production activities
14. Collect production and post-production information (10.2).
15. Review production and post-production information (10.3).
16. Is reassessment of the risk necessary? (10.4) If yes, return to the start of risk analysis; if no, keep collecting information.

Based on Figure B.1 in ISO 14971:2019


Performing a risk analysis of your medical devices


Now that you have a plan and a team, it’s time to conduct an initial risk analysis. This
is the point at which you document intended use and characteristics related to device
safety under normal and fault conditions. Then, based on these inputs, identify known and
foreseeable hazards, and the sequence of events that might result in a hazard leading to a
hazardous situation. Note that not all hazards will result in a hazardous situation.

The three terms, as defined in ISO 14971:2019:

HAZARD: Potential source of harm. (3.4)
HAZARDOUS SITUATION: Circumstance in which people, property, or the environment is/are exposed to one or more hazards. (3.5)
HARM: Injury or damage to the health of people, or damage to property or the environment. (3.3)

Examples (hazard -> hazardous situation -> harm):

- Biological hazard -> exposure to biohazardous substance -> infection with blood-borne pathogen
- Electrical hazard -> exposure to electrical shock -> skin burns, cardiac arrest, etc.
- Mechanical hazard -> exposure to mechanical hazard -> laceration, bruise, concussion, etc.

The first step in the analysis is to start by asking questions. Annex A in ISO/TR
24971:2020 has a long list of questions to get you started on identifying characteristics
for safety and even some preliminary hazards in the design concept phase. Think about
the ways a user might inadvertently misuse the device, or how the device might fail.
Are there other similar products on the market? What has gone wrong with them? FDA
databases (MAUDE), published journal articles, online product reviews (consumer devices),
and user interviews are good sources for such information. The extent to which you
perform this analysis largely depends on the risk classification of your device.

After you have identified hazardous situations, you need to estimate the risks associated with each situation. This includes the probability that the hazardous situation will occur, the probability that the situation will lead to harm, and the severity of that harm. Sometimes the probability of harm cannot be estimated because of the role of the user in recognizing the situation, so be sure to document the possible consequences in these cases. Put yourself in the shoes of the user or patient. What could go wrong during typical use situations? Could the device be misused in a way that would cause harm? What environmental factors need to be considered? Is the device used at home? In a noisy, chaotic area of a hospital or lab?

Here’s an example. Let’s suppose you make a blood glucose meter. Your product displays the most important readings in very large text. If you examine the screen while sitting in your office, you might assume that the probability of a misread by the user is quite low. But what happens when you take it outside into bright sunlight? Is the display screen highly reflective? Can you clearly read everything using sunglasses? How about in low light? Is the battery meter clearly visible and does it provide adequate warning of battery depletion? These are potentially hazardous situations and your mission is to estimate the probability of those situations. Regulators expect you to anticipate these issues. Never blame the user.

Let’s go back to the battery indicator issue we just mentioned. In this case, the “hazard” might be a battery indicator that is too small on the screen and without any supplemental warning light to signal that the battery is very low. A “hazardous situation” that might result involves users who need to check their blood glucose right away, only to find their glucose meter is out of power. If the users do not have a way to recharge the meter for 2 hours, they may simply guess how much insulin they need based on how they are feeling. The harm that could result is hypo- or hyperglycemia caused by improper dosing of insulin. This risk can be mitigated by making the battery meter larger, and/or by adding a supplemental visual or audible indicator by which the battery warns users that recharging is needed.

Estimating the probability of harm


Risk is a combination of the severity of a harm and the probability that it will occur. ISO 14971 requires you to estimate the probability of harm. But how is that done? You can reference historical data or published FDA data, and try to better understand typical use scenarios. A qualitative probability table similar to the one shown below will help you tackle this process of evaluating potential hazardous situations. You can do something similar using a numerical system for rating the severity of the harm. Annex C of ISO 14971:2019 (Fundamental risk concepts) and the risk estimation guidance in ISO/TR 24971:2020 cover these concepts, but you can create your own scale and descriptors as long as you define them in your risk management procedure. Keep in mind that harms can have levels of severity; burns, for example, are categorized as first-, second-, or third-degree.


Qualitative risk acceptability matrix

A risk matrix such as the one shown below helps the organization make objective decisions on actions to take if a risk shifts from one box to another, based on a change in probability or severity.

Severity of harm (columns):
- Negligible: minor injury or property damage
- Minor: limited injury or property damage
- Serious: medically reversible injury or significant property damage
- Critical: permanent injury or serious property damage
- Catastrophic: life-threatening injury or catastrophic property damage

Probability of occurrence (rows):
- Frequent: happens with almost every use of the device
- Probable: occurs the majority of times but not with every use
- Occasional: occurs with increased frequency
- Remote: more than one occurrence per year but still unlikely
- Improbable: less than one occurrence per year; isolated events

Probability \ Severity   Negligible    Minor         Serious       Critical      Catastrophic
Frequent                 CAPA          Unacceptable  Unacceptable  Unacceptable  Unacceptable
Probable                 CAPA          CAPA          Unacceptable  Unacceptable  Unacceptable
Occasional               Acceptable    CAPA          CAPA          Unacceptable  Unacceptable
Remote                   Acceptable    Acceptable    CAPA          Unacceptable  Unacceptable
Improbable               Acceptable    Acceptable    Acceptable    CAPA          CAPA

Ultimately, risk estimation should be viewed as a data-driven process. Gather as much


quantitative information as possible from your complaint-handling files, published
standards, technical data, clinical data, results of investigations, expert opinion, field data,
MDRs, and test data. You can document it using Excel, software tools, or a simple list.
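Here is the matrix above turned into a small risk register you can actually run. This is an added example, not part of the original e-book: the five severity bands, five probability bands and the verdict in each cell are copied from the matrix, while the two register lines and the bands assigned to them are constructed from the blood glucose meter discussion, not data from any real device. It shows the point of the matrix in code: a control that moves a risk only one box (Occasional to Remote, still Critical) leaves it Unacceptable, and a typo in a band name raises instead of silently reading as Acceptable.

```python
"""Qualitative risk matrix as a small risk register (added worked example).

The bands and verdicts are the ones from the matrix in the text. The two
register lines are constructed from the blood glucose meter discussion in
this e-book; the bands assigned to them are illustrative assumptions.
"""
from dataclasses import dataclass, field

SEVERITY = ["Negligible", "Minor", "Serious", "Critical", "Catastrophic"]
PROBABILITY = ["Improbable", "Remote", "Occasional", "Probable", "Frequent"]

# One row per probability band, one column per severity band (same order as
# SEVERITY). The verdict words are the ones used in the matrix.
MATRIX = {
    "Frequent":   ["CAPA", "Unacceptable", "Unacceptable", "Unacceptable", "Unacceptable"],
    "Probable":   ["CAPA", "CAPA", "Unacceptable", "Unacceptable", "Unacceptable"],
    "Occasional": ["Acceptable", "CAPA", "CAPA", "Unacceptable", "Unacceptable"],
    "Remote":     ["Acceptable", "Acceptable", "CAPA", "Unacceptable", "Unacceptable"],
    "Improbable": ["Acceptable", "Acceptable", "Acceptable", "CAPA", "CAPA"],
}
VERDICT_RANK = {"Acceptable": 0, "CAPA": 1, "Unacceptable": 2}


def evaluate(probability, severity):
    """Verdict for one (probability, severity) pair. Unknown band names raise,
    so a typo in a register can never silently read as Acceptable."""
    if probability not in MATRIX or severity not in SEVERITY:
        raise ValueError(f"unknown band: {probability!r} / {severity!r}")
    return MATRIX[probability][SEVERITY.index(severity)]


@dataclass
class RiskLine:
    hazard: str
    hazardous_situation: str
    harm: str
    severity: str
    probability: str                       # estimate before any risk control
    # (control description, probability band after that control is verified)
    controls: list = field(default_factory=list)

    def initial_verdict(self):
        return evaluate(self.probability, self.severity)

    def residual_probability(self):
        """Band after the verified controls. In this simple model a control can only
        lower probability; severity stays as estimated unless the design changes
        the harm itself, in which case the line should be re-estimated."""
        band = self.probability
        for _description, new_band in self.controls:
            if PROBABILITY.index(new_band) < PROBABILITY.index(band):
                band = new_band
        return band

    def residual_verdict(self):
        return evaluate(self.residual_probability(), self.severity)


def overall_verdict(register):
    """Worst residual verdict over the whole register: a single Unacceptable
    line makes the overall residual risk unacceptable."""
    return max((line.residual_verdict() for line in register),
               key=VERDICT_RANK.__getitem__)


def build_register():
    """Constructed register lines for the glucose meter example."""
    return [
        RiskLine(hazard="Battery indicator too small, no supplemental low-battery warning",
                 hazardous_situation="Meter is out of power when the user needs a reading",
                 harm="Hypo- or hyperglycemia from improper insulin dosing",
                 severity="Critical", probability="Occasional",
                 controls=[("Larger battery meter on the display", "Remote"),
                           ("Supplemental audible low-battery alert", "Improbable")]),
        RiskLine(hazard="Highly reflective display",
                 hazardous_situation="User misreads the glucose value in bright sunlight",
                 harm="Hypo- or hyperglycemia from improper insulin dosing",
                 severity="Critical", probability="Remote",
                 controls=[("Anti-glare display coating", "Improbable")]),
    ]


if __name__ == "__main__":
    register = build_register()
    for line in register:
        print(f"{line.hazardous_situation}: {line.initial_verdict()} -> {line.residual_verdict()}")
    print("Overall residual risk:", overall_verdict(register))
```

Both constructed lines end in CAPA rather than Acceptable, which is exactly the situation clauses 7.4 and 8 then send you to: a benefit-risk analysis and an overall residual risk evaluation, with the rationale recorded in the risk management file.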


Medical device risk control and risk management tools


Unless you have prior experience with risk management, it can be perplexing to figure out
which risk evaluation tools are best suited to your situation. There are many options, each
with pros and cons. The one(s) you use will depend on your product and company culture,
among other things. It would take far too long to go into depth about the options available
to you, but on the next page is a list of some of the more commonly used tools.

Using this list as a starting point, research the various options and find the best fit for your
situation. Typically, it is optimal to use more than one tool and a combination of top-down
and bottom-up tools.

Controlling medical device risks


A big portion of risk management is evaluating and reducing risk. However, sometimes
the likelihood of harm resulting from a hazard is quite low and mitigating that hazard may
not provide any tangible reduction in risk – in fact, it may diminish your device’s benefits.
Here’s a quick example. Let’s say you produce a blood glucose meter. To improve visibility,
you consider making the display color. However, doing so would introduce a new hazard:
color screens require more power, and this would decrease battery life. If the current
monochromatic display is quite readable you may actually increase overall risk by adding
this new “feature.”

To avoid making the wrong decision, evaluate risks using a disciplined, planned process.
In your risk management file, document the hazards you identify and the rationale behind
the decision to control or not control those risks. Remember, you cannot trade off safety
for cost!

Now that you have identified the risks, analyzed their severity, and assessed their
likelihood to occur, it’s time to look at how those risks can be controlled. Clause 7 of ISO
14971 is all about risk control. You will confront the following questions:

- Can we reduce the risk?
- What is the best way to do it?
- Did the risk control work?
- Is the residual risk acceptable?


Your risk management file must include evidence that you have conducted a risk analysis
and risk evaluation for each identified hazard, including foreseeable risks. This also
includes implementation and verification of risk control measures, and an assessment of
the acceptability of residual risk.

Commonly used risk management tools


This table shows some common tools you can use to evaluate risk. A powerful combination of tools is the FMEA and FTA, which together combine the bottom-up and top-down approaches, providing a robust and thorough risk analysis. See Annex B of ISO/TR 24971 for more information on the application of several techniques noted below.

BOTTOM-UP TOOLS

Preliminary Hazard Analysis (PHA): “What if” analysis that takes a hazard and traces it to harm. Useful early in the risk management process.

Failure Mode and Effects Analysis (FMEA): “What if” analysis that takes a failure and traces it to an injury or hazard. Often used in design and process phases. Focuses on one piece of the puzzle, so don’t rely on it alone for your risk management process. Best for manufacturing and use instructions.

TOP-DOWN TOOLS

Ishikawa or Fishbone (Cause-and-Effect) Diagram: Picture a fish skeleton: a central spine leading to the effect, with six primary categories of possible causes branching off it, each branching further into the more specific causes related to that primary potential cause.

Fault Tree Analysis (FTA): Starts with a failure and works back to the component. Focuses on the big picture, unlike FMEA. Good choice for design activities. Use with FMEA for new design technology unless failure modes are unknown.

MORE TOOLS

Brainstorming: Generates a wide variety of ideas. It’s important to crystallize the true objective so time is not wasted. Clusters can then be grouped to form an Ishikawa diagram.

Turtle Method: Starts with a process and examines factors that influence the process such as training, equipment, procedures, installation, etc.

Hazard Analysis and Critical Control Points (HACCP): Identifies various errors and hazards in production processes that can cause finished products to be unsafe. Designs measurements to reduce risks to a safe level.

Hazard and Operability Analysis (HAZOP): Assumes accidents are caused by deviations from design or operating intentions. Uses guide words to focus attention on specific aspects of design intent or associated process conditions.
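To make the top-down idea concrete, here is a fault tree for the glucose meter example, as an added example that is not part of the original e-book. The top event is the harm-causing event (improper insulin dose); the tree works back through OR and AND gates to component and use-related basic events. The tree shape and every probability in it are constructed assumptions for illustration, not figures from a real device, and basic events are assumed statistically independent, which is what makes the simple gate arithmetic valid.

```python
"""Fault tree analysis (FTA) for the blood glucose meter example (added worked example).

Top-down: start from the harmful top event and work back through AND/OR gates to
component and use-related basic events. The tree shape and every probability here
are constructed assumptions for illustration, not figures from a real device.
Basic events are assumed statistically independent, which is what makes the gate
arithmetic valid; correlated causes need a different treatment.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Optional


@dataclass
class Event:
    name: str
    p: Optional[float] = None        # probability of a basic event
    gate: Optional[str] = None       # "AND" or "OR" for an intermediate event
    children: list = field(default_factory=list)


def probability(event):
    """Top-event probability under independence: AND multiplies, OR is 1 - prod(1 - p)."""
    if event.gate is None:
        return event.p
    ps = [probability(c) for c in event.children]
    if event.gate == "AND":
        result = 1.0
        for x in ps:
            result *= x
        return result
    if event.gate == "OR":
        none_occur = 1.0
        for x in ps:
            none_occur *= 1.0 - x
        return 1.0 - none_occur
    raise ValueError(f"unknown gate {event.gate!r}")


def minimal_cut_sets(event):
    """Minimal cut sets: smallest combinations of basic events that are sufficient
    for the top event. Single-event cut sets are where a control is needed first."""
    if event.gate is None:
        return [frozenset([event.name])]
    child_sets = [minimal_cut_sets(c) for c in event.children]
    if event.gate == "OR":
        candidates = [s for sets in child_sets for s in sets]
    else:  # AND: one cut set from every child must occur together
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    minimal = []
    for s in sorted(set(candidates), key=len):
        if not any(m <= s for m in minimal):   # drop supersets of a smaller cut set
            minimal.append(s)
    return minimal


def build_tree(supplemental_alert=False):
    """Tree for the top event 'improper insulin dose'. With supplemental_alert=True the
    added low-battery alert is modelled as a second, independent barrier (AND gate)."""
    battery_unnoticed = Event("Low battery not noticed on the small indicator", p=0.20)
    if supplemental_alert:
        battery_unnoticed = Event("Low battery unnoticed despite alert", gate="AND", children=[
            battery_unnoticed,
            Event("Supplemental audible alert fails or is ignored", p=0.05),
        ])
    no_power = Event("Meter has no power when a reading is needed", gate="AND", children=[
        battery_unnoticed,
        Event("No way to recharge within 2 hours", p=0.10),
    ])
    misread = Event("Reading misread on the display", gate="OR", children=[
        Event("Glare in bright sunlight", p=0.02),
        Event("Display too dim in low light", p=0.01),
    ])
    return Event("Improper insulin dose", gate="OR", children=[no_power, misread])


if __name__ == "__main__":
    for alert in (False, True):
        top = build_tree(supplemental_alert=alert)
        print(f"alert={alert}: P(top) = {probability(top):.4f}")
        for cs in minimal_cut_sets(top):
            print("  cut set:", sorted(cs))
```

Two things the tree shows that the tool description alone does not: the minimal cut sets tell you which single basic events (here, glare and dim display) reach the top event on their own and so deserve a control first, and adding the supplemental alert turns the two-event battery cut set into a three-event one, which is what drives the top-event probability down.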


Residual risk: Avoiding analysis paralysis


The number of possible hazardous scenarios is limited only by imagination. Does that
mean you must document all possible risks, including the likelihood that Godzilla will
invade your city and crush your manufacturing plant? No.

Clauses 7.4 and 8 of ISO 14971:2019 emphasize the need to evaluate residual risk.
Likewise, Annex I of the European Medical Device Regulation (2017/745) says that you
should “reduce risks as far as possible” without adversely impacting the benefit-risk ratio.

To ensure that you do not go overboard in analyzing residual risks, establish a


systematic process and focus on the risks that are within your control. For example, you
shouldn’t fixate on the device risks posed by a new global pandemic. That’s completely
out of your control. However, you should identify organizational risks posed by potential
supply chain issues.

This process will reveal the strength (or blind spots) of the team you have assembled.
You need to assemble people who fully understand how your device is manufactured,
distributed, and used. Someone without any knowledge of how your device is
manufactured will not be able to foresee scenarios that could create hazardous situations.

How low should you go?


An important part of the risk analysis process is to ensure that you do not introduce new hazards in your quest to eliminate or minimize hazards. FDA describes its expectations about risk-based decisions: in the preamble of 21 CFR Part 820, FDA states that if any risk is judged to be unacceptable, it should be reduced to acceptable levels by the appropriate means, which may include a redesign or warnings. ISO 14971:2019 refers you to your own risk acceptability policy to determine risk control options. Your risk policy establishes criteria for the level of control and may employ one of the following two approaches.

Annex I of the EU MDR and ISO 14971:2019 7.1 also require you to minimize all known and foreseeable risks to an acceptable level when weighed against the medical device benefits. This includes intentional and unintentional misuse of your device.


ALARP - As Low As Reasonably Practicable


- ALARP refers to controls that are considered viable or capable of being implemented, and it has two components.

- First, look at technical practicability in reducing risks, ensuring that the controls do not reduce the effectiveness of the device and are not overly complex or confusing for users.

- Then, consider the economic practicability, ensuring risk controls do not reduce the availability of the device to protect human health by making it too expensive for users.

- Note that “practicable” (versus practical) means something that can actually be put into practice.

AFAP – As Far As Possible


- Policy of reducing risk as far as possible without adversely affecting the benefit-risk ratio.

- Takes into account the generally acknowledged “state of the art”.

- Required by EU MDR General Safety and Performance Requirements (GSPR) Annex I.

If you sell in the US and Europe, we recommend you adopt AFAP as your risk control approach. While Section 4.1 (Note 1) of ISO 14971:2019 mentions the general concept of reducing risk to ALARP and Annex D of ISO/TR 24971:2020 does mention the “cost of further reduction” in the definition of practicability, it is never acceptable to trade off device safety against cost. The rationale for your decision must be documented in your risk management file, so don’t even think about mentioning cost in your justification.


Don’t forget to evaluate benefits!


ISO 14971:2019 does not change the risk management process, but it does finally define
“benefit” – something ISO 14971:2007 and EN ISO 14971:2012 did not. Benefit is now
defined as:

“Positive impact or desirable outcome of the use of a medical


device on the health of an individual, or a positive impact on patient
management or public health.”

The US FDA also publishes an excellent guidance document discussing the risk-benefit
evaluation process for medical devices. Ultimately, FDA recommends that you take the
following factors into account:

- Type of benefit: quality of life, relief from symptoms, reduced probability of death, etc.

- Magnitude of benefit: anticipated change in condition or clinical management

- Probability of benefit: can be based on prior investigations, demographics, health status, etc.

- Duration of benefit: curative, or repeated interventions required

- Availability of alternatives: safety and effectiveness of other options

Notice that the definition of benefit and the factors above extend beyond the impact on the patient. See this article on how to properly evaluate benefits. Finally, just remember that the benefit-risk analysis is not a calculable ratio. There is no formula for determining the correct balance. Let common sense drive your analysis.


Risk management review, reporting and post market planning


As part of the risk review process, you’ll need to assess your risk management activities
against the risk management plan on three levels:

1. Has the plan been implemented appropriately?


2. Is the overall residual risk acceptable?
3. Are production and post-production information collection methods implemented?

The summation of answers to these questions becomes your risk management report,
which is part of your larger risk management file. The report documents the conduct
and results of your risk management activities. Your risk management file includes or
references all required documents and provides traceability for each hazard and is what
you will use to demonstrate compliance with standards and regulations. It should contain:

• Deviations
• Risk plan and process status
• Risk assessments
• Conclusions
• Risk-benefit summary
• Residual risk evaluation

[Figure: the six items above shown surrounding the Risk Management Report]


Be judicious with the amount of information contained in the risk management report
– it’s a useful internal reference, but it may contain more information than you need to
show auditors. Instead, we recommend that you prepare a risk management summary.
This should be a standalone document, not a prologue to your larger risk management file.
The summary provides an overview for auditors, contains a synopsis for executives, and
references detailed information. It complements your detailed risk management report,
which should be reserved for internal use as a working, living document.

Production and post-production activities

Once your device is for sale on the market, congratulations: your risk management work is
done. Ok, just kidding – your work is never done! Risk management is an ongoing process
for as long as the device is in service. Typically, you will find yourself dealing with two
types of post-production issues as shown in the table below.

Post-production issues
• Incident-driven – requires your immediate attention
• Review-driven – discovered during data analysis

Your risk management process should document both pathways for analysis. As part of
your ongoing efforts, you should be evaluating complaints, incidents, product failures, and
design process changes for potential safety impact. You will also take into account any
changes in installation, use, and servicing. Are previously unrecognized hazards present?
Is the estimated risk no longer acceptable? Is the original assessment still valid? Possible
incident-driven triggers include:

• Design/materials changes
• Manufacturing changes
• Vendor changes
• Individual complaints
• Medical device record
• Incidents
• Malfunctions
• Standards changes


You are required to analyze all incidents, near-incidents, and malfunctions to categorize
their risk level. The triggers can also be review-driven and prompted by:

• Management review information, including complaints, audits, and CAPA
• Postmarket surveillance report
• Clinical evaluation report
• Ongoing supplier evaluation report
• Predefined risk management plan review intervals

Whatever the trigger, your assessment must be documented, becomes part of your risk
management file, and may result in a corrective and preventive action (CAPA), a vigilance
report, or another regulatory notification.

Production and post-production information collection


As we have mentioned, risk management is best managed as a process and a series of
projects. That means it is ongoing, and the continuous collection of information is essential
and required. This collection should include information about device performance, device
patient populations, reasonably foreseeable misuse, and previously unknown hazards and
risks. You can gather this data from users of the devices, installation/maintenance records,
your supply chain, or public information relevant to your device. All of this collected
information must be reviewed for potential application to the safety of the device. Here
are some examples of specific things to consider during that review:

• Has the intended use of the device been modified?
• Are the expected benefits of the device still valid?
• Is there a new risk or a risk not considered before?
• Has the benefit-risk ratio changed?
• Have new misuses been identified?
• Are the estimated severities of harm appropriate?
• Have risk control measures performed as expected?
• Have any changes taken place in the state of the art for the device?
• Is there evidence that the overall residual risk is still acceptable?

After this initial review has been done, you may come to one of the following conclusions:

• Overall residual risk remains acceptable with no new hazards or hazardous situations identified
• Overall residual risk has changed and is no longer acceptable – action is required
• A new hazard was identified and requires further action
• State of the art related to the device has changed and must be evaluated for further action

Make sure your review is documented in your risk management file even if no changes are
needed! Also use the information you collect and review for the device to see if there are
opportunities to improve the risk management process itself. For example, did a complaint
from the field highlight a gap in how you originally identified the hazards associated with
the device – maybe a missing type of expertise on your risk management teams? Be sure
to look at the collected information from the process improvement perspective, too.

Pulling it all together


Risk management plays a vital role in promoting the safety of medical devices. A well-
designed program of risk management is an ongoing exercise in proactive problem solving
that saves headaches in the long run. It also benefits patients or users and can result in
higher user satisfaction and more insights into how you make your products better. Top-
tier companies take the responsibility very seriously.


Want to Learn More?

Oriel STAT A MATRIX has been assisting medical device manufacturers with compliance issues
for over 50 years. If you are just starting out to set up a risk management system in your
company, you’ll definitely want to check out our intensive training course on ISO 14971 and risk
management. Our expert consultants can also provide hands-on risk management support.


Call us at 1.800.472.6477 or go online to orielstat.com to learn more.

Oriel STAT A MATRIX Also Offers a Wide Variety of RA/QA Training Courses

Regulatory compliance:
• EU MDR (2017/745) Transition
• ISO 14971 Risk Management
• Complaint Management/Vigilance
• EU Clinical Evaluation Reports
• Medical Device Software V&V
• CAPA Process Optimization

QMS compliance and auditing:
• EU MDR (2017/745) Auditing
• ISO 13485:2016 Auditing
• Medical Device QMS Training
• MDSAP Auditing
• Supplier Quality Management
• SOP Writing/Process Mapping

1095 Morris Avenue, Suite 103B
Union, NJ 07083
© 2020 Oriel STAT A MATRIX