Overview
From a distance, risk management seems straightforward. You have a device, evaluate
its potential risks, mitigate those risks, monitor them over time, and you’re done. Seems
easy, right? Ah, if only life were so straightforward. The reality is that risk management
is one of the more complex aspects of regulatory compliance, simply because risk
comes in so many flavors and perceptions of severity. Plus, the probability of harm
actually occurring can be estimated quite differently. The thing that makes risk
management tricky is that we often don’t have enough real-world data to accurately
quantify risks, especially for new devices. Fortunately, there is a systematic process
you can establish to analyze, evaluate, control, and monitor risks. Before we get into
that, let’s step back and talk about the regulations and standards that dictate how you
should approach risk management.
[Figure: the risk management cycle: Analyze Risks, Control Risks]
For medical devices, risk and risk management are defined as:
• Risk is the combination of probability of occurrence of harm and the severity of that harm.
orielstat.com
Why is risk management needed? Simply put, we have a collective interest in ensuring that
medical devices are safe and effective. For that reason, risk management is not optional
– it is a regulatory requirement worldwide. The US FDA mandates it in the Quality System
Regulation (21 CFR Part 820). Europe requires it in the Medical Device Regulation (MDR
2017/745). Likewise, Japan, Canada, Australia, Brazil, and all other major markets require
the application of risk management, which is either referenced in their national regulations
or ISO 13485:2016.
The intent of ISO 14971 is to define a standard process for identifying risks associated
with medical devices at all stages in a device’s life cycle, from product design to
procurement to production and postmarket use. In all cases, the goal is to analyze,
evaluate, control, and monitor the risks associated with each life-cycle stage.
The most recent version - ISO 14971:2019 - was published in December of 2019 by ISO
and as EN ISO 14971:2019 by CEN/CENELEC. This version replaces ISO 14971:2007 and
EN ISO 14971:2012 and while no tectonic shifts have occurred in the risk management
process, there are important changes and updates to be aware of. Read our blog post to
get up to speed on the changes in ISO 14971:2019.
Evolution of ISO 14971 (timeline figure):
  ISO 14971-1:1998      Risk assessment only
  ISO 14971:2000/2001   Risk analysis, risk evaluation, risk control
  ISO 14971:2007/2009   Risk analysis, risk evaluation
  EN ISO 14971:2012     MDD "alignment"
  ISO 14971:2019        Risk policy, state of the art, ISO/TR 24971:2020
First, ISO 14971 clause 4.2 details two important responsibilities for your top
management that you need to talk about in your procedure.
1. Ensure the right resources are available and responsible for conducting risk
management activities, and
2. Define a risk policy that guides how the company sets up the risk acceptability criteria
for each of their devices.
The company’s risk policy serves as a single reference point that teams working on risk
management can use to make sure they set up the appropriate criteria for a device.
The policy includes information that ensures the acceptability criteria meet all of the
applicable national or regional regulations and relevant International Standards and
considers topics like the generally acknowledged state of the art and the interests of
stakeholders for the device. The risk policy is where you usually find statements like
“reduce the risk as far as possible” or “reduce the risk as low as reasonably practicable”.
Make sure you also include information on how top management will review the suitability
of the risk management process. Usually this happens in Management Review.
Next, Clause 4.1 of ISO 14971:2019 states that you must have an ongoing process for
doing these things for each device or device family you manufacture:
[Figure: RISK ACTIVITIES]
The plan defines what detailed steps we’ll take for risk management for a particular
device including all of the risk analysis, risk evaluation, risk control, and review and
reporting. Document activities that will take place, assign responsibilities, establish your
risk acceptability criteria, plan risk control verification activities, determine risk review
requirements, and plan production/post-production activities.
• Assemble your risk management team: Assemble a qualified team of people who
know how your device is constructed, its manufacturing processes, how it is used in
the field, etc.
• Use risk analysis tools to identify risks: Choose the tools you will use to measure risk
(discussed more later) and then use them to identify risks posed by your processes,
users, suppliers, maintenance tasks, shipping, production equipment, etc.
• Control risks: The goal here is to reduce risks to an acceptable level, as defined in your
risk policy, using design features, protective measures like alarms, and, of course,
information such as warning labels.
• Weigh the risks versus the benefits: This is fairly self-explanatory, but the end goal is
to ensure that the clinical benefits of your device outweigh residual risks. This needs
to be reassessed throughout the life of the device.
At this point, it’s a good idea to firm up your plans for monitoring risk throughout the
device life-cycle.
Last detail to mention: All of the documentation that you create throughout these three
basic steps becomes the content of the risk management file for your device.
Several activities should be part of your risk management plan, and we will talk more
about them later. First, you need to define the scope of what you will be evaluating,
including a detailed device description and its life cycle. This is also the time to clearly lay
out your risk acceptability criteria, specific assessment, control, and verification activities,
and production and post-production plans. This is where you can leverage the process
outlined in your risk management procedure, referencing that procedure for elements of
the process that aren’t changing in the specific plan. For example, the procedure outlines
the organization’s risk policy and general acceptability criteria. These may not change
for an individual device risk management plan, so simply summarize them in your plan. Your
procedure, plan, and all other documentation need to be controlled as they become part of
the risk management file which is part of the technical documentation of the device.
[Figure: overview of risk management activities, based on Figure B.1 in ISO 14971:2019. Nodes: Risk management plan (4.4); Is risk control required? (6); Is risk control practicable? (7.1); Implement and verify the identified risk control measures (7.2); Risk control; Overall residual risk (acceptable / unacceptable); Review production and post-production information (10.3); Is reassessment of the risk necessary? (10.4)]
HAZARD (ISO 14971:2019 3.4): Potential source of harm.
HAZARDOUS SITUATION (ISO 14971:2019 3.5): Circumstance in which people, property, or the environment is/are exposed to one or more hazards.
HARM (ISO 14971:2019 3.5): Injury or damage to the health of people, or damage to property or the environment.
Example: Electrical hazard -> Exposure to electrical shock -> Skin burns, heart stops, etc.
The first step in the analysis is to start by asking questions. Annex A in ISO/TR
24971:2020 has a long list of questions to get you started on identifying characteristics
for safety and even some preliminary hazards in the design concept phase. Think about
the ways a user might inadvertently misuse the device, or how the device might fail.
Are there other similar products on the market? What has gone wrong with them? FDA
databases (MAUDE), published journal articles, online product reviews (consumer devices),
and user interviews are good sources for such information. The extent to which you
perform this analysis largely depends on the risk classification of your device.
After you have identified hazardous situations, you need to estimate the risks associated
with the situation. This includes the probability that the hazardous situation will occur,
probability that the situation will lead to harm, and the severity of that harm. Sometimes
the probability of harm cannot be estimated because of the role of the user in recognizing
the situation, so be sure to document the possible consequences in these cases.
Put yourself in the shoes of the user or patient. What could go wrong during typical
use situations? Could the device be misused in a way that would cause harm? What
environmental factors need to be considered? Is the device used at home? In a noisy,
chaotic area of a hospital or lab?
Here’s an example. Let’s suppose you make a blood glucose meter. Your product displays
the most important readings in very large text. If you examine the screen while sitting in
your office, you might assume that the probability of a misread by the user is quite low.
But what happens when you take it outside into bright sunlight?
Is the display screen highly reflective? Can you clearly read everything using sunglasses?
How about in low light? Is the battery meter clearly visible and does it provide adequate
warning of battery depletion? These are potentially hazardous situations and your mission
is to estimate the probability of those situations. Regulators expect you to anticipate these
issues. Never blame the user.
Let’s go back to the battery indicator issue we just mentioned. In this case, the “hazard”
might be a battery indicator that is too small on the LED screen and without any
supplemental warning light to signal that the battery is very low. A “hazardous situation”
that might result involves users who need to check their insulin level right away, only to
find their glucose meter is out of power. If the users do not have a way to recharge the
meter for 2 hours, they may simply guess how much insulin they need based on how
they are feeling. The harm that could result is hypo- or hyperglycemia caused by improper
dosing of insulin. This risk can be mitigated by making the battery meter larger, and/or by
adding a supplemental visual or audible indicator by which the battery warns users that
recharging is needed.
RISK ACCEPTABILITY MATRIX: SEVERITY OF HARM (columns) versus PROBABILITY OF OCCURRENCE (rows)

Severity classes:
  Negligible    Minor injury or property damage
  Minor         Limited injury or property damage
  Serious       Medically reversible injury or significant property damage
  Critical      Permanent injury or serious property damage
  Catastrophic  Life-threatening injury or catastrophic property damage

Probability classes:
  Frequent      Happens with almost every use of the device
  Probable      Occurs the majority of times but not with every use
  Occasional    Occurs with increased frequency
  Remote        More than one occurrence per year but still unlikely
  Improbable    Less than one occurrence per year; isolated events

Probability    Negligible    Minor         Serious       Critical      Catastrophic
Frequent       CAPA          Unacceptable  Unacceptable  Unacceptable  Unacceptable
Probable       CAPA          CAPA          Unacceptable  Unacceptable  Unacceptable
Occasional     Acceptable    CAPA          CAPA          Unacceptable  Unacceptable
Remote         Acceptable    Acceptable    CAPA          Unacceptable  Unacceptable
Improbable     Acceptable    Acceptable    Acceptable    CAPA          CAPA
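To make the evaluation step concrete, the following is an added example (not code from Oriel STAT A MATRIX or from ISO 14971) that encodes the acceptability matrix above and runs a small risk register through it: the hazard / hazardous situation / harm chain described earlier, the glucose-meter battery-indicator case, a risk control that lowers the probability class, and the case where probability cannot be estimated and only the consequences can be documented. The severity and probability classes assigned to the sample items, the policy of evaluating a non-estimable probability against the worst-case row, and all names (RiskItem, evaluate, apply_control, needs_action) are assumptions made for this illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Column and row order of the acceptability matrix above (least to most severe / likely).
SEVERITIES = ("Negligible", "Minor", "Serious", "Critical", "Catastrophic")
PROBABILITIES = ("Improbable", "Remote", "Occasional", "Probable", "Frequent")

# The matrix exactly as printed above: one tuple per probability class,
# entries in SEVERITIES order.
MATRIX: Dict[str, Tuple[str, ...]] = {
    "Frequent":   ("CAPA", "Unacceptable", "Unacceptable", "Unacceptable", "Unacceptable"),
    "Probable":   ("CAPA", "CAPA", "Unacceptable", "Unacceptable", "Unacceptable"),
    "Occasional": ("Acceptable", "CAPA", "CAPA", "Unacceptable", "Unacceptable"),
    "Remote":     ("Acceptable", "Acceptable", "CAPA", "Unacceptable", "Unacceptable"),
    "Improbable": ("Acceptable", "Acceptable", "Acceptable", "CAPA", "CAPA"),
}

# Assumed policy (not from the page): when the probability of harm cannot be
# estimated, document the consequences and evaluate on severity alone against
# the worst-case probability row.
WORST_CASE_PROBABILITY = "Frequent"


@dataclass(frozen=True)
class RiskItem:
    """One line of the risk register: hazard -> hazardous situation -> harm."""
    hazard: str
    hazardous_situation: str
    harm: str
    severity: str
    probability: Optional[str]          # None when the probability cannot be estimated
    consequences: str = ""              # must be documented when probability is None
    controls: Tuple[str, ...] = ()      # risk control measures applied so far


def evaluate(item: RiskItem) -> str:
    """Return the matrix disposition: Acceptable, CAPA or Unacceptable."""
    if item.severity not in SEVERITIES:
        raise ValueError(f"unknown severity class: {item.severity!r}")
    probability = item.probability
    if probability is None:
        # The page's rule: if probability cannot be estimated, the possible
        # consequences must be documented; refuse to evaluate without them.
        if not item.consequences:
            raise ValueError("document the possible consequences when probability cannot be estimated")
        probability = WORST_CASE_PROBABILITY
    if probability not in PROBABILITIES:
        raise ValueError(f"unknown probability class: {probability!r}")
    return MATRIX[probability][SEVERITIES.index(item.severity)]


def apply_control(item: RiskItem, measure: str, *, new_probability: Optional[str] = None,
                  new_severity: Optional[str] = None) -> RiskItem:
    """Record a risk control and return the residual-risk line it produces."""
    return replace(
        item,
        controls=item.controls + (measure,),
        probability=new_probability if new_probability is not None else item.probability,
        severity=new_severity if new_severity is not None else item.severity,
    )


def needs_action(register: List[RiskItem]) -> List[RiskItem]:
    """Lines that are not Acceptable, i.e. need further control or benefit-risk justification."""
    return [item for item in register if evaluate(item) != "Acceptable"]


# Constructed sample register; the classes below are assumptions for illustration.
GLUCOSE_BATTERY = RiskItem(
    hazard="Battery indicator too small; no supplemental low-battery warning",
    hazardous_situation="User needs a reading now; meter is out of power and cannot be recharged for 2 hours",
    harm="Hypo- or hyperglycemia from improper insulin dosing",
    severity="Critical",
    probability="Occasional",
)
GLUCOSE_GLARE = RiskItem(
    hazard="Highly reflective display",
    hazardous_situation="User reads the display in bright sunlight",
    harm="Misread value leads to improper insulin dosing",
    severity="Serious",
    probability=None,   # depends on the user recognising the glare; treated as not estimable
    consequences="Value misread by one or more digits; dose computed from the wrong reading",
)
# Residual risk after the control suggested on the page (larger indicator plus a
# supplemental alert); the new probability class is an assumption.
GLUCOSE_BATTERY_CONTROLLED = apply_control(
    GLUCOSE_BATTERY,
    "Larger battery indicator plus audible low-battery alert",
    new_probability="Improbable",
)

if __name__ == "__main__":
    register = [GLUCOSE_BATTERY, GLUCOSE_GLARE, GLUCOSE_BATTERY_CONTROLLED]
    for item in register:
        applied = ", ".join(item.controls) or "none"
        print(f"{evaluate(item):13} {item.hazard} (controls: {applied})")
```

Note that the controlled battery item lands on CAPA rather than Acceptable: under this matrix a Critical harm never becomes Acceptable by reducing probability alone, which is exactly the point where the page's benefit-risk weighing and documented rationale come in.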
Using this list as a starting point, research the various options and find the best fit for your
situation. Typically, it is optimal to use more than one tool and a combination of top-down
and bottom-up tools.
To avoid making the wrong decision, evaluate risks using a disciplined, planned process.
In your risk management file, document the hazards you identify and the rationale behind
the decision to control or not control those risks. Remember, you cannot trade off safety
for cost!
Now that you have identified the risks, analyzed their severity, and assessed their
likelihood to occur, it’s time to look at how those risks can be controlled. Clause 7 of ISO
14971 is all about risk control. You will confront the following questions:
Your risk management file must include evidence that you have conducted a risk analysis
and risk evaluation for each identified hazard, including foreseeable risks. This also
includes implementation and verification of risk control measures, and an assessment of
the acceptability of residual risk.
TOOL                                    HOW IT IS USED
Failure Mode and Effects Analysis       "What if" analysis that takes a failure and traces it to an injury or hazard.
(FMEA)                                  Often used in design and process phases. Focuses on one piece of the
                                        puzzle, but don't rely on it alone for your risk management process. Best for
                                        manufacturing and use instructions.
Fault Tree Analysis (FTA)               Starts with failure and works back to the component. Focuses on the big
                                        picture, unlike FMEA. Good choice for design activities. Use with FMEA for
                                        new design technology unless failure modes are unknown.
MORE TOOLS                              HOW IT IS USED
Brainstorming                           Generates a wide variety of ideas. It's important to crystallize the true
                                        objective so time is not wasted. Clusters can then be grouped to form an
                                        Ishikawa diagram.
Turtle Method                           Starts with a process and examines factors that influence the process such as
                                        training, equipment, procedures, installation, etc.
Hazard Analysis and Critical            Identifies various errors and hazards in production processes that can
Control Points (HACCP)                  cause finished products to be unsafe. Designs measurements to reduce risks
                                        to a safe level.
Hazard and Operability                  Assumes accidents are caused by deviations from design or operating
Analysis (HAZOP)                        intentions. Uses keywords to focus attention on specific aspects of design
                                        intent or associated process condition.
Clauses 7.4 and 8 of ISO 14971:2019 emphasize the need to evaluate residual risk.
Likewise, Annex I of the European Medical Device Regulation (2017/745) says that you
should “reduce risks as far as possible” without adversely impacting the benefit-risk ratio.
This process will reveal the strength (or blind spots) of the team you have assembled.
You need to assemble people who fully understand how your device is manufactured,
distributed, and used. Someone without any knowledge of how your device is
manufactured will not be able to foresee scenarios that could create hazardous situations.
Annex I of the EU MDR and ISO 14971:2019 7.1 also require you to minimize all known
and foreseeable risks to an acceptable level when weighed against the medical device
benefits. This includes intentional and unintentional misuse of your device.
• First, look at technical practicability in reducing risks, ensuring that the controls do
not reduce the effectiveness of the device and are not overly complex or confusing for
users.
• Then, consider the economic practicability, ensuring risk controls do not reduce the
availability of the device to protect human health by making it too expensive for users.
• Note that “practicable” (versus practical) means something that can actually be put
into practice.
The US FDA also publishes an excellent guidance document discussing the risk-benefit
evaluation process for medical devices. Ultimately, FDA recommends that you take the
following factors into account:
[Figure: BENEFIT]
properly evaluate benefits. Finally, just remember that the benefit-risk analysis is
not a calculable ratio. There is no formula for determining the correct balance. Let
The summation of answers to these questions becomes your risk management report,
which is part of your larger risk management file. The report documents the conduct
and results of your risk management activities. Your risk management file includes or
references all required documents and provides traceability for each hazard and is what
you will use to demonstrate compliance with standards and regulations. It should contain:
[Figure: contents of the risk management file: Risk Management Report, Deviations, Conclusions, Risk-Benefit Summary, Residual Risk Evaluation]
Be judicious with the amount of information contained in the risk management report
– it’s a useful internal reference, but it may contain more information than you need to
show auditors. Instead we recommend that you prepare a risk management summary.
This should be a standalone document, not a prologue to your larger risk management file.
The summary provides an overview for auditors, contains a synopsis for executives and
references detailed information. It complements your detailed risk management report
which should be reserved for internal use and as a working living document.
Once your device is for sale on the market, congratulations: your risk management work is
done. Ok, just kidding – your work is never done! Risk management is an ongoing process
for as long as the device is in service. Typically, you will find yourself dealing with two
types of post-production issues as shown in the table below.
POST-PRODUCTION ISSUES
Incident-Driven    Requires your immediate attention
Your risk management process should document both pathways for analysis. As part of
your ongoing efforts, you should be evaluating complaints, incidents, product failures, and
design process changes for potential safety impact. You will also take into account any
changes in installation, use, and servicing. Are previously unrecognized hazards present?
Is the estimated risk no longer acceptable? Is the original assessment still valid? Possible
incident-driven triggers include:
You are required to analyze all incidents, near-incidents, and malfunctions to categorize
their risk level. The triggers can also be review-driven and prompted by:
• Have any changes taken place in the state of the art for the device?
• Is there evidence that the overall residual risk is still acceptable?
After this initial review has been done, you may come to one of the following conclusions:
• Overall residual risk remains acceptable with no new hazards or hazardous situations
identified
• Overall residual risk has changed and no longer is acceptable – action is required
• A new hazard was identified and requires further action
• State of the art related to the device has changed and must be evaluated for further
action
Make sure your review is documented in your risk management file even if no changes are
needed! Also use the information you collect and review for the device to see if there are
opportunities to improve the risk management process itself. For example, did a complaint
from the field highlight a gap in how you originally identified the hazards associated with
the device – maybe a missing type of expertise on your risk management teams? Be sure
to look at the collected information from the process improvement perspective, too.
Oriel STAT A MATRIX has been assisting medical device manufacturers with compliance issues
for over 50 years. If you are just starting out to set up a risk management system in your
company, you’ll definitely want to check out our intensive training course on ISO 14971 and risk
management. Our expert consultants can also provide hands-on risk management support.