Professional Documents
Culture Documents
Management File
A Practical Guide
24 June 2021
Agenda / Take-aways
• How Risk Management activities fit into QMS activities
FDA QSR
• The word “risk” only appears once in the QSR
• Design controls 820.30(g): “Design validation shall include
software validation and risk analysis, where appropriate.”
(2017/745)(examples)
• Article 10 General obligations of manufacturers
• (2) Manufacturers shall establish, document, implement and
maintain a system for risk management as described in Section 3
of Annex I (General Safety and Performance Requirements).
• Article 61 Clinical Evaluation
• 1. Confirmation of conformity with relevant general safety and
performance requirements set out in Annex I under the normal
conditions of the intended use of the device, and the evaluation
of the undesirable side-effects and of the acceptability of the
benefit-risk- ratio referred to in Sections 1 and 8 of Annex I, shall
be based on clinical data providing sufficient clinical evidence,
including where applicable relevant data as referred to in Annex
III.
Process
• Risk acceptability
• A company policy established for risk acceptability
• Depends on the type of device (i.e. risk classification and
complexity of the device)
• For example, can describe “reducing risk as low as reasonably
practicable, reducing risk as low as reasonably achievable, or
reducing risk as far as possible without adversely affecting the
benefit-risk ratio.”
Acceptability
Process
• Personnel
• Criteria for competence described in ISO 14971
• Competence can be achieved by representatives of several
functions
• Competence: education, training, knowledge and experience
with the medical device (or similar) and it’s use, technologies, risk
management techniques
Risk Analysis
• Can be defined as “systematic use of available information to
identify hazards and hazardous situations, and to estimate the
risk associated with a medical device according to it’s
intended use / intended purpose and reasonably foreseeable
misuse”
• An overview of the medical device can be included in the risk
management plan, and should include:
• Description of the device
• Intended use
• Characteristics related to safety
• Human behavior should be accounted for in reasonably
foreseeable misuse
Risk Analysis
• The scope of a risk analysis can be broad or limited
depending on the intent (initial design or a change) and
should be defined in the risk management plan
• The records of risk analysis activities (conduct and results)
shall include:
• identification of the person(s) and organization who carried out
the risk analysis; and
• scope and date of the risk analysis.
• matrix format is most easy to use
• Initiated early in design, to allow risk control measures to
contribute to design inputs
Risk Analysis
• Identification of hazards and hazardous situations
• Hazard: potential source of harm (injury or damage to the
health of people, or damage to property or the environment)
• Refer to Table C.1 of ISO 14971:2019
• Hazardous situation: circumstance in which people, property or
the environment is/are exposed to one or more hazards
• Reasonably foreseeable sequences of events
• Refer to Table C.2 of ISO 14971:2019
• Device specific (intended use, foreseeable misuse, safety) and in
normal and fault conditions
Risk Analysis
• Risk estimation
• Estimate the associated risk(s) for each identified hazardous
situation using available information or data.
• Risk: combination of the probability of occurrence of harm and the
severity) of that harm
• For hazardous situations for which the probability of the
occurrence of harm cannot be estimated, the possible
consequences shall be listed for use in risk evaluation and risk
control.
• The system used for qualitative or quantitative categorization of
probability of occurrence of harm and severity of harm shall be
documented (an SOP can be referenced in the Risk
Management File)
Acceptability
• Taken from Greenlight Guru
Risk Evaluation
• For each identified hazardous situation, evaluate the
estimated risks
• Determine if the risk is acceptable or not, using the criteria
for risk acceptability defined in the risk management plan
and / or policy.
• Risk acceptable = no further activity = residual risk
• Risk not acceptable = risk control measures
Acceptability
Risk Control
• Measures for risk control (in priority order)
• inherently safe design and manufacture
• protective measures in the medical device itself or in the
manufacturing process;
• information for safety and, where appropriate, training to users.
• Intended to reduce the severity of the harm or reduce the
probability of occurrence of the harm, or both.
• Standards are a good resource for risk control measures
• Many standards address inherent safety, protective measures,
and information for safety for medical devices. In addition, some
medical device standards have integrated elements of the risk
management process.
Benefit-risk analysis
• If risk is still judged as unacceptable, data and literature
should be reviewed to determine if the benefits of the
intended use outweigh this residual risk
• Outcomes:
• Benefits outweigh this residual risk = no further action to reduce
• Residual risk outweighs benefit = modify device or intended use
activities
• Aligned with postmarket surveillance and clinical
evaluation activities
• Collection of information:
• Production
• User
• Installation / Servicing
• Supply Chain
• Publicly available information (including similar devices)
• State of the art information (new or revised standards, published
data, alternative devices / therapies)
activities
• Review of Information:
• Review information collected with relevance to safety, with
consideration to the risk management activities
• Postmarket surveillance data should have a feedback loop into
the risk management file
• Clinical evaluation should have a feedback loop into the risk
management file
activities
• Relationships between
Clinical Evaluation, Risk
Management, Postmarket
Surveillance and Post-
market Clinical Follow-up
activities
• Actions to be taken if information relevant to safety:
• Device related:
• Is reassessment of risks necessary?
• Is assessment of new risks necessary?
• If a residual risk is no longer acceptable, the impact on previously
implemented risk control measures shall be evaluated and should be
considered as an input for modification of the medical device
• Action on the market?
• Risk management process related
• Impact on previously implemented risk management activities
• An input into the review of suitability of the process in management review
• Questions?