GG Webinar - Structure Risk Management File

How to Structure a Risk
Management File
A Practical Guide
24 June 2021
© Copyright 2021 Kapstone Medical, LLC

MEDICAL DEVICE IS ALL WE DO,
AND WE’RE ALWAYS AHEAD OF THE GAME.
STAY AHEAD, WITH US.

75 275k #1 114k RISK MANAGEMENT CERTIFICATION
years industry podcast listeners blog and podcast look to us for the
experience in the industry latest in quality
Gain on-demand knowledge and insights to
align with the latest version of ISO 14971:2019
and how to define and address risk
management to design safer medical devices.
QMS SOFTWARE LEADER FOR 11
STRAIGHT QUARTERS
“After using multiple types of eQMS software over the
years, this is the best by far!”
“My QMS is world “Design controls

class” lifesaver”
“One-stop shop” “Fantastic product, even better https://academy.greenlight.guru/

team”
3
Agenda / Take-aways
• How Risk Management activities fit into QMS activities
• How to complete the Risk Management activities
• What does a Risk Management File look like?

How Risk Management activities fit
into QMS activities.

5
What is Risk Management?

• ISO 14971 is the internationally recognized harmonized
standard describing the “application of risk management
to medical devices”
• Recognized by FDA, EU and many other regions
• This process shall apply throughout the life cycle of the
medical device.

6
FDA QSR
• The word “risk” only appears once in the QSR
• Design controls 820.30(g): “Design validation shall include
software validation and risk analysis, where appropriate.”

EU Medical Device Regulations
7
(2017/745)(examples)
• Article 10 General obligations of manufacturers
• (2) Manufacturers shall establish, document, implement and
maintain a system for risk management as described in Section 3
of Annex I (General Safety and Performance Requirements).
• Article 61 Clinical Evaluation
• 1. Confirmation of conformity with relevant general safety and
performance requirements set out in Annex I under the normal
conditions of the intended use of the device, and the evaluation
of the undesirable side-effects and of the acceptability of the
benefit-risk- ratio referred to in Sections 1 and 8 of Annex I, shall
be based on clinical data providing sufficient clinical evidence,
including where applicable relevant data as referred to in Annex
III.

8
ISO 13485: 2016 (examples)

• Section 7.1 Planning of product realization:
• The organization shall document one or more processes for risk
management in product realization.
• Records of risk management activities shall be maintained
• Section 7.3.3 Design and development inputs:
• c) applicable output(s) of risk management
• Section 8.21 Feedback
• The information gathered in the feedback process shall serve as
potential input into risk management for monitoring and
maintaining the product requirements as well as the product
realization or improvement processes.

9
Where to include “risk” in the QMS?

• Design controls – application of and interaction with ISO 14971
• Technical documentation (GSPR)
• Management responsibility – adequate resources, competent
personnel
• Internal audits – suitability of risk management process
• Management review – suitability of risk management process
• Clinical evaluation – risk management as an input, and as an
output
• Postmarket Surveillance - risk management as an input, and as
an output
• Risk Management – the process itself described

10
The Risk Management Process

• Risk Process Planning
• Risk Analysis:
• identifying hazards and hazardous situations associated with a
medical device;
• Risk Evaluation:
• estimating and evaluating the associated risks;
• Risk Control
• controlling these risks, and
• Production and Post-production activities
• monitoring the effectiveness of the risk control measures.

Establishing a Risk Management
11
Process
• Risk acceptability
• A company policy established for risk acceptability
• Depends on the type of device (i.e. risk classification and
complexity of the device)
• For example, can describe “reducing risk as low as reasonably
practicable, reducing risk as low as reasonably achievable, or
reducing risk as far as possible without adversely affecting the
benefit-risk ratio.”

12
Example of Criteria for Risk Acceptability

Taken from
Greenlight
Guru

Example of Criteria for Risk
13
Acceptability

Establishing a Risk Management
14
Process
• Personnel
• Criteria for competence described in ISO 14971
• Competence can be achieved by representatives of several
functions
• Competence: education, training, knowledge and experience
with the medical device (or similar) and it’s use, technologies, risk
management techniques

How to complete the Risk
Management activities?

16
Risk Management Plan

• Scope (device, life cycle phase)
• Responsibilities and authorities
• Requirements for review (can reference QMS)
• Criteria for risk acceptability (appropriate for device, can
reference the QMS if possible)
• Method to evaluate and criteria for acceptability of overall
residual risk (refer to company policy)
• Activities for verification of the implementation and
effectiveness of risk control measures
• Activities related to collection and review of relevant
production and post-production information.
17
Risk Management Plan

• Not all parts of the plan need to be created at the same
time.
• The plan or parts of it can be developed over time, as
development is performed

18
Risk Analysis
• Can be defined as “systematic use of available information to
identify hazards and hazardous situations, and to estimate the
risk associated with a medical device according to it’s
intended use / intended purpose and reasonably foreseeable
misuse”
• An overview of the medical device can be included in the risk
management plan, and should include:
• Description of the device
• Intended use
• Characteristics related to safety
• Human behavior should be accounted for in reasonably
foreseeable misuse

19
Risk Analysis
• The scope of a risk analysis can be broad or limited
depending on the intent (initial design or a change) and
should be defined in the risk management plan
• The records of risk analysis activities (conduct and results)
shall include:
• identification of the person(s) and organization who carried out
the risk analysis; and
• scope and date of the risk analysis.
• matrix format is most easy to use
• Initiated early in design, to allow risk control measures to
contribute to design inputs

20
Risk Analysis
• Identification of hazards and hazardous situations
• Hazard: potential source of harm (injury or damage to the
health of people, or damage to property or the environment)
• Refer to Table C.1 of ISO 14971:2019
• Hazardous situation: circumstance in which people, property or
the environment is/are exposed to one or more hazards
• Reasonably foreseeable sequences of events
• Refer to Table C.2 of ISO 14971:2019
• Device specific (intended use, foreseeable misuse, safety) and in
normal and fault conditions

Relationship between hazards, 21
foreseeable sequences of events,

hazardous situations and the harm that
can occur
Hazard Foreseeable Hazardous Harm O S Risk Risk
sequence of situation Control/Mitigation
events
Owning a Driving to work Person in front Whiplash
car suddenly slams (injury to the
on breaks driver)
Biological Inadequate Bacteria Bacterial
(Microbial instructions released at Infection
contaminati provided for site of implant
on) sterilization at user into soft tissue
facility, causing a
contaminated
implant placed
into patient

22
Risk Analysis
• Risk estimation
• Estimate the associated risk(s) for each identified hazardous
situation using available information or data.
• Risk: combination of the probability of occurrence of harm and the
severity) of that harm
• For hazardous situations for which the probability of the
occurrence of harm cannot be estimated, the possible
consequences shall be listed for use in risk evaluation and risk
control.
• The system used for qualitative or quantitative categorization of
probability of occurrence of harm and severity of harm shall be
documented (an SOP can be referenced in the Risk
Management File)

23
Acceptability
• Taken from Greenlight Guru


can occur
events
Owning a Driving to work Person in front Whiplash 3 3 Low
on breaks driver)
Biological Inadequate Bacteria Bacterial 2 4 Med
facility, causing a
contaminated
implant placed
into patient

25
Risk Evaluation
• For each identified hazardous situation, evaluate the
estimated risks
• Determine if the risk is acceptable or not, using the criteria
for risk acceptability defined in the risk management plan
and / or policy.
• Risk acceptable = no further activity = residual risk
• Risk not acceptable = risk control measures

26
Acceptability


can occur
events
Owning a Driving to work Person in front Whiplash 3 3 Low None required
on breaks driver)
Biological Inadequate Bacteria Bacterial 2 4 Med Required
facility, causing a
contaminated
implant placed
into patient

28
Risk Control
• Measures for risk control (in priority order)
• inherently safe design and manufacture
• protective measures in the medical device itself or in the
manufacturing process;
• information for safety and, where appropriate, training to users.
• Intended to reduce the severity of the harm or reduce the
probability of occurrence of the harm, or both.
• Standards are a good resource for risk control measures
• Many standards address inherent safety, protective measures,
and information for safety for medical devices. In addition, some
medical device standards have integrated elements of the risk
management process.


can occur
events
Owning a Driving to work Person in front Whiplash 3 3 Low None required
on breaks driver)
Biological Inadequate Bacteria Bacterial 2 4 Med Add prominent non-
(Microbial instructions released at Infection sterile symbol onto
contaminati provided for site of implant label
facility, causing a Ensure instructions
contaminated for sterilization are
implant placed easy to identify in the
into patient IFU

30
Verification of Risk Control Measures

• The implementation and effectiveness of the risk control
measure should be verified
• Can be performed as part of design V&V
• Can be performed as part of process qualification

31
Residual Risk Evaluation

• Performed following risk control measures
• Performed using risk acceptability criteria defined in risk
management plan / company policy
• Outcomes:
• Residual risk acceptable = no further action
• Residual risk not acceptable = further risk control measures
• Residual risk not acceptable = further risk control is not
practicable, benefit-risk analysis

32
Benefit-risk analysis
• If risk is still judged as unacceptable, data and literature
should be reviewed to determine if the benefits of the
intended use outweigh this residual risk
• Outcomes:
• Benefits outweigh this residual risk = no further action to reduce
• Residual risk outweighs benefit = modify device or intended use

33
Risks arising from risk control measures

• As new design features, or other risk control measures, are
being implemented, additional risk may be introduced or
changed
• Review whether:
• new hazards or hazardous situations are introduced; or
• the estimated risks for previously identified hazardous situations
are affected by the introduction of the risk control measures.
• These are then analyzed, evaluated and controlled as
described above

34
Overall Residual Risk

• Once all risk control measures have been implemented
and verified, overall residual risk is evaluated
• Contributions of all individual residual risks in relation to the
benefits of the intended use
• gathering and reviewing data and literature for the medical
device being considered and similar medical devices
• judgment by a cross-functional team of experts with application
knowledge and clinical expertise
• Overall residual risk evaluated using risk acceptability
criteria defined in risk management plan / company
policy

35
Overall Residual Risk

• Outcomes:
• Overall residual risk acceptable = users informed of significant
residual risks (e.g. IFU)
• Overall residual risk not acceptable = additional risk control
measures or modifying device or intended use

36
Risk Management Review

• Prior to commercialization (incorporate as part of final
design review)
• the risk management plan has been appropriately implemented,
including:
• Risk control activities for hazardous situations requiring mitigation have
been considered
• Risk control activities are complete
• Risk arising from risk control measures have been reviewed
• the overall residual risk is acceptable; and
• appropriate methods are in place to collect and review
information in the production and post-production phases.
• Performed by authority stated in risk management plan

Production and post-production
37
activities
• Aligned with postmarket surveillance and clinical
evaluation activities
• Collection of information:
• Production
• User
• Installation / Servicing
• Supply Chain
• Publicly available information (including similar devices)
• State of the art information (new or revised standards, published
data, alternative devices / therapies)

38
activities
• Review of Information:
• Review information collected with relevance to safety, with
consideration to the risk management activities
• Postmarket surveillance data should have a feedback loop into
the risk management file
• Clinical evaluation should have a feedback loop into the risk
management file

39
activities
• Relationships between
Clinical Evaluation, Risk
Management, Postmarket
Surveillance and Post-
market Clinical Follow-up

40
activities
• Actions to be taken if information relevant to safety:
• Device related:
• Is reassessment of risks necessary?
• Is assessment of new risks necessary?
• If a residual risk is no longer acceptable, the impact on previously
implemented risk control measures shall be evaluated and should be
considered as an input for modification of the medical device
• Action on the market?
• Risk management process related
• Impact on previously implemented risk management activities
• An input into the review of suitability of the process in management review

What does a Risk Management
File look like?

42
Risk Management File

• Can reference the documents included in the QMS or
point to other documents or files
• Traceability is required for each identified hazard to:
• the risk analysis
• the risk evaluation
• implementation and verification of the risk control measures
• the results of the evaluation of the residual risks.

43

• Risk management plan
• Can include overview of device, intended use and foreseeable
misuse, safety characteristics
• Competences and authorities of persons responsible for risk
management activities

44

• The implementation of the planned risk analysis activities
and the results of the risk analysis
• Most easily achieved using a matrix format:
• Hazards, foreseeable events and hazardous situations
• Risk (probability and severity of harm) Evaluation
• Risk Control Measures
• Residual Risk Evaluation
• Benefit-risk analysis for residual risk

45

• Verification of risk control measures
• Overall residual risk evaluation
• Risk management report
• Results of the risk management review
• On-going review of production and post production
information, and actions taken

46
• Questions?

GG Webinar - Structure Risk Management File

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GG Webinar - Structure Risk Management File

Uploaded by

Copyright:

Available Formats

How to Structure a Risk

© Copyright 2021 Kapstone Medical, LLC

STAY AHEAD, WITH US.

“My QMS is world “Design controls

“One-stop shop” “Fantastic product, even better https://academy.greenlight.guru/

• How to complete the Risk Management activities

• What does a Risk Management File look like?

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

What is Risk Management?

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

ISO 13485: 2016 (examples)

© Copyright 2021 Kapstone Medical, LLC

Where to include “risk” in the QMS?

© Copyright 2021 Kapstone Medical, LLC

The Risk Management Process

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

Example of Criteria for Risk Acceptability

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

Risk Management Plan

Risk Management Plan

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

foreseeable sequences of events,

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

foreseeable sequences of events,

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

foreseeable sequences of events,

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

foreseeable sequences of events,

© Copyright 2021 Kapstone Medical, LLC

Verification of Risk Control Measures

© Copyright 2021 Kapstone Medical, LLC

Residual Risk Evaluation

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

Risks arising from risk control measures

© Copyright 2021 Kapstone Medical, LLC

Overall Residual Risk

© Copyright 2021 Kapstone Medical, LLC

Overall Residual Risk

© Copyright 2021 Kapstone Medical, LLC

Risk Management Review

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

© Copyright 2021 Kapstone Medical, LLC

Risk Management File

© Copyright 2021 Kapstone Medical, LLC