QUALITY SYSTEM PROCEDURE

Document Title Risk Management

Document Code
Issue/Revision Number
Page 1 of 10 Effective Date

1- PURPOSE:

The purpose of this procedure is to describe how to perform the risk Management file for A Medical
Device manufactured in MEDICA-LAB in accordance to the ISO 14971:2019.

2- SCOPE:

This procedure covers all products manufactured in MEDICA-LAB.

3- RESPONSIBILITY:

QA Manager

Medical Expert

All departments Manager

General Manager

4- DEFINATIONS:

4.1 Harm: Physical injury or damage to the health of people, or damage to property or the
environment.
4.2 Hazard: Potential source of harm.
4.3 Hazardous Situation: Circumstance in which people, property, or the environment are exposed to
one or more hazard(s).

4.4 Risk: Combination of the probability of occurrence of harm and the severity of that harm.
4.5 Risk Analysis: Systematic use of available information to identify hazards and to estimate risks.
4.6 Severity: Measure of the possible consequences of a hazard.
4.7 Residual Risk: Risks remaining after risk control measures have been taken, excluding the
information given to users.

5- PROCEDURE:

5.1 Risk management process activities:

- Establishing documents and maintain a process of identifying the hazards related to the medical
device.
- There are the following elements to identifying the hazards.
1. Risk Analysis
2. Risk Evaluation
3. Risk Control
4. Evaluation of overall Residual Risk
5. Risk Management Review
6. Production and Post-Production Activities
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 2 of 10 Effective Date

- This process is followed throughout the lifecycle of the product and all documents of the new
product design/ development process and the appropriate parts of the risk management process
should be recorded and maintained as per Annex A of the ISO 14971: 2019

Risk Assessment
Risk Analysis

Intended use and reasonably

foreseeable misuse.
Identification of characteristics

Risk Management
related to the safety.
Identification of hazards and
hazardous situations.
Risk Estimation.

Risk Evaluation

Risk Control

Risk Control Option Analysis

Implementation of risks
control measures
Residual Risk evaluation
Risk/Benefit analysis
Risks arising from risk control
measures
Completeness of risk control

Evaluation of overall residual

risk

Risk Management Review

Production and Post- Production

- The top management is committed
Activitieswith regard to identification, evaluation and control of risks
related to product safety. They are responsible for collecting adequate sources of information and
Collection of Information
Review of Information
Actions
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 3 of 10 Effective Date

assigning the qualified personnel for risk management. They are also responsible for this policy on
how acceptable risks will be determined.

- Risk Management File Shall Contain Risk Management Plan, Risk Management Policy, Risk
Management Objective and should be communicated to ensure it is being understood within the
organization by:
 Displaying at various strategic area;
 Existing members briefed by their respective Heads on the policy;
 New members are to be briefed during their induction/orientation

- The following Risk Management Policy provides a direction to all employees to achieve our
Organization Risk Management Objective; it also provides a framework for establishing and
reviewing Risk Management objectives.

- In order to achieve the Risk Management Policy, employee at all levels throughout the
organization shall declare, implement and maintain Risk Management Objectives.

- The company’s management shall review the continuing suitability and effectiveness of the Quality
Management System at defined intervals to fulfil the requirement of customers and authorities
and to satisfy the company’s stated Risk Management Policy and meet the company’s Risk
Management objective. At least once a year, the management review shall be conducted to ensure
the system is effective and up-to-date. Compliance of the Risk Management file is checked during
the review.

- The Risk Management File has to document the risk management activities as below:
 Annex A Identification of medical device characteristics that could impact on safety
 Annex B Risk Management Plan
 Annex C Risk Management Process
 Annex D Risk Management Report
5.2 Risk management plan:
- shall include the following:
 Risk Management Team.
 The scope of the planned risk management activities.
 Identifying and describing the medical device and the life cycle phases for which the
plan is applicable.
 Allocation of responsibilities and authorities.
 Requirements for review of risk management activities.
 Criteria for risk acceptability.
 A method to evaluate the overall residual risk and the criteria for acceptability of the
overall residual risk.
 Activates related to Collection and review of the production and post- production
information.
- All records of the plan changes during the life cycle of the medical device shall be maintained in
the risk management file.
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 4 of 10 Effective Date

- MEDICA-LAB shall record and maintain the result of all risk management activities in the risk
management file for the medical device or accessory being considered the information is
maintained as per ISO/TS 24971. This provides the traceability for each identified hazard.

5.3 Risk Analysis:

5.3.1 Risk Analysis Process:
- MEDICA-LAB shall maintain the record of the risk analysis in the risk management file and the
analysis involves the process for biological hazards as per ISO/TS 24971.

- The conduct and result of the risk analysis shall include at least the following:
 A description and identification of the medical device or accessory that was analysed
 Identification of the person(s) and organization which carried out the risk analysis
 Scope and date of risk analysis

- Risk Analysis process shall be documented and maintained in Risk Management File.

5.3.2 Intended Use, foreseeable misuse and Identification of characteristics related to Safety:
- A complete description of the product should be made to assist in the identification of all possible
risks associated with the product.

- The documentation should contain both quantitative as well as the qualitative characteristics that
could affect the safety of the medical device.

- MEDICA-LAB identifies those characteristics of the medical device that could affect safety and
consideration of these characteristics is an essential step in identifying the hazards of the medical
device which achieved by asking a series of questions concerning the manufacture, users, intended
use, reasonably foreseeable misuse, and ultimate disposal of the medical device as per ISO/TS
24971.

- The following shall be taken into consideration:

 Product Information
A complete description of our product should be made to assist in the identification of all possible risks
associated with the product.
The following shall be taken into consideration: -
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 5 of 10 Effective Date

 Information on raw materials “Suppliers, Delivery method, packaging & storage conditions,
preparation before use, etc”.
 Information on each product/product category “Raw materials use, a sensitive chemical
identified, storage and distribution conditions”.
 Potential users and consumers shall be identified for each product/product category.
Consumer groups known to be especially vulnerable shall be indicated. The intended use
with regard to storage, preparation and operation. To ensure optimum consumer safety, the
following conditions shall be taken into consideration: -
 Product storage, preparation, and operation where applicable.
 Distinctive product labeling, if any.
 Product with a specific requirement.
 Product shelf life/ lifetime and etc.

 Process Information
Quality Control Plan (in accordance with the product flow) is prepared for all categories of products
covered by the scope of the Quality Management System.
The Risk Management Team shall periodically (at least once annually) verify the Quality Control Plan and
the product flow in order to timely identify, document the changes/modifications of the process and to
be able to estimate the risks.
The Quality Control plan and product flow shall include the following:
 The sequence of all steps in the manufacturing process including critical process steps.
 Where raw materials and intermediate product (input) join the flow (including
subcontracted work).
 Where loops for reworking and recycling take place.
 Where intermediate products, by-products and waste (output) are removed where
necessary
 Provisions for cleansing and disinfection of machines, equipment and tools.
 Provisions with start-up, shutdown, emergency, stops etc.
MEDICA-LAB shall maintain the records in the risk management file.

5.3.3 Identification of Hazards and Hazardous Situation

- The hazards associated with the medical device in both normal and fault conditions shall be
documented and maintained in the risk management file.

- The identification should be based upon the safety characteristics and intended purpose of the
device.

- Reasonably foreseeable sequences or combinations of events that can result in a hazardous

situation shall be recorded in the risk management file. It needs to be emphasized that hazardous
situations can arise even when there are no faults, i.e. in the normal condition for the medical
device.

5.3 Risk Evaluation:

 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 6 of 10 Effective Date

 General
A risk can only be estimated once a hazardous situation has been identified. Risks can be estimated by
qualitative or quantitative categorization of harm or severity of harm.
Quantitative risk estimation is preferable when suitable data are available; however, without suitable
data, qualitative methods of risk estimation can be sufficient.
The concept of risk is the multiplication of “probability of occurrence of harm (P)” and “the
consequences of that harm (S) Severity”.
Risk Management Team shall specify the criteria for risk acceptability in order to estimate and evaluate
risks for each hazardous situation to decide if risk reduction is required.
Risk Estimation should examine, for example:
 Initiating event or circumstance
 The sequence of events that could lead to a hazardous situation
 Likelihood of such a situation arising
 The likelihood that the hazardous situation leads to harm
 Nature of harm that could result.

 Probability Estimation
Seven approaches are commonly employed to estimate probabilities:
 Use of relevant historical data;
 Prediction of probabilities using analytical or simulation techniques;
 Use of experimental data;
 Reliability estimates;
 Production data;
 Post-production information;
 Use of expert judgement

Wherever possible multiple approaches should be used. In this way, they work as independent works on
each other and this might serve to increase confidence in the results. When these approaches cannot be
used or are not sufficient, it might be necessary to rely only on expert judgement.

 Risks whose probability cannot be estimated

In the absence of any data on the probability of occurrence of harm, it is not possible to reach any risk
based on the nature of the harm alone. If it can be concluded that the hazard is of little practical
consequence, the risk can be judged acceptable and no risk control measures are necessary. However,
for significant hazards which could inflict harm of high severity, then the risk estimate should be on the
basis of a reasonable worst-case estimate of probability.

Probability (P)
Grade Rank Description
Extreme
P1 Unlikely to occur within the product’s useful life
remote
Remote P2 Low, but not negligible likelihood
Occasional P3 Occasional failures at irregular, infrequent intervals
Probable P4 Likely to happen
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 7 of 10 Effective Date

Frequent P5 Highly likely to occur

 Severity Estimation
Severity levels will need to be chosen and justified by the manufacturer for a particular device under
clearly defined conditions of use.

Severity (S)
Grade Rank Description
Negligible I – S1 Inconvenience or temporary discomfort
Results in temporary injury or impairment not requiring professional medical
Minor II – S2
intervention
Serious III – S3 Results in injury or impairment requiring professional medical intervention
Critical IV – S4 Results in permanent impairment or life-threatening injury
Catastrophic V – S5 Results in patient death

The estimated risks in a hazardous situation are entered into the appropriate cells in a 5 x 5 semi-
quantitative risk matrix.

 Identification of the possible hazards and estimate of relative risks to each hazard:
- In this step, identifying the possible hazards associated to the product and evaluating the risk
related to each hazard by the consideration of the probability of the hazard occurrence and the
severity of the same one once happened. The hazard of a product is inherent to its technology
although naturally this risk is minimized in its design and production.
- The probability and the severity are coded according to the following table:

Qualitative severity levels

(5) Frequent
(AFAP Unacceptabl
(4) Probable
Zone) e Risk
Probability

(3) Occasional

(2) Remote

(1) Extremely
remote
Negligible Minor Serious Critical Catastrophic
(I) (II) (III) (IV) (V)
Severity

Unacceptable Risk
Investigate Further Risk Reduction ( AFAP: As Far AS Possible)
Insignificant Risk

- The entire identified hazards require to be removing or reducing as far as possible and all the
record of risk evaluation should be maintained.
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 8 of 10 Effective Date

- A summary is performed of risk distribution in a table of accepted risk limits.

- The distripution of the zones of acceptance and non acceptance of the risk is established by the
criterion that any risk that may cause a severe accident with the patient / client is unacceptable.
- The acceptable region of the matrix will be depending on product complexity and intended use
which is explained in the Risk Management File.
- The risk acceptability is based on the following criteria:
 using applicable standards that specify requirements which will indicate achievement of
acceptability concerning particular kinds of medical devices or particular risks;
 comparing levels of risk evident from medical devices already in use;
 evaluating clinical study data, especially for new technology or new intended uses;
 Taking into account state of art and technology and practice existing at the time of design,
 using standards used for the same or similar devices;
 best practices as used in other devices of the same or similar type;
 Results of accepted scientific research.

5.4 Risk Control:

- For the unacceptable and AFAP zone risks, we can control those risks by the following three ways
listed (according to ISO 14971:2019):
 Inherent safety by design (design measure of control).
 Protective measures in the medical device itself or in the manufacturing process
(Protective measure of control).
 Information for safety (Information measure of control).

5.5 Overall Residual Risk:

 Residual Risk Evaluation:

- To re-evaluate the risks.
- It is by using the same criteria of establishing for severity, occurrence, risk levels, and risk
acceptability as discussed before.
- The objective is to evaluate the residual risks to determine if the risk level has been reduced to
acceptable levels (or is reduced as far as possible).
- In the event the residual risks are still unacceptable, revisit Risk Controls to identify other means to
reduce.
 Benefit Risk Analysis:
- The concept of a benefit-risk analysis is this: the medical benefits of the medical device outweigh
the residual risk.
- After you identify Risk Controls and evaluate residual risks, it is still possible that you will have
some risks that are still in the unacceptable level. In these cases, it might make sense to conduct
and document a benefit-risk analysis (BRA).
- The BRA must be documented and provided objective evidence and rationale for why the medical
benefits outweigh the unacceptable risks. If you are able to do so, the BRA is a special provision for
moving forward with unacceptable risks. An important thing to remember is financial reasoning
should never be included in a BRA.
 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 9 of 10 Effective Date

- The benefit-risk analysis topic can be a slippery slope. You should definitely take every possible
measure to reduce the risk first via Risk Controls.
- The BRA is required for all risks, the regulations state that all risks shall be reduced as far as
possible. This is something to consider when you are drafting your risk management plan.
 Overall Residual Risk Acceptability:

 Using the same severity, occurrence, risk level, and risk acceptability criteria you use throughout
the process:
- If you determine that the overall residual risk of the entire product is not acceptable, this is
another case where you can conduct a benefit-risk analysis. The overall BRA should be included
with your Risk Management Report.
- If you determine that the overall residual risk of the entire product is acceptable, document this
decision and support your rationale, then include this in the Risk Management Report.

5.6 Risk Review:

- Before going to market with the medical device, the results of all steps in the risk management
process shall be reviewed to ensure completeness.
- It is needed to establish a Risk Management Report which will summarize all the risk management
activities and include any benefit-risk analyses and explanation of overall risk acceptability.
- The Risk Management Report should also discuss the plans for evaluating risks in production and
post-production.
- The executive management of the company should approve the Risk Management Report.

5.7 Production and Post Production Information:

- The manufacturer maintains a systematic procedure to review QMS, the information is being
evaluated and other risks should be added as the following:
- Complaints need to tie into Risk Management. Did the complaint identify a new hazard or
hazardous situation not captured? Does the occurrence of harm align with what you estimated?
- Customer feedback needs to tie into Risk Management. Did you learn something about your
product that impacts the Risk Management?
- Non-conformances need to tie into Risk Management.
- CAPAs need to tie into Risk Management.
- Once you begin manufacturing and launch your medical device into the market, you are going to
learn a great deal about the product.
- You need to make sure that your Risk Management documentation is current and as best as
possible, an accurate reflection of the actual risks your product poses.
- The risk management file should be updated at least annually.

5.8 Relation of RMF with other files:

- The Risk Management report should be submitted to the PSUR and SS&CP as per their QPs.
- The risk management should be related to the PMCF.
- The risk management should be correlated with the PMS files
- The risk management should be updated proactively and reactively periodically.

6- REFRENCE:

EN ISO 13485: 2016 Medical Devices - Quality Management System

 QUALITY SYSTEM PROCEDURE
Document Title Risk Management
Document Code
Issue/Revision Number
Page 10 of 10 Effective Date

EN ISO 14971:2019 Medical devices — Application of risk management to medical Devices

EU 217/745 Medical Device Regulation

7- ATTACHMENTS:

NIL

8- FORMS:

Risk Management File F-QP 45-01

9- REVISION HISTORY:

Page no. Revision No. Release Date Reason

- 00 01-06-2021 1st issue
7,8&9 01 01-02-2022 According to MDR

Prepared by: Approved by: Control Status: