A Brief Introduction to Medical Device Risk Management (Plus 5 Tips)

July 15, 2015 ░░░░░░

5 tips (5) Risk management will have the most significant impact on the medical device industry within the next 10 years.

Maybe you could present the case that risk management is already having a significant impact on the industry.

I would believe you.

During my 17+ year career in the medical device industry, the emergence and sudden importance of risk management has been the most striking phenomenon.

I started my career soon after FDA Design Controls became law in the U.S. At that time, the term risk management was not common. In fact, you won’t find the term “risk management” in FDA regulations at all.

In those days, the term that was used was “risk analysis” (which you will find one reference to in 820.30(g) Design Validation). And we loosely followed an industry standard known as EN 1441.

The tool most commonly used to conduct a risk analysis was a FMEA (failure mode effects analysis). Not a new or unique technique for the medical device industry. In fact, FMEA came into use first in the aerospace sector and came into fashion largely due the “big 3” from the automotive industry.

In the late 1990s / early 2000s, risk terminology started to infiltrate the medical device industry. But for most, when we heard “risk” we equated this to “FMEA”.

So much so, that even today, most medical device professionals will often use FMEA as a synonym for risk management.

I can take you through my own personal risk management history lessons but will spare you the boring details.

Instead, I want to do my best to get you as up to speed as possible with respect to risk management.

ISO 14971

Know this. If you are designing, developing, and/or manufacturing medical devices you better know about ISO 14971.

ISO 14971 is the standard accepted throughout the world for medical device risk management.

The medical device regulatory agencies have accepted ISO 14971 AND expect you to document risk management activities throughout the entire product lifecycle. From device inception through obsolescence.

FMEA is NOT Risk Management

I shared with you my early exposure to risk in the med device industry. For many, many years, I accepted the notion that a FMEA would satisfy risk management requirements.

If you think this way, you HAVE TO PURGE THIS from your brain.

FMEA is NOT risk management.

If you are up for a little bit of fun, post a discussion in a medical device LinkedIn group stating “FMEA is risk management”. The comments will come flying in.

Risk management can be a topic that is somewhat polarizing, at times.

There are the ISO 14971 purists who vehemently argue and defend all the clauses, definitions, and intent of the standard.

There are those clinging to FMEA = Risk Management argument, building the case for why the use of detection is a viable metric.

Most of us are just confused about risk

Frankly, most of us are more than just a little confused about risk management.

We know about ISO 14971:2007. We realize our company practices have been largely FMEA-centric. And we are trying to figure out how to satisfy both points of view without creating extra, busy work.

We are vaguely aware of EN ISO 14971:2012, yet have very little awareness as to whether this replaces the 2007 version, is in addition to 2007, or something unknown altogether.

Plus, we interact with regulatory agencies, such as FDA, who seem to have little guidance and working knowledge of risk management and ISO 14971.

When we seek knowledge about risk management, we go to the experts only to find that few of the experts seem to agree. In many cases, ISO 14971 risk management experts seem to be arguing with one another over the interpretation and meaning of the entire process.

In the end, because of our confusion, our risk management policies, procedures, and practices evolve very little because everyone in the medical device industry seems to be just as confused.

5 tips to help you manage risk management madness

1. Get a copy of ISO 14971:2007 and EN ISO 14971:2012 (especially if you plan to be in EU)

Yes, I know this seems like very trivial tip. However, you would be surprised how many medical device companies do NOT have a copy of ISO 14971.

I encourage you to get copies of both versions too. The main difference between 2007 and 2012 relates to the “Z” annexes. The normative standard is the SAME between the two. The 2012 version is currently required if you have medical devices in EU.

To sum it up, the expectations are slightly more stringent for the 2012 version.

Good news: If your risk management process meets 2012, it will also meet 2007.

2. Establish a Risk Management Policy and Procedure

You need to establish your company’s risk management policy.

You also need to establish your company’s risk management process. And this is where I find ISO 14971 is VERY good. This standard does a pretty decent job laying out the basic steps expected in a risk management process. Use the standard as your guide.

When you do, you should quickly grasp that ISO 14971 really does define risk management is a systematic, logical fashion.

3. Keep your severity, probability, and risk levels simple

When you read the official ISO 14971 definition for the term “risk”, it states:

Risk - combination of the probability of occurrence of harm and the severity of that harm

This implies that you will need to somehow assess severity of harm, probability of occurrence of harm, and risk levels.

A very common technique for doing so is to assign scores to severity and probability and to calculate a risk score. (NOTE: This technique is borrowed from FMEAs.)

Technically speaking, assigning scores and calculating a score is not wrong. However, the risk management purists will advise you to steer away from this practice.

Regardless, you do need to identify severity and probability levels, along with risk levels.

When doing so, keep it simple. I recommend having somewhere between 3 - 5 levels for severity and probability.

With respect to risk levels, I recommend 3 levels: high, medium, and low.

4. Use risk management as a tool during design & development

All too often, risk management is treated as a checkbox activity that has to be done during design and development.

Avoid this trap.

Do your best to incorporate risk management as an actual tool during design and development. The intent is to help make your medical devices safer. Ideally, risk management is incorporated as part of your design and development.

There is a natural flow and rhythm between risk and D&D. For example, hazards and hazardous situations should have an influence on design inputs and risk controls result in design outputs, verification, and/or validation activities.

5. Use risk management as a tool after design & development

Unfortunately, most risk management activities are buried once a product exits design and development. Risk management is not treated as a true lifecycle process.

Sometimes there are attempts to do so. But these attempts are usually flawed because the risk management file is not kept up to date and current.

And it’s no wonder. Very few companies have figured out how to keep risk management documentation as “living”.

Despite the challenges, you need to do this. You need to ensure your product risk management files live beyond product development. You need to make sure that production and post-production events, such as CAPAs, complaints, non-conformances, etc. find their way into your product’s risk management file.

Jon Speer

Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.