Key Challenges for Risk Management in Medical Device Development

January 29, 2017

If you’re in the business of developing medical devices,. then risk and risk management become terms synonymous with your daily operations.

Your overall task is to bring a device to market that not only has an impact through providing a needed function to a patient, but is proven to be safe to use. A product that may be used by someone who is near and dear to you, too…

Risk management can be a daunting and often confusing subject. Even the most experienced businesses trip over from time to time, so it always pays to keep your knowledge up-to-date.

We looked into some key challenges that have been common in risk management lately, because it’s always better to know where others are being challenged and what to do about it!

Here is what we’ve found:

Keeping up with changes to ISO 13485

If one thing is certain in the world of medical device development, it’s that change is our constant companion. ISO 13485:2016 was published in the first quarter of 2016 and contains amendments for how companies are to ensure their quality management system (QMS) incorporates a risk-based approach.

The challenge here is that almost every company that is operating with an ISO 13485 QMS in place will have to take action to update procedures and processes to account for risk-based approaches. Depending on where your company is at, this could involve some major changes within your operations.

While the adoption period for 2016 is technically three years from its publication (or 2019), ISO registrars are already working with companies to transition to the new version. The bottom line? Knowing what is changing and making plans to comply early will save your company hassle down the line and possible issues with non-compliance.

Click here to instantly download a quick cheat sheet of the key changes you should know about with the introduction of ISO 13485:2016.

Tips for complying with ISO 13485:2016

Assuming your company is one that would like to be ahead of the game, now is the time to be conducting a gap analysis to determine impact of the changes and establishing quality plans to implement any updates as soon as possible.

Here are a few tips for ensuring you’re geared with the right information:

The full text of ISO 13485:2016 is available now for purchase. You will find appendices to compare changes versus the 2003 version of the standard.
Greenlight Guru has put together some webinars to help inform you about specific changes in ISO 13485:2016. You can find other related webinars here. on our website here.
Changes are wide-ranging but focus mainly on risk management. For example, there is now a specific requirement for documenting the maintenance of equipment that is used in production, control of the work environment and monitoring and measurement.
Seek assistance from an accredited ISO registrar to help with your transition.

Consistent application of ISO 14971

First of all, ISO 14971 is a standard for the application of risk management to medical devices. While this standard has been established for many years, many companies seem to struggle with consistent application and get flagged for compliance issues.

All product related risk management procedures and practices must be in alignment with ISO 14971, so it’s worth knowing about specific areas that continue to be an issue. This is the standard across the board, no matter which country you’re developing in.

Common challenges

Here are some of the common challenges we’re seeing:

Overuse or over-reliance on FMEA (failure modes and effects analysis) as a tool. While FMEA is a very good tool for assessing single-fault failure modes and reliability, using only FMEA means to identify, assess, and evaluate risks has shortcomings.

Specifically, FMEA only assesses failure modes and single-fault failures at that. ISO 14971 is very clear that a company needs to evaluate hazardous situations. This means considering foreseeable sequence of events. This also means considering non-failure mode situations. To learn more, check out a detailed blog post on the topic why FMEA is not ISO 14971 risk management.

Risk management is often not continued throughout the entire product lifecycle. Companies do a decent job of risk management during the product development process (aside from the above noted overuse of FMEA). However, once a device is transferred from development into production, risk management documentation is often neglected and not kept up to date. ISO 14971 is clear that risk management is a total product lifecycle process, including production and post-production.

Regulatory agencies (such as FDA, ISO registrars, and notified bodies) are becoming more and more sophisticated with their knowledge, understanding, and expectations regarding application of ISO 14971, regardless of the version in use. We go over the “plain English” of it here, including a handy infographic. You can also find webinars and risk management guides in our resources.

Risks associated with manufacturing processes

In our experience, many companies are neglecting to capture risks associated with manufacturing processes. ISO 14971 does specify that the risks associated with manufacturing processes are to be included as part of a product's risk management file. The actual practice of doing so is very inconsistent within the industry.

It’s important to remember that risk management is a full lifecycle activity for medical device development. Risk documents need to be transferred between each stage (such as product development to production) and a management plan needs to be in place for the manufacturing process.

Confusion over applicable ISO 14971 version

Do you sell medical devices into the European Union market? If so, this is for you in particular. There has been quite some confusion about ISO 14971:2007 versus EN ISO 14971:2012 and which is applicable to whom. If you sell into the EU, then the EN version is for you.

The normative requirements of these two standards are the same. The EN version introduced a few new "Z" annexes. The Z annexes specify the need to document risk / benefit analysis for every single risk item, regardless of how significant. The Z annexes also require risk controls be identified for every single risk item, regardless of how significant. The 2007 version specifies risk / benefit analysis and risk controls for higher risk items.

Many companies are still not clear if and/or when EN ISO 14971:2012 applies to them. Additionally, many companies do not consistently align with the Z annexes.

Tips for understanding ISO 14971 version compliance

If you’re manufacturing devices for the EU market, then EN ISO 14971:2012 is for you.
Pay attention to the “Z” annexes in particular, these are where the EN ISO 14971 standard does and does not meet the requirements of the European Directives.
The Annex Zs describe these differences as Content Deviations for each Directive.You must assess and take care of the gaps between the standard and the Directives.

Final thoughts

We’re seeing some key challenges appear for risk management in medical device manufacturing, but with a bit of planning, these can be overcome.

Be aware of the changes being implemented with ISO 13485:2016 and plan to be on top of them early. Know the common challenges with ISO 14971 compliance and be prepared to mitigate those in your own processes.

Risk management is a full life cycle activity for medical device development, be systematic and review often.

Click here to instantly download a quick cheat sheet of the key changes you should know about with the introduction of ISO 13485:2016.

Jon Speer

Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.