What is risk management?
Risk management in medical devices is a systematic process for identifying, assessing, and mitigating potential hazards associated with medical device design, production, and use. Governed by ISO 14971, this framework ensures device safety and effectiveness by minimising risks to patients, users, and others.
The process begins with risk analysis, where the device’s intended use and possible hazards are identified. Each hazard’s potential harm and likelihood are evaluated, allowing for risk estimation. This leads to risk evaluation, where risks are compared against acceptability criteria to determine if mitigation is necessary.
Risk control measures are then implemented to reduce identified risks. These measures include designing safer devices, implementing protective measures, and providing safety information. Residual risks remaining after mitigation are reassessed to ensure they are acceptable.
Continuous monitoring is crucial; production and post-production information, including user feedback and incident reports, are collected and analysed. This data informs ongoing risk management activities, ensuring that new risks are addressed promptly.
ISO 14971:2019
ISO 14971:2019 is an international standard that provides a framework for risk management in the design and manufacturing of medical devices. It ensures that potential hazards associated with medical devices are systematically identified, evaluated, and controlled to minimise risks to patients, users, and others.
Compliance with ISO 14971:2019 is important as it:
- Ensures a systematic approach to identifying and mitigating risks.
- Enhances the safety and effectiveness of medical devices.
- Helps manufacturers comply with regulatory requirements.
- Improves patient and user confidence in medical devices.
The risk management process in ISO 14971:2019 involves several key steps outlined below:
Intended Purpose
- Define the intended use of the medical device and identify its essential performance characteristics.
Hazard Identification
- List all possible hazards associated with the device.
- Consider all phases: normal use, reasonably foreseeable misuse, installation, maintenance, and disposal.
Risk Estimation
- Estimate the risks associated with each identified hazard.
- Assess the severity of potential harm and the probability of occurrence.
- Compare estimated risks against predefined risk acceptability criteria.
- Decide if the risk is acceptable or if risk reduction is necessary.
Risk Reduction Measures
- Identify and implement measures to reduce risks.
- Apply a hierarchy of control measures: inherently safe design, protective measures, and information for safety.
Residual Risk Evaluation
- Assess the residual risk after implementing control measures.
- Ensure that the residual risk is acceptable.
Risk/Benefit Analysis
- Perform a risk/benefit analysis if the residual risk is not acceptable.
- Determine if the benefits of the medical device outweigh the residual risks.
- Evaluate the overall residual risk by considering all individual residual risks collectively.
- Ensure that the overall residual risk is acceptable according to the risk acceptability criteria.
- Conduct periodic reviews of the risk management process.
- Ensure that all identified risks are controlled and that the risk management plan is effective.
Collecting Information
- Gather information from production and post-production activities.
- Monitor feedback from users, complaints, and adverse event reports.
Review and Update Risk Management
- Update the risk management file based on new information.
- Adjust risk control measures and the risk management plan as necessary.
ISO 14971:2019 documentation
- Risk Management Plan: A document outlining the risk management activities, responsibilities, and criteria for risk acceptability.
- Risk Management File: A compilation of all documents and records generated during the risk management process.
- Risk Management Report: A summary of the risk management activities and outcomes, including overall residual risk acceptability.
Conclusion
Using ISO 14971:2019 as a medical device risk management framework ensures that all potential risks are identified, evaluated, and controlled effectively. This systematic approach helps maintain high safety standards and regulatory compliance, ultimately leading to safer medical devices and better patient outcomes.
Resources
MedDev Central Academy:
MedDev Central Knowledge Hub:
International Medical Device Regulators Forum (IMDRF):
United State of America (USA):
Food and Drug Administration (FDA) guidance document:
European Union (EU):
Medical Devices Regulation (MDR) 2017/745: Risk management is covered in:
- General obligations of manufacturers: Chapter I, Article 10(2)
- General Safety and Performance Requirements: ANNEX I, Chapter 1 (3), (4) and (5)
In Vitro Diagnostic Medical Devices Regulation (IVDR) 2017/746
- General obligations of manufacturers: Chapter I, Article 10(2)
- General Safety and Performance Requirements: ANNEX I, Chapter 1 (3), (4) and (5)
United States of America (USA):
Food and Drug Administration (FDA), Federal Food, Drug, and Cosmetic Act (FD&C Act) has no statutory or regulatory definition for “risk-based decision”, but it is incorporated into how FDA determines the safety and effectiveness of a device (PART 860.7 (d)(1))
- Further references to “risk” are specified in the QMS requirements PART 820 Quality System Regulation Procedures
International Standards:
Acceptance Criteria: The predefined standards and specifications that a device must meet during testing and evaluation to be deemed suitable for its intended use and to comply with regulatory requirements.
Classification: The process of categorising devices into different classes based on their intended use, level of risk to patients and users, and regulatory controls necessary to ensure safety and effectiveness.
Compliance: Adherence to regulations, standards, and guidelines set forth by regulatory authorities.
Control Measure: An action or activity that can prevent, eliminate or reduce a hazard to an acceptable level.
Fault Tree Analysis (FTA): A top-down, deductive failure analysis used to determine the chain of events that could cause a system-level failure.
Failure Mode and Effects Analysis (FMEA): A systematic method for identifying potential failure modes of a device and assessing their potential effects on device performance and patient safety.
Harm: Physical injury or damage to the health of people or damage to property or the environment.
Harmonisation: The process of aligning standards, requirements, and procedures across different jurisdictions to ensure consistent safety and efficacy evaluations and market access for medical devices.
Hazard: A potential source of harm.
Hazardous Situation: Circumstances in which people, property, or the environment are exposed to one or more hazards.
ISO 13485: An international standard that specifies requirements for a quality management system (QMS) specific to the medical devices industry.
ISO 14971: An international standard for the application of risk management to medical devices.
Manufacturer: A legal entity that designs, produces, assembles, or labels a medical device with the intention of placing it on the market.
Preliminary Hazard Analysis (PHA): Brainstorming structured process to identify hazards and hazardous situations early in medical device development.
Post-Market Surveillance (PMS): The proactive collection and review of experiences and data related to a device after it has been released onto the market to ensure continued safety and performance.
Probability of Occurrence: The likelihood that a specific hazard will occur.
Quality Assurance (QA): The systematic activities implemented to ensure that devices consistently meet regulatory requirements and standards while meeting user needs and expectations.
Quality Management System (QMS): A formalised system that documents the structure, responsibilities, and procedures required to achieve effective quality management.
Record: A documented piece of evidence detailing activities, decisions, or results, created and maintained to demonstrate compliance with regulatory requirements and quality management standards.
Regulation: The rules, laws, standards, and requirements set by regulatory authorities to ensure the safety, efficacy, and quality of devices intended for medical use.
Regulatory Authority: An official body overseeing and enforcing laws, regulations, and standards within a specific industry or sector to ensure compliance and protect public interests. Also known as a Regulatory Authority. Also see Competent Authority and Notified Body.
Regulatory Submission: The formal process of submitting documentation and data to regulatory authorities for review and approval to market or sell the device within a specific jurisdiction.
Residual Risk: The risk remaining after risk control measures have been taken.
Risk: The combination of the probability of occurrence of harm and the severity of that harm.
Risk Analysis: The systematic use of available information to identify hazards and to estimate the risk.
Risk Assessment: The overall process comprising risk analysis and risk evaluation.
Risk Communication: The exchange of information about risks between decision-makers and other stakeholders.
Risk Control: The process by which decisions are made, and measures are implemented to reduce or maintain risks within specified levels. It is also known as Risk Mitigation.
Risk Evaluation: The process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk.
Risk Management (RM): The systematic application of management policies, procedures, and practices to the tasks of analysing, evaluating, controlling, and monitoring risk.
Risk Management Plan (RMP): A document that outlines the risk management process for a medical device throughout its lifecycle.
Risk Management File (RMF): A compilation of all documents and records generated during the risk management process.
Risk Management Report (RMR): A summary of the risk management activities and outcomes, including overall residual risk acceptability.
Safety: The condition of being protected from or unlikely to cause danger, risk, or injury.
Severity: A measure of the possible consequences of a hazard. Also see Risk and Probability of Occurrence.
Standard: A document that provides guidance, requirements, or specifications established by regulatory bodies, industry organisations, or international consensus groups.
Technical Documentation: All documents that demonstrate the design, manufacture, and performance of the device, essential for ensuring compliance with regulatory requirements. This is also known as the Technical File.
Traceability: The ability to verify an item’s history, location, or application by means of documented recorded identification.
Traceability Matrix: A document that maps and links requirements throughout the development lifecycle, ensuring that each requirement is tested and validated, thereby demonstrating compliance with regulatory standards.
User Requirements: The requirements and preferences of the intended users, which must be considered and addressed in the device design. Also known as User Needs or Customer Specifications.