Medical device companies MUST have established risk management processes that comply with ISO 14971.
And it doesn’t matter if you are developing medical devices in the U.S., EU, Canada, and so on.
EVERY INTERNATIONAL REGULATORY AGENCY YOU’VE EVER HEARD OF ACCEPTS ISO 14971 AS THE RISK MANAGEMENT STANDARD FOR THE MEDICAL DEVICE INDUSTRY.
Changes in Nurse Staffing Answer Clinician Demands
The ongoing nursing shortage facilitates high turnover rates since nurses know they won’t have difficulties finding new jobs. In order to retain and attract staff, it’s in a facility’s best interest to understand what nurses want.
ISO 14971 is a good standard. Informative and descriptive. Easy (enough) to comprehend.
Let’s do a brief walk-through of the standard in plain English and provide an overview of key definitions and concepts.
ISO 14971 Risk Management Key & Definitions
Section 2 of ISO 14971 provides a thorough list of key terms and definitions relating to risk management. I am not going to go through every single term. However, I will share a few key definitions.
Tackling Rising Drug Costs and Growing Popularity of GLP-1’s
See how Quantum Health is providing the steps to help their members tackle the cost of specialty medications and other drugs.
RISK -combination of the probability of occurrence of harm and the severity of that harm
HAZARD -potential source of harm
HAZARDOUS SITUATION – circumstance in which people, property, or the environment are exposed to one or more hazard(s)
HARM – physical injury or damage to the health of people, or damage to property or the environment
SEVERITY -measure of the possible consequences of a hazard
RISK ANALYSIS -systematic use of available information to identify hazards and to estimate the risk
RISK ESTIMATION– process used to assign values to the probability of occurrence of harm and the severity of that harm
RISK EVALUATION -process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk
RISK ASSESSMENT -overall process comprising a risk analysis and a risk evaluation
RISK CONTROL – process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels
RESIDUAL RISK– risk remaining after risk control measures have been taken
Getting a grasp on the list of terms above is critical to understanding medical device risk management. These terms need to become ingrained in the lexicon of medical device professionals.
Yes, I realize you might be using other tools–such as FMEA– to capture risk management activities. And I realize that these other tools might have similar terminology. Terms such as:
- Failure Modes
- Causes
- Criticality
- Detection
- Risk Priority Number
It will be easy for you to fall into the trap that these other terms from your other risk tools are close enough to ISO 14971 to be more or less the same.
Please do not fall into this trap.
ISO 14971 is different than FMEA.
ISO 14971 Risk Management Process Overview
This infographic aligns with the standard directly on a one to one basis. And when you let this soak in a minute or two, you can start to see how this image can and should become the foundation for your company’s internal risk management process.
You don’t have to re-invent the wheel.
You don’t need to try and twist and contort your current non-ISO 14971 based processes.
Make your lives a little bit easier. Make sure your risk management process aligns with ISO 14971 standard.
Risk Analysis
Based on figure 1 from ISO 14971 outlining the risk management process for medical device manufacturers, the first major phase is risk analysis.
Risk analysis is the systematic use of available information to identify hazards and to estimate the risk.
In order to do so, you need to define the scope of your medical device.
You need to specify the intended use of the product.
And then you start to identify hazards and hazardous situations. (NOTE: Refer to Annexes E and H in ISO 14971 for guidance on this).
Once hazards and hazardous situations are captured, you need toestimate risks.
Remember, RISK is acombination of the probability of occurrence of harm and the severity of that harm.
This can be read as:
RISK = SEVERITY (S) x OCCURRENCE (O)
However you interpret this, you need to estimate the severity of harm that can result from hazards / hazardous situations.
You then need to estimate the probability of occurrence of each harm.
Risk Evaluation
After estimating risk by definingseverity and occurrence, you now need to evaluate the risks.
A very common approach for doing so is to define a risk evaluation matrix.
Risk evaluation involves deciding which risks are acceptable and which are unacceptable.
Risk Control
Risk controls are implemented as a means to reduce and mitigate unacceptable risks.
There are a few options to consider when implementing risk controls.
By far the most common risk control measure is to edit product labeling. But know that labeling as a risk control is absolutely the least effective.
Ideally, risk controls should be considered according to the following priorities:
- Product Design
- Protective measures incorporated within the medical device
- Labeling, instructions for use
Once implemented you need to confirm and document the effectiveness of each and every risk control measure.
Residual Risk Evaluation
After confirming effectiveness of risk controls, you then re-evaluate the resulting risks.
And if risks are still unacceptable, additional risk controls will be necessary.
Interestingly, as you implement risk controls, you could be introducing new hazards and hazardous situations.
These possiblenew hazards and hazardous situationsalso need to be estimated and evaluated.
Risk / Benefit Analysis
Sometimes additional risk controls are not practical.
In these events, you have an opportunity to conduct a risk / benefit analysis where you compare the medical benefits of your device and the residual risks.
(NOTE: I am not going to go through the differences between ISO 14971:2007 and EN ISO 14971:2012 in this post. It is quite the ongoing debate!)
Evaluation of Overall Residual Risk Acceptability
Evaluating risks and residual risks for individual hazards and hazardous situation is not enough.
You also need to evaluate the entire medical device and the overall residual risk acceptability.
It is possible for risks associated with individual hazards to be acceptable but that the entire product may not be acceptable.
Either way, you need to evaluate and document whether or not the product meets the acceptability criteria defined by the company.
Risk Management Report
When all the steps mentioned above have been addressed, a Risk Management Report shall summarize all the risk activities.
Production & Post-Production
Medical device risk management is a total product lifecycle process.
This means you need to keep the risk management records up-to-date even after the product exits product development.
The process should involve systematic review of risk management file and be updated when events such as complaints, product feedback, non-conformances, etc. occur.
Jon Speer is the founder and VP of QA/RA at Greenlight Guru, a software company that produces the only modern quality management software solution exclusively for medical device companies. Device makers in hundreds of cities in more than 30 countries use Greenlight Guru to get safer products to market faster while pushing beyond compliance to True Quality.
Jon is a medical device industry veteran with over 20 years experience having helped dozens of devices get to market over his career in a variety of roles including product development, project management, quality and regulatory. He is a thought leader, speaker and regular contributor at numerous leading industry publications. He is also the host of the #1 most downloaded podcast in the industry, The Global Medical Device Podcast.
This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.