Quick links

Medical Devices Risk Management Harmonised with Quality Management Systems

NIC Document


Risk management is developing and has become a fundamental tenet in the future development of the Medical Technology industry. The 1980’s and 90’s saw the integration of “Quality Assurance and Quality Management” throughout business and in doing so, affected each business role.

The implementation of Risk Management is currently starting to have a similar impact. In the past everyone had an idea of what “Customer Focus” or “Quality” was and what it meant, but there is however a lack of intrinsic understanding with what risk management and indeed what risk is about, so this adds a fundamental challenge.

In Biref

This document contains the following sections:

  1. Can risk be designed out
  2. What is risk?
  3. Risk subjectivity
  4. Risk assessment
  5. EN ISO 14971.2000 Medical Devices
  6. Top management buy in
  7. 80/20 rule
  8. What dos it mean to the manufacturer
  9. What does it mean to the researcher
  10. Who should be involved
  11. Conclusion

Summary concepts

  • Risk management is increasingly used in industry alongside quality management systems
  • EN ISO 14971:2000 Medical Devices lays out a full risk management process
  • Risk management of medical devices requires good understanding of the hazards arising and the end user environment
  • The manufacturer must hold documents evidencing the risk management process

There is an international standard on risk management, EN ISO 14971:2000, which fits neatly into a suite of harmonised standards that are established and being added to. Harmonised standards are so named as they fit together, utilising the same fundamental principles, so the implementation and conformance of one harmonised standard should not detrimentally impact in the implementation of another. ISO 13485:2003 Medical Devices, a harmonised standard, is the standard specifically related to medical devices and requires risk management to be interwoven fully, including during the design process.

1. Can risk be designed out? – Prevention is better than cure

Where possible the risks presented by a project should be examined and analysed before the design process so that risks, where practicable, can be avoided / reduced without the need for mitigation or rectification later. Everything points to the need for risk management planning. Risk management should not be added to the design process as an after-thought but should be established as a critical issue at each decision in the design pathway. Decisions related to risk must be implemented along with other decisions along the full process pathway.

Product manufacture must be attainable, however there are always limitations and you cannot control out a tolerance mismatch between product design and the manufacturing process. It is crucial that these limitations are understood at the design stage.

2. What is risk?

There are many misunderstandings surrounding the uses of the terms risk, hazard and harm. Most operations have some form of risk, and it is the management of that risk, whether actual or perceived, that is key.

Hazards are the properties of a substance or situation with the potential for creating harm. e.g. the misapplication of a bandage on a limb because of poor training (the hazard) could lead to tissue damage / injury (harm). The risk is the probability or chance that the hazard posed by the misapplication will lead to injury within a specified time. The risks can be and should be minimised by initially undertaking a suitable risk assessment.

3. Risk subjectivity

Risks are both objective and subjective – there is an inherent dichotomy in risk based decision making. Statisticians will look at the numbers but in reality this is only half the story. For example, the risk of being killed on the railways is only a fraction of the risk of being killed on the road but because of the subjective nature of perception, everyone remembers incidents like the Potters Bar train crash although “only” 7 people died which is less than the daily average of people killed on the UK roads (8.8). Maybe perception is skewed because of media coverage, the lack of personal control or politics but for whatever reason the management of subjective risk is crucial.

If risk management is to be as full as possible, the need to address this dichotomy pervades all business improvement processes; quality, customer focus and productivity. This in turn requires the skills of risk managers at each juncture.

4. Risk Assessment - Thinking about the user and using a crystal ball

Medical technology companies need to think about the uses that their products may be put to in practice; in this sector the uses are diverse and often not as described on the labelling. The company should look at the details of the user; who will be operating the device, how much training will be needed, both specifically and in general use, and in what environment will the device be used. It is important that when undertaking the risk assessment, the user and the patient are involved – it is far better to know at the risk management stage that the device may be used in non hospital areas than to find this out later during the investigation of an incident. The greater the knowledge about the actual usage of the device, the better the potential risk management strategy.

Different markets may also have different perceived risks. Even when the objective risks are similar, the subjective risks may be completely different because of differing media scrutiny, patient / clinician attitudes. Such calculated risk thresholds may persuade the company it is not even worth entering the market.

5. EN ISO 14971:2000 Medical Devices – Application of risk management to medical devices

This is the harmonised risk management standard and lays out a full risk management process. 13 steps are described considering all possibilities, however because of the complexity it should be asked if this is the correct route for most companies – maybe the way to go is to look at a simplified 4 stage process:

  • Analyse the data
  • Evaluate what the data means
  • Control the process
  • Feedback real data to the decision makers

6. Top management buy-in, carrot or stick?

As with any change management / quality management system, it is of primary importance to get the “buy in” of the top management. Risk management and the advantages that are brought to a company should not be described to the management in the manner that it is a legal requirement, so forcing the company to do it. The carrot approach is better, “selling the advantages” that it will help protect the business and add to the efficiency because the processes are more controlled.

7. The 80/20 Rule

Think about the risks and implement a system of management as early as it practicable. Most projects conform to a Pareto distribution, i.e. 80% of the commitments of the projects are made in the first 20% of the time. Of course this causes a potential problem in that most of the commitments are made without much data to form an accurate risk assessment with. Bearing this in mind the risk management process must be flexible enough to include new data as it becomes available. Top management must, in line with the quality management system, make resources available to fulfil the developing needs.

8. What does it mean to the manufacturer?

The manufacturer must hold documents evidencing the risk management process. The process must cover the whole life cycle of the medical device from design to ultimate decommissioning and disposal. The documents should include:

  • The intended use / purpose of the device Identification of the hazards
  • An estimation of the probability of occurrence (of harm)
  • An estimation of the hazard severity
  • Evaluation of the risks
  • Monitoring of effectiveness of the mitigation techniques

9. What does it mean to the researcher?

Risk management is not the preserve of the manufacturer, designing experiments and programmes of research all benefit from an element of risk analysis and management. This can ensure that the right research paths are being followed, and that contingency plans are in place for alternative research lines (including compromise on buying-in available commercial technologies where necessary). In some cases, funding bodies (this has happened in European Framework programmes) wish to see evidence of a risk management approach. Documents here might include:

  • Risk management strategy
  • Identification and evaluation of risk elements
  • Contingency plans

10. Who should be involved?

As with all good implemented quality management systems the use of process mapping will indicate cross department responsibility and process ownership, however under most circumstances the majority of the risk management can be done within one department. Where there is cross-departmental input it may be necessary for the contribution of a senior manager for decisions. This can slow the process down depending on the number and severity of criteria. There is however, the need to use multidisciplinary teams; no one person has all the answers. Where possible the teams should contain internal participants (from the manufacturing company) but maybe more importantly external interested parties, e.g. patients and clinicians. Outside input from “the user” is crucial if the product is not to be made just with an accountants’ view. The user will also be able to ascertain whether the risk posed by the device is worth the perceived benefits – something that the medical technology company often has a “candied” view upon.

11. Risk management tools

There are a number of tools that can be used in the risk assessment process, some are more suitable than others and some are more easy to use than others. They all assist in the “inside the box” objective analysis.

  • Functional analysis – a technique often used in the development phase of a project. This method describes the relationships between the inputs and outputs of the most significant functions when developing a new product, including medical devices.
  • Fault tree analysis – a technique used in the early stages of development for identifying hazards and, by following it back, their root causes. The use of “and” / “or” gates aids in logical analysis.
  • Failure Mode Effect Analysis – where individual components are “isolated” and the effect or consequence of them failing is systematically identified. This technique is more appropriate as a verification tool towards the end of the process, after the design is finalised and / or a prototype is available.
  • Hazard and operability study / hazard analysis and critical control point – often used later on in development. It helps to control manufacturing risk and in the analysis of manufacture changes.

Whichever risk assessment technique(s) is used there is one overriding rule; when the process of assessing the risk using a tool is finished, look again but this time outside the box to cover the subjective bases.

Some risks are inherent to a device because of the device function; these should be carefully managed alongside the benefits that it will bring. The cost of device should not be prohibitive because the manufacturer is attempting to manage out the inherent risks, causing the product to be too expensive for the benefits (perceived or actual) that it will bring.

12. Conclusions

As medical technology companies increasingly adopt risk management systems in the same way as they adopted quality management systems, the interaction of processes and their control are defined at all levels of the business. The greater the top management involvement the better the integration of the system and the better the understanding of the risks the product poses at all levels. The integration of risk management and quality systems within the fundamental ethos of the business promotes resource planning throughout an organisation and the change of the decision making process. This in turn will make good, safe product available on the UK market.