10 tips: Medical Device Risk Management

This article presents a strategy that benefits medical device manufacturers who initiate risk management early in the product development lifecycle. A risk management program compliant with the latest revisions of ISO14971 can support design, verification, and validation efforts, improve post-market planning, and simplify regulatory compliance. Read below to find out how.  Copyright 2023, Saegert Solutions Inc.

Reducing the risk of harm to patients is paramount for regulatory approval, but a well-developed risk management strategy can support your company throughout the medical device development lifecycle. Read on to learn how a properly planned and implemented risk management file can supercharge your medical device development practices.  

One Risk Management File to Rule them all: Apart from ISO14971, there are lots of other quality and regulatory standards that include safety and risk management requirements. Standards for medical device usability (IEC62366), biocompatibility (ISO10993), electrical safety of medical equipment (IEC60601), software (IEC62304), and even cardiac implants (ISO5840) all require some degree of risk assessment, evaluation, and management.

Because risk is defined in terms of potential harm to the patient, user, or environment, the risk of harm (type, severity, probability of occurrence) that is experienced will be the same, regardless of the origin of the hazard. Evaluating all relevant hazards in a single risk analysis improves the consistency and objectivity of the analysis, as well as the evaluation and control of risks.

For medical devices that comprise technologies covered under multiple standards (e.g. software and electrical components, or software and usability requirements), the occurrence of a hazardous situation may result from contributions across multiple domains. A single risk management file will capture events and interactions across multiple sources, and ensure that effective countermeasures are developed when inputs from multiple teams are required.

Establish and Control your Scope: Based on the concept and indications for the proposed medical device, some hazards may be more applicable than others. Completing the questions related to ‘Information for Safety’ in ISO24971 can document which hazards don’t apply to your device, which reduces the scope of your analysis and saves time and cost.

Make a list of Harms: If the indications for treatment with a device are known, the harms associated with that treatment should also be known. Prepare a list of harm types, descriptions, and severity ratings for inclusion in the risk management file. Assign potential harms to each hazardous situation, with the understanding that any hazardous situation can result in harms of different types and with different severity levels. The probability that a hazardous situation will result in a harm of a specific type and severity is defined in ISO14971 as ‘P2’.

Your residual risk analysis should resemble your list of harms, with descriptions of types, severity levels, and occurrence rate (P1 x P2) values summarized across all hazardous situations. This will quantify reductions in risk severity and occurrence, and clarify adverse event reporting.

Evaluate Risks Early, and Re-Evaluate Often:  Once the user needs, treatment profile, and indicated use have been defined, your team will understand the components required, which hazards are relevant, and the harms that can result from treatment with - and without - the proposed device.

Now is the time to initiate your first risk evaluation, and use it to support your product’s development.

It is much easier and more cost-effective to design a device with the intention to reduce risk at the outset than it is to modify a device to address risk concerns late in development: imagine discovering high-severity risks in your clinical trials, then justifying design actions taken months (or years!) earlier to convince a regulator that your design controls are adequate. Just do it right the first time!

Quantifying occurrence rates for risk streamlines clinical evaluation planning, because important risks have been defined and categorized by severity, and their occurrence rates have already been baselined. More importantly, you have an entire design history file documenting actions taken to reduce those risks.

Even an initial risk evaluation, with broad-based estimates of occurrence rates, can identify pathways to significant risk reductions. Your residual risk can (and should) be re-assessed at each design review, as data from verification testing supplants your initial estimates.

Turn Design Controls into Risk Controls: Risk reductions come from controlling the events that lead to hazardous situations. These events are then listed and controlled using FMEAs. In this way, your design controls (ensuring component performance meets or exceeds requirements) also act as risk controls.

Risk Based Resource Planning: When evaluating controls for events that contribute to hazardous situations, assign to each contributing event the maximum severity rating of the harms assigned to that hazardous situation. It’s a good, conservative design practice to do so (and much easier to defend, compared to trying to explain why you didn’t), and the severity rating can be used to specify sample sizes, sample reliability, and sample confidence levels for design verification and validation activities.

Target Risk Reduction Efforts: A single hazard can result in multiple hazardous situations, and each hazardous situation has its own probability of occurrence, P1. The path from hazard to hazardous situation is made up of sequences of events, where the probability of occurrence of each event contributes to P1. In some cases, the same event can play a role in more than one hazardous situation.

The best way to reduce risk associated with medical devices is to reduce the probability of occurrence for hazardous situations (P1). Events that contribute to more than one hazardous situation should be prioritized for risk reduction, as investments to reduce the probability of occurrence of those events will maximize risk reductions overall.  
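
The residual-risk summary (P1 x P2 per harm) and the prioritization of shared events described above can be worked through in a few lines. This is an added example, not part of the original article; all names and probabilities are constructed, and it assumes contributing events are independent and must all occur (so P1 is their product) and that occurrences add across hazardous situations.

```python
from math import prod

# Constructed sample data: illustrative names and values, not from any real device.
HARM_SEVERITY = {"sepsis": 5, "infection": 4, "delayed treatment": 3, "skin irritation": 1}
EVENT_PROB = {"seal_wear": 1e-2, "alarm_missed": 5e-2,
              "battery_fault": 2e-3, "sterility_breach": 1e-4}
# Hazardous situation -> (contributing events, {harm: P2}).
SITUATIONS = {
    "undetected leak": (["seal_wear", "alarm_missed"],
                        {"infection": 0.10, "skin irritation": 0.50}),
    "therapy interrupted": (["battery_fault", "alarm_missed"],
                            {"delayed treatment": 0.20}),
    "contaminated fluid path": (["sterility_breach"],
                                {"infection": 0.01, "sepsis": 0.05}),
}

def p1(events, event_prob):
    """P1 of one hazardous situation. Assumption: events are independent and all must occur."""
    return prod(event_prob[e] for e in events)

def residual_risk(event_prob=EVENT_PROB):
    """Per harm: (severity, occurrence), occurrence = sum of P1 x P2 over all situations."""
    occurrence = {harm: 0.0 for harm in HARM_SEVERITY}
    for events, harms in SITUATIONS.values():
        for harm, p2 in harms.items():
            occurrence[harm] += p1(events, event_prob) * p2
    return {h: (HARM_SEVERITY[h], occ) for h, occ in occurrence.items()}

def rank_events(event_prob=EVENT_PROB):
    """Rank events by the drop in summed P1 when that event's probability is halved."""
    def total_p1(probs):
        return sum(p1(events, probs) for events, _ in SITUATIONS.values())
    base = total_p1(event_prob)
    gains = {e: base - total_p1({**event_prob, e: p / 2}) for e, p in event_prob.items()}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for harm, (sev, occ) in residual_risk().items():
        print(f"{harm:18s} severity={sev} occurrence={occ:.2e}")
    for event, gain in rank_events():
        print(f"{event:17s} P1 reduction if halved = {gain:.2e}")
```

In this constructed data set, alarm_missed ranks first because it contributes to two hazardous situations, even though seal_wear and alarm_missed feed the same highest-P1 situation.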

Benchmark with Risk: Consider conducting risk analyses for incumbent technologies / procedures based on publicly available data, to benchmark the risks (severity and occurrence) for the current state of the art, and compare with those of the proposed device.

For example: a catheter-delivered prosthetic heart valve, developed as an improvement to ‘open heart’ valve replacement surgery, will share many of the same outcomes with the incumbent procedure. The types and severities of harms associated with both procedures will be similar, but reductions in the probabilities of occurrence of harms, the severity of the harms that occur, or both, will highlight the value proposition for your medical device. 

React Quickly to Risky Situations: Once you have created a detailed risk management system, you can use it to quickly assess changes in your device risk profile and react to unplanned situations. Engineering Change Request? Evaluate performance of the new design, to ensure your risk profile is unchanged. Reports of a new, off-label use? Use your risk file to assess the new hazardous situation, contributing events, and probability of harms. Quality non-conformance? Understand the potential risk impacts when planning your response.

More than just a ‘living document’, a well-developed risk management file can exist as a mathematical model, one where “new, unusual, or different events”, or changes to design and quality controls, and their impact on risk can quickly be evaluated to support the decision-making process.      

Post-Market Surveillance Planning: Medical device regulations stress the importance of post-market surveillance for safety risk and product performance. A risk management practice that quantifies occurrence rates for contributing events, hazardous situations, and harms facilitates planning and reporting of risk-related events from production non-conformances and verification testing, through early and late clinical trials, and even during post-market clinical follow-up.

Quantifying occurrence rates for risk facilitates tracking and trending of known and emergent issues, and their potential impacts on risk, ensuring your team can plan and act while risks remain acceptable, instead of being forced to react to risks when they aren’t.   

A well-developed risk management plan, and a well-implemented strategy can do all these things and more, to support the development of your company’s medical devices. We leverage risk management plans to define objectives for your team, providing expert guidance while allowing your team to focus on what they do best. Please reach out to us to learn more about our approach to medical device risk management.  

About the author:

Alex Saegert is founder and principal consultant of Saegert Solutions. He is an ASQ certified reliability engineer (CRE) and supplier quality professional (CSQP), with a specialized ASQ credential in risk management. He has over 20 years' experience engineering quality, reliability, and safety into products from such diverse fields as medical devices, hydrogen fuel cells, alternative energy powertrains for cars, trucks and locomotives, and the nuclear power industry. He is licensed as a professional engineer in the provinces of Alberta and British Columbia, Canada.
