Risk management is a vital part of medical device development and lifecycle processes. Most regulatory agencies, including central authorities such as the European Union and the Food and Drug Administration (FDA), include risk-based methods in their internal processes for medical device and manufacturer evaluations. They also require medical device manufacturers to apply risk management processes in every stage of a device's lifetime.
ISO 14971, "Medical devices – Application of risk management to medical devices", explains the requirements, expectations, and different stages of the risk management process.
The standard was updated to its current version in December 2019 and is considered the gold standard for medical device risk management.
As described in ISO 14971, the risk management process is a way to establish and document processes for identifying hazards associated with medical devices. It includes estimating and evaluating associated risks, controlling them, and monitoring how effective the controls are. The risk management process is part of the design of a medical device and is thus tied closely to design controls.
ISO 14971 emphasizes the need for continuous risk management even after a device is put on the market, using post-production, post-market surveillance, and post-market clinical follow-up information to update the risk management documentation. The manufacturers' quality management system (QMS) should fully integrate risk management processes.
The risk management file is your risk management activity record. It is where you document your risk management activities and keep all the related documentation. Risk management files are necessary for individual medical devices or medical device families.
Your risk management file should include evidence of the required risk management processes:
The risk management plan should identify and explain the risk management activities planned throughout a medical device's lifetime. It includes a discussion of which activities can be expected and how to handle unexpected situations that might lead to changes in risk management processes.
Risk analysis is where you identify the specific risks related to your medical device. This includes estimating the risks for each hazard and hazardous situation identified, as well as the severity of harm and the probability of that harm occurring. ISO 14971 has a great list of potential hazards in Annex C (thermal energy, line voltage, bacteria, etc.) to help you identify all possible hazards.
Frequently used risk analysis techniques include preliminary hazards analysis, FMEA, and fault tree analysis. Risk analysis should always be based on the device's intended use.
Risk evaluation is about determining which risks are acceptable and which require risk reduction. The European Medical Device Regulation (MDR; 2017/745) requires risks to be reduced as far as possible, which means risk reduction should be considered for all risks, regardless of their risk level.
Once your risks are identified and evaluated, you must reduce those risks to acceptable levels. This is done through risk controls, which minimize the risk associated with using the medical device. For example, you can add additional information to the label or instructions for use to reduce the probability of occurrence of harm.
Preferably, the overall residual risk of your medical device is acceptable. If not, you can conduct a benefit-risk analysis and justify why the medical benefits of your medical device outweigh the risk. The decision should be documented, justified, and included in your risk management file.
Before putting your medical device on the market, the risk management processes and results must be reviewed, preferably by executive management. A risk management report should be drafted to summarize all the risk management activities and procedures and the overall risk acceptability. The report should also include how you plan to manage risk in the lifetime of your medical device.
Risk management is a living thing that must be performed in the entirety of your device's lifetime. The risk management process continues once your product goes to market. Production and post-production risk management activities, as well as any other post-production process that is in your QMS, should feed into your risk management process.
Risk estimation and the probability of occurrence of harm are vital parts of the risk management process. But what happens when you cannot accurately estimate the probability of occurrence of harm? Systematic faults, software failures, sabotage, novel hazards that are poorly understood, and toxicological hazards are all examples of situations where the probability of occurrence cannot be estimated with any confidence. In these cases, it is necessary to evaluate the risk purely on its potential harm. For lower-level harm, the risk can usually be considered acceptable. For higher-level harm, the risk estimate should be based on the worst-case probability estimate.
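As an added illustration (not from the article or from ISO 14971 itself), the following Python evaluator applies that rule to a small constructed risk register: hazards with an estimated probability are scored normally, while hazards whose probability cannot be estimated (such as a software failure) are accepted on low potential harm alone or scored at worst-case probability. The 1-5 severity and probability scales, the low-harm cutoff and the acceptability threshold are assumptions that a manufacturer would define in its own risk management plan.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scales and thresholds; a real plan defines these per device.
SEVERITY_MAX = 5       # 1 = negligible harm ... 5 = death or serious injury
PROBABILITY_MAX = 5    # 1 = improbable ... 5 = frequent
LOW_SEVERITY = 2       # harm at or below this level is acceptable on harm alone
ACCEPTABLE_RISK = 6    # severity * probability at or below this is acceptable


@dataclass
class Hazard:
    name: str
    severity: int
    probability: Optional[int]  # None when occurrence cannot be estimated


def evaluate(h: Hazard) -> dict:
    """Score one hazard, applying worst-case probability when none can be estimated."""
    if not 1 <= h.severity <= SEVERITY_MAX:
        raise ValueError(f"severity out of range for {h.name!r}")
    if h.probability is None:
        if h.severity <= LOW_SEVERITY:
            # Low potential harm: acceptable without a probability estimate.
            return {"hazard": h.name, "risk": None, "acceptable": True,
                    "basis": "low potential harm; probability not estimable"}
        prob, basis = PROBABILITY_MAX, "worst-case probability assumed"
    else:
        if not 1 <= h.probability <= PROBABILITY_MAX:
            raise ValueError(f"probability out of range for {h.name!r}")
        prob, basis = h.probability, "estimated probability"
    risk = h.severity * prob
    return {"hazard": h.name, "risk": risk,
            "acceptable": risk <= ACCEPTABLE_RISK, "basis": basis}


# Constructed sample register (not from any real device file).
REGISTER = [
    Hazard("overheating (thermal energy)", severity=3, probability=2),
    Hazard("dose-calculation software failure", severity=5, probability=None),
    Hazard("cosmetic display glitch", severity=1, probability=None),
]


def evaluate_register(register=REGISTER) -> list:
    """Return the evaluation of every hazard in the register, in order."""
    return [evaluate(h) for h in register]


if __name__ == "__main__":
    for row in evaluate_register():
        print(row)
```

Under MDR 2017/745 every entry, acceptable or not, still gets risk reduction considered; the "acceptable" flag only decides whether further reduction is mandatory before the benefit-risk step.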