The Big Picture for Medical Device Risk Management

Understanding all the details of risk analysis methods and compliance with the ISO 14971 risk management standard can be quite complicated but fundamentally, for development of a new medical device, risk management is about answering these seven key questions:

1. What are all the possible things that could go wrong? 
2. What are we most worried about? 
3. What are we doing to control those risks? 
4. Have the controls been implemented? 
5. Do they work as intended? 
6. Are the remaining risks acceptable? 
7. How will we continue to monitor and control risks throughout the life of the product?

For commercial medical device development the answers to these seven questions need to be formally documented in great detail and the documentation needs to be rigorously controlled.  However, it’s important to always emphasize the following:

“Risk management documentation does not make your product safe; the processes (activities) of risk management are what make it safe.”

In other words, there are important activities that a medical device company undertakes to make sure a new medical device is safe; then the results of these activities are captured in a set of documents (which will become the “Risk Management File”).  If a development team thinks they can wait to do risk analysis until after designing a new product, they’re missing the whole point of risk management! Risk analysis is a key input to the design process.  It determines crucial safety features of the product (interlocks, temperature monitoring, etc.) and is a fundamental part of V&V testing, manufacturing process development, supply chain management, user training and support, and many other processes associated with manufacturing and supporting a new medical device.

Over the years I’ve worked on more than 30 medical device development projects of all different types, from sterile disposables to complex capital equipment.  From that experience I’ve learned the following basic lessons about risk management:

Lesson 1: Make sure your risk assessment is comprehensive

• Fully research issues with similar devices,
• Include use errors (human factors / usability), 
• Include packaging and accessories (like battery chargers),
• Include interfaces to other products/systems,
• Include cybersecurity,
• And for capital equipment, include maintenance and service

Lesson 2: Use methods of risk assessment which are appropriate to your product

• Don’t try to use design FMEA for everything (it is just one of many tools)
• For software-intensive and connected medical devices, make sure to start with a top-down system hazard analysis that covers all the parts of The System at a high level and highlights which parts will need more detailed analysis
• Consider methods that will integrate well with a development partner or contract manufacturer
• Consider methods for managing key interfaces with other products (interoperability)
• Use your Risk Mgmt Plan to define which risk assessment methods the team will utilize and who is responsible for each part

Lesson 3: It’s all about the risk controls

• Always keep in mind that the primary goal of risk management is identifying, implementing, and testing the risk controls (mitigations)
• If your risk management methods are not productive at identifying risk controls, change your methods (don’t spend long hours on analyses that don’t produce actionable output)
• Start risk analysis early in development so the team can efficiently incorporate the hardware and software changes needed to implement necessary risk controls

Lesson 4: Risk analysis is a complement to testing

• Risk analysis can identify those events that are rare but potentially catastrophic 
• These very low probability events won’t show up in testing but could occur eventually in clinical use

Lesson 5: Make sure risk management is maintained for the life of the product

• Your responsibilities for risk management don’t end when a new product is launched
• You need to monitor issues from manufacturing, from customer complaints, and from other market data and regularly update the Risk Management File
• Any subsequent changes to product hardware and software should also trigger an examination of their possible effects on the Risk Management File 

The diagram below summarizes the ‘Big Picture’ for risk management and illustrates the large number of inputs to risk assessment and the ongoing feedback loops from testing, manufacturing, and supporting a medical device. Note that the results of testing as well as production and post-production information are used to update the Risk Management File; any updates are evaluated to determine if residual risks are still acceptable.

If you’re currently involved in the development of a new medical device, does your team have detailed answers to all seven questions of risk management?   And can you readily trace from all the defined risks for the new product to the required risk controls to testing of those risk controls? If not, give me a call and I’ll explain some straightforward ways to efficiently manage this crucial part of your product development.