Common risk management mistakes and misconceptions
Risk management is crucial to medical device development but there’s still a lot of confusion about what it is and why we do it. Here’s a list of the most common risk management mistakes and misconceptions I’ve encountered. Hopefully, greater awareness of these will help product teams and companies make better, safer medical devices.
When I started compiling this I thought it would be a “Top 10” list but as I reviewed my notes and discussed these problems with other experienced consultants, the list became much longer. In that context, any company that can avoid all or most of these errors will be doing considerably better than average in risk management.
The List
- Isolated from product development: outputs from risk assessments are not used as inputs to product design or the product design evolves but no updates are made to risk assessments
- Not comprehensive: risk assessments don’t cover all aspects of the product (overlook packaging, accessories, product maintenance, or interfaces with other products)
- Focusing only on hardware and software failures: risk assessments ignore other sources of risk such as use error, interoperability, and cybersecurity threats
- Emphasizing risk analysis over risk controls: risk controls were not implemented or were not tested
- Underestimating supplier risks: a huge part of the device risk lives in the parts produced by third parties; if risk management doesn’t meaningfully extend into the supply chain then these risks can be easily underestimated
- Waiting until the end of development to perform risk assessments and to analyze residual risks (What if additional risk controls are needed?)
- Using the wrong risk analysis method: There are many ways to perform risk analysis; often a combination of methods is needed for comprehensive risk analysis. For example, a traditional design FMEA alone does not satisfy the requirements of ISO 14971 for risk analysis. See What’s Wrong with DFMEA? for details.
- Perfunctory benefit-risk assessment: waiting until the end of development and writing a single sentence in the Risk Management Report; this crucial aspect of risk management needs to be clearly documented in clinical terms in a way that’s defensible to regulators
- Inconsistent risk ratings across different risk analysis documents for the same product (a Severity=2 for a harm in one risk analysis document but another has a Severity=4 for the same harm)
- Not updating Risk Management File after product launch: ignoring field data; ignoring product updates and additional testing
- Underestimating the frequency of events and the probability of the resulting harms in real world usage
- Not considering worst case scenarios in risk assessments: overlooking the very high severity / very low probability risks
- Overly conservative risk ratings: often determined by pessimistic engineers instead of clinical experts
- Too much reliance on detectability to reduce risk; for example, thinking that the busy OR staff will immediately notice the beeping and the blinking red light on the device
- Overly detailed risk analysis documents: obscuring serious risks in a sea of unimportant details (“If it’s more than a 1000 rows then no one can say we weren’t thorough enough!”)
- Over-reliance on labeling: relying on information in the user manual or warning labels as the primary means of risk reduction
Biggest Error
But there’s an even bigger risk management problem I’ve seen repeatedly which aggravates all of these other problems: employees don’t understand the purpose of risk assessments and how they drive product development, manufacturing, and product support. They consider risk management to be a documentation exercise and therefore don’t make it central to product safety and quality.