In the medical device landscape, risk is defined by ISO 14971, the international standard for medical device risk management, as “the combination of the probability of occurrence of harm and the severity of that harm.” This is precisely why risk management is so essential to the medical device industry. Risk management encompasses a set of key processes like risk assessment, risk controls and overall residual risk acceptability.
Following each step in the risk management process is critical to ensure the production of safe and effective medical devices, so let’s dive into these steps to explain their function and significance:
Start with Risk Analysis
Risk Analysis should be the starting point for outlining any risks related to a medical device. There are various ways to conduct a risk analysis, including FMEA, fault tree analysis and preliminary hazards analysis. Still, it's important to note that records must be kept at every step in the process, and a medical device quality management system (MDQMS) with a dedicated risk management workflow can help streamline this workflow.
Regardless of which method you choose, your risk analysis must showcase the device, the person(s) involved, analysis scope, and dates. It’s best to first start with an intended use statement. This document outlines the device’s scope and helps identify potential hazards and hazardous situations for misuse. Whether the hazards are from misuse or the device is somehow defective, hazards are potential sources of harm and must be identified and documented.
ISO 14971 Annex C shares a list of example hazards:
- Thermal energy
- Electromagnetic energy
- Mechanical energy
When you identify hazards early, you create the opportunity to ensure that user needs are met while mitigating potential harm to patients.
Conduct Risk Evaluation
Following the identification of hazards, you must estimate the risk for each hazardous situation. Each of which will likely have its own set of potential harms with varying levels of severity and probability of occurrence.
A common technique used for estimating severity and occurrence for harms of hazardous situations is establishing a risk acceptability matrix, as shown in the table below.
A risk matrix shows risk severity in varying levels from minor to critical and ranks risk occurrence on a scale of frequent to improbable. Severity and probability will then line up into three zones of risk: low, medium, and high.
You will need to clearly define which risk zones will be deemed acceptable and which will require risk reduction in your risk management procedure and risk management plan.
Identify Risk Controls
Risk controls are defined as any measures taken with a medical device to reduce risk and are often the most significant way to reduce identified risks to acceptable levels. It's often considered best practice to include multiple risk controls for each identified risk.
Risk controls must be prioritized in this order:
- Inherent safety by design
- Protective measures in the device and/or manufacturing process
- Safety information like instructions for use and labeling
There is an important connection that must be made between design controls and overall risk management to mitigate serious harm to patients. Another tactic considered to be a best practice is linking your risk controls to your design outputs and design verification and validation, which can serve as your risk control measure. While this may seem like a time-consuming task, a purpose-built MDQMS can easily link these controls.
Finalize Overall Residual Risk Acceptability
After all individual risks you’ve identified have been evaluated, the next step is to evaluate the overall residual risk acceptability of your device. Residual risk acceptability involves determining whether the overall risk of your device is acceptable for patient use. To complete this process, you will apply the same occurrence, severity, risk level, and acceptability criteria defined earlier.
When following this process, you may determine the overall residual risk of your product is unacceptable, in which case a benefit-risk analysis (BRA) could be conducted. A BRA provides objective evidence that the medical benefits outweigh the known risk(s) associated with the medical device. If you determine the overall residual risk is acceptable, document the decision and outline factors to support your rationale to include with your risk management report.
While risk is part of our everyday lives, medical devices must be thoroughly vetted to reduce risk as much as reasonably possible to protect end users. Everything from risk evaluation to risk controls and residual risk acceptability are critical components in the risk management process to ensure the maximum safety and effectiveness of your medical device.
Jon Speer is the founder and VP of QA/RA at Greenlight Guru a medical device quality management MDQMS software & a medical device guru with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to achieve True Quality.