Medical Device

Risk Management 101

Learning the basics of how to analyze, evaluate, control,
and monitor risk

orielstat.com 800.472.6477
 From a distance, risk management seems straightforward. You have a device,
evaluate its potential risks, mitigate those risks, monitor them over time, and you’re
done. Seems easy, right? Ah, if only life were so straightforward. The reality is that
risk management is one of the more complex aspects of regulatory compliance,
simply because risk comes in so many flavors and perceptions of severity, and
probability can be interpreted quite differently.

The thing that makes risk management tricky is that we often don’t have enough
real-world data to accurately quantify risks, especially for new devices. Fortunately,
there is a systematic process you can establish to estimate, evaluate, control, and
monitor risks. Before we get into that, let’s step back and talk about the regulations
and standards that dictate how you should approach risk management.

ESTIMATE
RISKS

MONITOR
EVALUATE
THE
RISKS
CONTROLS

CONTROL
RISKS

Medical device risk and risk management defined

• Risk is the combination of probability of occurrence of harm and the severity of that harm.
• Risk management is the systematic application of management policies, procedures, and
practices to the tasks of analyzing, controlling, and monitoring risk.

2 orielstat.com  | 800.472.6477
Why is risk management needed? Simply put, we have a collective interest in ensuring that medical
devices are safe and effective. Risk management is not optional – it is a regulatory requirement world-
wide. The US FDA mandates it in the Quality System Regulation (21 CFR Part 820). Europe requires
it in the new Medical Device Regulation (MDR 2017/745). Likewise, Japan, Canada, Australia, Brazil,
and all other major markets require the application of risk management, which is either referenced in
their national regulations and/or ISO 13485:2016.

The role of the ISO 14971 standard

Fortunately, national governments have not created their own guidelines telling you how to how to
perform risk management. Instead, they all defer to ISO 14971, the global standard for medical device
risk management. The intent of the standard is to identify hazards associated with medical devices
at all stages in a device’s life cycle, from product design to procurement to production and postmarket
use. In all cases, the goal is to estimate, evaluate, control, and monitor the risks associated with each
life-cycle stage. There are two versions of this standard in use today:

• ISO 14971:2007 – The US FDA and most other markets recommend this version of the standard to
meet national risk management requirements.
• ISO 14971:2012 – This version is required to meet CE Marking requirements for medical devices
sold in Europe. It differs only in the front matter describing how ISO 14971:2007 deviates from the
device directives in Europe.

If you are just getting started implementing risk management for your company, purchase the
ISO 14971:2012 standard and its guidance ISO 24971:2013. You will also want to buy and read the
ISO/TR 24971:2013 standard. It is brief but provides excellent guidance for dealing with specific
areas of ISO 14971. Both are copyrighted documents and you can purchase them online from ISO.

2000 2007
1998 2012
2001 2009

ISO 14971:1:1998 ISO 14971:2000/2001 ISO 14971:2007/2009 ISO 14971:2012

ɥɥRisk assessment ɥɥRisk analysis ɥɥRisk analysis ɥɥMDD “alignment”
only ɥɥRisk evaluation ɥɥRisk evaluation
ɥɥRisk control
ISO 14971 was first introduced in 1998 and has expanded in scope during subsequent releases. An updated
dated ISO 14971 is underway and expected to be complete sometime in 2019. The focus of the revision is not on
revising the risk management process but rather to improve the information on implementation of the life-cycle
risk management process.

800.472.6477  |  orielstat.com 3
 Sections of ISO 14971
Although risk management can be complex, the main body of the ISO 14971 standard is a scant
14 pages and consists of 9 clauses:

1. Scope
2. Terms and conditions
3. General requirements for risk management
4. Risk analysis
5. Risk evaluation
6. Risk control
7. Evaluation of overall risk acceptability
8. Risk management report
9. Production and post-production information

And these are the key annexes supporting those clauses:

• Annex A – Rationale for requirements

• Annex B – Overview of risk management process for medical devices
• Annex C – Questions that can be used to identify medical device characteristics that could impact
safety
• Annex D – Risk concepts applied to medical devices
• Annex E – Examples of hazards, foreseeable sequences of events, and hazardous situations
• Annex F – Risk management plan
• Annex G – Information on risk management techniques
• Annex H – Guidance on risk management for in-vitro diagnostic medical devices
• Annex I – Guidance on risk analysis process for biological hazards
• Annex J – Information for safety and information about residual risk

4 orielstat.com  | 800.472.6477
Basic steps in the medical device risk
management process
So, where to begin? It helps to think about risk management as a process that starts with a plan.
While the end deliverable is a report, your work in controlling risk is never done. We will talk in detail
about each of these areas later, but here are the steps.

RISK ACTIVITIES
Risk Analysis Risk Management Risk Control
and Evaluation Tools • Risk Reduction Options
Risk Risk
Management
Plan
> • Intended Use
• Risk
Identification
• FTA
• FMECA
• Others
• Implementation
• Residual Risk > Management
Report
• Risk-Benefit Analysis
• Estimation • Verification and Validation
• Evaluation

• Create a risk management plan: Document activities that will take place, assign responsibilities,
determine risk review requirements, establish risk acceptability levels, plan verification activities,
and plan production/post-production activities.
• Assemble your risk management team: Assemble a qualified team of people who know how
your device is constructed, its manufacturing processes, how it is used in the field, etc.
• Use risk analysis tools to identify risks: Choose the tools you will use to measure risk (discussed
more later) and then use them to identity risks posed by your processes, users, suppliers, mainte-
nance tasks, shipping, production equipment, etc.
• Weigh the risks versus the benefits: This is fairly self-explanatory, but the end goal is to ensure
that the medical benefits of your device outweigh residual risks.
• Eliminate or mitigate risks: The goal here is to reduce risks to an acceptable level. We’ll talk more
about risk reduction later and address how this varies between the 2007 and 2012 versions of
ISO 14971.

800.472.6477  |  orielstat.com 5
 Creating your risk management plan
It’s important to understand that risk management is a process and a project. In other words, risk
management is much more than a periodic analysis of product risks. Clause 6.1 of ISO 14971 states
that you must have an ongoing process in place to analyze, evaluate, and control risk. This plan
outlines the process of how you will conduct risk management, and it becomes part of your risk
management file. Risk management planning may have two levels.

GENERAL PROCEDURE SPECIFIC PLAN

A top-level procedure for all risk management How you will conduct a risk management project for
projects per written risk procedures. You may want a specific product or process per the general risk
to include this in the template you prepare in your procedures. These details may be integrated into, or
risk management standard operating procedure (SOP). replace, parts of your generic “boilerplate.”

There are several activities that should be part of your risk management plan, and we will talk more
about them later. First, you need to define the scope of what you will be evaluating, including a
detailed device description and its life cycle. This is also the time to clearly lay out your risk accept-
ability criteria, verification activities, and production and post-production plans. Your plan should
also clearly define the responsibilities of your team.

Putting together your risk management team

About your team…they need to be well qualified. What does that mean? It means you need to make
sure you select people who truly understand how your device works, how it’s made, and how it’s
used. This not simply a collection of friendly colleagues who play no real role in risk management. All
team members need to be qualified to perform their risk management role, and you must provide
objective evidence of their qualifications. After all, your team will be charged with determining what
could happen, how likely it is to happen, how bad it will be if it does happen, and how you can reduce
the likelihood that it will happen. Don’t take this lightly.

Performing a risk analysis of your medical devices

Now that you have a plan and a team, it’s time to conduct an initial risk analysis. This is the point at
which you identify known and foreseeable hazards and then estimate the risk of a hazardous situa-
tion. Before we go any further, let’s distinguish among some key terms:

6 orielstat.com  | 800.472.6477
 RISK ANALYSIS RISK ESTIMATION RISK ASSESSMENT RISK EVALUATION
Process of
comparing
Systematic use of Process used to
Overall process the estimated risk
available assign values to
comprising a risk against given risk
information to
identify hazards
and estimate a risk
+ the probability of
occurrence and
severity of harm
+ analysis and risk
evaluation
= criteria to
determine the
acceptability of
(ISO 14971 2.18)
(ISO 14971 2.17) (ISO 14971 2.20) the risk
(ISO 14971 2.21)

The medical device risk analysis process

A risk analysis is typically conducted when a solid prototype of the device has been built and is then
periodically updated as the design evolves. The first step in the analysis is to start by asking ques-
tions. Annex C in ISO 14971 has a long list of questions to get you started. It’s a good idea to create a
risk analysis checklist based on Annex C that is customized to your specific devices. Using Annex C
and/or your checklist, you will start to identify known and foreseeable hazards.

Put yourself in the shoes of the user or patient. What could go wrong during typical use situations?
Could the device be misused in a way that would cause harm? Are there other similar products on the
market? What has gone wrong with them? FDA databases, published journal articles, online product
reviews (consumer devices), and user interviews are good sources for such information. Your existing
design control program can also yield useful information and Annex D is a good starting point. The
extent to which you perform this analysis largely depends on the risk classification of your device.

ESTIMATE
IDENTIFY KNOWN ESTIMATE ESTIMATE
PROBABILITY
OR FORESEEABLE PROBABILITY SEVERITY
OF HAZARDOUS
HAZARDS OF HARM OF HARM
SITUATIONS

800.472.6477  |  orielstat.com 7
 Hazards and harms
After you have identified hazards and associated harms, you need to estimate the probability that
they will occur. Not all hazards will result in harms.

HAZARD HAZARDOUS SITUATION HARM

Circumstance in which a Physical injury or damage
A potential source of harm > person, property, or the
environment is exposed to
> to the health of people or
damage to property or the
a hazard environment

Annex E of ISO 14971 shows the relationship between hazards, hazardous situations, harm, and foreseeable
sequences of events.

You need to perform an in-depth analysis, looking at the role of the user and use environment. Here’s
an example. Let’s suppose you make a blood glucose meter. Your product displays the most important
readings in very large text. If you examine the screen while sitting in your office, you might assume
that the probability of a misread by the user is quite low. But what happens when you take it outside
into bright sunlight? Is the display screen highly reflective? Can you clearly read everything using
sunglasses? How about in low light? Is the battery meter clearly visible and does it provide adequate
warning of battery depletion? These are potentially hazardous situations and your mission is to
estimate the probability of those situations. Regulators expect you to anticipate these issues. Never
blame the user.

Let’s go back to the battery indictor issue we just mentioned. In this case, the “hazard” might be a
battery indicator that is too small on the LED screen and without any supplemental warning light to
signal that the battery is very low. A “hazardous situation” that might result involves users who need
to check their insulin level right away, only to find their glucose meter is out of power. If the users do
not have a way to recharge the meter for 2 hours, they may simply guess how much insulin they need
based on how they are feeling. The harm that could result is hypo- or hyperglycemia caused by
improper dosing of insulin. This risk can be mitigated by making the battery meter larger, and/or
by adding a supplemental visual or audible indicator by which the battery warns users that
recharging is needed.

HAZARD
+ FORESEEABLE
EVENTS + HAZARDOUS
SITUATIONS = ESTIMATE OF
RISK

8 orielstat.com  | 800.472.6477
Estimating the probability of harm
Risk is a combination of the severity of a harm and the probability that it will occur. Clause 4.4 of
ISO 14971 requires you to estimate the probability of harm. But how is that done? You can reference
historical data or published FDA data, and try to better understand typical use scenarios. A qualita-
tive probability table similar to the one shown below will help you tackle this process of evaluating
potential hazardous situations. You can also do something similar using a numerical system, rating
the severity of the harm. Annex D provides some guidance on risk analysis concepts, including risk
estimation, but you can create your own scale and descriptors as long as you define them in your risk
management procedure. Keep in mind that harms can have levels of severity. An example of this
would be burns.

Qualitative Probability Table

SEVERITY OF HARM
Negligible Minor Serious Critical Catastrophic
Minor injury or Limited injury or Medically reversible Permanent injury Life-threatening
property damage property damage injury or significant or serious property injury or
property damage damage catastrophic
property damage

Frequent
Happens with
almost every use CONTROL UNACCEPTABLE UNACCEPTABLE UNACCEPTABLE UNACCEPTABLE
of the device

Probable
PROBABILITY OF OCCURENCE

Occurs the
majority of times CONTROL CONTROL UNACCEPTABLE UNACCEPTABLE UNACCEPTABLE
but not with every
use

Occasional
Occurs with
increased ACCEPTABLE CONTROL CONTROL UNACCEPTABLE UNACCEPTABLE
frequency

Remote
More than one
occurrence per ACCEPTABLE ACCEPTABLE CONTROL UNACCEPTABLE UNACCEPTABLE
year but still
unlikely

Improbable
Less than one
occurrence per ACCEPTABLE ACCEPTABLE ACCEPTABLE CONTROL CONTROL
year; isolated
events

800.472.6477  |  orielstat.com 9
 Ultimately, risk estimation should be viewed as a data-driven process. Gather as much quantitative
information as possible from your complaint-handling files, published standards, technical data,
clinical data, results of investigations, expert opinion, field data, MDRs, and test data. You can docu-
ment it using Excel, software tools, or a simple list.

Choosing the right medical device risk evaluation tools

Unless you have prior experience with risk management, it can be perplexing to figure out which risk
evaluation tools are best suited to your situation. There are many options, each with pros and cons.
The one(s) you use will depend on your product and company culture, among other things. It would
take far too long to go into depth about the options available to you, but on the next page is a list of
some of the more commonly used tools.

Using this list as a starting point, research the various options and find the best fit for your situation.
Typically, it is optimal to use more than one tool and a combination of top-down and bottom-up tools.

Controlling medical device risks

Now that you have identified the risks, analyzed their severity, and assessed their likelihood to occur,
it’s time to look at how those risks can be controlled. Clause 6 of ISO 14971 deals with this issue. You
will confront the following questions:

• Can we reduce the risk?

• What is the best way to do it?
• Did the risk control work?
• Is the residual risk acceptable?

That last question about the acceptability or residual risk is important. There is a significant difference
between ISO 14971:2007 and ISO 14971:2012 about this issue, more specifically ALARP (as low as
reasonably possible) and AFAP (as far as possible).

10 orielstat.com  | 800.472.6477
Commonly Used Risk Evaluation Tools
BOTTOM-UP TOOLS HOW IT IS USED
Preliminary Hazard Analysis “What if” analysis that takes a hazard and traces it to harm. Useful early
(PHA) in the risk management process.

Failure Mode and Effects “What if” analysis that takes a failure and traces it to an injury or hazard.
Analysis (FMEA) Often used in design and process phases. Focuses on one piece of the
puzzle, but don’t rely on it alone for your risk management process. Best
for manufacturing and use instructions.

Failure Mode, Effects, and Builds on the FMEA model but adds risk evaluation, including severities
Criticality Analysis (FMECA) and probabilities.

TOP-DOWN TOOLS HOW IT IS USED

Ishikawa or Fishbone Imagine this as a diagram resembling an artery with veins that branch off
(Cause-and-Effect) Diagram from it. It starts with six primary possible causes (veins) and then
branches off further to show more specific causes related to that primary
potential cause.

Fault Tree Analysis (FTA) Starts with failure and works back to the component. Focuses on the big
picture, unlike FMEA. Good choice for design activities. Use with FMEA
for new design technology unless failure modes are unknown.

MORE TOOLS HOW IT IS USED

Brainstorming Generates a wide variety of ideas. It’s important to crystalize the true
objective so time is not wasted. Clusters can be then grouped to form an
Ishikawa diagram.

Turtle Method Starts with a process and examines factors that influence the process
such as training, equipment, procedures, installation, etc.

Hazard Analysis and Critical Identifies various errors and hazards in production processes that can
Control Points (HAACP) cause finished products to be unsafe. Designs measurements to reduce
risks to a safe level.

Hazard and Operability Analysis Assumes accidents are caused by deviations from design or operating
(HAZOP) intentions. Uses keywords to focus attention on specific aspects of
design intent or associated process condition.

800.472.6477  |  orielstat.com 11
 ALARP or AFAP?
An important part of the risk analysis process is to ensure that you do not introduce
new hazards in your quest to eliminate or minimize hazards. FDA describes their
expectations about risk-based decisions. In 21 CFR Part 820, FDA states that if any
risk is judged to be unacceptable, it should be reduced to acceptable levels by the
appropriate means, which may include a redesign or warnings. Similarly, ISO
14971:2007 espouses the general concept of reducing risk to ALARP (as low as
reasonably possible). The key word here is reasonable, which is open to interpreta-
tion. In practice, within reason includes a consideration of “state of the art” from a
technical perspective. Although Annex D does mention the “cost of further reduc-
tion” in the definition of practicability, it is never acceptable to trade off device safety
against cost, so don’t even put that in your justification. The rationale for these
decisions must be documented in your risk management file.

ISO 14971:2012 – the version of the standard required for medical devices sold in
Europe – embraces the concept of reducing risk AFAP (as far as possible), which
leaves no room for interpretation. It ignores economic arguments altogether. If a
risk exists, you are required to reduce it to acceptable levels and explain why it
cannot be reduced further.

12 orielstat.com  | 800.472.6477
Risk Management Flow Chart (ISO 14971:2012)
RISK PLAN

ANALYSIS

START Risk Management Intended Use: Identify Identify Known or Foreseeable Hazards (4.3)
AND

Plan (3.4) Characteristics (4.2)

Estimate Risk for the Hazardous Situations (4.4)

EVALUATION

NO
RISK

Is risk reduction
necessary? (5)

YES

Identify appropriate risk control measure(s),

record risk control requirements (6)

Is the risk NO
reducible? (6.2)

YES

Implement, record, and verify

appropriate measures (6.3)
YES
RISK CONTROL

NO Is the residual risk

acceptable? (6.4)
YES Do medical
benefits outweigh the
residual risk?
(6.5)
Are new
YES hazards or hazardous
situations introduced or NO
existing risk affected?
(6.6)

NO

NO Are all
identified hazards
considered? (6.7)

YES
RESIDUAL RISK
EVALUATION
OVERALL

Do medical
NO Is overall residual benefits outweigh NO
risk acceptable? the overall residual
(7) risk? (6.5)
YES
REPORT

Prepare risk management report (8)

RISK

UNACCEPTABLE
Review production and post-production information (9)
INFORMATION
PRODUCTION

Is
POST-

YES reassessment of NO
risk necessary?
(9)

800.472.6477  |  orielstat.com 13
 Hazard does not equal harm
Risk management is the process of reducing risk. However, sometimes the likelihood of harm result-
ing from a hazard is quite low and mitigating that hazard may not provide any tangible reduction in
risk – in fact, it may diminish your device’s benefits. Here’s a quick example. Let’s say you produce an
IV bag stand. To reduce the likelihood of it getting knocked over, you could make the caster base legs
25% wider. However, doing so would introduce a new hazard: wider base legs increase stability but
also increase the tripping hazard. If the likelihood of the stand getting knocked over is low, you may
actually increase overall risk. To avoid making the wrong decision, evaluate risks using a disciplined,
planned process. In your risk management file, document the hazards you identify and the rationale
behind the decision to control or not control those risks. Remember, you cannot trade off safety
for cost!

Your risk management file must include evidence that you have conducted the following for each
identified hazard:

• Risk analysis
• Risk evaluation (probability, severity)
• Implementation and verification of risk control measures
• Assessment of the acceptability of residual risk

Residual risk: Avoiding analysis paralysis

The number of possible hazardous scenarios is limited only by imagination. Does that mean you must
document all possible risks, including the likelihood that Godzilla will invade your city and crush your
manufacturing plant? No.

Annex I of the European Medical Device Regulation (2017/745) says that you should “reduce risks as
far as possible” without adversely impacting the benefit-risk ratio. This is in line with the concept of
AFAP introduced in ISO 14971:2012 and discussed earlier. The US FDA also publishes an excellent
guidance document discussing the risk-benefit evaluation process for medical devices. Ultimately,
FDA recommends that you take the following factors into account:

• Type of benefit – quality of life, relief from symptoms, reduced probability of death, etc.
• Magnitude of benefit – anticipated change in condition or clinical management
• Probability of benefit – can be based on prior investigations, demographics, health status, etc.
• Duration of benefit – curative or repeated interventions required
• Availability of alternatives – safety and effectiveness of other options

14 orielstat.com  | 800.472.6477
To ensure that you do not go overboard in analyzing residual risks, it is important to establish a
systematic process and focus on the risks that are within your control. Therefore, choosing the right
risk management team is extremely important. You need to assemble people who fully understand
how your device is manufactured, distributed, and used – someone without any knowledge of how
your device is manufactured will not be able to foresee scenarios that could create hazardous situa-
tions. If you are missing expertise in one area, you may miss potential harms to evaluate and control.

Compiling your findings in your risk management report

Your risk management report documents the conduct and results of your risk management activities.
It becomes part of your larger risk management file, which includes or references all required docu-
ments and provides traceability for each hazard. Your risk management file is what you will use to
demonstrate compliance with standards and regulations. Be judicious with the amount of informa-
tion contained in the risk management report – it’s a useful internal reference, but it may contain
more information than you need to show auditors. Instead, you should compile a risk management
report summary to provide to auditors and executive management.

DEVIATIONS

RISK MEDICAL
ASSESSMENTS BENEFITS

Risk
Management
Report RISK-BENEFIT
CONCLUSIONS
SUMMARY

RISK OF
CONCERN

800.472.6477  |  orielstat.com 15
 Post-production risk management
Once your device is for sale on the market, congratulations: your risk management work is complete.
Ok, just kidding – your work is never complete! Risk management is a continuous process. Typically,
you will find yourself dealing with two types of post-production issues:

Once your device is for sale on the market, congratulations: your risk management work is complete.
POST-PRODUCTION ISSUES
Ok, just kidding – your work is never complete! Risk management is a continuous process. Typically,
INCIDENT-DRIVEN
you will find yourself REVIEW-DRIVEN
dealing with two types of post-production issues:
Requires your immediate attention Discovered during data analysis

Your risk management process should document both pathways for analysis. As part of your ongoing
efforts, you should be evaluating complaints, incidents, product failures, and design process changes
for potential safety impact. You will also take into account any changes in installation, use, and servic-
ing. Are previously unrecognized hazards present? Is the estimated risk no longer acceptable? Is the
original assessment still valid? Possible triggers include:

• Design/materials changes
• Manufacturing changes
• Vendor changes
• Complaints
• Medical device record
• Incidents
• Near-incidents
• Malfunctions

You are required to analyze all incidents, near-incidents, and malfunctions to categorize their risk
level. Your assessment must be documented, becomes part of your risk management file, and may
result in a corrective and preventive action (CAPA) or having to file a vigilance report or other regula-
tory notification.

Pulling it all together

Risk management plays a vital role in promoting the safety of medical devices. A well-designed
program of risk management certainly benefits patients or users but can also yield positive returns in
the form of higher user satisfaction and more insights into how you make your products better.
Top-tier companies take the responsibility very seriously.

16 orielstat.com  | 800.472.6477
Want to learn more?
Call 1.800.472.6477 or visit www.orielstat.com
Oriel STAT A MATRIX has been assisting medical device manufacturers with compliance issues for
over 50 years. If you are just starting out to set up a risk management system in your company, you’ll
definitely want to check out our intensive training course on ISO 14971 and risk management. Our
expert consultants can also provide hands-on risk management support.

Let us help you make sense of it all.

VIEW PUBLIC RA/QA VIEW RA/QA

TRAINING SCHEDULE CONSULTING SERVICES

800.472.6477  |  orielstat.com 17
 MT-007-0918

1095 Morris Avenue, Suite 103B

Union, NJ 07083
© Oriel STAT A MATRIX