Risk Management & Medical Devices: 4 Common Problems to Avoid

Risk management has become a central focus for regulators over the past few years, a point underscored by this year’s draft revision to ISO 13485.

Despite this, many device manufacturers don’t go far enough to incorporate the guidelines established in ISO 14971—exposing themselves to vulnerabilities and weaknesses investigators are looking for during inspections.

To help you reinforce your risk management system and avoid potential issues, we’ve pulled together a few of the most common issues companies face along with advice on mitigating them.

Grab our free white paper for a complete list of recommendations for medical device companies in 2016.

1. Ignoring EN ISO 14971:2012 for the European Market

For manufacturers with products in the European market, EN ISO 14971:2012 is your standard. In the simplest terms, it connected ISO:14971:2007 with three key EU Medical Device Directives 90/385/EEC, 93/42/EEC and 98/79/EC.

EN ISO 14971:2012 introduced what’s come to be known as the “Z” annexes (ZA, ZB, and ZC). Before 2012, these were simply informative in nature, but the updated ISO made them required for the EU market.

It’s important to note that there has been ongoing debate among industry professionals as to what these annexes actually require, but without stepping too far into these gray areas, here are a few of the key takeaways the Z annexes present:

• Reduction of risks “as far as possible” rather than “as low as reasonably practicable”
  
  
• A requirement to establish risk control measures for all risks, not just those that are unacceptable
  
  
• Required risk/benefit analysis for all risks
  
  
• A requirement that risk reduction must go beyond the information provided to the user

Key Takeaways

One of the most common problems raised by this updated ISO is how items in the risk management matrix are coded. Since “As Low As Reasonably Practicable,” or “ALARP” is no longer acceptable, companies should make sure to update their logs accordingly by reclassifying risks labeled "ALARP" as either high or low risks.

While this is an immediate short term solution, companies subject to this ISO should ideally stop using these matrices altogether, and instead, develop a system that shows that risks are reduced AFAP by giving objective evidence that all possible risk control options were considered and implemented.

2. Treating Risk Management and Design Controls as Distinct Processes

Risk management and design controls share the same fundamental aim of ensuring devices are safe and effective.

Although it’s usually understood that both of these areas run parallel to each other when developing a product, many companies still treat them separately—a potentially major problem if you’re still in this mindset.

Key Takeaways

Experiences with real-life audits and FDA inspections have made it clear that investigators expect to see how these two processes are connected to each other when reviewing risk management and design history files.

With that in mind, it’s important to show how intended use leads you to identify existing hazards and situations where they might arise along with how that information is used to determine user needs and design inputs.

Similarly, you’ll also need to clearly show how unacceptable risks lead to controls used to mitigate them and how this system feeds into improving product design, verification and validation.

3. Using FMEA As a Risk Management Model for Medical Devices

FMEA is an effective system for evaluating failure modes and the reliability of a product or process, but it’s important to realize it does not fully align with ISO 14971. 

While some have tried to twist FMEA in such a way that satisfies the goals of ISO 14971, it’s recommended manufacturers follow a proven methodology rather than modify another system designed specifically to address device failures alone.

Key Takeaways

ISO 14971 established a complete system for managing risk throughout the entire lifecycle of a device. At its core, this process includes:

• Risk management planning
• Risk analysis
• Risk evaluation
• Risk controls
• Overall residual risk acceptability
• The risk management report
• The Risk management file
• Production and post-production information

Here are some general tips to keep in mind when considering your risk management system:

• Have a complete understanding of ISO TR 24971:2013—“Guidance on the application of ISO 14971”
• Use it as the basis for your risk management procedures
• Keep severity, probability and risk levels simple
• Use your risk management system during and after product design and development

Read our free white paper to learn more about building a reliable risk management system.

4. Treating Risk Management as a Checklist Item

There’s no question the regulatory environment has become more complex, making it easy to find yourself devoting more time and energy to the pressing areas of product development while pushing other tasks farther out on the calendar.

But as FDA continues to put risk management processes under the microscope, it’s critically important to not let these activities wait until later. The risks of waiting are simply not worth it.

Risk management should be a proactive activity that feeds directly into improving product design, not simply a list of items to check off.

Key Takeaways

ISO 14871 gives insight into the “what” along the “how” of risk management. It outlines the steps involved in the process, linking them to the items that should be documented.

To the second point, good documentation accomplishes a couple important tasks:

• Explaining the risks associated with the product to everyone involved in product development and company management
  
  
• Showing regulators you’re adhering to a respected risk management process and are actively using to improve the safety of your products

If you’ve been paying attention to what FDA’s been saying over the past year, it should be clear that the risk-based approach isn’t something coming down the road, it’s happening right now.

As the medical device industry continues to move quickly to address the growing number of risks as devices incorporate more innovative technologies into their products, it’s important to implement risk-based measures throughout your processes and procedures.