With the release of ISO 14971:2019 and ISO/TR 24971:2020, medical device manufacturers are undertaking comprehensive gap analyses to ensure compliance with the updated standard and its accompanying guidance.
As an effective risk management process evaluates potential hazards during design, production, and post-production activities, it’s easy for manufacturers, especially startups and those new to the industry, to overlook critical risk factors.
Use this practical resource to navigate the complex risk management landscape.
Following, you will find:
- A summary of the basic components of a risk management strategy
- An overview of common risk management planning and implementation challenges
- Four best practices for implementing changes to your risk management strategy
Back to Basics: Risk Management Plan (RMP), Risk Analysis, and Risk Management Report (RMR)
Before diving into implementation, it’s essential to understand the three-step process behind your risk management strategy.
First is the Risk Management Plan (RMP), which includes:
- Scope of the plan
- Risk analysis methodology (HAZOP, FMEA)
- Classifications for severity, probability, and detectability
- Risk Index (RI) evaluation matrix with acceptable, as-far-as-possible*, and not acceptable thresholds
- Risk Priority Number (RPN) evaluation matrix with acceptable, as-far-as-possible* & not acceptable thresholds
- Indication if a DFMEA, PFMEA and/or AFMEA are required
- Identification of specific processes (production & post-production) that shall require verification activities for risk control measures
- Activities for review of relevant production and post-production information
*As-far-as-possible is used to mean that iterative risk control measures are applied excluding economic or business decision making.
Second is the Risk Analysis, which includes:
- Design Failure Mode & Effects Analysis (DFMEA)* to assess risks inherent in the device design and associated risk control measures
- Process Failure Mode & Effects Analysis (PFMEA)* to assess risks in the manufacturing processes that generate parts, sub-assemblies, and final assemblies of the device
- Application Failure Mode & Effects Analysis (AFMEA)* to assess risks and risk control measures related to the user interface of the device
*Note: Reference Annex A of ISO/TR 24971:2020 for identification of potential hazards. Not all devices require a DFMEA, PFMEA, and AFMEA – the requirement should be documented in your RMP.
Third is the Risk Management Report (RMR), which includes:
- Summary matrix of RI results for initial risk evaluation before any mitigating actions
- Summary matrix of RPN results for residual risk after mitigating actions
- Overall residual risk evaluation taking into account all of the residual risk RPN values to determine if the residual risk is acceptable or unacceptable in accordance with the established criteria in the risk management plan, reported, and intended use.
- Benefit-risk analysis to assess risks that are not found to be acceptable, cannot be further mitigated, and do not meet defined acceptance criteria. The residual risk needs to outweigh the expected benefits of the intended use.
Relevant literature, as well as a team of medical and clinical experts, are essential to this phase. Even before the ISO 14971:2019 update, manufacturers were required to have processes to document risk planning, analysis, and reporting.
This three-step process is the foundation of any comprehensive medical device risk management strategy.
Risk Management Planning and Implementation Challenges
Having worked with dozens of clients on their risk management strategies, I see numerous roadblocks that prevent a smooth implementation.
Here are three of the most common challenges our team encounters:
- Assuring the appropriate individuals participate in the initial or subsequent risk analysis activity. Not having the right people at the table is itself a risk. From the engineers and marketing team to the customer complaint department and manufacturing, excluding various perspectives prevents your quality team from seeing potential hazards.
- Failing to account for all potential hazards. The good news is there’s a list of potential hazards found in ISO/TR 24971:2020 Annex A. The bad news is not everyone knows about it and have implemented RMPs without adequately evaluating the risks.
- Neglecting to incorporate protocols for periodic effectiveness checks. QA Consulting recommends manufacturers conduct effectiveness checks on a device and its associated manufacturing processes if complaint trends are seen and at least annually.
4 Risk Management Implementation Best Practices
To overcome these common challenges, here are four best practices:
- Develop a comprehensive RMP as described above.
- Generate DFMEAs, PFMEAs, and/or AFMEAs as required by your RMP, assuring that the appropriate individuals participate in the brainstorming process. Individuals should include representatives from engineering, manufacturing, quality (QC and/or QA), regulatory, technical support, clinical, and an end-user or practitioner (if possible).
- Conduct a risk evaluation for each identified hazardous situation in accordance with the RMP.
a. If the risk is deemed not acceptable, additional risk control activities are required.
b. If the risk is found acceptable, the estimated risk becomes part of the residual risk evaluated in the benefit-risk analysis.
c. A benefit-risk analysis is performed for risks that are not judged acceptable per the RMP, and for which further risk control is not practicable. Note: benefit-risk analysis should not be based on business decisions.
- Create a detailed RMR as described above.
Lean Into Our Real-World Risk Management Implementation Expertise
Working with QA enables your organization to lean into the breadth of knowledge our team has gained from a variety of risk management implementations.
There is no one-size-fits-all approach as every device presents its own unique potential hazards. Tapping into our experience with medical device risk management and utilizing the SOPs and templates we’ve perfected over the years can help your organization upgrade its risk management strategy in compliance with ISO 14971:2019 and ISO/TR 24971:2020.