The Importance of Risk Management

Risk management is a key component in demonstrating regulatory compliance for medical devices; it contributes to the medical device company’s ability to meet the regulatory requirements for approval from local regulatory authorities. Effective risk management is essential for determining whether the benefits of the product outweigh any potential risk to the patient.

ISO 14971 “Medical devices – Application of risk management to medical devices” is the international standard for the application of risk management by a manufacturer to medical devices, including in vitro diagnostics (IVDs). ISO 14971 is accepted by the TGA and recognized by the FDA as a consensus standard. Within ISO 13485:2016 “Medical devices—Quality management systems—Requirements for regulatory purposes”, the term “risk” is referenced over 15 times, placing more emphasis on risk than the previous revision, where it was mentioned only twice, and therefore ensuring the manufacturer establishes a risk-based approach to the product lifecycle. The expectation isn’t that risk can be completely avoided; however, it can be minimized if the company is aware of the associated risks. ISO 14971 encompasses more than just the risk to the patient; it also considers the risks to others, i.e. equipment, environment and operators. Risk should be managed throughout the lifecycle of the device, from initial concept to the disposal of the device.

ISO 14971 is a risk management tool which ensures that a systematic approach is undertaken when applying risk management throughout the QMS (quality management system). It ensures that management and appropriately trained personnel are involved in making product-related decisions and reviewing effectiveness.

Risk Management Process Flow

1. Risk management framework and planning.
The manufacturer should define the risk management process, define the roles and responsibilities, and document a risk management plan. The medical device and medical device family groups will be within the scope of the plan.

2. Risk analysis.
Risk analysis takes into consideration the intended use and identifies the medical device characteristics which could potentially affect safety. Risk is assessed for each hazardous situation. Risk is the combination of the severity of the potential harm and the probability of the harm occurring. FMEA (Failure Mode and Effect Analysis) is a standard technique used to assess and evaluate potential risks in the design development phase, and its use continues into production.

3. Risk evaluation.
Each hazardous situation is evaluated, and the severity and occurrence of the risk are identified. Consider every foreseeable sequence or combination of events which could result in a hazardous situation. The medical device manufacturer’s risk acceptability criteria are used to determine whether risk reduction is required for the risk. This is documented in the risk management file. The risk management file will facilitate traceability for the medical device.

4. Risk control.
Risk control is used to reduce the risks to acceptable levels and determine whether the benefits outweigh the potential risks. During this process the unacceptable risk is minimized by developing and implementing safeguards within the device or the production process to control the risks. It is important to determine the residual risk. Risk controls must be verified, and the residual risk is then deemed acceptable or unacceptable. Records of each step of risk control are maintained in the risk management file. Residual risk evaluation is performed after all controls are in place and effective. A risk register should be implemented after all risks have been identified and properly controlled.

5. Risk management report.
Prior to the commercialisation of the product, a risk management review should be conducted. The output of this review is the risk management report, which will be incorporated into the risk management file. This should include all actions, reports, assessments and diagrams created during the risk management planning process. It should be a summary report in the form of a summary technical document, i.e. STED, and should indicate all the risk management activities that were performed specific to the medical device or product family identified in the scope. STED is recognised by Australian, European, US, Canadian and Japanese regulators.

6. Production and post production information.
Post production, the manufacturer should develop a medical device monitoring system, which should be documented and maintained. Contributing activities include internal audits, CAPAs, complaints and customer feedback; the results should be recorded in the risk management file. This is a living document.

Medical devices are used every day and should be safe for the patient to use; risk management is a total product lifecycle process. Risk can’t be completely avoided; however, it can be minimized if the manufacturer is aware of these risks and implements an effective risk management system.
The risk management standard for medical devices, ISO 14971, provides the framework for risk management policies, procedures and practices. The standard states that the manufacturer should establish a document of risk analysis, risk evaluation, risk control, and production and post production information, which is used throughout the life cycle of the medical device. It also provides information about expectations of top management, the qualifications of the personnel who perform the risk management, the risk management plan they develop and follow, as well as documentation of the overall procedures.