Risk management – How to Identify, Analyze, and Control Risks?

risk-management

ISO 14971 – Medical Device Company’s risk management standard. Although there are only a few medical device safety measures to consider, ISO 14971 is a widely accepted standard for risk management in medical devices.

Risk Management:

According to ISO 14971, medical device specifications and risk management processes should be documented. The risk management process is a systematic procedure for identifying, categorizing, assessing, and controlling risks associated with medical design, device manufacturing policies, procedures, and practices.

The risk management process is not limited to medical devices; any product development project must include a risk management process and must document the procedures from start to finish. Furthermore, risk management and control are applicable in a variety of situations such as,

  • When a new medical device is developed, or a derivative device is manufactured.
  • Advancement of a specific part of an already released device
  • Modifications to an existing device design
  • Non-conforming and mislabeled devices
  • Changes in the raw materials used in the device, such as changes in manufacturing sites or suppliers and CAPA (Corrective action and preventive action) requests, can pose a risk to patient safety.

The risk management process begins with documenting policies and procedures, creating a risk management file, and evaluating and implementing a risk management plan (RMP).

Risk Management Plan (RMP)

A Risk Management Plan is a written document that outlines the risk management process for a particular medical device. It is a critical document in MDR (Medical Device Reporting) documentation as per 21 CFR Part 803 to obtain CE (European Conformity) marking for medical devices, indicating that the medical device manufacturing process, procedures, and practices meet all regulatory requirements and are authorized to project devices in the market. Furthermore, RMP should be revised and reviewed throughout the device manufacturing process.

Must plan all risk management activities ahead of time. The plan lays out a strategy for risk management activities to be carried out throughout the medical device’s life cycle. The risk management strategy must include the risk acceptability criteria for the medical device to be developed. The criteria’s inclusion in the risk management plan helps ensure an objective assessment of the residual risks later in the process.

Importance of Risk Management

  • Risk assessment is a legal requirement.
  • It helps save unnecessary costs associated with product or device recalls by identifying design flaws early on, ensuring the safety of the medical device for the patient or end-users.
  • It includes risk analysis, evaluation, and risk control measures in regulatory submissions.
  • It provides insights into planning and implementing preventive measures to avoid product liability damages.
  • It ensures that the medical device is safe and effective in its intended use.
  • Potentially dangerous medical products/devices on the market are kept away.
  • It increases the credibility of the manufacturer and the company.

Risk Management Process for Medical Devices

Risk management is now a requirement for medical device manufacturers. The risk management requirements are created based on the risk analysis and stated in broad rather than specific terms. Reduce risks as much as possible while maintaining a high level of health and safety protection. The regulations established a procedure for medical device manufacturers to investigate product safety by identifying hazards and estimating risks based on available data.

To manage risk first, identify Hazards. To analyze and evaluate risk, use the potential consequences of a threat. The risk estimation is compared to the medical device risk-acceptance criteria, and if it is too high, the risk must be reduced through risk control measures. It cannot be eliminated as the risk is assessed and managed. To manage and to control the risk, the risk management process framework includes the following,

  • Document the process of what should be done and how to reduce risk.
  • Define who is responsible for authorizing the risk analysis and who is in charge of risk control measures.
  • Review the risk evaluations and estimates with the quality board.
  • Define the skills and knowledge needed to implement risk assessment methods and train employees who lack these abilities.
  • Create and keep written documentation to show policy and procedure adherence.
  • Include validation checks to ensure that the procedures followed are under the risk management procedures and policies.
  • Check for the effectiveness of the risk management process.

Risk Identification

Preliminary hazard analysis (PHA) is a technique used early in the product development process to assist manufacturers in identifying hazards, sources, or events that could cause harm while the device is still in the manufacturing phase. This technique is helpful for management in determining whether or not to proceed with developing a specific product if the risk evaluated is high and helps to list out the measures to mitigate the risk during the development phase.

Manufacturers expect to know the possible hazards of the medical device during the identification phase of the risk management process. The sources of hazards like the raw materials used, machines in the manufacturing sites, package information, etc.,  are significantly overlooked. The sources of hazards are monitored continuously to protect the device and the users during manufacturing, transportation, and storage.

A clinical hazard list (CHL) is a technique for claiming the device’s completeness. It lists the foreseeable hazards that could occur while using the device from the end-user perspective, but CHL cannot be used to estimate the hazards caused by the device. Manufacturers should use HAL (Harm assessment list) in conjunction with CHL and PHA to identify, evaluate and estimate the harm.

Risk Analysis

Risk analysis will assist the company in defining the intended use of the medical device, which will aid in risk management efforts. It will also help in focusing on potential sources of harm. At this stage, identify the foreseeable hazards and determine the cause to analyze the estimated risk associated with the cause.

Risk Estimation

Risk Estimation is when determining the severity and probability of risk will aid in quantifying or estimating the potential risks associated with the medical device. During this phase, potential hazards’ causes and effects are specified in a table known as the Risk Assessment and Control Table (RCAT). This table, also known as a risk analysis chart, risk matrix, or risk table, is considered the heart of risk management. This table provides an overview of potential risk hazards, scenarios, causes, and control measures to reduce the estimated risk as much as possible and the hazard that requires immediate attention.

Risk Evaluation

The risk evaluation phase involves determining the risk and further evaluating the factors to reduce the risk or hazardous situation as much as possible, and then implementing additional risk control methods. This phase evaluates the risk-benefit analysis to determine whether the potential risk outweighs the potential benefits. If the result is positive, the benefits outweigh the risks, and the RCAT should be updated with additional risk-control measures. If the outcome is negative, indicating that the risks outweigh the benefits, the device cannot be released to the market.

 Risk Control

The goal is to mitigate and control the risk to reduce and manage it to an acceptable level. Risk management measures can be implemented from the initial design input stage to the development life cycle. There are several methods for risk control:

  • The device or product can be recalled or can be changed to the device or product design.
  • Define protective and control measures to reduce the likelihood of harm occurring.
  • Clearly define the instructions on the label regarding the device’s harmful effects.

Hazardous Analysis Report (HAR) and Risk Management Report (RMR)

The HAR is a comprehensive report that is generated immediately following the RCAT (Risk assessment and control table). The potential hazards of the device are defined and created as part of the RMR (risk management report). The RMR is created to provide a detailed view of the documented device specifications and serves as a regulatory document outlining the procedures and processes used in risk management, assuring the reviewer that the medical device is safe to use. If the regulatory board approves the medical device on the market, the risk management process will continue indefinitely.

Final Thoughts

The most important thing to remember is that risk management strategy and plan are not limited to the design and manufacturing processes. Documentation is an essential step in the device development life cycle process. It is critical to keep track of the processes, procedures, actions, reports, and assessments related to the design and device manufacturing and development life cycle process, as well as the risk control methods and their effectiveness, in order to assess the risks associated with risk control measures.

For more information on Risk Management and its strategies, don’t hesitate to get in touch with us at sales@complianceg.com

Contact Us

FAQ's

What is a risk management analysis?

Risk management analysis is a regulatory process that consists of a series of measures designed to reduce risks to an acceptable level. It is a set of techniques with defined processes and practices for minimizing and eliminating risks. Proper risk analysis aids in the elimination of potential harm that may occur soon. It is a proactive rather than a reactive process.

How do you write a risk analysis?

 Identifying the risks is the first step in creating a risk analysis. Make a list of potential and foreseeable hazards that could occur in all aspects, such as from the end-users perspective, the manufacturing and development process, defining the level of uncertainty and risk sources. Furthermore, evaluate and estimate the risk, as well as analyze the risk, to implement control measures that will lessen the impact of the negative event.

What is the risk management process?

 The risk management process consists of a series of steps that include identifying, analyzing, managing, and controlling risks and hazards associated with a medical device. Each phase of a risk management process is thoroughly documented to demonstrate the manufacturer’s commitment towards managing risk throughout the life of the medical device and to assure the reviewer that the developed device is safe to use.

What is the difference between risk management and risk analysis?

Risk management is an overview of the risk process that includes a series of measures such as risk identification, assessment, analysis, evaluation, and estimation to mitigate and control risks to an acceptable level. Within the risk management process, Risk Analysis is a micro-level process. It clearly defines the risk and its ramifications.

What is the first step in risk analysis?

Risk analysis is an important step in the risk management process. By estimating the hazards, it assists manufacturers in identifying and assessing the likelihood of hazards occurring and their impact. It also provides them with insights into the planning of risk control measures to manage and mitigate risk.

The first step in risk analysis is to identify the risk. Make a list of potential internal and external hazards that could affect the development process or device feature specifications, and analyze the negative impacts as thoroughly as possible.

What is an example of prevention as a risk management strategy?

Risk cannot be eliminated, but it can be reduced to a manageable level by reducing the severity of hazards. Changing procedures, processes, and strategies are some examples of risk prevention measures.

Preventive measures include, for example, changing the formulation to remove hazardous ingredients, changing the design of the device, and so on.

What is risk identification and assessment?

Risk identification is identifying the risk and its sources whereas risk assessment is analyzing the risk and its impact. The tolls for risk identification and risk assessment are not the same.

What is identification in risk management?

The process of identifying risk entails recognizing the risk, its sources, and the impact on achieving the device’s desired specification as defined. It entails meticulously documenting the risks to lay the groundwork for risk mitigation plans.

What are the methods of risk identification?

There are various approaches for identifying risks and the approaches depend on the type of project management.

  • Checklist Analysis
  • Brainstorming
  • Casual mapping
  • SWOT Analysis
  • Flowchart method

What is the most important step of a risk management plan?

The risk assessment, also known as risk recognition, is the first step in the risk management plan. This phase focuses on identifying and describing potential risks that could have a negative impact on the device’s market release.

What are the five main categories of risk?

  • Compliance Risk
  • Quality and process risk
  • Operational Risk
  • Reputation risk
  • Financial risk

What are the main objectives of risk management?

The primary goal of risk management is to assist manufacturers in planning the risk assessment prior to completing the development of medical devices in identifying the hazards associated with the medical device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls to release the safe medical device into the market for the intended use.