The role of risk management for medical devices is not just a regulatory expectation, it’s a critical part of designing, developing, and manufacturing safe and effective devices for patients.
There can be so many parts and pieces involved throughout the life cycle of a medical device that sometimes risk management activities can appear quite onerous. Especially when everything comes back to the seemingly subjective question of: Am I effectively managing risk?
A key part of answering “yes” to this question, and doing so with confidence, involves following a planned, disciplined risk management process in which risk is thoroughly evaluated, controlled, and reduced to acceptable levels.
There are a handful of risk management tools used in the medical device industry to help manufacturers manage risk. This article will take you through some of the most commonly used tools and methods, so you can make an informed decision the next time you’re considering which one to use.
FREE RESOURCE: Click here to download our previously confidential Risk Management Plan Template.
The purpose of risk management tools is to help manufacturers identify and analyze risks before then taking action to prevent, mitigate, or reduce those identified risks to acceptable levels.
Regardless of which risk management tools you’re using, you should always document your processes, any identified risks, and rationale scrupulously in a living risk management file. Your risk management file will prove to be an instrumental asset throughout the life cycle of your medical device.
You might wonder, how far do you have to go with your risk management using these tools? Must everything be considered for a device to be safe and effective?
A good rule of thumb is to focus on risks that are within your control. Clauses 7.4 and 8 of ISO 14971:2019 emphasize the need to evaluate residual risk, while Clause 3.15 provides guidance on how to minimize known and foreseeable risk — your evaluation process should include definitions for both of these types of risk.
It’s important that your most knowledgeable people, in terms of the design, manufacture, distribution and use of your device, are involved with the risk identification and evaluation process. This way you can more accurately work on those “foreseeable” risks.
Here are some commonly used risk management tools in the medical device industry:
Preliminary Hazards Analysis (PHA)
Failure Modes and Effects Analysis (FMEA)
Fault Tree Analysis
Some other tools, such as Fishbone or Ishikawa diagramming and brainstorming are also commonly used, but let’s take a closer look at these three risk management tools for the purpose of this article:
Preliminary Hazards Analysis (PHA) is known as a “top-down” risk-based tool used in the situation where you have an identified hazard and must ask “what if” to identify possible harm. This tends to be most useful at the early stages of the design and development process and you could look at it as establishing the baseline hazards associated with the device.
The essence of a PHA involves listing all of the major components and operating conditions for the device, then evaluating each for its potential hazards.
For example, in a device with connected software, an obvious risk is a data or privacy breach for the patient. You would ask “what if” questions, like “what if someone was able to access data that is transmitted from the device?” You’d then go down the road of asking “will that data identify the patient and breach their privacy in some way?” What happens if it does?
Like any risk analysis method, PHA has its pros and cons. For example, a pro is that you can do this analysis early on in the product life cycle, and doing so can help to inform your design of potential failure scenarios to avoid. A con of this method is that, given that it is done at an early phase, you often have insufficient data to truly evaluate the likelihood of a hazard.
Given that it is a brainstorming exercise, it’s also possible that there will be hazards that just aren’t on your radar at that early stage. There have been many occasions where medical device companies have reached clinical testing, or even begun marketing their device before a hazard became truly evident.
Failure Modes and Effects Analysis (FMEA) is another “bottom-up” risk analysis tool that uses a “what if” approach for failures to be traced back to a hazardous event. This is another tool that is usually used in the early phases of the design and development process.
This is probably one of the most commonly used methods for risk analysis among device manufacturers and is a way to systematically assess failures in a specific design, process, or system, then list the consequences of the failures. The risks associated with those failures are then evaluated, and a plan is made to mitigate or eliminate the risk.
The FMEA process is time-consuming, but on the plus side, it is thorough when used as intended. One thing to know is that FMEA is not ISO 14971, in terms of its risk management approach, nor is it a tool to evaluate device safety - using it in this way does not align with ISO 14971 guidelines.
Fault Tree Analysis (FTA) is a top-down risk analysis tool. This means it starts with a failure and works back to the component. Fault tree analysis maps the relationship between faults, subsystems, and redundant safety design elements by creating a diagram, using boolean logic, of the overall system.
Essentially, an FTA starts with the “big event”, like an injury done to a patient or operator. It then works backward through several levels or “logic gates” on the tree that lead to reasons why the failure would happen. For example, if the injury happened due to mechanical failure, why was there a mechanical failure?
The Fault Tree Analysis method is best used for uncovering future events that may lead to a major fault or failure. It works well in conjunction with FMEA analysis and other tools. The greatest benefit is that FTA can increase visibility into events most likely to lead to failures. A limitation is that you may have only a small amount of failure data.
FREE RESOURCE: Click here to download our previously confidential Risk Management Plan Template.
One thing to remember is that these tools are meant to serve as a starting point in your risk management program. We recommend having a dedicated workflow for your risk management processes that includes subprocesses for risk analysis, risk evaluation, and risk control.
Your risk management process must include each of the following:
Risk Management Plan
Risk Analysis
Risk Evaluation
Risk Controls
Overall Residual Risk Acceptability
Risk Management Review
Production & Post-Production Information.
You also need to be able to prove that you have done all of this thoroughly and in accordance with the applicable standards and regulations where you plan to market your medical device. Your risk management file needs to be a living document that is always kept up-to-date.
To this end, it’s important to have a purpose-built QMS software that aligns with the latest industry best practices and regulatory guidelines. Greenlight Guru offers the only Risk Management Software built exclusively for medical devices.
The dedicated workflow allows you to keep your risk management file up-to-date and living throughout the entire lifecycle. Users also benefit from conducting risk analysis evaluation in a closed-loop QMS environment with full traceability of all related processes and data.
Medical device market leaders use Greenlight Guru to seamlessly integrate their risk management process throughout the entire QMS so risks are identified and prevented early, saving time and money.
Join the ranks by getting your free demo of Greenlight Guru and take control over your risk management once and for all.
Looking for a design control solution to help you bring safer medical devices to market faster with less risk? Click here to take a quick tour of Greenlight Guru's Medical Device QMS software
Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.