Featured Product
This Week in Quality Digest Live
FDA Compliance Features
Jón Bergsteinsson
Understanding the standard is essential
Stephanie Ojeda
The FDA’s new QMSR will harmonize with ISO 13485 for medical device quality management
Steve Thompson
An excellent technological tool that improves quality and compliance
Kelley Jacobsen
Amid rising prices, medical device supply chains need greater scrutiny and standardization
Jennifer Chu
Findings point to faster way to find bacteria in food, water, and clinical samples

More Features

FDA Compliance News
Streamlines annual regulatory review for life sciences
Facilitates quick sanitary compliance and production changeover
Creates one of the most comprehensive regulatory SaaS platforms for the industry
Company’s first funding round will be used to accelerate product development for its QMS and MES SaaS offerings
Showcasing tech, solutions, and services at Gulfood Manufacturing 2022
Easy, reliable leak testing with methylene blue
Now is not the time to skip critical factory audits and supply chain assessments
Google Docs collaboration, more efficient management of quality deviations
Delivers time, cost, and efficiency savings while streamlining compliance activity

More News

Jon Speer

FDA Compliance

Key Challenges for Risk Management in Medical Device Development

A proactive approach in a high-risk sector

Published: Monday, February 13, 2017 - 12:01

If you’re in the business of developing medical devices, then risk and risk management become terms synonymous with your daily operations. Your overall task is to bring a device to market that not only provides a needed function to a patient, but is also proven to be safe to use—maybe even used by someone who is near and dear to you.

Risk management can be a daunting and often confusing subject. Even the most experienced businesses trip over it from time to time, so it always pays to keep your knowledge up to date.

We looked into some key challenges that have been common in risk management lately, because it’s always good to know where the challenges lay, and what to do about it. Here is what we’ve found:

1. Keeping up with changes to ISO 13485

If one thing is certain in the world of medical device development, it’s that change is our constant companion. ISO 13485:2016—“Medical devices—Quality management systems—Requirements for regulatory purposes” was published in the first quarter of 2016 and contains amendments for how companies are to ensure that their quality management systems (QMS) incorporate a risk-based approach.

The challenge here is that almost every company that is operating with an ISO 13485 QMS in place will have to take action to update procedures and processes to account for risk-based approaches. For some companies, this could involve major changes within their operations.

While the adoption period for 2016 is technically three years from its publication (or 2019), registrars are already working with companies to transition to the new version. The bottom line? Knowing what is changing and making plans to comply early will save your company hassle down the line and possible issues with noncompliance.

Medical device manufacturers: Get conversant with ISO 13845:2016 now.

Tips for ISO 13485:2016
Assuming your company is one that would like to be ahead of the game, now is the time to be conducting a gap analysis to determine the impact of the changes in ISO 13485:2016 and establish quality plans to implement any updates as soon as possible.

Here are a few tips for ensuring you’re equipped with the right information:
• The full text of ISO 13485:2016 is available now for purchase. You will find appendices to compare changes vs. the 2003 version of the standard.
• Our website greenlight.guru has put together some webinars to help inform you about specific changes in ISO 13485:2016. You can find them here.
• Changes are wide-ranging but focus mainly on risk management. For example, there is now a specific requirement for documenting the maintenance of equipment that is used in production, as well as controlling the work environment, and monitoring and measurement. See a Slideshare presentation we put together for more information.
• Seek assistance from an accredited registrar to help with your transition.

2. Consistent application of ISO 14971

First of all, ISO 14971—“Medical devices—Application of risk management to medical devices” is a standard for applying risk management to medical devices. Although this standard has been established for many years, many companies seem to struggle with consistent application and get flagged for compliance issues.

All product-related risk management procedures and practices must be in alignment with ISO 14971, so it’s worth knowing about specific areas that continue to be an issue. This is the standard across the board, no matter which country you’re developing in.

Common challenges
 Here are some of the common challenges we’re seeing:
• Overuse or over-reliance on FMEA (failure mode and effects analysis) as a tool. While FMEA is a very good tool for assessing single-fault failure modes and reliability, using only FMEA as a means to identify, assess, and evaluate risks has shortcomings.
• Specifically, FMEA only assesses failure modes, and single-fault failures at that. ISO 14971 is very clear that a company needs to evaluate hazardous situations. This means considering foreseeable sequence of events. This also means considering non-failure mode situations. We wrote a detailed post on why FMEA is not ISO 14971 for risk management here.
• Risk management is often not continued throughout the entire product lifecycle. Companies do a decent job of risk management during the product development process (aside from the above noted overuse of FMEA). However, once a device is transferred from development into production, risk management documentation is often neglected and not kept up to date. ISO 14971 is clear that risk management is a total product lifecycle process, including production and post-production.

Regulatory agencies (such as the FDA) as well as registrars and notified bodies are becoming more sophisticated with their knowledge, understanding, and expectations regarding the application of ISO 14971, regardless of the version in use. We go over the “plain English” of it here, and include a handy infographic. You can also find webinars and risk management guides in our resources.

3. Risks associated with manufacturing processes

In our experience, many companies are neglecting to capture risks associated with manufacturing processes. ISO 14971 does specify that the risks associated with manufacturing processes are to be included as part of a product’s risk management file. The actual practice of doing so is very inconsistent within the industry.

It’s important to remember that risk management is a full lifecycle activity for medical device development. Risk documents need to be transferred between each stage (such as from product development to production), and a management plan needs to be in place for the manufacturing process. You can check out our guide to ISO 14971 compliance here.

4. Confusion over applicable ISO 14971 version

Do you sell medical devices into the European Union market? If so, this is for you in particular. There has been some confusion about ISO 14971:2007 vs. EN ISO 14971:2012, and which is applicable to whom. If you sell into the EU, then the EN version is for you.

The normative requirements of these two standards are the same. The EN version introduced a few new “Z” annexes. The Z annexes specify the need to document risk/benefit analysis for every single risk item, regardless of how significant. The Z annexes also require risk controls be identified for every single risk item, regardless of how significant. The 2007 version specifies risk/benefit analysis and risk controls for higher-risk items.

Many companies are still not clear if and/or when EN ISO 14971:2012 applies to them. Additionally, many companies do not consistently align with the Z annexes.

Tips for understanding the ISO 14971 version of compliance
• If you’re manufacturing devices for the EU market, then EN ISO 14971:2012 is for you.
• Pay attention to the “Z” annexes in particular; these are where the EN ISO 14971 standard does and does not meet the requirements of the European Directives.
• The Annex Zs describe these differences as “content deviations” for each directive. You must assess and take care of the gaps between the standard and the directives.

Final thoughts

We’re seeing some key challenges appear for risk management in medical device manufacturing, but with a bit of planning, these can be overcome. Be aware of the changes being implemented with ISO 13485:2016 and plan to be on top of them early. Know the common challenges with ISO 14971 compliance, and be prepared to mitigate those in your own processes.

Risk management is a full lifecycle activity for medical device development; be systematic and review often.

It is also helpful for device makers to use a QMS and risk management software to simplify their compliance to both the updated ISO 13485:2016 and ISO 14971.


About The Author

Jon Speer’s picture

Jon Speer

Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast.