Jon Speer

What You Need to Know for an Effective Risk Assessment

Two concepts to ensure patient safety and device quality

Published: Thursday, May 14, 2020 - 11:02

Historically, risk management has been a complex and polarizing subject, with various stakeholders assigning different values to the probability and severity of harm. In the medical device industry, risk management’s high importance has led to the publication of standards such as ISO 14971, which offers guiding principles built on a universal risk management framework applicable to all types of medical devices and processes throughout the entire product life cycle, from design and development through manufacturing and into post-market activities.

In December 2019, an updated version of the standard, ISO 14971:2019, was released, bringing impactful changes to the medical device industry. Although many of the changes were minor, there are key updates to processes and best practices that medical device companies should understand and keep top of mind.

One example is the updated guidelines for risk assessment. ISO 14971:2019 looks at risk analysis and risk evaluation as individual and separate sets of tasks that together make up a risk assessment. In my experience, I will generally conduct these two sets simultaneously, but to effectively do so, you must understand the tasks involved with each.

Risk analysis tasks

There are many ways to conduct a risk analysis, and many of these techniques are used across the industry, including failure mode and effects analysis (FMEA), fault-tree analysis, and preliminary hazards analysis. However, it’s critical that as you go through your own risk analysis, you define an approach that allows you to document the entire process easily and effectively.

To achieve this, you must clearly outline three aspects of the medical device:
1. Intended use
2. Potential hazards
3. Risk

Whenever you start a risk analysis, you should work from a documented intended-use statement. This statement helps to define the scope of the device and helps to outline potential hazards that may occur later in the process. The intended-use statement is also useful in identifying foreseeable misuse of the product.

An effective strategy to identify hazards is to go through each step required for device use and determine if there are any sources of harm along the way. Identifying these scenarios early on helps to ensure that safety measures are established in order to reduce risk.

Once each potential hazard and hazardous situation is outlined, the risk analysis can be completed by estimating risk for each hazard. According to ISO 14971, risk is defined as the probability of occurrence of harm and the severity of said harm. Risk estimation requires manufacturers to outline two things: seriousness and likelihood of occurrence.

A common technique used to illustrate these factors is a severity and occurrence table, often referred to as a risk acceptability matrix, which evaluates harm based on levels of severity and also the probability of that occurrence.

For example, a life-threatening injury would be considered critical in severity, and if it only occurs once in 1 million times, then the event is also considered improbable.

Risk evaluation tasks

Once risks for each harm have been estimated, it’s time to evaluate each risk to determine if risk reduction is required. Many companies will evaluate risk levels in three “zones”: low, medium, or high. The most common practice for practical risk evaluation is to establish criteria around which risk zones are deemed acceptable and which are not.

Manufacturers that sell in the United States often correlate the low zone with acceptable risk and the high zone with unacceptable risk. The medium zone often fits into what is referred to as “as low as reasonably practicable.” That said, many companies place a similar emphasis on the level of risk in the medium zone as they do on the high zone when conducting risk reduction.

A comprehensive risk assessment is a vital component of the medical device manufacturing process and also a significant requirement found in the updated ISO 14971:2019 risk management standard. Evaluating potential harm and risks, and diligently working to reduce them, helps to ensure patient safety and true medical device quality.


About The Author

Jon Speer

Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast.



Improbable Medium Risk


Thank you for the article.

Often, especially during audits and inspections, potentially life-threatening risks are seen as always of the highest risk level, no matter how improbable they are. And there is a case to make that just because something is highly unlikely, the consequences remain life-threatening and therefore, the risk should be treated as if it occurred more regularly and thus be categorized as "high risk".

Assuming all risk managers somewhat use the principle of worst-case, it's hard to grasp how a critical (per the article's definition, life-threatening) risk can be a low risk just because you may only harm 1 in a million. I think it would make sense to have any foreseeable permanent damage be at least "medium" risk and all life-threatening risks in the "high" risk category.

That ISO14971 fails to define this once and for all in its current revision is a mistake, in my honest opinion. This is where true standardization in this industry could have happened, but instead some formalities were changed. The request for more Benefit/Risk analyses will never be heard when even potentially fatal consequences can be a low-risk topic.