Therese Graff


How to Use ISO 14971 and Project Risk Management Effectively

Set up processes that make the two types of risk similar to manage

Published: Monday, October 16, 2017 - 12:01

Medical device companies use ISO 14971 to identify and manage user risks with their devices. However, we often find these same companies do not manage their project risks well.

What is project risk management?

The Guide to the Project Management Body of Knowledge (Project Management Institute, 2013) defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” Therefore, project risk management is the method used on the project to manage the risk. Those activities include planning (how you are going to manage risk), identifying, analyzing, response planning, and controlling the risks on the project.

Project risk management should be an active process used throughout the project to regularly review identified risks, curate those risks, proactively identify new risks, and respond to risks that have become events, problems, or issues. Project risks include all forms of project risk, including marketing, technical, supplier, operations, and sales. This process ends with the project closure.

Strategy 2 Market developed a process called Exploratory PD (ExPD) that helps project teams identify, evaluate, prioritize, and track uncertainties and risks throughout a project.

ISO 14971

Medical device companies also need to address user risks, through the process identified in ISO 14971:2007—“Medical devices—Application of risk management to medical devices.” The steps are somewhat prescribed, and device companies must plan, identify, evaluate, and address risks if they will cause patient or user harm. These risks need to be tied in some way to product requirements, and a final report is needed that shows the product is safe. In addition, any changes to the product must include an evaluation of the risk to the user.

Risk management of user risks is required throughout the life of the product, until the device is withdrawn from the market, which is often long past the end of the project. Users include the patient and caregivers who use the product, but may also include other users such as reprocessing groups, inventory management, or surgical setup teams.

Using risk management effectively

Although the scope and use time frames are different between the PMBOK Guide and ISO 14971, there are ways to use both of them effectively.
1. Use a similar process. Capturing and tracking all potential items; evaluating; identifying resolutions when necessary; and closing items become more routine when all risk processes are similar.
2. Use cross-functional teams to generate and review the risks.
3. Write it down. The user risk management file will need to be stored with the design history file (DHF). The project risk information can be stored with other project files.
4. Use risk libraries. Using libraries as a starting point for both types of risk management helps ensure that common items aren’t missed and often sparks ideas for additional items.
5. Regularly review both ISO 14971 and project risk lists. Reviewing your lists as part of the regular team meetings helps ensure they remain current and new items are included. We suggest you include them on your team meeting agenda. Remember: Risk management is not a one-time activity, nor should it be a checklist item for a gate meeting.
6. Treat risk management as a tool. Risk management should be used to deliver your product and project better and faster.

Closing thoughts

Risk management is part of every medical device project. You have both user risks, managed through ISO 14971, and project risks, which need to be managed. Set up processes that make the two types of risk similar to manage, and integrate the reviews into your team meetings. You will find that you are much more effective in managing both types of risk.

First published on the Strategy2Market blog.


About The Author

Therese Graff

Therese Graff is a partner at Strategy2Market and a product development professional with extensive experience in medical devices, IVD, and single-use devices. Her expertise includes streamlining the product development process and integration with quality/design control systems.

With a BS from the University of Illinois, Urbana-Champaign, with concentrations in Chemistry and Biochemistry, and an MBA from The University of Chicago, Graff is certified as a Project Management Professional (PMP) by the Project Management Institute (PMI) and as a New Product Development Professional (NPDP) from the Product Development Management Association (PDMA).