Therese Graff


How to Use ISO 14971 and Project Risk Management Effectively

Set up processes that make the two types of risk similar to manage

Published: Monday, October 16, 2017 - 11:01

Medical device companies use ISO 14971 to identify and manage user risks with their devices. However, we often find these same companies do not manage their project risks well.

What is project risk management?

The Guide to the Project Management Body of Knowledge (Project Management Institute, 2013) defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” Therefore, project risk management is the method used on the project to manage the risk. Those activities include planning (how you are going to manage risk), identifying, analyzing, response planning, and controlling the risks on the project.

Project risk management should be an active process used throughout the project to regularly review identified risks, curate those risks, proactively identify new risks, and respond to risks that have become events, problems, or issues. Project risks include all forms of project risk, including marketing, technical, supplier, operations, and sales. This process ends with the project closure.

Strategy 2 Market developed a process called Exploratory PD (ExPD) that helps project teams identify, evaluate, prioritize, and track uncertainties and risks throughout a project.

ISO 14971

Medical device companies also need to address user risks, through the process identified in ISO 14971:2007—“Medical devices—Application of risk management to medical devices.” The steps are somewhat prescribed, and device companies must plan, identify, evaluate, and address risks if they will cause patient or user harm. These risks need to be tied in some way to product requirements, and a final report is needed that shows the product is safe. In addition, any changes to the product must include an evaluation of the risk to the user.

Risk management of user risks is required throughout the life of the product, until the device is withdrawn from the market, which is often long past the end of the project. Users include the patient and caregivers who use the product, but may also include other users such as reprocessing groups, inventory management, or surgical setup teams.

Using risk management effectively

Although the scope and use time frames are different between the PMBOK Guide and ISO 14971, there are ways to use both of them effectively.
1. Use a similar process. Capturing and tracking all potential items; evaluating; identifying resolutions when necessary; and closing items become more routine when all risk processes are similar.
2. Use cross-functional teams to generate and review the risks.
3. Write it down. The user risk management file will need to be stored with the design history file (DHF). The project risk information can be stored with other project files.
4. Use risk libraries. Using libraries as a starting point for both types of risk management helps ensure that common items aren’t missed and often sparks ideas for additional items.
5. Regularly review both ISO 14971 and project risk lists. Reviewing your lists as part of the regular team meetings helps ensure they remain current and new items are included. We suggest you include them on your team meeting agenda. Remember: Risk management is not a one-time activity, nor should it be a checklist item for a gate meeting.
6. Treat risk management as a tool. Risk management should be used to deliver your product and project better and faster.

Closing thoughts

Risk management is part of every medical device project. You have both user risks, managed through ISO 14971, and project risks, which need to be managed. Set up processes that make the two types of risk similar to manage, and integrate the reviews into your team meetings. You will find that you are much more effective in managing both types of risk.

First published on the Strategy2Market blog.


About The Author

Therese Graff

Therese Graff is a partner at Strategy2Market and a product development professional with extensive experience in medical devices, IVD, and single-use devices. Her expertise includes streamlining the product development process and integration with quality/design control systems.

With a BS from the University of Illinois, Urbana-Champaign, with concentrations in Chemistry and Biochemistry, and an MBA from The University of Chicago, Graff is certified as a Project Management Professional (PMP) by the Project Management Institute (PMI) and as a New Product Development Professional (NPDP) from the Product Development Management Association (PDMA).