MEDIcept is presenting this paper as an introduction to an ongoing series of articles focused on the conduct of risk management in the medical device and invitro diagnostic industry. The intent of the series is to provide practitioners with insight into how to apply risk management principles and tools to improve the performance and safety of their devices, and, as an added benefit, maintain compliance with risk management standard such as ISO 14971 (Medical devices – Application of risk management to medical devices) and IEC 62304 (Medical device software – Software life cycle processes)
Our team at MEDIcept plans to use these articles to capture best practices, explore the more challenging aspects of maintaining risk management systems over the long term, and elicit discussions among practitioners. To this last point, if you have questions or comments on the issues discussed, or if you have recommendations for topics to consider in the future, please let us know!
Risk Management – Beyond FMEAs:
Too often, when medical device companies think about risk management, they think of just two things:
- Regulatory requirement
- FMEA (Failure Mode and Effects Analysis) style Risk Assessments
Our team of medical device consultants at MEDIcept has worked with a broad range of companies faced with a wide variety of design, processing, and usage challenges; based on that experience, we recommend a broader view of risk management. While it’s true that regulatory authorities require device manufacturers to implement risk management systems and that FMEAs are valuable tools for assessing risks and documenting that risk controls are effective, the focus on only these two elements blinds companies to the real objective of medical device risk assessment. A broader view of risk management and a larger toolbox of analysis methods can improve the ability of companies to make decisions about how best to ensure the safety and efficacy of their products. This change in perspective will greatly increase the relevance and benefit of medical device risk management.
Many companies fall into a “regulatory mindset” when thinking about risk management. When we say regulatory mindset, we mean the perspective that certain activities (e.g., document control, validation, risk management, etc.) are performed primarily because they are required by regulators—if they don’t comply, they’ll fail their ISO 13485 audit or receive an FDA 483 observation. In fact, regulatory compliance should not be the primary driver for the conduct of these activities. The true driver is to ensure the safety and efficacy of your company’s products, as well as to reduce liabilities and costs. Risks associated with cybersecurity or human factors for example have direct safety impact upon the product, the company, and the customer.
If the regulations went away tomorrow, engineering and management best practices would still dictate that risk management and Quality System activities be followed. Would any reputable company want to produce devices using an obsolete print, use a machine without first confirming that it is capable of producing quality outputs, or go to market without fully assessing their product’s risks to the user’s health and safety? Risk management and other Quality System activities have been endorsed and adopted by regulators because they are the best practices and, when implemented properly, are proven to improve product safety and efficacy and reduce cost – not the other way around.
The following graphic provides a good perspective on the proper role of risk management. While risk assessments are developed as part of a company’s Design and Development Process, risk management doesn’t stop there. The intent of risk management is to capture knowledge about your products and processes and share that knowledge with the parts of the organization that need it to do their jobs and ensure that your products remain safe and effective.
 Note: In this series, the term “Risk Assessment” includes what ISO 14971 calls Risk Analysis, Risk Assessment, and Risk Control. In practice, all of these activities are documented in an FMEA-style Risk Assessment.
As the graphic shows, when the product is released to the market the risk management system becomes an active, living system that helps to ensure that:
- design changes do not have a negative impact on safety or effectiveness;
- new, unanticipated hazards are identified, and risks are assessed and mitigated as appropriate;
- critical product components and process are identified and monitored to ensure they meet specifications; and
- information about observed risks is communicated back to Design and Development to improve the performance of the next generation of
The Role of FMEAs:
For several good reasons, FMEAs (or at least the standard format used to conduct an FMEA) have become the default risk assessment tool used by medical device manufacturers. The FMEA-style format provides a very clear, structured approach for assessing risks and verifying that actions to control risks are effective. Whether you are looking at the design, software, processing, or use of the device, the FMEA-style format can be structured to ensure that a comprehensive review is performed. For example:
- Design: the risk assessment is structured by the assembly or sub-assembly bill-of-material (Note: for a complex device with reusable and disposable components and/or interfaces with other devices, a system-level design risk assessment that is focused on component interfaces may also be appropriate);
- Software: similar to a design risk assessment, the software risk assessment is structured by the software units and modules;
- Process: this assessment is structured by the manufacturing step (from incoming inspection, through manufacture, and to distribution); and
- Use: is structured by the steps in the use of the device (from selecting the device, through use, and to disposal or decommissioning)
However, the FMEA format also has two main weaknesses that make it problematic to use as the sole risk analysis tool. First, even for fairly simple devices, FMEAs can become very long, dense documents. Without a process to prioritize hazards before they are entered into the FMEA, the FMEA can become a dense list of unrelated issues ranging from trivial to critical. Teams often spend too much time on the trivial and can’t put proper attention and energy into the critical. Second, each row in an FMEA represents an independent potential failure (with an associated cause). There is no ability within the standard FMEA approach to consider the effects of combinations of failures. As a result, the FMEA does not provide a complete, systems-view of device risks.
In our next article, we will describe a structured approach for focusing risk assessment activities on those design, software, process, and usage elements that have the greatest impact on safety and efficacy. The approach begins with an understanding of critical quality attributes, including Preliminary Hazard Analysis (PHA), and makes use of fault tree analysis (FTA) tools to identify those areas as most critical to safety and efficacy. Then FMEA-style risk assessments can then be used to their best advantage: clearly assessing risks (which have already been identified as priorities), and tracking/documenting the activities conducted to verify the effectiveness of any required risk mitigation efforts.
By applying appropriate tools to fully understand the risks that can affect the safety and efficacy of your company’s devices, both when they are first released to the market and over their complete lifecycle, you will be well-positioned to truly understand whether the clinical benefits of your devices outweigh the risks associated with their use.
MEDIcept … Trusted Solutions, Rapid Response …
MEDIcept Inc. is an international consulting firm specializing in medical device, IVD, and biotechnology Regulatory, Quality, and Clinical Services. Since 1996, we have worked with thousands of companies to solve their most critical FDA and ISO issues. Our integrated solutions are rooted in our direct experience and span all stages of the product life.
MEDIcept is committed to providing our clients with what they need. We are committed to quality deliverables because we value our clients’ time and resources. This is why 90% of our clients come back to us again and again to solve new issues.
For additional information, please contact Susan Reilly at SReilly@MEDIcept.com.