What is risk management?
According to ISO 14971, Risk Management is defined as the “systematic application of management policies, procedures and practices to the tasks of analyzing evaluating controlling, and monitoring risk”
Basically, risk management means the right people doing the right activities at the right time to prevent harm.
What would you do before you went skydiving?
Whenever we take a risk, most of us consider these two questions before we ‘take the leap’:
“What are my chances?”
“How much will it hurt?”
This is part of the Risk Management Process which is simply a well thought out collection of planned ways to control situational danger from occurring and/or reduce the harm it can cause.
When you think about it… We perform many risk management activities in everyday life!
Why did the chicken cross the road?
We know that crossing a street on foot poses the hazard of getting hit by a car, which rates high in severity because it can cause serious injury or death. [Severity can change given the speed limit and type of vehicle].
The probability of occurrence is quickly determined by your own stored memory of data and experiences. [Probability can change given the type of roadway or time of day].
We each have our own internal formula for risk and this is what it looks like:
This formula is a part of our everyday internal calculations; we even do it subconsciously.
So now we see that the probability of occurrence and the severity of harm are both used together to estimate risk. But there is more to it than that when it comes to managing that risk.
Medical Devices and Risk Management
When it comes to medical devices, we all know that risk management is mandatory and it also contains many useful design tools.
A Risk Management Process in the Medical Device Industry also needs to be easily communicated to others.
And as we know, there are regulatory rules and standards to follow when designing a risk management system for a Medical Device, especially ISO 14971.
So, what does a Medical Device’s Risk Management Process according to ISO 14971 need? Read on.
Risk Management Process
Risk Management Strategy
Begin by creating a strategy with your team or consultant.
Create a Risk Management Plan, assign roles and set a schedule.
Store this in your Risk Management File, which is the paper trail for the whole risk management process; it should be organized and clear.
Be objective. This will prevent you from forgetting important parts.
Risk Assessment: Risk Analysis & Risk Evaluation
The first part of a Risk Assessment is completing a Risk Analysis; the process of defining and analyzing all potential hazards.
To begin, define the devices Intended Use
- Example questions to answer:
- What is the medical devices role in patient care?
- Does it sustain or support life?
Then Identify the Hazards
- Example: Thermal Energy; High Temperature
Now brainstorm any foreseeable sequence of events that can become a hazardous situation,
- Example: putting the battery in backwards
Describe the hazardous situation
- Example: battery explodes
Describe the types of harm that can result
- Example: burns
Risk Analysis in Action:
Next Estimate the Risk Level for each hazardous situation
- Use the Risk Formula
- Risk Level = Probability of Occurrence x Severity of Harm
- Example: Chance of Battery Explosion = Likely probability x Major Severity
- Risk Level = Probability of Occurrence x Severity of Harm
Next, the Risk Assessment ends with a Risk Evaluation; the stage of the plan where you judge whether the Risk is Acceptable to you, or whether a Risk Control is necessary for each hazard.
The best way to do a risk evaluation is to use a risk acceptability matrix using the previously estimated risk levels.
Use the x y scatter plot style
Rate the probabilities of occurrence (y-axis) and rate the severities of harm (x-axis)
Designate the acceptability thresholds
The matrix will look something like this:
Risks that are at Low levels (yellow) are acceptable.
Marginal risks (orange), however, need further consideration if they are to be acceptable or can be controlled to lower figures.
Risks at High levels (red) are unacceptable and require risk control measures for the project to move forward.
Example: Chance of Battery Explosion
Likely probability x Major Severity
= Unacceptable risk!
Our team must introduce a Risk Control for this hazard to bring the risk level down to an acceptable level (if possible).
Basically, the things you do to reduce the probability of occurrence and/or severity of harm, in this order:
- Design for Safety
- Add Protective Measures
- Provide Safety Information
Here are examples of risk control measures used to mitigate the risk of harm due to the battery overheating:
Residual Risk Evaluation
Residual Risk: Risk that cannot be reduced further after risk control measures have been taken.
Evaluate whether the overall residual risk is acceptable or not; benefit vs harm
Is the device worth it?
Let’s use the X-ray machine to illustrate a simple example.
Despite all protective measures and safety designs, having an x-ray done still poses the risk of radiation exposure
BUT we need x-rays for diagnostic purposes
Despite the potential for harm, the medical benefits for the patient are greater
THUS the x-ray machine residual risk is acceptable.
Risk Management Report
A summary of all the results, data, tables, etc., of the entire risk management process.
Explain all acceptable and unacceptable risks, the benefits and harms, what risk controls occurred and why, plans for risk monitoring, etc.
It must be clearly written and demonstrate that all the planned objectives had been met.
It must also provide confirmation of the overall level of risk.
Production and Post-Production Monitoring
From an idea in one’s head to post-market success, it is important to monitor all life stages of a medical device.
Risk Management involves the Entire Product Lifecycle!
During the production phase, monitoring will help adjust overall risk acceptability and prepare for the market.
But even with all the planning and speculation, no one can predict how the device will work in real life situations, in user’s hands, and on actual patients.
Therefore, post-production monitoring is equally important.
Any changes can affect the risk formula numbers and can send the device back to the risk analysis stage.
So why did the Chicken cross the road?
Because he strategized, then defined and analyzed all known and foreseeable hazards, estimated the risk level, evaluated risk acceptability, controlled for all unacceptable risks, and then decided the benefits outweighed the residual risk. THEN he crossed.
Ian Maclean, P. Eng.
Director of Research and Engineering
If you have any questions, feel free to connect with me HERE
Follow us on
“Your Biomedical Design & Development Partner”