Medical Device, Risk management

ISO 14971 Let’s Go! The Ultimate Guide to Risk Management in Medical Devices

What is risk management?

According to ISO 14971, Risk Management is defined as the “systematic application of management policies, procedures and practices to the tasks of analyzing evaluating controlling, and monitoring risk”

Basically, risk management means the right people doing the right activities at the right time to prevent harm.

What would you do before you went skydiving?



Whenever we take a risk, most of us consider these two questions before we ‘take the leap’:

“What are my chances?” 


“How much will it hurt?


This is part of the Risk Management Process which is simply a well thought out collection of planned ways to control situational danger from occurring and/or reduce the harm it can cause.


When you think about it… We perform many risk management activities in everyday life! 


Why did the chicken cross the road?

We know that crossing a street on foot poses the hazard of getting hit by a car, which rates high in severity because it can cause serious injury or death. [Severity can change given the speed limit and type of vehicle].

The probability of occurrence is quickly determined by your own stored memory of data and experiences. [Probability can change given the type of roadway or time of day].

We each have our own internal formula for risk and this is what it looks like:

Risk Formula.PNG

This formula is a part of our everyday internal calculations; we even do it subconsciously.


So now we see that the probability of occurrence and the severity of harm are both used together to estimate risk.  But there is more to it than that when it comes to managing that risk.

Medical Devices and Risk Management

When it comes to medical devices, we all know that risk management is mandatory and it also contains many useful design tools.

A Risk Management Process in the Medical Device Industry also needs to be easily communicated to others.

And as we know, there are regulatory rules and standards to follow when designing a risk management system for a Medical Device, especially ISO 14971.

So, what does a Medical Device’s Risk Management Process according to ISO 14971 need?  Read on.



Risk Management Process



Risk Management Strategy

Begin by creating a strategy with your team or consultant.

Create a Risk Management Plan, assign roles and set a schedule.

Store this in your Risk Management File, which is the paper trail for the whole risk management process; it should be organized and clear.

Be objective.  This will prevent you from forgetting important parts.



Risk Assessment: Risk Analysis & Risk Evaluation

Risk Analysis

The first part of a Risk Assessment is completing a Risk Analysis; the process of defining and analyzing all potential hazards.

To begin, define the devices Intended Use

  • Example questions to answer:
    • What is the medical devices role in patient care?
    • Does it sustain or support life?

Then Identify the Hazards

  • Example: Thermal Energy; High Temperature

Now brainstorm any foreseeable sequence of events that can become a hazardous situation,

  • Example: putting the battery in backwards

Describe the hazardous situation

  • Example: battery explodes

Describe the types of harm that can result

  • Example: burns

Risk Analysis in Action:

Risk Analysis

Next Estimate the Risk Level for each hazardous situation

  • Use the Risk Formula
    •  Risk Level  =  Probability of Occurrence  x  Severity of Harm
      • Example:  Chance of Battery Explosion = Likely probability x Major Severity


Risk Evaluation

Next, the Risk Assessment ends with a Risk Evaluation; the stage of the plan where you judge whether the Risk is Acceptable to you, or whether a Risk Control is necessary for each hazard.

The best way to do a risk evaluation is to use a risk acceptability matrix using the previously estimated risk levels.

Use the x y scatter plot style

Rate the probabilities of occurrence (y-axis) and rate the severities of harm (x-axis)

Designate the acceptability thresholds

The matrix will look something like this:

RMatrix1RMatrix2Risks that are at Low levels (yellow) are acceptable.

Marginal risks (orange), however, need further consideration if they are to be acceptable or can be controlled to lower figures.

Risks at High levels (red) are unacceptable and require risk control measures for the project to move forward.

Example:  Chance of Battery Explosion

Likely probability x Major Severity

= Unacceptable risk!

Our team must introduce a Risk Control for this hazard to bring the risk level down to an acceptable level (if possible).


Risk Control

Basically, the things you do to reduce the probability of occurrence and/or severity of harm, in this order:

  1. Design for Safety
  2. Add Protective Measures
  3. Provide Safety Information

Here are examples of risk control measures used to mitigate the risk of harm due to the battery overheating:

Risk Control.PNG


Residual Risk Evaluation

Residual Risk: Risk that cannot be reduced further after risk control measures have been taken.

Evaluate whether the overall residual risk is acceptable or not; benefit vs harm

Is the device worth it?

Let’s use the X-ray machine to illustrate a simple example.


Despite all protective measures and safety designs, having an x-ray done still poses the risk of radiation exposure

BUT we need x-rays for diagnostic purposes

Despite the potential for harm, the medical benefits for the patient are greater

THUS the x-ray machine residual risk is acceptable.


Risk Management Report

A summary of all the results, data, tables, etc., of the entire risk management process.

Explain all acceptable and unacceptable risks, the benefits and harms, what risk controls occurred and why, plans for risk monitoring, etc.

It must be clearly written and demonstrate that all the planned objectives had been met.

It must also provide confirmation of the overall level of risk.



Production and Post-Production Monitoring

From an idea in one’s head to post-market success, it is important to monitor all life stages of a medical device.

Risk Management involves the Entire Product Lifecycle!

Product Lifecycle

During the production phase, monitoring will help adjust overall risk acceptability and prepare for the market.

But even with all the planning and speculation, no one can predict how the device will work in real life situations, in user’s hands, and on actual patients.

Therefore, post-production monitoring is equally important.

Any changes can affect the risk formula numbers and can send the device back to the risk analysis stage.


So why did the Chicken cross the road?

Because he strategized, then defined and analyzed all known and foreseeable hazards, estimated the risk level, evaluated risk acceptability, controlled for all unacceptable risks, and then decided the benefits outweighed the residual risk.  THEN he crossed.

Smart Chicken.



Ian Maclean, P. Eng.

Director of Research and Engineering

If you have any questions, feel free to connect with me HERE



Follow us on

linkedin-logo  twitter-logo  pinterest-icon  youtube-logo



“Your Biomedical Design & Development Partner”

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.