Koven cardiovascular innovation


ISO 14971 Let's Go!  The Ultimate Guide to Risk Management in Medical Devices

May 15, 2018

What is Risk Management?

According to ISO 14971, risk management is defined as the "Systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating, controlling, and monitoring risk."

Basically, risk management means the right people doing the right activities at the right time to prevent harm.

What would you do before going skydiving?


Whenever we take a risk, most of us consider these two questions before we "take the leap":

"What are my chances of success?"


"How much will it hurt?"

This is part of the risk management process, which is simply a well-thought-out collection of planned ways to keep a dangerous situation from occurring and/or reduce the harm it can cause.

When you think about it, we perform many risk management activities in everyday life!

[Figure: Cross at your own risk]

Why did the chicken cross the road?

We know that crossing a street on foot poses the hazard of getting hit by a car, which rates high in severity because it can cause serious injury or death.  [Severity can change given the speed limit and type of vehicle].

The probability of occurrence is quickly determined by your own stored memory of data and experiences. [Probability can change given the type of roadway or time of day].

We each have our own internal formula for risk and this is what it looks like:

Risk = Probability of Occurrence x Severity of Harm

This formula is part of our everyday internal calculations; we even do it subconsciously.

So, now we see that the probability of occurrence and the severity of harm are both used together to estimate risk. But there is more to it than that when it comes to managing that risk.

Medical Devices and Risk Management

When it comes to medical devices, we all know that risk management is mandatory, and it also provides many useful design tools.

A risk management process in the Medical Device industry also needs to be easily communicated to others.

As we know, there are regulatory rules and standards to follow when designing a risk management system for a Medical Device, especially ISO 14971.

So, what is required when designing a Medical Device risk management process? Read on.

Risk Management Process

[Figure: Risk management process]

Risk Management Strategy

Begin by creating a strategy with your team or consultant.

Create a risk management plan, assign roles and set a schedule.

Store this in your risk management file, which is the paper trail for the whole risk management process.  It should be organized and clear.

Be objective.  This will prevent you from forgetting important parts.

[Figure: Risk management strategy]

Risk Assessment: Risk Analysis & Risk Evaluation

Risk Analysis

The first part of a risk assessment is completing a risk analysis: the process of defining and analyzing all potential hazards.

To begin, define the device's Intended Use.

Example questions to answer:

  • What is the medical device's role in patient care?
  • Does it sustain or support life?

Then identify the Hazards.

  • Example: Thermal Energy; High Temperature

Now brainstorm any foreseeable sequence of events that can become a hazardous situation.

  • Example: Putting the battery in backwards

Describe the hazardous situation.

  • Example: Battery explodes

Describe the harm that can result.

  • Example: Burns

Risk Analysis Action:

[Figure: Risk analysis action chart]

Next, estimate the risk level for each hazardous situation.

Use the risk formula:

  • Risk level = Probability of Occurrence x Severity of Harm

Risk Evaluation

The risk assessment ends with a risk evaluation: the stage of the plan where you judge, for each hazard, whether the risk is acceptable to you or whether a risk control is necessary.

The best way to do a risk evaluation is to use a risk acceptability matrix built from the previously estimated risk levels.

  1. Use the x axis / y axis scatter plot style
  2. Rate the probabilities of occurrence (y axis) and rate the severities of harm (x axis)
  3. Designate the acceptability thresholds

The matrix will look something like this:

[Figure: Risk evaluation matrix]

Risks that are at low levels (yellow) are acceptable.

Marginal risks (orange), however, need further consideration as to whether they are acceptable or can be controlled to lower levels.

High level risks (red) are unacceptable and require risk control measures for the project to move forward.

Example: Chance of battery explosion

Likely probability x Major severity = Unacceptable risk!

[Figure: Acceptable risk chart]

Risk Control

Risk controls are the things you do to reduce the probability of occurrence and/or severity of harm, in the following order:

  1. Design for safety
  2. Add protective measures
  3. Provide safety information

Here are examples of risk control measures used to mitigate the risk of harm due to the battery overheating:

[Figure: Risk control]

Residual Risk Evaluation

Residual risk is defined as risk that cannot be reduced further after risk control measures have been taken.

Evaluate whether the overall residual risk is acceptable or not by weighing benefit versus harm.

Let's use the X-ray machine to illustrate a simple example.

[Figure: Risk evaluation]

Despite all protective measures and safety designs, having an x-ray done still poses the risk of radiation exposure.

BUT, we need x-rays for diagnostic purposes.

Despite the potential harm, the medical benefits for the patient are greater.

THUS, the x-ray machine residual risk is acceptable.
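
The risk evaluation and risk control steps above, worked through for the battery example as an added Python sketch that is not part of the original article. The 5-point scale labels, their numeric scores, the zone thresholds and the three battery controls are assumptions, since the article's matrix and control tables are images.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 5-point scales and thresholds (the article's matrix image is missing).
PROBABILITY = {"Improbable": 1, "Remote": 2, "Occasional": 3, "Likely": 4, "Frequent": 5}
SEVERITY = {"Negligible": 1, "Minor": 2, "Serious": 3, "Major": 4, "Critical": 5}
# Order of preference for risk controls, as listed in the article.
CONTROL_ORDER = ["design for safety", "protective measure", "safety information"]

def evaluate(probability: str, severity: str) -> str:
    """Risk level = probability x severity, mapped to an acceptability zone."""
    level = PROBABILITY[probability] * SEVERITY[severity]
    if level >= 12:
        return "unacceptable"  # red
    if level >= 5:
        return "marginal"      # orange
    return "acceptable"        # yellow

@dataclass
class Control:
    kind: str                          # one of CONTROL_ORDER
    description: str
    probability: Optional[str] = None  # rating claimed once the control is in place
    severity: Optional[str] = None

def apply_controls(probability, severity, controls):
    """Apply controls in priority order; return the zone after each step."""
    trail = [("no controls", probability, severity, evaluate(probability, severity))]
    for c in sorted(controls, key=lambda c: CONTROL_ORDER.index(c.kind)):
        # A control can lower a rating but never raise it.
        if c.probability and PROBABILITY[c.probability] < PROBABILITY[probability]:
            probability = c.probability
        if c.severity and SEVERITY[c.severity] < SEVERITY[severity]:
            severity = c.severity
        trail.append((c.description, probability, severity, evaluate(probability, severity)))
    return trail

# Constructed controls for the article's battery example (not from the article).
BATTERY_CONTROLS = [
    Control("safety information", "polarity marking and warning in the manual", probability="Occasional"),
    Control("protective measure", "thermal cut-off fuse", severity="Minor"),
    Control("design for safety", "keyed compartment blocks reversed battery", probability="Remote"),
]

if __name__ == "__main__":
    for step in apply_controls("Likely", "Major", BATTERY_CONTROLS):
        print("%-45s %-10s x %-8s -> %s" % step)
```

The last entry of the returned trail is the residual rating that feeds the benefit-versus-harm judgment described above.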

Risk Management Report

The risk management report is a summary of all results, data, tables, etc., of the entire risk management process.

It explains all acceptable and unacceptable risks, the benefits and harms, what risk controls occurred and why, plans for risk monitoring, etc.

It must be clearly written and demonstrate that all the planned objectives have been met.

It must also provide confirmation of the overall level of risk.

Product and Post-Production Monitoring

From an idea in one's head to post-market success, it is important to monitor all life stages of a medical device.

Risk Management Involves the Entire Product Lifecycle!

[Figure: Product lifecycle]

During the product phase, monitoring will help adjust overall risk acceptability and prepare for the market.

But even with all the planning and speculation, no one can predict how the device will work in real-life situations, in users' hands, and on actual patients.

Therefore, post-production monitoring is equally important.

Any changes can affect the risk formula numbers and can send the device back to the risk analysis stage.

So why did the chicken cross the road?

Because he strategized, then defined and analyzed all known and foreseeable hazards, estimated the risk level, evaluated risk acceptability, controlled for all unacceptable risks, and then decided the benefits outweighed the residual risk. THEN he crossed.

Smart chicken!

Ian Maclean, Professional Engineer
Published by Ian Maclean, P. Eng.