How to use ISO 14971 to manage risks for medical devices

A patient undergoing a surgical procedure places his trust in the surgeon, the institution, and the procedure itself. He is typically least concerned about the medical devices involved and is not aware of their associated safety risks; the patient therefore accepts the risks of a medical device without any knowledge or awareness of them. This is why medical device manufacturers must ensure that their products are safe, with the help of a robust risk management process.

ISO 13485 references ISO 14971:2007 (Medical devices – Application of risk management to medical devices) for risk management, and adopts the ISO 14971 definition of risk as “the combination of the probability of occurrence of harm and the severity of that harm.”

Risk management process through ISO 14971

The process flow for risk management based on ISO 14971 is shown in Figure 1. According to clause 3 of ISO 14971, top management must:

  • demonstrate commitment to managing the risks of each medical device;
  • establish a risk management policy and the criteria for risk acceptability; and
  • review the risks of medical devices at planned intervals (these reviews can be performed as part of management reviews).

As with other management standards, the people who perform risk assessment should be competent and knowledgeable (e.g., through training on ISO 14971, the medical device's application, etc.).

Figure 1. Risk management process flow

Risk management file

Another important element in risk management (to ensure traceability) is the risk management file, which is established for every medical device. The file is used to keep records of:

  • risk analysis results
  • risk evaluation results
  • risk control measures
  • residual risk evaluation results for each identified hazard.

The risk management file will be used to gather all information related to risk, even in post-production situations.


The process

The process of risk management has the following steps:

1) Risk analysis – Risk analysis is performed on each medical device, and possible hazards are identified. Risk is estimated for each hazardous situation. Characteristics that could foreseeably affect the safety of the medical device are also listed. Risk analysis should also consider combinations of hazardous events that can together result in a hazardous situation; each reasonably foreseeable combination of such events should be analyzed separately. For example, when a heel stick is used to collect blood from infants for testing, the blood is warmed with a chemical pack. Sudden rupture of this chemical pack is a foreseeable consequence of the pack's characteristics, and the hazardous event is a combination of the heel stick used for collecting the sample (by itself likely a negligible hazard) and the chemical pack used to ease the sampling process. The risk management file is updated with all analysis results.

2) Risk evaluation – Each hazardous situation is studied, and the organization’s risk acceptability criteria are then used to decide whether risk reduction is needed for that hazard. The results of risk evaluation activities are also recorded in the file. Risk evaluation is normally done by multiplying the severity of the hazard by the likelihood of its occurrence.

Figure 2. Risk evaluation

3) Risk control – Risk control is the risk reduction process in which an unacceptable risk is minimized. The effectiveness of a control is measured by re-evaluating the residual risk, i.e., the risk remaining after the control is implemented. Sometimes a control introduced to minimize one risk adds a new hazard; such a control is not effective unless and until the new risks are within the acceptable range or controlled within acceptable limits. A risk control is chosen from the available options based on the following factors:

  • Practicality (how useful the implemented control is)
  • Simplicity (how easily it can be implemented)
  • Economic feasibility (the cost of the control does not affect product profitability)

Once implemented, risk controls are verified. If the residual risk is still unacceptable, a risk/benefit analysis is conducted: where an additional control is impractical, the analysis should determine whether the medical benefits of the device outweigh the residual risk. Records of each risk control step are maintained in the risk management file, including the control options, selection of the control, risk control review, control verification, residual risk calculation, risk/benefit analysis, etc.

4) Residual risk evaluation – Residual risk evaluation is done after all controls are in place and effective. Once all risks have been properly controlled, the risk management register is kept in the file and the records are maintained. Any change may require re-evaluation of the overall residual risk.

5) Risk management report – Just as management reviews are planned for the Quality Management System, reviews should be planned for the risk management system. A review should be conducted before a medical device enters the commercial market, and a risk management report is prepared based on it. The report should include the results of the review and be incorporated into the risk management file.

6) Information from production and post-production – A system for monitoring the performance of the medical device should be developed, established, and maintained, with the results recorded in the risk management file. Information from production includes any defects or failures in clinical trials; post-production information includes any customer complaints or product failures that may increase the risk (because of an increased likelihood of occurrence).
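The following is an added example, not code from the original article or from 13485Academy, showing steps 2 to 4 above as a small risk register: risk is estimated as severity × likelihood, compared against an acceptability threshold, re-evaluated after a control is applied, and a control that introduces a hazard of its own is treated as ineffective until that hazard is acceptable. The five-point scales, the threshold of 6, and the register entries (modelled on the heel-stick example) are all constructed assumptions; ISO 14971 leaves the scales and acceptability criteria to the manufacturer.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed ordinal scales and acceptance threshold (assumed); ISO 14971 leaves both to the manufacturer.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
ACCEPTABLE_MAX = 6  # severity x probability at or below this needs no further reduction

@dataclass
class Control:
    name: str
    severity: str     # severity expected once the control is in place
    probability: str  # probability expected once the control is in place
    introduced: List["Hazard"] = field(default_factory=list)  # new hazards the control adds

@dataclass
class Hazard:
    hazard_id: str
    situation: str
    severity: str
    probability: str
    control: Optional[Control] = None

def risk_score(severity: str, probability: str) -> int:
    # Risk estimate as the article describes it: severity x likelihood of occurrence.
    return SEVERITY[severity] * PROBABILITY[probability]

def evaluate(h: Hazard) -> dict:
    initial = risk_score(h.severity, h.probability)
    residual, status = initial, "control required"
    if initial <= ACCEPTABLE_MAX:
        status = "acceptable"
    elif h.control is not None:
        residual = risk_score(h.control.severity, h.control.probability)
        # A control is not effective until every hazard it introduces is itself acceptable or controlled.
        introduced = [evaluate(n)["status"] for n in h.control.introduced]
        if any(s not in ("acceptable", "controlled") for s in introduced):
            status = "control ineffective: introduced hazard unacceptable"
        elif residual <= ACCEPTABLE_MAX:
            status = "controlled"
        else:
            status = "risk/benefit analysis required"  # further control impractical
    return {"id": h.hazard_id, "initial": initial, "residual": residual, "status": status}

# Constructed register entries modelled on the article's heel-stick example.
REGISTER = [
    Hazard("H1", "lancet wound from heel stick", "negligible", "frequent"),
    Hazard("H2", "warming pack ruptures onto infant's skin", "serious", "occasional",
           control=Control("double-sealed pack membrane", "serious", "remote",
                           introduced=[Hazard("H2a", "slower warming delays sample", "minor", "occasional")])),
]
```

Evaluating the register with `[evaluate(h) for h in REGISTER]` gives H1 a score of 5 (acceptable) and H2 a score of 9 reduced to a residual of 6 (controlled), because the hazard the control introduces, H2a, scores 6 and is itself acceptable.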

Management commitment to control risk of a medical device

With the help of a risk management system based on ISO 13485 and ISO 14971, each phase of the risk management cycle is documented comprehensively to demonstrate the manufacturer’s commitment to controlling risk throughout the life of the medical device. A strong risk management system also provides significant value by supporting the development, manufacture, and delivery of new medical devices, since devices under development are subject to higher levels of scrutiny. It also helps with documenting modifications, to ensure continued product safety, functionality, and usability.

For reusable medical devices, a robust risk management evaluation will also classify the risks related to reuse and reprocessing. Additional benefits of such a system include faster market penetration and a better competitive standing. A great motivational factor, isn’t it?

Use this free Diagram of ISO 13485:2016 Implementation Process to understand where risk management fits into the QMS implementation.