In a nutshell: Risk management for medical devices

How does risk management for medical devices work?

Risk management (RM) is an ongoing, living process. So you don't just end up with it at some point. Ideally, RM activities should start during product development, as they can have an influence on product design, instructions for use and labels, for example.

All risk management activities are carried out according to a process and a RM plan. The process usually provides a general framework. The RM plan then tailors the activities to a device.

After planning, the following activities are performed:

1. Risk analysis
2. Risk evaluation
3. Risk control
4. Assessment of the overall residual risk
5. Risk management review
6. Production and post-production activities (collecting and evaluating data, deriving measures)

1. Risk analysis

The risk analysis is intended to identify risks that may arise during the use of the product in accordance with its intended purpose and reasonably foreseeable misuse. The basic aim is to identify all hazards and hazardous situations. It must be determined which characteristics of the product could influence safety. In other words, those characteristics / functions that could lead to risks if they no longer function properly. A risk assessment is carried out for all hazard situations. The respective risk of a hazardous situation is determined by the combination of probability of occurrence and severity of harm.

2. Risk evaluation

In the risk assessment, the previously identified risks are evaluated as to whether they are acceptable or unacceptable (according to ISO 14971). The criteria for this evaluation are defined in advance in the risk management plan.

3. Risk control

During risk control, risks must be reduced to an acceptable level in accordance with ISO 14971 and as far as possible in accordance with MDR / IVDR. Measures shall be applied in the following order:

• inherently safe design and manufacture
• protective measures in the medical device itself or in the manufacturing process
• information for safety and, where appropriate, training to users

The order of the measures results from the efficiency of these. Imagine the product has a sharp edge where the patient or user could be injured. Please do not think of a scalpel. Of course, you do not simply warn about the sharp edge in the instructions for use, but you change this edge so that it is no longer sharp. So you have preferred an inherently safe design over information for safety. And this is the principle according to which the previously listed measures are to be applied and implemented.

Now that you have defined the risk control measures, you must check (verify) whether they have been implemented. Then the effectiveness of these measures is verified to ensure that they really reduce the risks.

Now that you have defined the risk control measures, you must check (verify) whether they have been implemented. Then the effectiveness of these measures is verified to ensure that they really reduce the risks.

A risk assessment was already carried out before the measures were taken. A further evaluation step is now being carried out to assess the residual risk after effective measures have been implemented.

If there are risks that are unacceptable and cannot be reduced, a risk-benefit analysis must be carried out for these risks. If the benefits do not outweigh the risks, the product or its intended use must be changed.

Risk management is about reducing risks through effective measures. However, care must be taken to ensure that these measures do not create new risks. If new risks are introduced, these must be fed into the risk analysis and the process is followed beforehand.

4. Evaluation of overall residual risk

You have now identified all hazardous situations and effectively implemented all risk control measures. You are now performing an assessment of the overall residual risk for the medical device or IVD. At this point, therefore, all risks are not considered individually, but all together. All risks are put in relation to the benefit of the intended purpose and it is on this basis that you must assess whether the overall residual risk is acceptable.

5. Risk management review

The review of risk management activities is documented in the risk management report. The aim is to ensure that the risk management plan has been implemented correctly and appropriately. On the other hand, it is checked whether the overall residual risk is acceptable and whether appropriate measures have been implemented to collect and review data from production and post-production phases. The strong link to post-market surveillance is also evident here.

6. Production and post-production activities

ISO 14971:2019 provides detailed requirements for linking risk management to post-market surveillance (PMS). This fits in well with the concept of MDR and IVDR, as both regulations place greater emphasis on PMS. More information on this link will follow in the next article.