To establish Risk Management procedures

We previously mentioned that having a Design History File (DHF), or Design and Development (D&D) File, is important for traceability and risk management purposes. However, risk management encompasses more than simply keeping a tidy D&D File.

With patient safety as a priority, product-related risks need detailed consideration. ISO 14971 is a standard that defines medical device risk management expectations. It serves as a useful guide for planning the risk management activities covered under the ISO 13485 standard. We shall walk through a few key principles needed to properly establish risk management procedures.

To get started, it is necessary to define your risk management framework. This would require the definition of your risk management procedures, assignment of management roles and responsibilities, documentation of your risk management plan, as well as establishment of a living risk management file. 

In general, risk management procedures include: Risk assessment, Risk control, Risk acceptability, Review and reporting, as well as Production and Post-production information. Given this breakdown of processes, the roles and responsibilities of your team members can be more clearly allotted. You can then put together a risk management plan that describes the timing and type of risk management activities to be performed throughout product development. Collectively, all risk management documentation is contained within the risk management file. As risk management is an ongoing process, your risk management file should be kept “living”, with updates recorded continually throughout the whole product life cycle.

Let’s look into the details of risk management procedures:

1) Risk Assessment

Risk assessment involves identifying potential harm, the severity of that harm, and the likelihood of its occurrence. Risk assessment takes into account both Risk analysis and Risk evaluation.

Performing Risk analysis would require you to: 

  1. Specify intended use.

    Tying in with your design and development work structure, it is necessary to understand and define the scope of your medical device. Document its intended use, and you can properly conduct risk analysis accordingly.

  2. Identify hazards, define hazardous situations and foreseeable sequences of events.

    In order to conduct risk analysis appropriately, you will also need to clearly identify potential sources of harm associated with your product. Knowing the hazards and hazardous situations pertaining to the medical device you are developing will ensure a safer product.

  3. Estimate risk.

    Risk is the combination of severity of potential harm and probability of that harm occurring. 

Risk evaluation is then possible, according to the parameters drawn out during risk analysis. With the hazards defined and risks estimated, a risk acceptability matrix is often used as a guide to evaluate if the risk levels are acceptable, or if risk reduction is required. 


2) Risk Acceptability

Risk evaluation can take place properly when risk acceptability has been defined. To define risk acceptability, a table can be constructed that provides the risk index for each combination of qualitative assignments for both the occurrence probability and the loss or hazard severity. 

3) Risk Control

Having performed risk assessment and defined the risk acceptability, it would be clear where risk levels might need to be further reduced or managed. With patient safety as the end in mind, risk control measures must be implemented to mitigate the initial risks identified. 

As the severity of the hazards has no reason to be reduced, risk control measures would mean reducing the probability of the harm occurring. This is done in order to have the risk of harm as low as possible within the acceptable range.

4) Review and Reporting

Even after risk control action has been taken to reduce the risk, the overall residual risk of the product must still be evaluated. You are responsible for carrying out a risk management review and preparing a risk management report before manufacturing and releasing your product to the market. These records will add to your D&D File, showing that proper work has been performed to bring a quality product to market.

5) Production and Post-production Information

Keeping in mind that risk management needs to be in place throughout a product’s lifecycle, your production and post-production information is also important for consideration and evaluation. Internal audit reports, customer feedback, complaints, CAPAs, and non-conforming material all provide information for continued risk management procedures. These will similarly be maintained in your ‘live’ risk management file, to ensure that relevant information stays easily accessible for your staff when needed.

As you put these risk management procedures into practice, you will have a system that allows you to identify hazards, estimate and evaluate risks, as well as develop, implement and monitor the effectiveness of the risk control measures you have in place. This, in turn, adds to an effective QMS that prioritises patient safety and continual improvement of your product.

Having such a QMS that enhances your business is the objective of the ISO 13485:2016 standard.