Risk Management: The Science of Minimizing Uncertainties

In all the years that I have worked in the medical device and pharmaceutical industries, I have noticed first hand that risk management is a close second to design controls when it comes to upsetting the cultural pattern of a successful medical device company. Risk management may be based upon “good science and engineering” principles but, when facilitated properly, risk management will question and impose upon those very core competencies and standards that made your company what it is. The most varied imposition to the cultural threads of any company (large or small) is the fact that decision-making is no longer qualitatively-based but, in fact, based upon quantitative conclusions and decision-making that is dependent upon measurement rather than varying degrees of savvy. It not only sends a shock wave to the reactive, fire-fighting cultures, but also to companies that depend upon large groups of human beings to “make it happen” rather than depending upon process controls. You may have heard that “people (and companies) that don’t like change…don’t like to change.” Installing risk management into your company will force the “change” issue to the brink and sometimes beyond what your present Quality Management System (QMS) can endure to still be successful.

Risks are Part of our Everyday Living
Generally speaking, we live with risk taking and risk aversion every day. Making correct decisions can be a risky business, and the goal is to enable these decisions toward a successful outcome by minimizing the uncertainties that are naturally presented to all of us. Operating an automobile presents risks whether we travel every day or just use the car to go to the grocery store now and then. We minimize the risks associated with driving our cars by making sure we are well trained to err on the side of caution, by making sure our tires have the correct air pressure, the brakes have enough pad, the headlights work and so on. When you think about it, we prepare ourselves for risk by doing all of the things we are supposed to do to minimize the uncertainties associated with failure without compromising safety and effectiveness.

The same types of uncertainties associated with automobiles can be correlated to the development and intended uses of medical devices. The concepts of risk management are particularly important in relation to medical devices because of the variety of stakeholders, including medical practitioners, the organizations providing healthcare, governments, industry, patients and members of the public. All stakeholders need to understand that the use of a medical device entails some degree of risk. The acceptability of a risk to a stakeholder is influenced by the components listed above and by the stakeholder’s perception of the risk.

Each stakeholder’s perception of the risk can vary greatly depending upon their cultural background, the socio-economic and educational background of the society concerned, the actual and perceived state of health of the patient and many other factors. The way a risk is perceived also takes into account, for example, whether exposure to the hazard seems to be involuntary, avoidable, from a man-made source, due to negligence, arising from a poorly understood cause or directed at a vulnerable group within society.

ISO 14971 specifies a process through which the manufacturer of a medical device can identify hazards associated with a medical device, estimate and evaluate the risks associated with these hazards, control these risks and monitor the effectiveness of that control.

The Process
The fundamental requirement for enabling a risk management process at a medical device manufacturer is to essentially establish, document and maintain procedures to minimize uncertainties throughout the life of the medical device and the processes that support that “womb-to-tomb” cycle of activity. Risk management is not just associated with the medical device itself but, in fact, affects key processes, such as purchasing controls, corrective and preventive action, manufacturing, complaint handling, non-conforming products, servicing, post-market quality data, etc. The basic foundation of risk management is built upon identifying hazards associated with a medical device and the processes that support this device, estimating and evaluating the associated risks, controlling these risks, and then monitoring the effectiveness of the controls. This process should include the following elements:

  • risk analysis
  • risk evaluation
  • risk control
  • production and post-production information




Read the December issue of BONEZONE for the second article in this three-part series.

ISO 14971 clearly states that top management shall be committed to:

  • defining and documenting the policy for determining criteria for risk acceptability; this policy shall ensure that criteria are based upon applicable national or regional regulations and relevant International Standards and take into account available information such as the generally accepted state of the art and known stakeholder concerns;
  • reviewing the suitability of the risk management process at planned intervals to ensure continuing effectiveness of the risk management process and document any decisions and actions taken; if the manufacturer has a quality management system in place, this review may be part of the quality management system review;
  • demonstrating support for the risk management process. Realistically, this does not mean a “yes” or “will do” to everything proposed or recommended, but it does mean that reasonable consideration be given and appropriate action taken on realistic recommendations;
  • clear communication in a policy-type statement that identifies risk control techniques that can be quantified and performance measured against established criteria.

Life Cycle Approach
Risk management tools should be applied during all phases of the life cycle of medical devices. The common thread is to identify and address safety issues, whether they be in design controls, production and process controls, post market quality data analysis, legacy product decision-making and, of course, when it comes to handling complaints and potential adverse events. In general, risk management can be characterized by phases of activities. The following examples represent phases that could be addressed as part of a fundamental risk management plan.

Phase I – Your risk management team must determine the levels of risk that would be acceptable in the device and/or process. Manufacturers should have a procedure to determine risk acceptability criteria. These risk acceptability criteria may come from an analysis of the manufacturer’s own experience with similar medical devices or research on what appears to be currently accepted risk levels by regulators, users or patients, given the benefits derived from diagnosis or treatment with the device. Risk acceptability criteria should generally be reflective of state of the art in controlling risks.

Phase II – This cross-functional team will then perform risk analysis. This phase starts with identifying hazards that may occur due to characteristics or properties of the device during normal use or potential misuse. After these hazards are identified, risks are estimated for each of the identified hazards, using available and credible information.

Phase III – The estimated risks are compared to the risk acceptability criteria that your risk management team has decided upon. This decision-making process is influenced by the type and classification of your medical devices, the size and complexity of your quality management system and the legitimacy of your collected and documented quality data. This comparison will determine an appropriate level of risk reduction (mitigation), if necessary. This phase is called risk evaluation. The combination of risk analysis and risk evaluation is called risk assessment. Risk assessment is ongoing and dynamic within the frame of a documented quality management system.

Phase IV – Can be composed of risk control and monitoring activities. Your team establishes actions, i.e. risk control measures, intended to eliminate or reduce (mitigate) each risk to meet the previously determined risk acceptability criteria. Within the limits of feasibility, one or more risk control measures may be incorporated in order to achieve this end. Risk control activities may begin as early as design input and continue through the design and development process, manufacturing, distribution, installation, servicing and throughout the medical device life cycle.

Throughout the life cycle of the device, your team will monitor whether the risks continue to remain acceptable and whether any new hazards or risks are uncovered. Quality data obtained from your quality management system (for example, production, complaints, customer feedback, purchasing data, non-conforming products, corrective and preventive action trends, audit finding trends, design controls and re-design information, acceptance activities, servicing data, adverse events, recalls, etc.) should be used as part of this monitoring activity.

If at any time a risk is determined to be unacceptable, the existing risk analysis should be reexamined and the appropriate action should be taken to meet the risk acceptability criteria.

If a new hazard is identified, then the four phases of risk management should be performed as part of a procedure.

Concluding Remarks
The success of a risk management process in medical device manufacture lies in an early start in design and use of the life cycle approach in continuum. As soon as conceptual designs are available, the risk management process can begin. A preliminary hazard analysis can be useful in selecting the concept with the highest level of inherent safety. Later, as the design is developed, design reviews at key points in the development process will allow changes to be made without significantly affecting the project schedule. It doesn’t end with the design process or just the medical device, however.

Risk management should extend into the core of your quality management system by controlling processes that are the foundation for making rational decisions that will, in fact, have ramifications beyond products. The effectiveness of your complaint handling and adverse reporting procedure, for example, cannot exist in a compliant manner if risk management is not factored into the decision-making process.


Choosing suppliers and evaluating and monitoring their performance is a triage type of decision with ongoing change control based upon types of products produced, services rendered and the cost of doing business. Every facet of the QMS is affected.

Companies are acclimating slowly. FDA is expecting progress with every FDA inspection that I am involved with, and ISO Registrars still contend that Product Realization is driven by risk management planning and ongoing change management.

John Gagliardi has had success over the past 43 years in the Medical Device and Pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. John specializes in building systems in a compliant and business-ready manner.

MidWest Process Innovation, LLC