What’s the risk? - How to approach the risk management process of a medical device

by Liron Sarid-Krebs

In a nutshell:

  1. A good risk management plan (RMP) is a good start. RMP defines the activities associated with risk recognition, mitigation and surveillance throughout the life cycle of the product.

  2. The risk management activities are a dynamic process. They include risk identification, risk estimation and evaluation and risk control. After the risk-benefit analysis is performed, there is a feedback loop to re-evaluate the risk index according to the mitigation measures that were taken.

  3. Part of the risk management report is the risk-benefit statement. It should conclude through the process of risk analysis that benefits outweigh the risks.


The risk management process includes all stages of the product life cycle and is presented in Figure 1.

Figure 1: The risk management process: The risk management plan defines the activities associated with risk recognition, mitigation and surveillance throughout the life cycle of the product. Risk analysis and evaluation include the preliminary hazard identification, associated risk assessments and categorization of the recognized risks. Risk control demonstrates the mitigation measures that are proposed and their implementation where necessary. Thereafter, the risk management report summarizes the results of all risk management activities, and it should provide a justified statement that the benefits outweigh the risks. Data from the post-production phase needs to be collected and implemented in order to maintain corrective action and vigilance procedures in a systematic way.

As a first step, a comprehensive Risk Management Plan (RMP) should be compiled, defining the activities associated with risk recognition, mitigation and surveillance throughout the life cycle of the product. The known and foreseeable hazards associated with the device and with the intended use should be identified and analysed, and mitigation strategies should be discussed. The RMP should also include the process for collecting information from the production phase and from the post-market surveillance system, and the impact of this information should be evaluated. These data should be screened for hazards and the frequency of occurrence thereof and should be supplemented by estimates of the associated risks for identified hazards. In addition, the overall risk, the benefit-risk ratio and the risk acceptability should be evaluated, and, if necessary, control measures should be amended.

The risk management activities include risk identification, estimation, evaluation and control. These set the ground for generating a risk-benefit analysis that is based on the user, design and manufacturing of the product. These activities start with identification of safety aspects according to the product characteristics. Intended use and intended purpose of the medical device are important factors in identifying the potential sources of harm associated with the product. The manufacturer should identify and document those qualitative and quantitative characteristics that could affect the safety of the medical device.

Hazards and hazardous situations are potential sources of harm and can occur either under normal or fault conditions. A good technique for identifying hazards is to go through all the steps required for the product to be used and to determine if there are any potential sources of harm at each step. Once the hazardous situations are identified, the possible harms should be established, and the risk should be estimated. ISO 14971 defines a risk as the combination of the probability of occurrence of harm and the severity of that harm. Accordingly, a common practice for risk evaluation is to determine a risk index score according to the probability of occurrence and the severity of possible harms. This allows risks to be classified into risk zones which define risks as either acceptable or requiring risk reduction. This procedure should be established by the manufacturer and defined in the RMP. The risks that require risk reduction should be eliminated or reduced to an acceptable level through safety testing, proper choice of materials, sterilization validation, and thorough instructions for use.

The risk-benefit analysis is a structured tool to assess and present any identified risk, including those that cannot be further reduced to an acceptable level, and its spirit is that the medical benefits of the device should outweigh the residual risks. After the risk-benefit analysis is completed and preventive measures are demonstrated for those risks that cannot be reduced, the risk index score is re-evaluated for those risks.

Finally, a risk management report will summarize the results of all risk management activities. This report should include explanations of risk acceptability determinations and should conclude with a statement that the overall residual risk of the device is acceptable. As a next step, data from the post-market surveillance system that was defined in the RMP should be appropriately collected and processed. This post-production procedure is used to proactively collect and review experience gained from devices that are placed on the market; the information is therefore collected from users, service personnel, and customer feedback and should be part of the product technical file.

Biopharma Excellence is experienced in the development of drugs and devices in both the EU and the US. We understand the unique challenges and risks of medical device development programs and know how to manage and solve them. If you would like to learn more, please contact us.


References

  • DIN EN ISO 14971. (2012). Medical devices – Application of risk management to medical devices. European Standard.

  • European Union MDR. (2017). Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, amending Directive 2001/83/EC, Regulation (EC) No 178/2002 and Regulation (EC) No 1223/2009 and repealing Council Directives 90/385/EEC and 93/42/EEC. Official Journal of the European Union.