A practical guide to implementing Risk Management for medical device startups

    Risk Management continues to be a hot topic in the medical device world as regulators place additional emphasis on the role of risk management throughout the device lifecycle. The 2016 revision of ISO 13485 increased expectations for manufacturers to implement risk management throughout their QMS. Subsequently, in the 2019 revision of ISO 14971 the methods of applying risk throughout the QMS were further identified. The FDA is currently in the process of revising 21 CFR 820 to align with ISO 13485, and risk management is sure to be much more prominent in the new revision.

    With all that being said, where does that leave small manufacturers or startups  that are not experts in risk management activities? The following is an introduction to implementing risk management with practical examples and with minimal technical jargon. This guide focuses primarily on risk from the design controls perspective, but can be applied to the entire QMS with some minor tweaks.

    Table of Contents

    1. Risk Management terminology
    2. Getting started with Risk Management
      1. Managing risk records
      2. Developing documents and records
    3. Doing the work of Risk Management 
      1. Planning
      2. Analysis 
      3. Estimation 
      4. Risk Evaluation 
      5. Risk Management Review
    4. Next steps
    5. Tips for success


    Risk Management terminology

    The first step to making progress towards understanding risk is to dissect the slight variations in the terminology. Some of these can be very nuanced, so it’s important to get a good grasp on the differences before proceeding.

    Risk Analysis: Risk Analysis is the process of looking at a design or system and actually coming up with possible hazards that could possibly cause harm to people, property, or even the environment. Think of risk analysis as sitting around a table with your team and coming up with any possible, often seemingly silly, hazard that could arise. 

    Risk Estimation: Risk Estimation is the process used to assign a numerical value to the laundry list of possibilities you came up with during the analysis. The risk estimation process considered the probability of occurrence and the severity of the harm. 

    Risk: Risk can be numerical or translated to a scale like low, medium, high, but this is the actual representation of the risk estimation for a given harm. For example, a harm with a high severity but a very small probability of actually occurring may be a low risk. 

    Risk Evaluation: Risk Evaluation is a process of taking the risk analysis and comparing it to a set of predefined risk acceptance criteria. Usually this results in a risk evaluation summary document.

    Risk Assessment: Risk Assessment is the bigger document that contains both the analysis and the evaluation

    Risk Control: Risk Control is the step where the full risk assessment is reviewed and steps are taken to reduce risk to an acceptable level.

    Risk Management: Risk Management is the overall process of all things risk. Risk Management is the umbrella term that refers to all of the sub-processes as a whole.

    Risk Management File: The records for all things risk management including analysis, estimation, acceptable risk ranges, mitigations, etc. 

    Getting started with Risk Management

    Managing Risk Records

    Okay, so you’re getting ready to start a new design project and that means a new Risk Management File. The first step is deciding how you are going to maintain all of these records. 

    Option 1: Paper: Generate paper records for every risk related document or record and maintain them in a binder. This is messy, but can work if you are in a traditional office setting. 

    Pros: Easy to start, traditional  
    Cons: Not feasible for remote work, Higher risk of damage/destruction, Can be difficult to keep continually updated

    Option 2: Electronic File/Binder: Think of this as the next evolution from paper. Your records and documents are all maintained in a file folder on a server or in the cloud. 

    Pros: Easy to start, allows online collaboration
    Cons: Potential difficulties with Part 11 compliance

    Option 3: Electronic QMS with Risk Built-in - An eQMS that has a great risk system built-in can allow for linkages throughout the system. You will still need to create documents and records

    Pros: Online collaboration, Part 11 compliance, Automatic linkage to associated documents and records
    Cons: Cost of software, learning curve for using software

    Once you have decided on a method of maintaining your records it’s time to get started creating them.

    Developing documents and records

    Things you need to develop to set up your Risk Management system:

    Procedures (SOPs, Work Instructions, etc.)

    After reading this primer, buy a copy of ISO 14971 and sit down and get writing compliant procedures, or enlist the help of an expert. You’ll want to make sure that your procedures provide enough detail that your team will be able to conduct the risk management activities in a consistent manner. 

    As a disclaimer, you might write or buy a set of procedures that seems great, but once you get in and do the work of the risk management process you realize the process doesn’t work as well as you hoped. That’s okay! The nature of quality is to make continual improvements in systems and processes.

    You can always open a corrective and preventive action (CAPA) to document the improvement process. Auditors do not look at CAPAs as a bad thing, unless you are opening CAPAs and then not properly addressing them. The 2016 revision of ISO 13485 put more emphasis on preventive actions to encourage manufacturers to continually review systems for possible improvements. This ties in nicely with using risk management throughout the QMS. 

    Documents and Records

    These will be the backbone of how you document everything in your Risk Management File. You will need at least the following basic documents:

    Risk Management Plan

    This is device specific and will be your guiding document for ensuring all of your other risk activities take place. This plan must also include your risk acceptability criteria. The Risk Management Plan should be considered a living document that is updated as timelines change. This will be your guide for making sure all of the risk activities are carried out.

    Risk Analysis Document

    This needs to capture the who, what, where, and when of the analysis, as well as listing all of the hazards that were identified during the analysis. This could be as simple as meeting minutes with a list of the hazards as the output, or could be much more complex with flowcharts showing the thought process for the analysis. It will really depend on the complexity of your device and manufacturing process. 

    Risk Estimation Document

    Here is where you will assign numerical values to the hazards that you identified in the analysis. If you have an eQMS there will likely be an integration for this. If not, a good old fashioned spreadsheet is typically used. There are different styles and methods, so find a way that will work well for you.

    Risk Evaluation

    At this stage, you will compare your estimations to the acceptability criteria from your Risk Management Plan and draw conclusions about the overall risk acceptability. This should be a document that covers not only the numerical analysis, but also offers a synopsis. Your evaluation may come up with risks that are unacceptable and that's okay. Document the risks that need to be mitigated and consider this an action item checklist. 

    Risk Management Review

    A simple document that should be part of your final phase of Design Controls. This review will document that the Risk Management Plan has been implemented, risk levels are all acceptable, and that plans for post-production risk management activities are in place. 

    Doing the work of Risk Management

    Looking at the list of documents and records above, you may be feeling a bit overwhelmed or still at a loss as to what it actually means to “do” Risk Management. Next, let’s look at an example using a standard yellow #2 pencil as an example of the device.

    Step 1: Planning

    First, you'll need to prepare the Risk Management Plan with timelines and responsible people in place. It may look something like the following.

    Scope: The following plan covers the design, development, and product launch for the Model #2 pencil.

     


     Activity


    Responsibility


    Timeline


    Reviewers

    1

     Initial Pre-Design Analysis

         

    2

     Data Review for Estimation

         

    3

     Develop Risk Acceptability  Criteria and add to Risk  Management Plan

         

    4

    Develop Evaluation Metric for Residual Risk and add to Risk Management Plan

         

    5

    Post-Design Risk Analysis*

         

    6

    Apply Risk Estimates*

         

    7

    Risk Evaluation*

         

    8

    Risk Control & Mitigation* 

         

    9

    Verification of Risk Controls

         

    10

    Develop Post-Product Risk Metrics

         

    11

    Risk Management Review

         

    *Repeat steps 5-8 cyclically until all risks have been mitigated to an acceptable level or a risk-benefit analysis determines that residual risk is acceptable given the expected benefits.

    Remember: The Risk Management Plan is a living document. Update it as necessary. Adhere to document and record controls when updating. 

    Step 2: Analysis

    Once you have (at least your first version of) your Risk Management Plan in place, it's time to get to work on risk analysis. Let's use some examples using our #2 pencil device model.

    There are many different Risk Analysis techniques that can be used. For an initial risk analysis before you have a finished or even prototype device to look at, a less structured approach might be the best fit. This approach will allow your team to come together to discuss the device and may also be helpful in introducing additional considerations for the device development. 

    So for this example we know we want to make a pencil, but we don’t yet know what that manufacturing process really looks like, what the final materials will be, or where it will be used. This is where using risk early can be beneficial to the overall development process. We know we want to have some sort of a coating on the outside of the pencil, but we don’t know what material we want to use. If we discuss the risks and benefits of the different options now we can save time and money down the road when we realize we picked a material without thinking it through completely.

    Here's an example thought process: A paint coating on the pencil is nice, but where will the pencil be used? Is it going to be a hazard if the paint flakes off? Can we include any design or markings on the painted surface that we need to? There is usually a metal component that attaches the eraser to the pencil. What are the risks if that metal breaks off? Can the metal cut anyone? Can the metal interfere with other devices in the environment that use magnets? What about users that are allergic to certain metals? 

    The initial spit-balling of ideas can then be translated into a formal risk analysis like below:


    Hazard


    Hazardous Situation


    Potential Harm


    Pencil Coating


    Flakes off


    Contaminates controlled environment


    Difficult to Print on


    Illegible Markings


    Metal Clamp


    Sharp Edges


    User is injured


     Magnetic Interference

    Nearby devices disrupted


    Biocompatibility


    User allergies to metal


    Eraser Material


    Biocompatibility


    User allergies to material


    Complete the analysis by documenting exactly what device it applies to, who was involved in the analysis, and when the analysis took place. 

    Step 3: Estimation

    This is where things start getting tricky. Estimation can be qualitative or quantitative, but where possible there should be some rationale for the estimate. 

    For medical devices that are based on similar existing devices, it may be possible to pull some risk estimation data from published scientific literature, clinical trial data, or publicly available adverse event reports. But how do you estimate the risk that someone will use an expired product or that manufacturing debris will remain in a fluid pathway?

    For risks introduced through the manufacturing process, statistical data can be gathered from the quality control system to help inform your estimates. For user based risks such as off-label use, or incorrect use, usability studies can be conducted. Another source of risk estimation data is expert opinion.

    For the below example, a numerical scale of 1 to 5 has been used for the estimation, where 1 is incredibly unlikely and a 1 in severity is practically harmless. In practice in industry, there's often also a column for Detectability, which identifies how easily the hazard is detected prior to use as a means to prevent the harm from occurring.

    Hazard Hazardous Situation Potential Harm  Probability of Occurrence Severity  Comments

    Pencil Coating


    Flakes off



    Contaminates controlled environment

    3

    1


    Not designed for controlled environments

    Difficult to Print on

    Illegible Markings

    3

    2


    Manufacturing data indicates 3% of units have poor print quality; Unclear printing could result in selection of the wrong hardness pencil (ex. 2 instead of 2B)

    Metal Clamp

    Sharp Edges

    User is injured

    2

    3


    Consumer data for similar pencil indicates 5 complaints out of 100,000 pencils sold for injuries from the metal clamp.


    Magnetic Interference


    Nearby devices disrupted

    1

    1

    Metal used is nonmagnetic.

    Biocompatibility

    User allergies to metal

    1

    5


    Available medical data indicates allergy to selected metal occurs in 1 of 100,000 people.

    Eraser Material

    Biocompatibility

    User allergies to material

    1

    5


    Available medical data indicates allergy to selected metal occurs in 1 of 100,000 people.

    Note: Prior to completing the estimations you will need to define the acceptable risk levels in the Risk Management Plan. Similar to the estimation, you may look to industry sources for data about typical risks to identify what is acceptable. The acceptability criteria for a manufacturing process risk may be different from a risk to the patient or device user. This is also where you will define how you will identify estimations, quantitative, qualitative, or both.

    Step 4: Risk Evaluation

     At this stage, you'll be looking at the risks and determining if they meet the acceptability thresholds. If a certain hazard is identified as being unacceptable, risk control measures may be implemented. These are changes to the design, packaging, labeling, training program, manufacturing process, etc., that will be implemented to attempt to reduce the risk occurrence. These mitigations must be verified for implementation and effectiveness, and that verification must be documented within the Risk Management File. 

    For this example, we’re going to say that the metal used can potentially cause a life threatening reaction for those with the rare allergy. Since it's life threatening we want to mitigate the risk if at all possible. Some possible mitigations we might consider would be changing the type of metal used for the clamp, coating the metal so it not able to cause a reaction, or putting a warning label on the packaging for the pencils notifying the user of the potential allergen.

    It would then be up to the design and development team to determine if a material change or coating makes sense. If the material change doesn’t make sense, some sort of usability testing may be necessary to ensure that the labeling on the product is prominent enough to alert users to the potential danger.


    Hazard


    Hazardous
    Situation


    Potential Harm


    Probability of Occurrence


    Severity


    Comments

    Metal
    Clamp

    Biocompatibility

    User allergies to metal

    1

    5


    Available medical data indicates allergy to selected metal occurs in 1 of 100,000 people.


    The analysis, estimation, evaluation, and control steps may be repeated in iterative cycles until the risk is finally brought to an acceptable level. This cycle may also need to be repeated at different phases of the design process as new information about the device and manufacturing process become available. 

    Step 5: Risk Management Review

    Finally, you’ve reached the final phase of design controls and the device is ready to be released.

    As part of your final design phase review you will need to complete a formal Risk Management Review. The Risk Management Review is simply checking to make sure that the Risk Management Plan has been fully implemented, that the residual risk of the device is acceptable, and that the Risk Management Plan has been updated to include methods and plans for post-production risk activities. 

    These post-production plans will include identifying sources for collecting data that will be included in future risk analysis and estimation activities. Possible sources include Nonconforming Material Reports, Complaints, Literature Reviews, clinical data, process control data, user feedback, or any other source that may provide useful data.

    The Risk Management Plan should also be updated to include defined triggers and timelines for reviewing and updating the Risk Management File. At a minimum, the risk analysis and risk estimation should be reviewed annually and a new Risk Evaluation prepared summarizing any risk data that has accrued. Defined triggers to require a risk analysis and risk estimation review may include: recurring customer complaints, recurring material non-conformances, or a complaint indicating a severe risk. 

    If there are any design changes or process changes the risk analysis and risk estimation should also be reviewed. This should be built into your change control system as an automatic trigger.

    Next steps for Risk Management

    If you have made it this far, hopefully you have a much better idea of what Risk Management is and what you need to do to be successful. Remember, this is a primer and certainly does not capture all the nuances of Risk Management.

    You will want to check with the ISO standard for the specific requirements for each Risk Management document (i.e. signatures, scope, etc.).  ISO 14971 also has an annex with some great examples of hazards that you may want to consider for your design project. The hazards list  in Annex C is  a great starting point if you still aren’t feeling confident with identifying hazards and harms. 

    Tips for Risk Management success

    1. Start with a plan. Trying to just “do risk” without a Risk Management Plan and procedures in place is a disaster waiting to happen. It's a controlled methodical process, so start with controls in place.
    2. Don’t be intimidated. Risk can seem overwhelming and confusing, so you just have to get in there and start writing hazard statements until it starts to make sense. If the grid is difficult to comprehend, write sentences first to help get the process started. For example, “If the pencil coating doesn’t properly adhere during drying it could flake off and contaminate a clean room."

    3. Don’t forget to routinely review your risk materials. Doing the initial pre-market risk management process will get you to market, but if you stop there you are at risk of noncompliance during an audit or FDA inspection. There's increasing focus from international regulators on post-market surveillance and therefore post-market risk analysis. Make sure that you build a system that keeps regular risk review from falling to the back burner.

    4. Integrate Risk Management throughout your QMS. Once you have a handle on how risk management works you can start to see the value of using risk throughout the QMS. You can use risk to prioritize efforts in all areas of your QMS.
    A few examples of what you can do by assessing risk across the QMS:
    • Document/Change Control - assign priority and approval requirements 
    • CAPA - assign priority level and range of actions that are appropriate to address the CAPA
    • Supplier Controls - assign level of control required based on 
    • Internal Audits - determine audit frequency 
    • Management Review - assess overall risks within the QMS
    • Production - determine inspection requirements, determine maintenance/calibration intervals

    Make sure all of these QMS processes have processes built-in to trigger a review of the design Risk Management File when appropriate. Now you're ready to get out there and build a successful and compliant Risk Management System to optimize processes, reduce time to market, and cut costs.