Risk management is a critical part of the Total Product Life Cycle framework. Despite its criticality, manufacturers continue to experience difficulty in understanding several risk management concepts and terminology.
Terms related to risk management are defined in ISO 14971, the international standard on risk management for medical devices. Below we provide an overview of these concepts and terms. Plus, examples of their application in risk management, as well as the application of ISO 14971 within the overall EU device regulatory framework.
ISO 14971 defines ‘harm’ as:
“injury or damage to the health of people, or damage to property or the environment”
Harm may be permanent (e.g. death) or may be transitory (e.g. temporary inconvenience). It is a key term. It forms the basis of risk management, which aims to identify all hazards.
ISO 14971 defines ‘hazard’ as:
“potential source of harm”
ISO 14971 defines a ‘hazardous situation’ as:
“Circumstance in which people, property or the environment is/are exposed to one or more hazards”
As shown in the below table, potential harm that results from a hazard, is dependent upon the hazardous situation. There may potentially be multiple different hazardous situations leading to the same harm, based upon the nature of the hazard and other considerations, e.g., intended use of the device, the environment in which it is used, etc.
Harm (the injury or damage that could occur) | Hazard (the potential source of the harm) | Hazardous Situation (the circumstances in which exposure to harm occurs) |
---|---|---|
Thermal burn | Device surface temperature | Device with a burn-inducing surface temperature comes into contact with patient skin |
Electrical shock | Device power source | User comes into direct contact with exposed live electrical wiring in a mains connected device |
Allergic reaction | Device chemical composition | Patient comes into direct contact with a device which contains a chemical to which the patient has an allergy |
Once identified, the risk associated with each harm is:
During production/post-production, occurrences of harm are monitored (e.g., vigilance and post-market surveillance) to:
ISO 14971 defines ‘risk’ as the:
“combination or the probability of harm and the severity of that harm”
Within this context, ISO 14971 also defines ‘severity’ as the:
“measure of the possible consequence of a hazard”
ISO 14971 reiterates the above, stating:
“It is generally accepted that the concept of risk has two key components: 1) the probability of occurrence of harm; and 2) the consequences of that harm, that is, how severe it might be.”
Severity of harm can be usually be readily identified. However, often more than one type of severity is possible. For example, in the case of the harm of thermal burn described above, burns can be categorized as being:
The probability of harm can sometimes be readily estimated based upon publicly available data, e.g. probability of intestinal perforation during a colonoscopy based upon published incidence rates. However, quite often the probability of harm occurring is dependent on multiple events / hazardous situations occurring.
For example, in the hazardous situation described above for electrical shock, three independent events must occur for this hazardous situation to arise:
The probability of each of these individual events, can be used to estimate the probability of an electrical shock occurring.
Where more than one type of severity of harm is possible, risk should be estimated based upon the probability of occurrence of each level of severity. For example, if first-degree, second-degree, and third-degree burns are possible, then each should have its own probabilities of occurrence. This would be based upon the possible combinations of hazards and hazardous situations that could occur.
ISO 14971 defines ‘risk analysis’ as the:
“systematic use of available information to identify hazards and to estimate the risk”
Similar to the erroneously interchanging of the terms hazard and risk, the term ‘hazard analysis’ is often erroneously used by manufacturers when describing risk analysis.
While the term ‘hazard analysis’ is not defined under ISO 14971, it is understood to be the identification of hazards, which is one component of risk analysis. Hazard analysis does not include any risk estimation.
For example:
ISO 14971 does not establish a definition for ‘Root Cause Analysis’. However, the term is commonly used in hazard and/or risk analysis.
Root Cause Analysis collectively describes a wide range of techniques, tools, and approaches used to identify hazards, and the hazardous situations that could cause harm.
Tracing its origins to the broader field of Total Quality Management, such Root Cause Analysis methodologies / techniques / approaches can include:
ISO 14971 defines ‘risk estimation’ as the:
“Process used to assign values to the probability of occurrence of harm and the severity of that harm”
ISO 14971 defines ‘risk evaluation’ as the:
“Process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk”
Values assigned to the probability of occurrence of harm and its severity may be qualitative, semi-quantitative, or quantitative in nature.
Typically, either qualitative or semi-quantitative is applied in the healthcare industry. Between the two, there is a preference for semi-qualitative as this allows for:
Assigning values to the severity of harm is generally straightforward, due to comparisons that can be made based on the impact. For example, death vs. permanent injury vs. temporary injury vs. inconvenience.
Where manufacturers most often struggle, is in assigning values for the probability of occurrence. They frequently perform risk estimations first by utilizing a qualitative system, then shift to a semi-quantitative or quantitative system once they have gathered relevant statistical data, e.g., from clinical investigations or productions/post-production data sources, such as post-market surveillance.
Caution should be taken when establishing levels for probabilities of occurrence. Particularly when utilizing semi-quantitative or quantitative values, as these should ideally:
Harm Severity Level | Harm Description |
---|---|
Fatal | Results in death |
Critical | Results in permanent impairment or irreversible injury / psychological trauma |
Major | Results in injury or impairment requiring inpatient medical or surgical intervention or long-term psychological support services |
Minor | Results in temporary injury or impairment not requiring inpatient medical or surgical intervention or requires short-term psychological support services |
Negligible | Inconvenience or temporary discomfort |
Harm Probability of Occurrence Level | Probability of Occurrence Description (Range) |
---|---|
Frequent | ≥ 50% |
Probable | <50% and ≥ 5% |
Occasional | <5% and ≥ 1% |
Remote | <1% and ≥ 0.001% |
Improbable | < 0.001% |
The result of risk estimation is a ‘risk rating’. While this term is not defined in ISO 14971 or the MDR/IVDR, it is a common industry term.
A risk rating is assigned to each combination of hazard/hazardous situation/harm. It is typically identified in the risk analysis record by a hazard identification number (e.g. H001, H002, etc.) or other identification system.
Below is an example of stratified risk ratings using the severity and probability of occurrence level described in the tables above:
Under ISO 14971, ‘risk criteria’ (also referred to as ‘risk acceptability criteria’) must be established for evaluating both individual and overall risks. What does this mean, however?
Evaluating Individual Risk
The risk rating assigned to each of the above identified hazards would be assessed against pre-determined individual risk acceptability criteria. For example:
Evaluating Overall Risk
The totality of risk ratings assigned to identified hazards is assessed against overall risk acceptability criteria, such as:
The process outlined above, of comparing estimated risk against risk acceptability criteria, comprises ‘risk evaluation’.
Please note that the above examples for risk estimation and risk evaluation are provided for illustrative purposes only. ISO 14971 does not mandate the approach/tools to be adopted by manufacturers.
ISO 14971 defines ‘risk assessment‘ as the:
“overall process comprising risk analysis and a risk evaluation”
Taking into consideration the risk management process already covered above: Risk Analysis + Risk Evaluation. = Risk Assessment
Overview of Shelf Life, Expiration Dates, Device Lifetime/Useful Life, Service Life, and Life Cycle for medical devices and IVDs in Europe.
ISO 14971 defines ‘risk control’ as the:
“process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels”
The “specified levels” mentioned above, are the risk levels determined by the manufacturers’ risk acceptability criteria (for both individual and overall risk).
There is a priority to the types of risk controls that should be applied:
Manufacturers may believe that ‘risk control‘ is synonymous with ‘risk mitigation‘; however, such an approach would be misaligned with common industry practices, particularly in software engineering.
The ISO 14971 definition for ‘risk control’ covers the reduction, or maintenance, of risk within specified levels. It does not distinguish whether any reduction in risk is due to 1) a reduction in probability of occurrence, or 2) the severity if it occurs.
There is a distinction in software engineering, however:
Therefore, caution should be exerted in using the terms ‘risk control’ and ‘risk mitigation’, as ‘risk mitigation’ is not defined under ISO 14971.
ISO 14971 defines ‘residual risk’ as:
“Risk remaining after risk control measures have been implemented”
Under ISO 14971, once the manufacturer has identified and implemented the necessary risk controls, it must:
ISO 14971 defines ‘benefit’ as:
“Positive impact or desirable outcome of the use of a medical device on the health of an individual, or a positive impact on patient management or public health”
The description of specific device benefits is an area of greater scrutiny under ISO 14971:2019, as historically it has been poorly documented by manufacturers. Compounding this is that direct comparison of risks and benefits is challenging. It requires consideration of factors such as:
Device benefits may be related to safety and/or performance outcomes. For example:
Benefit/risk analysis is performed (both individually and overall) when assessing the residual risks. The outcome of the benefit/risk analysis depends on the residual risk levels and the established risk acceptability criteria. The outcome of the benefit/risk analysis must result in a positive benefit/risk ratio, i.e., benefits realized from use of the device outweigh the residual risks.
ISO 14971 defines ‘risk management’ as the:
“Systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk”
In addition to the risk management activities already described above, risk management also includes the monitoring of risk. This is typically performed through utilization of other QMS processes that are interlinked with the risk management process, including:
The records generated through the risk management process are then included, and/or cross-referenced, in the manufacturer’s risk management file for the device family.
ISO 14971 defines the ‘risk management file’ as the:
“Set of records and other documents that are produced by risk management”
This “set of records” begins with creation of the risk management plan, whose minimum content requirements are established in ISO 14971. It continues to the records generated through the entire risk management process.
The ‘risk management report’ (also referred to as ‘risk management summary report’) typically incorporates all elements that need to be recorded, that are not captured by the risk management plan and risk assessment records. These include:
When it comes to Risk Assessment and Risk Control records, the most commonly encountered records are Failure Mode & Effects Analyses (FMEAs). Their use is widespread in multiple industries and the methodology is well known/established. However, in the medical device industry, care needs to be taken when utilizing FMEAs.
ISO 14971 requires that manufacturers identify, and document, known and foreseeable hazards associated with the characteristics related to safety in both normal and fault conditions. As FMEAs inherently have a focus on “failure modes” (i.e. fault conditions), they need to ensure that hazards and hazardous situations in normal conditions are also identified.
ISO 14971:2019 was established with the purpose of alignment with risk management requirements under the MDR/IVDR. Further, in the 2021 amendment to the standard (harmonized under the MDR/IVDR), Annexes ZA/ZB were added as informational annexes.
These describe the gaps with the EU MDR/IVDR, including:
The 2021 amendment emphasizes the criticality of the definitions established in the standard and the MDR/IVDR. Notably, the standard does not establish a definition for risks being “reduced as far as possible”. Therefore, manufacturers pursuing CE marking must ensure that the meaning of reducing risks as far as possible in their risk management process, is aligned with GSPR 2 of the MDR/IVDR.
Additional elements of risk management under ISO 14971 and their relationship to MDR/IVDR, include:
Trend reporting is established within the scope of MDR/IVDR’s post-market surveillance requirements. They require establishing methods and protocols to manage the incidents subject to trend reporting. For example, to 1) identify any statistically significant increase in the frequency or severity of incidents, and 2) the observation period.
Therefore, risk estimation levels (for both severity and probability of occurrence) should be established so that they may be used to determine statistically significant increases.
They should be designed so that they can be used as suitable indicators and as threshold values, for continuous reassessment of the benefit-risk analysis and of the risk management, as required under MDR/IVDR post-market plan requirements.
Clinical/Performance Evaluation Reports should be closely aligned with the risk management file. Particularly in regard to the benefits and risks identified in clinical evidence included in these reports, and the overall benefit-risk analysis.
Typically, when demonstrating conformity with MDR/IVDR GSPR 1 (Requirement for Safety), these reports include: