Recently the Health Care and Youth Post Inspectorate brought out a post regarding electric wheelchairs. In the article the importance of having a good Risk Management system in place was illustrated, along with showing how a product with low risk does not mean it is without risk. To add onto this, the Post also elaborated on the products that are placed onto the market must be continuously maintained and evaluated. 

Risk Management

Medical Device Regulations in Europe uphold strong emphasis on Risk Management on medical devices. Herein, manufacturers of medical devices must control risk mitigation measures throughout the design and production process. However, it is important to note that assessing the risks does not end here, as ISO 14971 compliance requires that companies manage risks as an ongoing internal process that lasts throughout a medical device’s product life cycle. 

ISO 14971

The requirements described in ISO14971 are harmonised with the latest Medical Devices Regulations (MDR). The process intends to assist manufacturers of medical devices to identify the foreseeable hazards associated with the medical device, to estimate and evaluate the associated risks, to mitigate these risks, and to monitor the efficacy of the controls throughout all life cycle phases of the device. ISO14971 specifies that within this process manufacturers must also identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control and reduce these risks, to monitor the effectiveness of the controls, to evaluate residual risks and to perform reviews using production and post-production information. This also includes realising risks related to biocompatibility, data and systems security, electricity, moving parts, radiation and usability. Additionally, ISO 14971 requires that manufacturers establish objective criteria for risk acceptability, however the manufacturer must specify the specific acceptable risk levels herein. 

Some key terms that are used in Risk Management that are important to be aware of are:

Harm: injury or damage to the health of people, or damage to property or the environment 

Hazard: potential source of harm 

Hazardous situation: circumstance in which people, property or the environment are exposed to one or more hazards. 

Life cycle: series of all phases in the life of a medical device, from the initial conception to final decommissioning and disposal 

Post-production:  part of the life cycle of the medical device after the design has been completed and the medical device has been manufactured. EXAMPLE Transportation, storage, installation, product use, maintenance, repair, product changes, decommissioning and disposal 

Reasonably foreseeable misuse: use of a product or system in a way not intended by the manufacturer, but which can result from readily predictable human behaviour. 

Residual risk: risk remaining after risk control measures have been implemented 

Risk: Risk combination of the probability of occurrence of harm and the severity of that harm  

Risk analysis systematic use of available information to identify hazards and to estimate the risk  

Risk assessment: overall process comprising a risk analysis and a risk evaluation  

Risk control: process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels 

Risk estimation: process used to assign values to the probability of occurrence of harm and the severity of that harm  

Risk evaluation: process of comparing the estimated risk against given risk criteria to determine the acceptability of the risk  

Safety: freedom from unacceptable risk  

Severity: measure of the possible consequences of a hazard 

 A Risk Management process consists of the following actions: 

  1. Risk analysis 
  2. Risk evaluation 
  3. The implementation and verification of risk control measures  
  4. The result of the evaluation of residual risks 

Certification Experts often encounter many customers who do not have their Risk Management in order when evaluating Technical Files. Herein, it is important to note that a Notified Body (NoBo) and manufacturer have the responsibility to check the efficacy of the Risk Management System. When a Risk Management system does not meet the requirements of the NoBo, a Corrective Action Preventative Action (CAPA) will be implemented immediately. This means an organisation shall take action to eliminate the causes of nonconformities in order to prevent a recurrence and to eliminate the causes of potential nonconformities in order to prevent their occurrence.

When to start creating a Risk Management File 

Creating a Risk Management file starts in the design and development phase. During this, manufacturers must already be assessing potential risks and which risk mitigation measures should be employed. During the production phase, it is also possible to identify potential risks, and both during and after the packaging and storage phases, they must be reviewed. If applicable, the transport phase may also need to be reviewed. Additionally, the post production phase is also of importance as post market surveillance must be conducted. Post market surveillance is necessary as the information obtained from this will be used as input for the Risk Management report.