Risk Management Plan

• Risk management activities need an overall

plan
• The risk management plan has standard
elements:
– Scope (including the life-cycle)
– Responsibilities and authority
– Review requirements for risk management
– Risk acceptability criteria
– Risk verification
– Production activity data collection and review
– Post-production activity data collection and
review
Role of the Risk Management Plan

• The Risk Management Plan provides the

overarching approach to the managing risk.

• It can take a variety of forms

– Stand alone document
– Integrated into QMS documents
– Refer to other documents

• The structure and detail should relate to the

medical device risk.
 Scope of the Plan
Design
Design &
&
Development
Development Risk
• The scope needs to Process
Process
Assessment
& control

identify Validation
Validation

– the medical device (or Production

Production
family) Life Cycle of the Pick,
Pick, Pack
Pack &
&
Production
information
– and the life cycle Heel Warmer
Example
Ship
Ship

Warehouse
Warehouse

• The risk management Activate

Activate
Post - production
activities are Apply
Apply to
to information

mapped to the life Neonate

Neonate
cycle Dispose
Dispose
Assign Responsibility and Authority
Risk Mgmt. Plan

• Assign roles and their responsibilities

• Examples include:
– Reviewer
– Approval authority
– Expert
– Verification specialist

• Follow the roles and responsibilities in the design project to avoid

confusion

• The RASI Matrix is a useful tool

Responsible for tasks
Authority
Support Inform
 Criteria for Risk Acceptability
Risk Mgmt. Plan

• The Risk Management Plan needs two

sets of criteria
– One arises from the risk assigned to each
hazardous situation
– The other arises from the overall risk
 Concept of Risk Risk Mgmt. Plan

The concept of risk starts with continuous Probability and Severity dividing
the Risk area into regions.

Increasing Probability
Unacceptable

As low as
reasonably

practicable

Acceptable

Increasing Severity
But more often becomes a table
Risk Mgmt. Plan
...
Severity Levels Probability Levels
Term Description
Term Description
Catastrophic Results in death
Frequent Happens often
Critical Results in permanent impairment
to life-threatening injury Probable Likely to happen
Serious Results in injury or
impairment requiring Occasional Can happen, but not likely
medical intervention
Remote Unlikely to happen
Minor Results in injury or impairment
not requiring medical
intervention Improbable Highly unlikely to happen
Negligible Inconvenience or
temporary discomfort
 . . . that represents risk
Risk Mgmt. Plan

Severity Levels
Negligible Minor Serious Critical Catastrophic
Frequent R2 R2 R3 R3 R3
Probable R2 R2 R2 R2 R3
Probabilit
Occasional R2 R2 R2 R2 R3
y
Levels Remote R1 R1 R2 R2 R3
Improbable R1 R1 R2 R2 R3

Each company must develop its

R1 Acceptable risk
own risk analysis system.
R2 As Low As Reasonably Practicable
R3 Unacceptable
The risk matrix may differ by product.
For example, a risk matrix for a heel
warmer may not be adequate for an
automatic defibrillator.
 Overall Residual Risk Evaluation
Risk Mgmt. Plan

• If each risk is low, then the residual risks should be low.

• When residual risk remains, it should be evaluated by

specialists with knowledge of the device.

• If the residual risk is too high, it may be offset by the

medical benefit.
– X-rays cause damage to tissue, but the diagnostic benefit
outweighs the risk.
 Verification Activities
Risk Mgmt. Plan

• The standard says there are two distinct

verification activities
– Ensure the risk control measures are implemented in
the final design.
– Ensure the implemented risk control measures
actually reduce the risk.

• The Risk Management Plan explains how

to conduct these verifications.
 Production Activity –
Data Collection and Review
Risk Mgmt. Plan
• The Plan describes how you
will collect and review data • Our example
from production activities – The chemical mix
– Some production activities, if determines the
temperature of the heal
performed incorrectly could
warmer. Monitor mix
increase risk
parameters.
– Identify them and monitor
– One would expect
process results
destructive testing for seal
– Pay particular attention to
strength and temperature
processes that must be profile. Monitor the
validated results of these tests.
Performing Risk Analysis

Clause 4

12
 Risk Analysis Methodology
• This is a systematic approach to determine risk
– List every hazard (know or foreseeable)
– List the associated hazardous situations
– List the chain of events that creates each hazardous
situation
– Identify the potential harm(s)
– Estimate the severity and probability
– Calculate the risk, using the Risk Management Plan

13
 Post-production Activity –
Data Collection And
Review Risk Mgmt. Plan
• The plan describes how you will collect and review post-production
activity

• Include the following areas in data collection:

– Customer complaints
– Installation reports
– Servicing reports
– FDA’s Adverse Event reports
– Professional literature

• For each item collected, review the hazard, hazardous situation,

and risk
– The new information may lead you to update the previous analysis
and conclusion
14
 This approach lends
itself to a
Chain of
spreadsheet
Hazardous Potential
Hazard events Situation Harms Severity Probability Risk
*Operator error setting up
sealing machine
* Weak seal
*Nurse agressively mixes Pouch spills Second degree
Pouch bursts hot contents thermal burn Serious Occasional R2
the pouch

*Nurse reheats the pouch

*Aggressive mixing breaks Pouch spills Second degree
seal hot contents thermal burn Serious Remote R2

The spreadsheet could contain many rows.

Notice that a hazard could have more than one chain of events.

15
 Identifying hazards can be difficult
• The standard has a number of helpful aids
– Annex C helps identify device characteristics that may
impact safety
– Table E.1 provides a list of potential hazards
– Table E.2 offers a list of potential initiating events
– Table E.3 shows examples of hazards, chain of
events, hazardous situations, and harm
– Annex H provides additional information for in
vitro
diagnostic devices

16
Risk Evaluation

Clause 5

17
 The Prior Work Simplifies Risk
Evaluation
• The Risk Management Plan contains the criteria
for acceptable risk

• Risk Analysis determined the risk for each

hazardous situation

• Application of the criteria to each hazardous

situation determines the need for risk reduction
18
Risk Control

Clause 6

19
 Risk Reduction (when required) Clause 6
Select risk control measures in the specified order:
Option Analysis
inherent safety by design € protective measures
(6.2)
€ safety information

Implement the selected risk control measures

Implementation • Verify implementation of each risk control measure
(6.3) • Record the results in the risk management file

After implementation of risk control measures

Residual Risk • Evaluate residual risk by the risk management plan
(6.4) • If necessary, apply further risk control measures

Decide if medical benefits outweigh the risk when:

Risk
• Residual risk is not acceptable
Benefit
• Further risk control is not practicable
(6.5)
New Risks Determine if risk control introduced any new
(6.6) risks Check if previously estimated risks are
affected
20
Risk Control Completeness Check
Clause 6

Completeness Ensure the risks from all identified

Check (6.7) hazardous situations are considered.

21
Evaluation of Overall Residual Risk
Acceptability
 This is a Broad View of Risk
• Previously we evaluated the risk of each
hazardous situation
– If it didn’t meet the criteria we reduced the
risk
– We also cycled through all the hazardous
situations to evaluate impacts

• Now we take a broader view to evaluate

the whole device
 Use Expert Opinion to Review and
Decide
Overall residual Yes
risk acceptable?

No

Medical benefits Yes

outweigh risk?

No

STOP THE PROJECT Disclose overall risk

 Disclosing Overall Risk
• Annex J offers guidance on communicating risk

• Information for safety is the least preferred method

– Recall the priority order: inherent safety by design >protective
measures safety information

• Identify who receives the information and how

• Explain the risk, the consequences of exposure, and

how to prevent the harm
 The GHTF Guidance

Implementation of risk management

principles and activities within a Quality
Management System
 Purpose and Overview
• The GHTF Guidance focuses on integrating Risk
Management into the Quality Management
System (QMS).

• The scope of ISO 14971 says

– “This International Standard does not require that the
manufacturer have a quality management system in
place. However, risk management can be an integral
part of a quality management system.”
 Phases of Risk
Acceptable levels of risk
1st Phase A policy or procedure determines risk acceptability
criteria It is derived from experience and research on
currently accepted risk levels

Risk analysis
2nd Phase Identify hazards in normal use or foreseeable
misuse Estimate the for each identified hazard

Compare risks to acceptability criteria

3rd Phase Determine the need for risk reduction, if necessary
Determines the appropriate level of required risk
reduction
Risk control and monitoring activities
Activities can begin as early as design input, and
4th Phase
continues through manufacturing, distribution, installation,
and servicing. Activities cover the device life cycle.
 Two Areas are Worthy of Note
• Design and • CAPA
Development
– The guidance covers
each area of design and
development.
– Annex B contains a
detailed flowchart placing
risk management
activities in the design
and development
process
– The guidance contains a
detailed flowchart integrating
risk management into the
CAPA process.
– The flowchart identifies key
quality data points:
Service Reports
Product Complaints
Manufacturing
Nonconformities/
Defects
Engineering
Nonconformities/Defects
Quality System
Nonconformities/Defects
Tools for Risk Management

Failure Modes and Effects Analysis

Fault Tree Analysis
Hazard Analysis and Critical Control
Point
 Failure Modes and Effects
Analysis (FMEA)
• This is a standard reliability technique adapted
to risk analysis.

• In risk analysis, there is a very important

consideration. Hazards and Harms do not
require failure!

• Evaluate risk management in normal,

single fault, and multiple fault conditions.
 The Standard Method
• A large spreadsheet where each row relates to a hazard.
• Typical column entries include:
– Function
– Hazard
– Harm
– Mode (Normal, single fault, or multiple fault)
– Severity
– Occurrence
– Detection
– Risk Priority Number (Determine by severity, occurrence, &
detection as defined in the Risk Management Plan)
– Mitigation
– Responsibility
– Verification
 Fault Tree Analysis (FTA)
• A Fault Tree is a logic diagram showing
the paths to an event

• The event under study is called the Top

Event

• The causes of the Top Event are

diagramed using standard logic gate
symbols
Logic Symbols
AND
The output event occurs when all
input events occur at the same time

OR
The output event occurs when at least
one of the input events occur
 A Fault Tree
Pump Failure

Bearing Failure Motor Failure Seal Failure Valve Failure

A coupling failure causes a motor failure
A motor failure causes a pump failure

Coupling Failure Electrical Failure

A power failure AND battery

exhausted cause an electrical
failure
Power Failure Battery exhausted
Risk Management - ISO 14971
Fault Tree Analysis (FTA) Steps
Fault Tree Analysis usually involves five steps:
1. Define the undesired event to study, the Top Event
– State the undesired event that can cause risk

2. Understand the system

– Describe the events that could allow the Top Event to happen. For each event determine the
what would cause it. Continue to analyze the system.

3. Construct the fault tree

– After selecting the undesired event and analyzed the system to identify the causal events,
construct the Fault Tree. Describe the events and their relationships using AND and OR
gates. More complex gates are also possible.

4. Evaluate the fault tree

– Evaluate the Fault Tree. Look for possible improvements that can mitigate, reduce, or
eliminate the events. Identify all possible hazards affecting in a direct or indirect way the
system.

5. Control the hazards identified

– After identifying the events and hazards, determine methods to decrease the probability of
occurrence.
 Hazard Analysis and Critical Control
Point (HACCP)
• HACCP is a system to prevent problems, rather
than finding them by inspection at the end of
the production process.

• HACCP is used by US regulatory agencies (FDA

and USDA) to help protect the food supply

• HACCP is based on seven principles described in

the FDA’s Hazard Analysis and Critical Control
Point Principles and Application Guidelines
 HACCP Principles
• Principle 1: Conduct a hazard analysis
– The hazard analysis develops a list of significant hazards that they
are reasonably likely to cause injury or illness if not effectively
controlled.

• Principle 2: Determine the critical control points (CCPs)

– A critical control point is a step at which control can be applied
to prevent or eliminate a hazard or reduce it to an acceptable
level.

• Principle 3: Establish critical limits

– A critical limit is a maximum and/or minimum value to which a
parameter must be controlled at a CCP to prevent, eliminate or reduce
to an acceptable level the occurrence of a hazard. A critical limit is
used to distinguish between safe and unsafe operating conditions at a
CCP.
 HACCP Principles (cont.)
• Principle 4: Establish monitoring procedures
– Monitoring is a planned sequence of observations or
measurements to assess whether a CCP is under control and to
produce an accurate record for future use in verification.

– Monitoring serves three main purposes.

• Monitoring facilitates tracking of the operation. If monitoring
indicates that there is a trend towards loss of control, then
action can be taken to bring the process back into control
before a deviation from a critical limit occurs.
• Monitoring is used to determine when there is loss of control and
a deviation occurs at a CCP, i.e., exceeding or not meeting a
critical limit. When a deviation occurs, an appropriate corrective
action must be taken.
• Monitoring provides written documentation for use in verification.
 HACCP Principles (cont.)
• Principle 5: Establish corrective actions
– The HACCP system identifies hazards and establishes
strategies to prevent, eliminate, or reduce their occurrence.
Deviations from established processes may occur, so if there is
a deviation from established critical limits, corrective actions are
necessary. Specific corrective actions should be developed in
advance for each CCP and included in the HACCP plan
– Corrective actions should include the following elements:
(a) determine and correct the cause of non-compliance;
(b) determine the disposition of non-compliant product and
(c) record the corrective actions that have been taken.
 HACCP Principles (cont.)
• Principle 6: Establish verification procedures
– Verification is defined as those activities, other than monitoring,
that determine the validity of the HACCP plan and that the
system is operating according to the plan.

• Principle 7: Establish record-keeping and documentation

procedures
– Generally, the records maintained for the HACCP System should
include the following:
• A summary of the hazard analysis, including the rationale
for determining hazards and control measures
• The HACCP Plan
• Support documentation such as validation records
• Records that are generated during the operation of the plan
 Risk Management File
• The documents and quality
records are maintained in the
Risk Management File.
• Think of this as a filing cabinet
containing information about
the risk management program
– In practice, it is usually a variety of
documents, often in different
formats (text files, spreadsheets,
etc.)
• You must be able to readily
retrieve documents and
records of the Risk
Management File.
 Summary
• The standard method for medical device
risk management is ISO 14971:2019
– The FDA recognizes it as a consensus
standard

– The EU lists it as a harmonized standard to

the MDD, IVD, and AIMD

– ISO 13485:2016 recommends ISO 14971

for risk management
 Summary
• ISO 14971 implementation starts with a Risk
Management Plan

• The implementation flows through a series of steps

defined in the respective clauses:
– 4: Risk Analysis
– 5: Risk Evaluation
– 6: Risk Control
– 7: Residual Risk Evaluation
– 8: Risk Management Report
– 9: Production & Post-production Information

• Maintain of the information in the Risk

Management File
 Summary
• The Risk Management File is not a static
document

• It should include production information

– Monitor production processes that contribute to risk
factors
– Validated processes are particularly significant
contributors

• It include post-production information

– Integrate the complaint and post-market surveillance
processes
 Conclusions
• ISO 14971:2019 is the de facto standard
for medical device risk management

• Regardless of the marketing region (US,

EU, Canada, etc.) ISO 14971 is a valuable
addition to a medical device QMS

• ISO 14971 is most effective when it is

integrated into a company’s QMS.