Reducing Medical Device Failures through Risk Management

Posted in Medical Software by Qmed Staff on August 28, 2015

Although risk management is a commonly used term, it can be difficult to understand precisely how to implement it during medical device product development.

Lisa Weeks

Risk management is not a new concept for device makers. ISO 14971, the international risk management standard for medical devices, has been around since 2000. Once it became apparent that absolute product safety was unattainable, meaning, that some level of failure was inevitable, the need arose for a system that would help lessen the frequency and severity of those failures, and ISO 14971 was born. Yet here we are, 15 years later, still struggling to understand risk management and its vital role in product design and development.

Perhaps part of the problem is that many device makers assume successful risk management means eliminating risk altogether or see it as an isolated regulatory activity that is separate from the design process. In reality, risk management is ongoing. Continuous improvement—not risk elimination—is its real goal. “It’s impossible to anticipate every potential hazard or misuse of your device,” said Walt Murray, director of MasterControl’s quality and compliance consulting services, who has more than two decades of risk management expertise. “You’ll save yourself a lot of time and grief if you remember that risk management exists to make devices safer, not foolproof.” 

Understanding Risk-Related Terminology

Clearly, risk management is a polarizing subject. Even the so-called experts can’t seem to agree on what it is exactly. Loosely defined, risk management is a systematic process that can be used to identify hazards, to estimate and evaluate the risk associated with those hazards, and to implement and monitor the effectiveness of risk mitigation measures.1 When done effectively, it helps a manufacturer produce a safer product that performs as expected and experiences fewer failures in the field. If that sounds remarkably like design control, that’s because it is. Risk management as a requirement of design control shares its purpose: to produce safer devices that meet user needs. They should be performed simultaneously.

Risk management is often separated into four phases (risk planning, risk assessment, risk control and risk review/monitoring), but the process should be treated in a more cyclical manner during product development.

Risk Planning

Before you can even begin to assess risk, you must clarify your product’s intended use (i.e., what the product is supposed to be used for according to the manufacturer’s specifications, instructions, and other information).This is important! Intended use drives compliance and is used to classify your product. Management should take classification into consideration when determining the organization’s risk threshold, which is the degree, amount or volume of risk that the organization is willing to withstand. All of these things make up your organization’s risk management policy.

Risk planning also includes the creation of a risk management plan and risk management file, which will eventually include all of the records and documents generated during the risk management process. The planning stage is critical. Poor or insufficient planning is a common reason for device failure—and one that is easy to avoid.

Risk Assessment

No product is 100 percent safe. The purpose of risk assessment is to determine the product’s potential to cause harm. Every medical device has the potential to present a hazard. The hazard can lead to a hazardous situation. The hazardous situation can cause harm. For example, if a catheter is not sterile (hazard), infectious agents can enter the patient’s body (hazardous situation), causing an infection (harm). Hazards can occur during normal use (intended use), but more so if the device is misused. Hazards and hazardous situations feed into your product development process to improve user needs and design inputs.2

Risk assessment is made up of three interconnected processes: risk identification, risk analysis, and risk evaluation. The terms risk analysis and risk assessment are often used interchangeably, but they are not synonymous.

  • Risk identification: Focuses on uncovering and describing as many of the potential risks associated with the application of your device as possible. Questions to ask: What could go possibly go wrong, i.e., what are my hazards? What harm can come from each hazard?  
  • Risk analysis: Focuses on estimating the level of risk associated with each independent risk uncovered during risk identification. There are many risk analysis tools (e.g., FMEA, fault tree analysis, fishbone diagrams) at your disposal. They are covered extensively in ISO 31010. Questions to ask: What is the likelihood of a particular risk occurring? What level of impact (severity) will it have if it does?
  • Risk evaluation: Focuses on comparing your risk analysis results with your organization’s predetermined risk threshold. Questions to ask: Is this level of risk acceptable? Does it fall within my organization’s risk threshold? If it does not, you’ll have to try to reduce the risk.

Risk Assessment Best (and Worst) Practices  

  • Best: Assemble a cross-functional team, e.g., design engineer, product development engineer, member of manufacturing team, someone from packaging, someone from marketing (to address labeling concerns), medical consultant, medical writers and quality engineers, to brainstorm potential risk scenarios.The increased number of perspectives will increase your chances of uncovering more risks. It is easier and cheaper to fix risks now rather than during production or worse, once the product is in use.
  • Best: Don’t reinvent the wheel; perform a complaint analysis as early as possible. If your device has a predicate, examine the complaints that have been submitted against your competitor’s predicate device by searching the FDA’s Maude (Manufacturer and User Facility Device Experience) Database. Taking these complaints into consideration when designing your device will help you avoid reanalyzing risks that have been addressed in the past and ultimately reduce failures. Complaint analysis can also be conducted on previous generations of your own device.
  • Best: Integrate risk management into the design process from the get-go (e.g., during concept selection). The earlier designers are aware of risks, the better.
  • Worst: Skipping risk analysis or performing it casually. Every identified risk requires its risk analysis.
  • Worst: Addressing (mitigating) risk during the assessment phase. That’s risk control, and it comes next.  

Risk Control 

Once you’ve assessed your risk, it’s time to brainstorm options or mitigation methods you can implement to reduce it to an acceptable level. ISO 14971 provides you with three options to consider:

design safety into the product, e.g., eliminate a sharp edge from your design or design it in such a way that it’s virtually impossible to misuse it; establish protective measures (e.g., alarms); or provide safety information (e.g., putting a warning in the Instructions for Use or IFU). The latter option is the one most frequently used and arguably the least effective, especially if the user throws the information in the garbage five minutes after opening the package! Try to avoid using warnings as a risk reduction measure. Whenever possible, try to implement risk controls directly into the design process. Your risk controls will have a direct impact on your design outputs, as well as your verification and/or validation activities.

Review/Monitor Risk

Now it’s time to review all of the risk management work and determine whether you’ve done it according to the risk management plan. Make sure you have included appropriate methods for collecting production and post-production information (e.g., incident reports, customer complaints) throughout the product lifecycle. Make sure this information is included in your risk file. If it isn’t, you will need to update it and start the risk analysis process over again. Remember, risk management never ends! It is—and should be—an inherent component of your design process and your overall business plan.


1. Risk management DIN EN ISO 14971 – Risk Analysis, (accessed August 25, 2015).

2. 3 Tips for Incorporating Risk Management Throughout Medical…, (accessed August 26, 2015).

Lisa Weeks, a marketing communications specialist at MasterControl, writes extensively about technology, the life sciences, and other regulated environments. She has worked at McNeil Pharmaceuticals, SAP AG, SCA Mölnlycke Health Care, Crozer-Keystone Health Systems, and NovaCare Rehabilitation/Select Med. Connect with her on LinkedInor GxP Lifeline