Like other types of therapeutic products, risk is an inherent characteristic of all medical devices and manufacturers must weigh the benefits of their devices against residual risks on a continual basis, based upon available data. Risk management is one of the cornerstones of medical device regulation in established markets, however unfortunately it is an area in which manufacturers have some difficulty in establishing effectively. Fundamentally, manufacturers must possess a strong understanding of risk management requirements and concepts as effective risk management is essential across all steps of a device’s life cycle, from design and development through to post-market surveillance (PMS) and end-of-life (EOL). This article provides an overview of medical device risk management and key considerations for manufacturers looking to establish their risk management process and apply it to their devices.
What is Medical Device Risk Management?
To understand ‘risk management’ it’s first important to understand the vocabulary associated with this process, beginning with the term’s ‘harm’, ‘hazard’, ‘hazardous situation’ and ‘risk’.
- Harm’ is “physical injury, especially that which is deliberately inflicted.” In the medical device industry, harm may be manifested physically and/or psychologically and may be caused by a malfunctioning device (i.e. a device in an ‘in fault condition’), may occur during its intended use (i.e. a ‘normal condition’), or even during misuse. Therefore, harm may not be (and is quite often not) not be deliberate. As devices may also be used in a wide variety of environments (e.g. hospitals, outpatient clinics, home use, etc.), there is also a possibility of damage to property or the environment. Therefore, for medical devices, harm is understood to be damage or injury to the health of people, or damage to the environment or property.
- ‘Hazard’ is “a danger or risk”, however, this definition is not aligned with the concept of ‘hazard’ for devices which instead is a “potential source of harm”. For example, specific properties or characteristics of a device may be a ‘hazard’, such as mechanical, chemical, or biological properties. A case in point would be the presence of sodium azide in an in vitro diagnostic medical device (IVD), where this specific chemical is a ‘hazard’.
- ‘Risk’ is “a situation involving exposure to danger”, however for devices risk is understood to be a combination of the severity of harm and the probability of that harm, with manufacturers also often including the ability to detect the harm. Whereas a ‘hazardous situation’ is understood to be the circ*mstance in which the environment, property or people is/are exposed to at least one hazard. Taking the above example of sodium azide:
- A ‘hazardous situation’ could be the explosion of metal azides due to the improper disposal of the IVD containing the sodium azide in routine laboratory plumbing, although it’s important to note that hazardous situations often arise from a sequence of events having occurred, e.g.
- Event # 1: Improper disposal of sodium azide in routine laboratory plumbing.
- Event # 2: Sodium azide accumulates in plumbing due to not being adequately flushed through plumbing.
- Event # 3: Sodium azide reacts with metals present in plumbing system (e.g. silver, gold, lead, copper, brass, solder) to produce explosive metal azides.
- Event # 4: Explosion caused by metal azides in plumbing system.
- A ‘risk’ in this scenario would be the probability of a person suffering physical injury resulting from the explosion of the plumbing system and the severity of the injury (there would also be injury to environment and property in this scenario).
Maintenance of Corresponding Records for Risk Management
Comprehension of these basic concepts allows for a foundation upon which manufacturers can perform ‘risk management’ through systematically applying management policies, procedures, and practices for the realization of the following and maintenance of corresponding records (maintained in a Risk Management File):
1. Risk Analysis: In a systematic manner, using the information to identify ‘hazards’ and to estimate ‘risk’.
2. Risk Evaluation: Comparing the estimated risk against established risk acceptability criteria to determine acceptable/unacceptable risk.
3. Risk Control: Analyzing options to control risk and implementing risk control measures, evaluating the residual risk after their implementation, and determining whether they introduce new hazards or impact previously identified risks. This may include individual benefit-risk analysis, depending upon the jurisdiction. Risk control measures typically include (in the following order of priority):
- Elimination or reduction (as far as possible) of risks through safe design and manufacture.
- Taking appropriate protection measures (e.g. alarms) where risks cannot be eliminated.
- Providing safety information (e.g. warnings, precautions, contra-indications) and, where appropriate, training for users.
4. Evaluation of Overall Residual Risk: The benefits of the intended use of the device are evaluated against the overall residual risk of the device, applying previously established criteria for the acceptability of overall residual risk. Where overall residual risk is deemed to be acceptable by a manufacturer, it should also ensure that users are aware of the significant residual risks through information provided in documents accompanying the device.
5. Risk Management Review: To ensure overall completeness of the risk management process for a device, that overall residual risk is acceptable, and that the manufacturer has established appropriate procedures to collect and review information during production and post-production.
6. Monitoring During Production and Post-Production Activities: Under the activities, the manufacturer uses production and post-production data to essentially validate the results of the risk management process for a particular device and update the documentation and take other necessary corrective and/or preventive measures to ensure the continual acceptability of the overall residual risk when compared to the device benefits.
Which Risk Management Standard to Apply?
ISO 14971:2019 is the international ISO standard established to cover medical device risk management requirements and it encompasses the risk management activities presented above including establishing the relevant definitions applicable to risk management. This standard is also accompanied by highly relevant guidance in ISO/TR 24971:2020. While compliance with FDA consensus standards and EU harmonized standards, different versions of the ISO 14971 standards are listed in both the FDA consensus standards database and the current list of standards harmonized under the EU MDR/IVDR, as follows:
Differences Between US FDA and EU MDR/IVDR Regarding ISO 14971:2019
In the case of the US, the FDA has indicated that ANSI AAMI ISO 14971:2019 is an identical adoption of ISO 14971 Third Edition 2019-2, therefore from a US perspective, these standards can be considered equivalent with both falling under the same recognition number.
However, in the case of the EU, things are a little more complicated. Under Section 1, Annex I of the MDR/IVDR (i.e. GSPR 1), it is a requirement that the respective devices “…be safe and effective and shall not compromise the clinical condition or the safety of patients, or the safety and health of users or, where applicable, other persons, provided that any risks which may be associated with their use constitute acceptable risks when weighed against the benefits to the patient and are compatible with a high level of protection of health and safety, taking into account the generally acknowledged state of the art.” While the MDR/IVDR do not establish a definition for “state of the art”, MDCG 2020-6 does utilize the following definition from IMDRF/GRRP WG/N47: “Developed stage of current technical capability and/or accepted clinical practice in regard to products, processes and patient management, based on the relevant consolidated findings of science, technology and experience.”
Applying this definition of “state of the art”, the EN ISO 14971:2019/A11:2021, being the most recent version of the standard harmonized under the MDR/IVDR could be viewed as being the state of the art. However, from our experience, we’ve not observed Notified Bodies expecting the application of one version rather than the other. With that being said, manufacturers applying the EN ISO 14971:2019 version would be well served in reviewing the relevant ZA (MDR) and/or ZB (IVDR) annexes of this version of the standard as they provide relevant guidance on the relationship between the respective MDR/IVDR GSPRs and EN ISO 14971:2019 requirements, including the definitions to be applied and risk acceptability criteria. In particular, we’ve noted that certain Notified Body reviewers are questioning manufacturers how they’ve applied EN ISO 14971:2019/A11:2021 to their device during technical documentation file review, where the manufacturer has applied this version to their device.
Risk Management Integration with other Quality System Processes
Risk management begins during device design and as described above, risk management includes ongoing monitoring during the production and post-production phases of the device life cycle. Subsequently, processes established within a manufacturer’s quality system that typically have a direct relationship with the risk management process include:
- Design and development, including design change control
- Clinical / Performance evaluation (EU MDR/IVDR)
- Corrective and preventive action
- Management review
- Post-market surveillance (PMS) / Post-market clinical/performance follow-up (EU MDR/IVDR, and PMS, as applicable, under the FDA regulatory framework)
Due to direct interaction with several other quality system processes, a manufacturer must ensure that risks (and the associated harms, hazards, and hazardous situations) are consistently described so that these are effectively communicated throughout the organization (and to relevant external parties). As such, it is strongly recommended that manufacturers consider utilizing the IMDRF Adverse Event Terminology as early as possible in the risk management process (ideally during initial design and development) as the utilization of such terminology is typically expected in Periodic Safety Update Reports (PSURs) for medium-high risk devices.
This article provides an overview of medical device risk management. If you have any questions regarding this topic or require relevant consulting support, get in touch.
