Blog / Medtech  / 19 Feb 2020 

How to play it safe: risk management in medical device development

One of the most significant aspects to consider for medical device development is risk management. Find out how to approach this from the outset.

Tom Beale


Commercial Development Manager


If you’re developing a medical device, you’ll know that one of the most significant aspects to consider is risk management. The importance of the subject was emphasised in the 2017 European Regulation on Medical Devices, where the requirements for risk management were significantly bolstered from the superseded Medical Device Directive.

With risk management becoming increasingly complex, it’s become even more important for companies to understand how to create a risk management strategy for their medical product or process and implement it from the outset.

Risk management for medical devices is centred on the product hazards that arise when the device is used, so I won't cover other subjects such as business or process risks. The safety of the medical device is demonstrated through a lifecycle approach: the risk management process runs all the way from conceptual design through to decommissioning and disposal of the device.

Depending on the device, risk management can, and to a certain extent should, be linked to other aspects of the device development, such as usability engineering (EN 62366-1) and software development processes (EN 62304), which are also based on lifecycle processes.

It is important to understand that risk management is not an exercise to be conducted in isolation. It is an integral part of the design and development process. Early identification of hazards allows risks to be designed out of the device at an early stage, when the design is still fluid and changes are most easily adopted. Ultimately this produces a more appropriate, more reliable and better designed device.

Identify, evaluate, control

Risk management can be divided into three different processes: identifying, evaluating and controlling risks. As the device is developed, so is the risk management file. 

Different tools are used for each of these processes at different times of the development. For example, at the conceptual design phase risks may be identified through a preliminary hazard analysis. 

A preliminary hazard analysis looks at the overall features and use of the device, and what the likely hazards might be. A detailed design of the device is not needed for this process, and there are useful questions to prompt this process within Annex C of ISO 14971:2012.

Checklists are particularly good at identifying risks, and one easy way of using test-based standards is to convert them into checklists. The definitive standard for electrical medical devices is EN 60601-1.

This standard, together with all the associated collateral and particular standards, provides many hundreds of tests and specifications that a medical device is expected to meet. These can easily be treated as a checklist: for each clause you should meet the requirement, and if you do not, then the clause identifies a hazard that needs to be considered.

The European guidance standard EN 31010, although not specific to medical devices, is particularly useful for identifying suitable tools for the three risk management processes. Equally, you may find that a SWIFT (Structured What If? Technique) is appropriate within the development phase for identifying hazards in the use and implantation of a particular device, whereas a root cause analysis is the most appropriate tool for assessing the consequences of failed medical devices.

Make it relevant 

It is particularly important for the risk management of the device to be relevant to the device that is being developed. One would expect a much more detailed and substantial risk management file for a high risk device such as a pacemaker, in comparison to a risk management file for a low risk device such as dental floss. Whatever the device, a methodical approach to risk management is needed throughout the lifecycle of the device. 

Thankfully, we have some guidance about appropriate methods for risk management in the form of the standard ISO 14971.

The latest version of this standard, ISO 14971:2019, was released in December 2019 and in spirit makes relatively few changes from the previous 2012 version. The inclusion of a new section on references means that the clause numbering differs between the 2012 and 2019 versions.

In addition, there are several new and changed definitions and a consideration for cybersecurity. Many of the annexes that were present within ISO 14971:2012 have now been removed; they will form content within the guidance standard ISO/TR 24971, although this guidance standard has yet to be updated with this information.

A risk management process is most effective within an optimised quality management system, such as one compliant with ISO 13485. This provides an effective framework for ensuring that there are sufficient resources, infrastructure and control to allow a risk management process to be effective.

An effective risk management process will speed up your device development, enable certification of your products, and most importantly ensure the safety of patients, clinicians and the general public!

If you need support with risk management of medical devices or any aspect of medical device development, please get in touch.



References

EN 62366-1:2015 Medical devices. Application of usability engineering to medical devices

EN 62304:2006+A1:2015 Medical device software. Software life-cycle processes

ISO 14971:2019 Medical devices. Application of risk management to medical devices

ISO/TR 24971:20XX Guidance on the application of ISO 14971. Note that there is a previous version, ISO/TR 24971:2013; however, this does not have the annexes from ISO 14971:2012.

EN 60601-1:2006+A12:2014 Medical electrical equipment. General requirements for basic safety and essential performance

ISO 13485:2016 Medical devices. Quality management systems. Requirements for regulatory purposes

Note that although this blog was written from a European perspective, the undertaking of risk management and the considerations are common across jurisdictions.
