Achieving excellence in Risk Management, Understanding the International Standard for Risk Management of Medical devices ISO 14791

Compliance risk management is essential to the successful performance of a regulated firm. It forms the basis for managing all levels within an organization. The compliance risk management business process is a common process for Medical devices, pharmaceutical and combination products.

Webinar Subscription 150+ regulated compliance trainings Expert-led webinars Cost-effective compliance trainings Flexibility and convenience Continuous skill enhancement 6 months unlimited viewing

To achieve excellence in risk management, it is crucial for the top management and key personnel in functions that share the risk management responsibility to understand:

This article sets the stage for the greater understanding of Risk management and provides an overview of ISO 14791.

Risk management

Risk management

The difference between Compliance Risk Management and Product Risk Management

Both 'Compliance risk management' and 'Product risk management' are responsibilities of a regulated firm but they are not mutually exclusive responsibilities. They are two disciplines which are interrelated. They are subsets of each other. They go hand in hand. Also, there are some overlaps between the two: Compliance and operational risks are generally the same, Operational risk management can be used for compliance risk.

ISO 14971 Overview

The ISO 14791 describes a process which is effective for creating medical devices that are safe. It is a harmonized standard that applies to medical devices, in vitro diagnostic devices and active implantable medical devices. Compliance with this standard requires the top management to have a process, risk management policy, and training of relevant staff, and a risk management plan.

The Risk Management Process includes:

  • Risk management planning
  • Risk Analysis
  • Risk Evaluation
  • Risk Controls
  • Overall Residual Risk Acceptability
  • Risk Management Report
  • Production and Post-Production Information
  • Risk Management file

Risk Management planning: What to include in the plan

  • Include scope of the risk management activities.
  • Define the product/s included
  • Describe what intended use of the product/s are
  • Describe all the risk management activities that are planned for the product/s throughout its lifecycle
  • Define roles and responsibilities for the risk management team. Who will be reviewing and approving risk documentation
  • Describe the criteria for the acceptability of the risk (This is often included in the Risk management procedure)
  • Specify the methods you will use to verify the implementation of risk control measures and measures to reduce risks
  • Describe how the production and post-production information will be collected and captured in the risk management activities for the product.

Risk Analysis

When developing a product, begin with risk analysis early. The outputs from the risk management are inputs to the design and development. Identify the hazards by using checklists, brainstorms, or from feedback about the previous products.

Risk Evaluation

Determine the likelihood of the occurrence of harm and the severity of the harm using the risk evaluation matrix.

risk evaluation matrix

Risk Control

Reduce the risk by implementing protective measures. If a residual risk exists, let the user know that it exists. Verify the effectiveness of your risk controls including warnings and instructions for use. Use standards for testing to show the safety of the product. Provide evidence that you have implemented risk control and that it is working.

Overall residual risk acceptability

To determine the residual risk acceptability, use the same severity, occurrence, risk level, and risk acceptability criteria you use throughout the process. If the overall residual risk of the entire product is acceptable, it does not require any further review. If the overall residual risk is not acceptable, conduct a risk / benefit analysis for the case.

Risk management report:

In the report, document the results of your overall residual risk analysis in the risk management report. Review all the risk management activities and the method you are going to use to collect the production and post-production information.

Production and post-production

Collect field data and from production and continue to do so throughout the product's lifecycle. Information can also be collected from incident reports, and customer complaints. A process Failure Modes and Effects Analysis (FMEA) that fits into your risk management process.

Risk management file

Put all the information collected together in the risk management file and continue it as an ongoing process.

Attend the seminar Compliance Risk Management in Medical Devices, Pharmaceuticals, and Combination Products to get answers to key questions regarding Risk Management and Product Risk Management, the acceptability criteria for Compliance Risk Management, the expectations for managing risk in Pharmaceuticals (cGMP), and the interface of evolving landscape of Compliance Risk Management with the evolving landscape of Combination Products.

The speaker Stan Mastrangelo has over 30 years of professional work experience in Quality Assurance of medical devices, pharmaceuticals, and foods. Stan has held positions such as Senior Quality Engineer, Corporate Quality Assurance Auditor, Plant QA Manager, QA Director, and Consultant. Stan was a member of the ANSI Executive Standards Board. Stan has had extensive involvement in the development of International Risk Management Standards. Stan was a member of the ISO Joint Working Group for Risk Management of Medical Devices (that developed ISO/IEC14971). Stan was a committee liaison to the ISO Technical Management Board Joint Working Group on Risk Management that developed ISO 31000 which is the Risk Management Standard for all sectors. Stan was on the US PhRMA (Pharmaceutical Research and Manufacturers Association) Team that supported the development of ICH (International Conference for Harmonization) Standard Q9 titled Quality Risk Management for Pharmaceuticals. Stan also served on various IEC Standards Teams related to IEC 60601, IEC 80001 and Risk Management in the Software Lifecycle. Stan is an Adjunct Professor at Virginia Tech and was a co-developer of a Masters Degree Program in Medical Product Risk Management. Stan is on the Risk Management Committee for the IECEE.