Jon Speer,

4 Reasons Your Risk Management Approach is Wrong

By Jon Speer

Risk Management is the single most important topic impacting the medical device industry today.

A few months ago, I predicted that risk would take center stage within the next few years.

After reviewing the draft revision of ISO 13485 (which will likely go live in 2016) and participating in a few industry events, it’s clear this topic is accelerating in importance with each passing day. Unless you have been hiding under a rock, I’m quite sure you are aware of the ISO 14971 standard for medical device risk management.

Being aware of this standard is not enough. Sure, maybe you think your company’s risk management processes are adequate and meet this standard. And maybe you are right. But I suspect there are a few areas in which your risk management processes and practices are weak and exposed.

In this article, I’ll share four areas that you should evaluate and shore up when it comes to risk management.

Mistake #1 – Risk Management and Design Controls Are Separate Processes

You have to realize this: Risk management and design controls have the same basic purpose regarding medical devices. This purpose is to ensure that the medical devices you design, develop, manufacture and sell are safe and effective for their intended uses.

Risk management and design controls are like two sides of the same valuable coin. All too often, medical device companies treat risk and design as two entirely separate processes. It is usually acknowledged that risk management and design controls run parallel during product development.

If this is your way of thinking, you absolutely must change your mentality.


From first-hand experience during FDA inspections and ISO audits, it is very clear that the inspectors and auditors who will be reviewing your risk management file and design history file expect you to demonstrate how these two processes are actually integrated and flow with one another.

You need to show how the intended use leads to identification of hazards and hazardous situations, as well as how it feeds into defining user needs and design inputs.

You need to show how unacceptable risks result in risk controls that are used to mitigate and reduce risks, along with how your risk controls become a plan for improving product design (via design outputs) and lead to design verification and design validation activities.

Design reviews are points in time to evaluate design controls and current status of risk management efforts.

Mistake #2 – Risk Management Is a “Checkbox” Activity

It’s really easy to get bogged down as you go through the product development process and thus delay documenting risk management activities. It’s also really easy to make an assumption that you will eventually be able to catch up. But the longer you wait, the tougher it gets. Trust me—once upon a time, very early in my career, I thought like this.

This type of thinking and approach is a huge mistake. It’s one that actually increases risks to your business. And this is not a business risk worth taking. The argument for delaying your documentation regarding risk management is almost always tied back to lack of time. If you don’t have time to document your risk activities as you are going through the process, what makes you think you are going to find time to catch up later?

You have to realize that there is a great deal of value in using risk management as a tool and solution to improve your product design, rather than treating risk management as a “checkbox” activity.

This is where the ISO 14971 standard will help guide you. ISO 14971 does a pretty decent job of identifying the steps involved in risk management and what needs to be documented.

Aligning your risk management process with ISO 14971 is a must. And integrating your risk management process with your design controls (see mistake #1) will actually save you time in the long run.

The risk management documentation actually serves multiple purposes, including:

  • Communicating to your product development team and company management the risks involved with the product, as well as planning for reducing risks to acceptable levels.
  • Demonstrating and communicating to FDA inspectors and ISO auditors that you followed a defined risk management process and actually used it to improve overall safety of your product.

Mistake #3 – FMEA Is Being Used as Risk Management

FMEA is a very powerful tool—especially when evaluating failure modes of a product or process. FMEA is a great solution when evaluating reliability of a product or process. But please realize this: Just because you are documenting risks via FMEA does NOT mean that your practices will align with ISO 14971.

And aligning with ISO 14971 is pretty darn important these days.

I recently spoke at a medical device industry conference where FDA was very involved, speaking directly about risk management. While at this event, the representative from CDRH said, “…use ISO 14971 for risk management. While not technically required by FDA but it’s the best we have…”

Many people try to make the argument that FMEA can be adapted in a way that satisfies the objective of meeting ISO 14971. Maybe it can…but why go down this path? Why not retool your risk management practice to actually follow proven and accepted methodology as defined in ISO 14971?

FMEA is about device failures. Risk management is more holistic and evaluates risks associated with device failures and risks associated with the correct use of the device.

Mistake #4 – Risk Management Is Not a Lifecycle Process

In my experience as a consultant for the past 9+ years, I’ve observed several interesting practices in the medical device industry when it comes to risk management. I’ve already shared my biggest observation in that FMEA is being used incorrectly as an attempt to satisfy ISO 14971 Risk Management.

The other major issue that I have observed in nearly every medical device company I have worked with is that risk management is not treated as a total product lifecycle process.

Let me explain.

Medical device companies generally do a decent job at attempting to capture risk management activities during product development. The common practice is that once a design transfers from product development, the risk management file and documentation are filed. And buried.

I have yet to see a good example of a medical device company that actually treats risk management as a total product lifecycle process.

Stop burying your risk documents when you move to production.

You have to figure out how to keep your risk management file as a living document. You need to adapt your process so that you can actually update risks when you have complaints, customer feedback, CAPAs, and other production and post-production activities.

It’s not enough to have a section on your complaint or CAPA form that states that you updated risk. You actually need to live it and do it.

Regulatory Bodies Are Already Using “Risk-based” Approaches

I mentioned that I was recently at a medical device industry event in which FDA was actively participating, along with other industry experts. Within the first two hours, “risk”, “risk management”, and “risk-based” were terms uttered by the speakers at least 73 times. The trend continued throughout the day (and no, the explicit topic was not medical device risk management).

If you have heard FDA explain their approach anytime within the past few months, chances are you have heard that the agency is now following a risk-based approach when evaluating and inspecting medical device companies.

You might also know that ISO 13485 is about to be updated and revised. The ISO standard is likely to be published in 2016. And guess what? Yep, the new version of the standard will have a greater emphasis on risk management.

ISO 13485:2003 (current version) makes reference to risk and regulatory about 50 times. The draft revision anticipated for 2016 release uses these terms more than 200 times!

The other big concept introduced in the next revision of ISO 13485 is that your quality management system will also need to incorporate risk-based approaches.

The medical device regulatory world is moving towards risk methodologies across the board. You need to be aware of this change and start to implement risk-based approaches within your medical device company too.

About The Author

Jon Speer, Greenlight Guru