Risk Management Plan & ISO 14971

At Key Tech, risk management is an integral part of the product development process. This is by necessity, for two reasons. The first is that an appropriate Risk Management Plan is required by ISO 14971, the international standard for applying risk management to the design and manufacture of medical devices. The second reason is that such a plan helps Key Tech ensure that the medical devices we design are made safely, and are safe for end users.

ISO 14971 defines risk management as: “the systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and controlling risk.”  To that end, a Risk Management Plan is established at a project outset to document how risks are identified, evaluated, and traced. In addition, this plan should define the entire scope of the risk management process, including the purpose of the device, its life cycle, responsible parties and authorities, and data collection and analysis all the way through post production.

One of the first steps in creating a Risk Management Plan is Risk Identification. The concept of risk is a combination of the likelihood of harm occurring, and the severity of that harm. Risks are identified by evaluating the product architecture, its intended use (and possible misuse), and the environments in which the product is to be used. Hazards (potential sources of harm) are identified, and their risks estimated. At Key Tech, we use the following documents to capture these risks:

• Hazards Analysis: a top-down approach identifying both intended use and possible misuses of the product, and associated risks.
• Use or Application Failure Modes and Effects Analysis (aFMEA): a bottom-up approach of identifying risks related to possible device malfunction.
• Design FMEA (dFMEA): an approach that examines the product design and potential flaws or failures.
• Process FMEA (pFMEA): an approach that assigns levels of risk to each step in the process, to anticipate and prevent potential risks.

The second next step is Risk Evaluation. Key Tech, in conjunction with the client, must establish criteria and an associated scoring system with which to evaluate each hazard identified in the Risk Identification step. A score will be assigned to each hazard, with those scoring above acceptable levels requiring mitigation. For example, risks may be scored on a scale of one to five, with those risks scored at three and below being acceptable, and risks scored at four and five requiring mitigation.

After Risk Evaluation is the third step in creating a Risk Management Plan is Risk Trace. For those risks that require mitigation, the risk must be traced to determine that effective changes were implemented in the design phase. If applicable, design verification testing may also be required to prove that the changes to design details were implemented correctly in the product prototype or final product.

Upon completion of the Risk Management Plan, a risk management report is generated that documents the process in its entirety, and demonstrates that all risks requiring mitigation were successfully mitigated according to the Risk Management Plan.