The International Organization for Standardization (ISO) drafts business management standards that any organization can use to identify and mitigate risk. The medical device industry is one sector that relies on them.

The importance of risk management for medical devices cannot be stressed enough; a pacemaker or ventilator, for example, does not have the luxury of failure. 

For medical device manufacturers worried about risk, the relevant international standard is ISO 14971, Risk Management for Medical Devices. The ISO 14971 standard was first adopted in 1998 with several revisions since then, and the current standard has been in effect since 2019. 

The Primary Medical Device Directives of ISO 14971 

  • Life cycle. All medical devices have a device life cycle. It consists of six primary phases: concept, planning, design, validation, launch, and “post-market” or post-production (that is, how the device is used in an actual patient). 
  • Risk management. This is the organization’s overall program to address the risks of using medical devices. That program has several parts: identifying a risk, evaluating its potential threat, implementing controls to reduce the risk, and using a quality management system to assure that risk stays at appropriate levels. 
  • Risk assessment. Risk assessment is the process of identifying and quantifying the risk associated with each component of a device. The risk could be operational (the device fails at a critical time and harms patient care), or regulatory (the device malfunctions in a way that violates government regulatory requirements, which exposes the company to legal liability), or potentially both.
  • Risk evaluation. Evaluating the estimated risk to determine which specific factors identified in the risk analysis contribute to the overall safety of the device. 
  • Risk control. These are actions comprising your risk management policy, taken to mitigate identified risks and decrease the likelihood of failure or incident. For example, if a device might be vulnerable to cyberattacks, the control might be security measures such as limited connectivity time. If the device can collect personal health data, where a privacy breach could result in significant legal liability, the control might be to disable that data collection.
  • Risk acceptance. A medical device will never be completely free of risk, so organizations must determine what level of risk they are comfortable accepting. 
  • Residual risk. This is the amount of risk that remains after all controls have been implemented. For example, you might decide to collect only certain types of health data but not others; or implement password authentication but not multi-factor authentication. 

ISO 14971 Risk Management for Medical Devices 

While the above points about ISO 14971 are a good primer for medical device companies, proper application of risk management is crucial, given the importance and high-risk potential involved with medical devices.

Here’s how you can implement the standard for medical device risk management.

Establish your risk management framework. This includes defining your risk management process, establishing roles and responsibilities, laying out your plan, and establishing a central repository where your plan and all its components will live.

Define the intended use and scope for your medical device. How is the medical device supposed to work, and supposed to be used by others? 

Identify your hazards. This includes all the potential sources for harm that may be associated with the product life cycle of your medical device, whether through its intended use or foreseeable misuse. It also includes estimating the risk of each of those hazardous situations.

Score the risks associated with those hazards. This involves determining the probability of harm occurring, the potential outcomes, and ultimately deciding whether that potential harm is an acceptable risk or should be mitigated. Remember to include the risks of failing to meet compliance standards from the Food and Drug Administration, as well as the risk of negative reports being submitted to the FDA Medical Device Reporting tool.

Develop and implement risk control measures. While “acceptable” risks only require monitoring for those potential threats, risks that pose an unacceptably high threat need a plan to mitigate them. 

Monitoring and post-production activities. This includes collecting post-production information to study the effectiveness of the controls and to assess any overall residual risk that remains. 
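As an added illustration (not code from the original post or from ZenGRC), the steps above modelled as a small risk register in Python: each hazard gets an initial severity and probability estimate, only controls whose effectiveness has been verified lower that estimate, and the residual risk is compared against acceptability thresholds. The qualitative scales, the thresholds, the infusion-pump hazards and the control names are all constructed assumptions.

```python
from dataclasses import dataclass, field
# Qualitative scales and acceptability thresholds are constructed for this example;
# ISO 14971 leaves the actual criteria to each manufacturer's risk management plan.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}
@dataclass
class Control:
    description: str
    severity_after: str      # estimate once the control is in place
    probability_after: str
    verified: bool = False   # counts only after its effectiveness has been verified

@dataclass
class Hazard:
    name: str
    severity: str            # initial estimate, before any controls
    probability: str
    controls: list = field(default_factory=list)

def acceptability(severity: str, probability: str) -> tuple:
    """Risk index (severity x probability) and the acceptability band it falls in."""
    index = SEVERITY[severity] * PROBABILITY[probability]
    if index >= 15:
        return index, "unacceptable"
    if index >= 6:
        return index, "reduce further"  # tolerable only if further reduction is impracticable
    return index, "acceptable"

def residual_estimate(hazard: Hazard) -> tuple:
    """Residual risk: the estimate after the latest verified control, else the initial one."""
    sev, prob = hazard.severity, hazard.probability
    for c in hazard.controls:
        if c.verified:
            sev, prob = c.severity_after, c.probability_after
    return sev, prob

def register_report(hazards: list) -> dict:
    # Per hazard: (index, band) before any controls and after the verified ones.
    return {h.name: {"initial": acceptability(h.severity, h.probability),
                     "residual": acceptability(*residual_estimate(h))}
            for h in hazards}
# Constructed register for a hypothetical network-connected infusion pump.
PUMP_HAZARDS = [
    Hazard("over-infusion from dose calculation fault", "catastrophic", "occasional",
           [Control("independent hard dose limit", "catastrophic", "improbable", verified=True)]),
    Hazard("unauthorised remote command over network", "serious", "probable",
           [Control("connectivity only during clinician sessions", "serious", "improbable", verified=True)]),
    Hazard("exposure of stored patient health data", "critical", "occasional",
           [Control("disable collection of identifiable data", "critical", "improbable")]),  # unverified
]
```

The third hazard keeps its initial rating because its control has not been verified, which is the post-production check the last step above calls for.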

Worrying About Compliance Is Not the Zen Way 

ZenGRC’s enterprise risk management system provides state of the art, real-time insight into the risks associated with your medical device. 

While executing your risk management activities, you need a single place to store your risk management reports, data on associated risks, acceptability criteria, and more. 

Not only does ZenGRC provide the location for your risk management plan, but it also allows organizations to track responses from notified bodies so you always know where you stand in your overall risk management requirements.

For more information on how ZenGRC empowers financial institutions, request a demo.
