Perhaps the easiest part of risk management is risk evaluation. Still, one needs to know how to do it properly to perform risk management successfully.
The following topic is a part of our online Introduction to risk management and ISO 14971:2019 course. You can register for it by clicking the link or find other courses we offer there.
Risk evaluation in the risk management process
If the risk management process were to be presented visually in a flowchart, risk evaluation would be the step after risk analysis. But risk evaluation is not only carried out in this step, but also at the end of the risk control stage, when the residual risk has to be evaluated.
Records of the results of the risk evaluation must be maintained. A common way of recording them is to include them in a hazard traceability matrix. An important thing to remember is that establishing criteria for risk acceptability is a requirement, so the simplest solution is to create a risk evaluation matrix.
The risk evaluation matrix can be used to determine when risk is acceptable or not. In the example above, the risk is in the unacceptable area. Had the probability of occurrence of harm (Po) been 1, and the severity 4, the risk would have been acceptable.
For the EU market, risks must be reduced as far as possible without adversely affecting the benefit-risk ratio. This means that a risk cannot be deemed acceptable only based on the results in the risk evaluation matrix, but risk reduction must be attempted for all risks regardless of magnitude and continued until “the benefit-risk ratio” is adversely affected.
Companies may also include other risk acceptability criteria based on the policy for establishing criteria for risk acceptability.
How to make a risk evaluation matrix
There are many different ways to draft a risk evaluation matrix. It can be colour-coded like in the example image, where the yellow area could represent a relatively high magnitude of risk. Red and green only can also be used, or any other colour; this is entirely optional. Even this type of risk evaluation matrix is not specifically prescribed by the standard, but it is common practice.
The risk evaluation matrix also says a lot about what the manufacturer thinks about risk. In the top left example above, very few risks are considered unacceptable, which means that the manufacturer is happy with most of the risks that could occur, regardless of PO and severity.
When a manufacturer has chosen the top right evaluation matrix above, the matrix says that very few risks are acceptable; most of them are unacceptable, which means that the manufacturer has high ambitions in terms of reducing risks.
If you found this article helpful, do check out our articles archive for more.
Would you like to learn more about Risk Management?
Get instant access to our online Risk Management for Medical Devices and ISO 14971:2019 course right here. In 10 hours, you can learn more about how to develop new medical devices and maintain them in organisations where design control requirements apply. This course is taken by quality assurance, project management, design engineering or those involved in R&D and product development teams.
Or if you’re looking for a tailored training to align with your company’s specific needs – contact us for inhouse training options.
Peter Sebelius
Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.
He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.