Design risk assessment, process risk assessment, and use risk assessment for medical devices – the danger of division (Part 1)

Design risk assessment, process risk assessment, and use risk assessment for medical devices – the danger of division (Part 1)

Ensuring that medical devices are safe is a critical goal for medical device manufacturers and regulatory bodies alike.  

When performing risk management according to ISO 14971, a lot of medical device companies split up risk management documentation into “design risk assessment”, “process risk assessment” and “use risk assessment”. Not only is this common practice, but it is also recommended by Team NB in the guidance document Best practice guidance for the submission of technical documentation under annex II and III of Medical Device Regulation (EU) 2017/745.  

This is the first article in a series of three that will be shining a light on the dangers of dividing risk management documentation according to Team NB’s recommendation. 

The tools to create safe medical devices

In the medical device industry, there is a current discussion about quality versus compliance. This is a justified and important discussion to have. With the increasing documentation demands raised by the MDR and the IVDR, notified bodies have become more and more focused on what documentation should be like to facilitate reviewing of technical documentation.  

In the case of splitting up risk management documentation, the desire to simplify the review of technical documentation has gone so far that the result is in conflict with both the MDR, IVDR, and ISO 14971.  

When safety and documentation come into conflict

When developing safe medical devices, implementing and maintaining the technical documentation is a great challenge. And even though it is beneficial to have a single approach for technical documentation across available notified bodies, it is very serious when an organisation such as Team NB publishes advice that goes against the intent of both regulations and standards.  

Team NB guidance document on submission

In a paper on the submission of technical documentation, a few unfortunate sentences about how the risk management should be documented can be found.   

“The documentation should include…:  

  • design risk assessment 
  • production process risk assessment  
  • clinical/application/product risk assessment 

Thus, Team NB propose you create three documents with risk assessments. 

Risk assessment with or without risk controls?

The Team NB recommendation refers to risk assessments, and according to the ISO 14971 standard, risk assessment is the overall process comprising risk analysis and risk evaluation, which means that risk assessment effectively excludes risk control measures. 

Implementing and recording risk controls is required, and it is most likely not the intent of Team NB to exclude risk controls, but the guidance document implies that the three documents should not contain risk controls.  

This means that either Team NB refer to a different definition than in ISO 14971 or doesn’t expect these three documents to include risk control measures. Whichever may be the case, this is unclear and potentially misleading. If there are clear definitions of terms in regulations and standards, it is recommended to use them. And risk assessment is defined in ISO 14971. 

Definitions of terms from standards

Using proper terms, such as definitions found in norms and standards, reduces misunderstandings between different parties, such as medical device manufacturers and notified bodies, and makes the medical development process more efficient. 

Design, process and application – life-cycle phases or FMEA?

Furthermore, the terms design, production and application that are used by Team NB are very similar to the life-cycle phases found in ISO 14971, which in itself is an issue, but they also have an even stronger resemblance with FMEA (Failure Modes and Effects Analysis). 

And FMEA, as the method is defined in standards and guidelines, does not meet the requirements of ISO 14971. Thus, Team NB is inadvertently leading manufacturers down the road of adapting an FMEA approach to ISO 14971 risk management, which does not meet the requirements of the MDR, IVDR, or the ISO 14971.  

Life-cycle phases that must be included according to ISO 14971

Design, production, and use can be seen as three life-cycle phases, and several companies are creating one risk assessment document for each of them. But these are not the only life-cycle phases you must cover, according to ISO 14971 

Section 4.1 of ISO 14971 requires manufacturers to have an ongoing process for risk analysis, risk evaluation, risk control and production- and post-production activities throughout the device’s life-cycle.  

The life-cycle phases of a specific medical device can vary greatly depending on the nature of it, but risks from all the applicable life-cycle phases of your medical devices must be taken through risk management process. 

Medical device life-cycle phases

The life-cycle phases that must be included in the risk management of a medical device would range from initial conception to disposal or decommissioning. By proposing three distinct documents that have names similar to life cycle phases, the guidance implies that they are the only required life cycle phases.  

As a result, several other life-cycle phases may inadvertently be omitted. This is not acceptable from a patient safety point-of-view nor a regulatory point-of-view. 

Risk of omitting medical device life-cycle phases

Whichever documentation structure your company uses, do not omit any life-cycle phases in your risk management work.  

One way to avoid this issue is to define in which documents the risks from various life-cycle phases should occur. For example, include risks from initial conception in the design risk assessment. Include risks from shipping and distribution in the process risk assessment, and the rest in the use risk assessment.  

If this is clearly defined in risk management procedures and plans, it is a big step in the right direction of creating safe medical devices.  

Would you like to learn more about Risk Management?

Get instant access to our online Risk Management for Medical Devices and ISO 14971:2019 course right here. In 10 hours, you can learn more about how to develop new medical devices and maintain them in organisations where design control requirements apply. This course is taken by quality assurance, project management, design engineering or those involved in R&D and product development teams.

Peter Sebelius instructor

Peter Sebelius

Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.

He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.

Receive FREE templates and quarterly updates on upcoming courses that can help you in your career! Subscribe to our newsletter now.

When you submit this form, you will be sending personal information to medicaldevicehq.com. To comply with GDPR requirements, we need your consent to store and use the personal data you submit. Take a look at our Privacy policy for more details.

MedicalDeviceHQ Menu logo
Categories
Table of contents

Get in touch to receive proposal for customised training

When you submit this form, your personal data will be processed in accordance with our privacy policy.

New Process validation for medical devices course!

Special launch offer: 349 299 EUR for the online plan & 449 349 EUR for the online lifetime plan.