Design risk assessment, process risk assessment, and use risk assessment for medical devices – the danger of division (Part 2)

This is the second part of a series of three articles that investigates the dangers of dividing risk management documentation in general or according to Team NB’s recommendation in Best practice guidance for the submission of technical documentation under annex II and III of Medical Device Regulation (EU) 2017/745. Read Part 1 on risk assessment here. 

This article will present a comprehensive approach to risk control measures in medical device risk management and the importance of correctly identifying and classifying risks using the example of a heart-lung machine.  

Understanding the root causes of these risks is key to their mitigation. By delving into the underlying issues and understanding them, one can not only address the symptoms but also eliminate the source of the risks. 

Scenario: Risk identified in the assembly process

When performing risk analysis for the assembly process of a heart-lung machine, the following is noted:

Two different screws are required to be placed into separate holes. The screws have the same diameter, but different lengths. A mix-up of these screws, i.e., inserting the wrong screw into the wrong hole, could result in device failure, potentially leading to harm.  

Accurately classifying and controlling the identified risk

When considering a documentation structure proposed by Team-NB, one key question arises: where should the risk of mixing up the screws during the assembly of the heart-lung machine be documented?  

The most common approach is to classify the mixing up of the two screws as a production error, indicating that this risk should be documented in the process risk assessment. In this case, the risk control measure would involve a thorough double-check of the assembly step to guarantee the correct placement of the screws into their respective holes. 

However, in this case, the fault does not lie with the production personnel for their mistake, but rather, it points back to the design itself. The design, which allows such a mix-up to occur, is the root cause of the risk. It is a design that should not have passed the scrutiny of an experienced engineer. 

Many companies would restrict themselves to implementing the risk control measure in production, because the risk was identified as a production or process risk.

Finding the root cause of risks

In this instance, the risk of the two screws being mixed up was identified during the process risk assessment. However, it should have been found during the design risk assessment.  

This discrepancy might not pose a significant problem for an organisation proficient in risk management, and in these organisations, the Research and Development (R&D) team is often more than willing to shoulder the identified risk and update the design. 

However, a more common scenario involves the R&D engineers being preoccupied with their next project once the design is finalised or “frozen”. As such, whatever risks are discovered during the process risk assessment remain confined to that stage. 

This may lead to a conflict between production and R&D and between your medical device and the requirements set forth by the Medical Device Regulation (MDR), IVDR, and ISO 14971. 

Meeting regulatory requirements

The risk control options outlined by the MDR, IVDR, and ISO 14971 prioritise, above all, a design that is inherently safe. The secondary measure is the implementation of protective measures. Making the screws the same length, or removing one or even both of them, are risk control measures that would make the design inherently safe.

Inherently safe or protective measures

Implementing an in-process control in production to ensure the correct placement of two different screws is considered a protective measure. It is important to note that opting for an in-process control does not meet the requirements, as a more effective risk control measure could have been chosen but was not implemented. 

Key takeaway: Always target the root cause of any identified risks

When managing risk in medical devices, it is paramount not to confine your risk control strategies to one department, area, or the documents at your disposal.  

A far more effective approach involves delving into the root cause of each risk and implementing risk control measures where they are the most effective, which in most cases means going back to the design. 

Regulatory guidance from the MDR, IVDR, and ISO 14971 echoes this view, advising a proactive and thorough approach towards risk management.

Peter Sebelius

Peter Sebelius is a highly esteemed trainer, consultant and entrepreneur in the medical device industry. He is a member of the Joint Working Group that is revising the ISO 13485 and ISO 14971 standards.

He has vast ‘hands on’ experience, having developed, amongst other things, a mechanical chest compression device and an ex vivo perfusion machine for lungs. He has received numerous awards including the Great Design Award and the title “This year’s specialist” by Veckans affärer.
