Risk Management – Design & Development and Beyond

In case you haven’t noticed, Risk Management is a BIG topic in the medical device industry these days. Risk Management has kind of been a “buzz” word in the med device space for a while. Now, it seems as though regulatory bodies across the world are starting to raise the bar on their expectations of how you integrate Risk Management throughout the entire product lifecycle and Quality Management System (QMS).

A few weeks back, I was part of an ISO 13485 surveillance audit. And of course, Risk Management was discussed. The auditor focused primarily on Risk Management with respect to the QMS. The primary reason is that the company is pursuing a scope expansion to their ISO 13485 certification to include Design & Development.

I usually learn a great deal during audits, and this time was no different.

Let me share some of the discussion points from the Design & Development / Design Controls and Risk Management portions of the audit.

Risk Management – ISO 14971: 2007 vs 2012

ISO 14971 is Risk Management

  • ISO 14971 is the Risk Management standard for the medical device industry.
  • ISO 14971:2007 is harmonized, meaning it is accepted everywhere in the medical device world.
  • EN ISO 14971:2012 is currently required for the EU.
  • The main body of the standard is the same in the 2007 and 2012 versions.
  • EN ISO 14971:2012 differs in some of the informative annexes. But don’t disregard this. EU expects you to meet the criteria in the informative annexes.
  • 2012 differs in the following:
    • ALARP (as low as reasonably practicable) is no more. Now it is ALAP (as low as possible).
    • Risk benefit analysis required for all risks.
    • Labeling can’t be used as sole means to mitigate risks.
  • If you comply with EN ISO 14971:2012, you will also comply with ISO 14971:2007 (but not the other way around).

Risk Management part of Design & Development

The auditor first reviewed the Design & Development procedure, forms, etc. She then reviewed the current Design & Development records for a couple of active product development projects.

One side note: This company is an early adopter of greenlight.guru and has been using this innovative software to capture the Design & Development activities. The auditor was able to easily view Design History Files and D&D records, while “driving” greenlight.guru.

The ISO auditor then shifted to Risk Management. Again, she reviewed the procedures, forms, etc. and dug into Risk Management documentation.

She then asked us to show her how the risks identified have been captured as Design Inputs.

Easy. We flipped back to the Design Inputs and quickly navigated to the few that resulted from Risk Management activities.

She wasn’t satisfied. She expected to see how Design & Development and Risk Management are fully and seamlessly integrated.

I responded with “Design Control is a separate process from Risk Management.”

I thought the auditor was literally going to punch me in the face. “Please don’t say that! Risk Management has to be fully integrated throughout the Design Control process.”

So how do you integrate Risk Management with Design & Development?

Let’s just say in the 16 years I’ve been in the medical device industry, I have not seen one company who has figured this out just yet. And I’ve been exposed to Risk Management / Design & Development processes from probably 30 – 40 medical device companies of all shapes and sizes. Not to mention the 100s of medical device professionals I’ve talked to about Risk Management and Design & Development.

Granted, the concept of Risk Management is still pretty new to the industry, relatively speaking.

I’ll give you this, for now. There is a relationship between Design Inputs and Hazards. There is a relationship between Design Verification / Design Validation and Risk Controls.

Don’t forget Risk Management beyond Design & Development

While the ISO auditor did not spend much time on Risk Management outside the context of Design & Development, you also need to consider risk throughout all aspects of your Quality Management System.

CAPA, complaints, customer feedback, nonconforming materials, process validation, and so on.

All have an impact on Risk Management.




Jon Speer has been in the medical device industry for over 16 years. In 2007, Jon started Creo Quality to help medical device companies with project management, quality systems, and regulatory submissions. As a result of his experience in the medical device industry, Jon had an idea to develop a software solution to improve how companies handle Design Controls. Because of this, greenlight.guru was born. You can find him on Google+, Twitter, and LinkedIn.
