Posted on

Risk Management in IVDs

Written by Stuart Angell, Director IVDeology Ltd

Risk is something we deal with all day, every day in our busy lives. Sitting down with my breakfast writing this I had to boil water in my kettle, carry hot coffee to my desk in a mug, toast some bread in my toaster, retrieve butter from my electric fridge… 

Risk is everywhere, but did I worry about burning myself on the hot water? or electric shock from my toaster? No, because I am confident that the equipment that I used was safe to use. The products are CE marked, and I have confidence that the manufacturer has demonstrated that the kettle, or toaster are safe and effective for their intended use.

For medical devices, and in-vitro diagnostics, this responsibility of the manufacturer is the same, so that people like me (for a self-test, or a trained person for a lab or near patient test) have confidence that the device is safe and effective to use. The current state of the art for assessing risks for medical devices is the international harmonised standard ISO 14971:2012; Medical devices – Application of risk management to medical devices and it provides a backbone for an effective quality management system (demonstrated by the increased reference within ISO13485:2016 and MDSAP) and a core part of the General Safety and Performance Requirements of the MDR and IVDR.

SO14971:2012 provides a systematic approach to ensure that all risks associated with the design, manufacturing & delivery and use of the device are identified, considered and controlled as far as possible. Not only is this assessment performed as part of design and development of the device and continuously reviewed throughout the product life-cycle.

“Risk assessment is part of design and development of the device 

and continuously reviewed throughout the product life-cycle.”

The standard provides very good guidance on how to construct and manage a risk management system. It also includes a series of informative Annex notes giving further details and examples on the risk management process and tools that could be used.

A common tool for risk assessment is an FMEA (failure mode and effects analysis) which focuses on the potential (or actual) failure modes resulting from a design or process step associated with a device.

An example FMEA template can be downloaded.. IVDeology Ltd FMEA Template.xlsx

The FMEA tool is very useful for initial brainstorming of risks, contributing factors and upstream impacts as you design your product or your manufacturing process. The IVDeology template uses the quantitative estimation of severity of harm (SEV), occurrence or harm (OCC) or ability to detect failure (DET) each with a score from 1 (low) to 10 (high). In practice the rating can be difficult to estimate during early design stages therefore the risk assessment should be reviewed at each stage of the product life-cycle. The severity, occurrence and detection values multiplied together result in a Risk Profile Number (RPN) from 1 to 1000. The higher the number the greater risk and therefore greater consideration should be given to implement mitigating controls, however all risks should be evaluated to identify opportunities to reduce risks.

Risk should be lowered as far as possible by implementing additional controls into the design of the product, design and control of the production process (including in-process testing) to ensure the inherent safe design and construction of the device.

Note: Provision of additional warnings given to the user within the information of use (IFU) should not be considered a risk reduction strategy.

“Risks should be lowered as far as possible by design changes

 or design or control of the production processes. Additional warnings

 in the IFU should not be considered for a risk reduction strategy”

For each design change or process improvement (risk reduction) identified within the FMEA template, suitable methods of verification or validation should be described or referenced. This ties in Risk Management to product verification and validation mechanisms (and supply control) essential for ISO13485:2016.

When all risks have been mitigated to as low as possible, each residual should be reviewed with respect to the benefit of the device given the intended use and intended purpose defined by the manufacturer. If the risk is low then the risk-benefit of he device can be easily justified, however if the residual risks continue to be high then the risks could outweigh the benefit and further controls should be considered.

For effective risk-benefit evaluation the manufacturer must gain a full understanding of the intended use and intended purpose of the device (how, why, when, what its used for and who by) and what the implications (clinical benefit) are when a result is obtained. This information should be continuously reviewed when the product is placed on the market using suitable post-market activity e.g. customer feedback & complaints, literature reviews, post market performance studies.

“Integration of Risk Management into the QMS will not only reduce the burden

 of Risk Management file maintenance but actively support design control,

 change management, vigilance reporting, supplier management and CAPA”

An effective Risk Management file which is fully implemented and maintained can be a highly useful tool in other parts of a quality management system. Below are some examples of potential interactions with the QMS:

Design Control – Early risk assessment of design characteristics using a design FMEA, together with an understanding on the intended use and intended purpose of the device can shape your design process based on the risk of the products including the extent of verification and validation mechanisms

Production Development – Evaluation of risks associated with process steps, equipment or materials used can reveal the areas of highest risk to product safety and performance. These ‘hot spots’ should have more stringent in-process checks, higher sampling rates or functional in-process tests compared to less critical areas of the process.

Change Management – Any potential changes to the device design or production process can be reviewed against the risk management file. The impact of the change can be included into the risk assessment (FMEA) to ensure that it does not have any adverse impact on safety or performance. In addition, the level of change verification or validation can be justified according to the risk profile (RPN) of the change.

Supplier Management – The selection and control of suppliers can be determined by the impact on the safety and performance of the product using the risk assessment process. Critical suppliers, where there is the biggest risk to product should have greater controls in place.

CAPA and Vigilance Reporting – Evaluation of potential or actual failure modes within the risk assessment (FMEA) will provide a good starting point to determine the risk on product (and customer, user or patient) when potentially reportable events occur. This can be very useful when time restrictions require clear, objective decisions. In addition, an active risk assessment process can provide guidance on the most likely causes of failure (contributing factors) to focus on during root cause investigations.

The overall result in a well-established risk management process is the ability of the manufacturer of a device to determine with a degree of confidence that the product it places on market is safe and effective for use and meets the requirements of the IVD regulations so that when the user sees the CE mark, they are confident in the devices safety and performance.

Do you have further questions? We can help! IVDeology Ltd provide expert solutions for medical device companies in quality and regulatory affairs.  Contact us at [email protected] or visit us at