Blog by Ryan Lloyd, Customer Requirements Manager, MKS a PTC Company
Risk Management is a critical process in developing safe and effective medical devices as well as a requirement for regulatory approval. However, there is no single best method for managing risk that can be applied in all circumstances. Organizations often need to adapt accepted and new processes to meet their needs and to fully leverage the benefits of Risk Management.
For example, there are multiple approaches to Risk Management, and each approach has its benefits and drawbacks. Traditional approaches, such as FMEA, are often described as ‘bottom-up,’ and they require examining every design element and ensuring each possible failure is appropriately mitigated. In contrast to this, standards such as ISO 14971, IEC 62304 and regulatory bodies such as the FDA and the EU, emphasize a ‘top-down’ approach, such as Hazard Analysis, to ensure that safety and effectiveness are considered from the perspective of the device’s intended use rather than just how it functions.
Both approaches contribute to the overall safety, effectiveness and quality of a device, and while the industry is moving towards top-down risk management, this doesn’t mean that bottom-up approaches such as FMEA shouldn’t still be applied. Most organizations use a customized combination of both approaches.
Another difference can be found in how organizations classify risks and hazards. Risk Priority Number (RPN) is a commonly used technique often associated with FMEA, that calculates the priority of a risk based on several characteristics, typically Severity and Occurrence. This is a simple and quantitative means of assessing risks and hazards, but it does have some limitations. For example, in the following chart:
several different combinations result in the same value. Does that mean that a critically severe hazard with a remote possibility should be prioritized the same as a hazard that is probable but with minor repercussions? Because RPN is numerical it is useful in statistical analyses, but sometimes too vague and inflexible for dealing with the complexities of modern medical device development.
Another commonly used technique for prioritizing and categorizing hazards is the use of a Risk Index. The organization, or sometimes the specific project, defines what can be classified as Unacceptable, As Low as Reasonably Possible (ALARP), and Acceptable level of risk, not by RPN but by explicitly assigning a risk level to each combination of severity and occurrence.
Therefore, while Risk Management is mandated and an essential part of design and development, organizations need flexibility to tailor it to fit their needs. Risk Management solutions must enable medical device manufacturers to apply Risk Management techniques that fit the organization and the situation, rather than try to shoe-horn development into a pre-defined process. For example, the system should allow the organization to define the computations used for RPN and Risk Indexes for each project. Workflow and artifacts for top-down Risk Management during initial requirements and design, and bottom-up during development, must also be supported. This will also ensure that Risk Management is not conducted as a separate and isolated activity, meaning that Risk Management is not only tailored to the organization and project needs, but is also closely integrated with all of development, reducing effort for Risk Management and demonstrating compliance.
PTC is committed to helping medical device manufacturers succeed.
Feel free to comment on this post or visit our other blog post on Risk Management by Dennis Elenburg, Customer Solutions Engineer at MKS, a PTC Company.