How to use ISO 14971 to improve a Risky Business

This is under revision… please don’t forward this version. For a current version, please see my iteration on Linkedin.
Early in 2018 I underwent surgery surrounded by medical devices that were made by companies for which I had consulted. As the staff connected to a device that would keep me breathing during surgery, I thought about my experiences helping companies become more innovative while reducing risk to patients. I wrote this article while recovering. To keep it fun I use 1980’s pop-culture to illustrate the most important points.
Background
Reducing medical device risk is a law in the United States and a standard internationally. The regulations define risk as the severity of harm and how likely it is to happen.
Risk = Severity X Probability
This is more than just a definition, it’s a systematic method of reducing risk that provides repeatable, inspectable methods known to reduce harm to patients and create new products. Unfortunately, this method is underutilized or misunderstood, which harms people and adds costs to companies. For example, 44% of medical device recalls could have been prevented by design-controls that included risk-reduction, and up to 250,000 people die each year from accidental deaths in the American healthcare system. But, when used properly, risk management creates safer products, opens new markets, and makes quality control more efficient.
Regulatory requirements
Medical device manufacturing is regulated in United States by 21 CFR 820, and internationally by ISO 13485. Both require risk analysis, but neither describes how to do it, so we use methods from from the International Standards Organization, ISO, which describes Risk Management in ISO 14971:2007. Additionally, selling medical devices in the European Union requires a supplemental standard, EN 2012 : ISO 14971. which requires, among other things, that risk be reduced “As Far As Possible” (AFAP), which is a stronger statement than ISO’s, “As Low As Reasonably Practicable” (ALARP), and implies that cost can not be an obstacle to reducing risk to people, property, or the environment. Including property and the environments in risk is unique to ISO; the Food and Drug Administration limits risk to patients and users.
EN 2012 : ISO 14971 satisfies risk requirements for all countries, and using it allows a abbreviated regulatory process in the United States. A FDA 510(k) submission can refer to EN 2012 rather than explain internal processes that may be questioned by the FDA.
Medical device companies must pass country-specific audits before they can sell products in that country. An exception is the Medical Device Single Audit Program, MDSAP, which is currently accepted by five countries, including the United States. The image below, from Australia’s MDSAP policy, illustrates that risk management should be fundamental to all areas of a company’s quality-control system, especially purchasing from suppliers, and that risk management begins with a company’s management team.
Hazardous situations
A key aspect of ISO 14971 is identifying potential hazardous situations that could lead to harm. Hazardous situations are often unforeseen, especially by a small group of people who are likely biased by their experiences, therefore identifying hazardous situations requires diverse team input and constant re-evaluation. A classic example is the 1986 Space Shuttle Challenger explosion, which stemmed from a small O-ring allowing gas to leak in a rare, but catastrophic series of events that led to a hazardous situation of a postponed launch, a cold launch day, and fuel leaking around the O-ring that was not rated to such a cold temperature. Some people knew of the risk, but, in 1986, systems weren’t in place to ensure risk was analyzed for all hazardous situations.

Risk analysis methods
After identifying potential hazardous situations and harms, risk analysis is conducted to quantify the severity and probability of each harm. Risk analysis must be documented in a systematic way so that your work can continue with a product’s life-cycle, and that assumptions can continuously be monitored and updated. The two most common methods for medical devices risk analysis are:
Failure Modes and Effects Analysis (FMEA)

, which can include a dFMEA for design, a pFMEA for manufacturing processes, a system-level FMEA, a supplier FMEA, etc.

Fault Tree Analysis (FTA)
Other risk-analysis methods are less common to medical devices, but all should lead to similar results. Most use a table, or matrix, to illustrate Risk = Severity X Probability for different scenarios.

Probability is initially assumed based on similar products or scientific literature, and should be continuously updated with data from real-world use. For the matrix example shown, “catastrophic” and “high” risks would be unacceptable, and “moderate” risks would need to be reduced As Low as Reasonably Practicable or As Far As Possible. In the case of the space shuttle, an unlikely probability of a sequence of events leading to a hazardous situation would be balanced by the severity of failure.
To apply a risk analysis matrix for medical devices, each harm must be unambiguous. Harm is defined by ISO 14971, section 2.1, as “physical injury or damage to the health of people, or damage to property or the environment,” and must be unambiguous so that a “severity” number can be applied, monitored, and continuously re-evaluated.
Companies are required to maintain their risk analysis in a risk management file so that auditing organizations can see evidence of continuous improvement by constantly re-evaluating risk, which includes re-evaluating potential hazardous situations and harm that could result from those situations.
Risk Control
Both ISO 14971 and the EN 2012 supplement describe systematic methods of risk management. For example, they standardize how risk is solved by providing three priorities:
Improve the design to be risk-tolerantAdd safeguards to reduce exposure to riskLabels or instructions to educate or warn of risk
Most of us don’t read or follow instructions, so ISO doesn’t consider written warnings to be effective risk control. This partially explains the European Union’s supplement that cost can not be an obstacle to reducing risk, i.e. companies can not apply a warning label to justify not improving their product’s design. This concept is summarized by an image used for training companies, provided by Oriel STAT-A-MATRIX, a training and consulting organization:

Other forms of risk control can be included in manufacturing processes, inspections before shipping products, etc., but it’s important to emphasize that ISO standards clearly state that prioritization should be placed on design and safeguards, whichever is the current “state of the art.” State of the art means that if a solution is known, it should be implemented; if not, extensive justification should be documented for audits. And, per the European Union definition of reducing risk “As Far As Possible,” cost can not be justification for not implementing state of the art risk control.
Post-market surveillance
Risk analysis uses assumptions that must be constantly re-evaluated using real-world data. Your company’s post-market surveillance processes must be linked to your risk-management processes, ensuring real-world data is used to adjust assumptions in a closed-loop system of continuous improvement.
Definitions
The following definitions can help you search risk management regulations:
HARM – injury to people or property
HAZARD – something that can cause harm
HAZARDOUS SITUATION – a situation in which a hazard could cause harm
HAZARD ANALYSIS – a process for identifying hazards and hazardous situations
RISK – the severity of harm and the likelihood it will happen
RISK ANALYSIS – a process for estimating risks from hazard analysis
RISK CONTROL – actions taken to reduce risk for a product
RISK MANAGEMENT – a company’s official, systematic process for reducing risk
RISK MANAGEMENT PLAN – a plan before risk activities, required by law and standards
RISK MANAGEMENT FILE – a document tracing the location of all risk documents
RISK MANAGEMENT REPORT – a report summarizing all risk management activities for a product, and how it will be continuously improved.
Safer Products
Needle sticks:

Hospital caregivers were often exposed to used needles, increasing their risk of a skin puncture and exposure to diseases such as HIV and Hepatitis C. The first company to innovate a way to reduce this risk quickly dominated the market, and other companies scrambled to create their own designs. Now, patients all over the world benefit from multiple forms of risk reduction, ranging from different needle designs to user-friendly disposal containers.

New Markets
Automatic Electronic Defibrillators (AED’s):

In the past, a patient with a heart attack had to wait for trained paramedics to arrive with a cardiac defibrillator. Paramedics were trained to ensure a patient had a heart attack, as opposed to an illness with similar effects, because using a defibrillator on someone without a heart attack could harm them. Companies innovated defibrillators that reduced this risk by detecting a patient’s condition before allowing defibrillation, which allowed public defibrillators all over the world. This expanded market size, and improved public safety.
Improved Quality Control
Manufacturing processes:

The Sulzer orthopedic company recalled one of their hip implants because a manufacturing change introduced risks into their product. Their quality system did not have modern risk management methods, resulting in thousands of patients with failed hips, secondary surgeries, and permanent damage to their livelihood. A billion dollars went towards lawsuits, putting the world’s 4th largest implant manufacturer out of business. Modern risk management methods ensure that changes are reviewed by a risk management team, reducing errors before they become harmful and costly problems.
Resources
CONSULTING & TRAINING
AUDITING ORGANIZATIONS
Summary
Risk = Severity X Probability

Risk management is required by:

FDA ISO
Risk management standards are:ISO

Common risk-analysis methods are: requires a company’s quality system to be a risk-driven process.

Risky Business
I’m having fun with 80’s pop culture while sharing my belief in ; there’s no new information here.

was a 1983 film that springboarded into fame after he danced in his underwear, just like how my career began. (Just kidding.) In the film, a teenage Tom took risks, resulting in harm to his father’s Porsche sports car and their home. Like most movies in the 80’s, their problems were quickly solved with money and quirky but reliable friends.
Healthcare is Risky Business. In the real-world of medical devices, risk affects people’s lives and well-being, and can rarely be fixed with money. If you if they would rather have insurance money or be able to walk normally the rest of their lives, they would have prefered a less-risky hip replacement. Any heart-attack patient saved by a public defibrillator would be grateful for risk-reduction, and hospital workers all over the world are safer each day thanks to reduced risk of needle-sticks.
Our work can be more fulfilling knowing it makes the world a safer, healthier place. We can do our work more effectively by understanding Risk Management regulations that focus on patient safety.
Take a break from saving lives to watch Tom Cruise dance in his underwear, a risk that paid off.