Risk Management: learn from my mistakes

This article is about Risk Management applied to a medical device I co-invented and commercialized in 2004. I followed its history after our company was acquired, and am re-analyzing our 2004 work using lessons learned in 15 years.

I describe that product in another article. This article helps you learn from my mistakes.

My Mistakes

In 2004 I managed both engineering and marketing for a small medical device company. We developed products faster than competitors, rapidly grew sales, achieved twice the profit margin of competitive products, and were acquired by a large company for $42 million.
Our board members profited, employees moved on to higher levels of responsibility in new companies, and I became president of a company formed around technologies I invented and co-invented.

Years later, I would learn that our first medical device eventually caused unnecessary pain and suffering for many patients and added unnecessary expenses to America’s healthcare costs. In this article, I re-analyze our product using modern design controls, risk management, and the European Union Medical Device Regulation; and I share lessons learned in leadership and entrepreneurship.

I posted the history in another article, Medical Devices: learn from my mistakes, which I suggest reading to help understand and apply the following article about Risk Management and ISO 14971.

Risk Management

Modern risk management methods are summarized in an international standard, ISO 14971, published by the International Standards Organization. In short, modern risk management must focus on a closed-loop process of continuous improvement, documenting assumptions and using real-world data to improve those assumptions and the product.

Risk management begins with understanding the sequence of events that leads to a hazardous situation, reducing risk of harm in that situation by modifying the product or adding protection, then monitoring and improving your risk management plan. This process must be a continuous part of improving your procedures and product throughout the life of your product, from initial concept to as long as your product is available.

I explain modern risk management methods and the logic behind them in an article using ISO 14971 to re-analyze the 1986 space shuttle explosion. The article you’re reading now applies those methods to my device from 2004 without explaining why each step is taken. It assumes you’ve stepped into a company with an existing project and are creating a risk management plan that complies with ISO 14971.

Like all examples, this is only for discussion of main points, not intended to replace understanding fundamentals. It has many simplifications necessary for an online example readable by a broad audience with diverse experience levels.

Risk Management Plan example

This risk management plan is for the Viper distal radius plating system, a medical device that treats wrist fractures using a metal plate and screws. The Viper is available commercially, and this plan uses existing data and future plans to comply with the European-approved version of the international standard for medical device risk management, EN ISO 14971:2012.

The Viper has variable angle locking screws, allowing a physician to select the orientation of a bone screw before locking it to the plate.
Previously, the product had negligible risk planning and limited post-market surveillance to evaluate new risks; therefore, this plan makes assumptions and documents methods for obtaining data to improve those assumptions.


  • EN ISO 14971:2012
  • Previous risk documents (you’d find them and list them here, e.g. design input documents, PMEA files, etc.)
  • Corporate policies and procedures (list policies you follow in addition to EN ISO 14971 to create this plan.)
  • Post-market surveillance plan (required if you sell in Europe – link that plan to risk management here)


A complete plan would include all hazards, including metal allergies, bacterial contamination if not sterilized correctly, etc.
For simplicity, this example will focus on mechanical hazards from the screws not seating flush with the plate, leading to the harm of tendon damage.
Hazardous situation #HS1
  • Sequence of events and hazardous situation: If a screw were not inserted flush with the plate, tendons could be exposed to sharp edges.
  • Harm #H1: tendon irritation
  • Harm #H2: tendon rupture

Hazardous situation #HS2

  • Sequence of events and hazardous situation: If a surgeon stripped a screw trying to make it flush with the plate, it could become stuck and require additional surgery time to remove and replace the screw.
  • Harm #H2: additional risk from extended surgical anesthesia
  • Harm #H3: unnecessary damage to bone during removal and replacement

Acceptable Risk

Risk is severity of harm times probability of harm occurring

  • R is the level of risk
  • S is the severity of harm
  • P1 is the probability of a hazardous situation occurring
  • P2 is the probability of harm resulting from a hazardous situation
  • P = (P1 x P2)
  • R = S x P
  • R = S x (P1 x P2)
Acceptable risk is defined by Risk Table 1.0.
Severity for each harm is on a scale from 1 to 5:

  1. Inconvenient
  2. Bleeding or physical damage requiring first aid or less than 20 minutes of treatment
  3. Visit to an emergency room or treatment between an hour and a day
  4. Hospitalization under a month or permanent physical damage
  5. Loss of life or limb
Probabilities are defined as:
  1. Rare, < 0.01%, < 1/10,000
  2. Infrequent, 1%, up to 1/100
  3. Occasional, 1%-5%, up to 5/100
  4. Frequent, 5%-10%, up to 10/100
  5. Probable, > 10%, > 1/10
Risk is defined as R = S x (P1 x P2)
A product cannot be sold with unacceptable risks. All other risks must be reduced as far as possible (AFAP), according to company risk management policies.

Risk Assessment

Severity of harm was determined by a team consensus, with team members representing high levels of authority, and including people qualified to evaluate the clinical impact of hazardous situations on patient harm and people qualified to discuss technical details of the product. Changing these values requires the same team or their equivalent. The severities are:
#H1, tendon irritation = 3
#H2, tendon rupture = 4
#H3, additional time and anesthesia during surgery = 2
#H4, bone damage = 2
Signatures: ___________     _____________    _____________   ____________   ____________
This plan provides a team consensus of these probabilities:
Hazardous Situation HS#1, P1 = 2
#H1, P2 = 3 (tendon irritation)
#H2, P2 = 2 (tendon rupture)
Hazardous Situation HS#2, P1 = 2
#H3, P2 = 4 (surgical time)
#H4, P2 = 3 (bone damage)
Using these probabilities and pre-determined severities, risk levels are:
R = S x (P1 x P2)
  • #H1, R1 = 4 x (2 x 3) = 4 x (6)
  • #H2, R2 = 3 x (2 x 2) = 3 x (4)
  • #H3, R3 = 2 x (2 x 4) = 2 x (8)
  • #H4, R4 = 2 x (2 x 3) = 2 x (9)

Risk levels are compared to the risk table. None are unacceptable; all must be reduced as far as possible (AFAP) using risk controls.

Note: Some companies use a separate document for the severity values and acceptability matrix, requiring signatures from senior managers with expertise including clinical, engineering, and quality assurance. This approach protects patients by locking in values that are usually unrelated to product design, and increases efficiency by allowing smaller teams to update the risk plan with lowered probabilities and new hazards; higher-level documents can be updated less frequently.

Risk Control

Risk control must strive for the highest of three priorities:
  1. an inherently safe design
  2. added safeguards or protection from harm
  3. written warnings or instructions
Risk control is described in feature-specific Product Failure Mode Effects and Analysis. (You’d enter your document numbers here.) The following are key risk control features for this report:
Hazardous Situation #HS1: Reduce likelihood of protruding screws.

  • Written instructions for use, and surgeon training with warnings of the risk
  • Added safeguard using a custom drill-guide to align screw holes
Hazardous Situation #HS2: Reduce likelihood of stripped screw

  • Written instructions for use, and surgeon training with warnings of the risk
  • Modified screw driver design to force surgeons to hold the driver more delicately, restricting force of tightening to what is possible with two fingers rather than a full grip.
Evidence of implementing these controls is in drawing files, instructions for use documents, packing slips of shipped products with risk controls, etc. (insert document numbers that provide evidence of your risk controls)

Monitor and improve

This plan shall continuously improve by reviewing post-market data, verifying or improving assumptions, and confirming that risk controls have reduced risk as far as possible. The plan shall be updated at least every six months and whenever there is a reported incident of severity 3 or higher.
Post-market surveillance shall include a plan for obtaining preventive information (list your post-market plan number here). That summary shall be linked to this risk management plan, and shall include incidences from randomly sampled patient x-rays, documenting the percentage of time screws protrude. This value shall be used to improve assumptions about this hazardous situation.

The post-market surveillance plan shall also include both proactive investigation into harm and follow-through with reported incidences of harm, and these percentages shall be used to update this risk management plan.

Similarly, this plan shall update severities at least once every two years and after any documented incidence of a severity of 3 or greater.

End of plan at this point.

Date _________ Signatures _____________  _____________  ____________  ____________
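
The scoring in this plan and the post-market update it calls for, as an added Python example that is not part of the original plan: it computes R = S x (P1 x P2) from the severity and probability levels listed under Risk Assessment, then re-scores #HS1 after a surveillance sample. The x-ray counts are constructed, and treating level 2 as covering everything from 0.01% up to 1% is an assumption.

```python
# Added example. Levels are the ones listed under Risk Assessment in the plan.
SEVERITY = {"H1": 3, "H2": 4, "H3": 2, "H4": 2}
P1 = {"HS1": 2, "HS2": 2}                      # hazardous situation occurs
P2 = {"H1": ("HS1", 3), "H2": ("HS1", 2),      # harm -> (situation, P2 level)
      "H3": ("HS2", 4), "H4": ("HS2", 3)}

# Upper bounds of probability levels 2-4 as fractions, from the plan's scale.
# Assumption: level 2 spans 0.01% up to 1%.
UPPER_BOUNDS = [(0.01, 2), (0.05, 3), (0.10, 4)]


def probability_level(events, sample_size):
    """Map an observed rate to the plan's 1-5 probability scale."""
    if sample_size <= 0 or not 0 <= events <= sample_size:
        raise ValueError("need 0 <= events <= sample_size and sample_size > 0")
    rate = events / sample_size
    if rate < 0.0001:                          # "Rare, < 0.01%"
        return 1
    for upper, level in UPPER_BOUNDS:
        if rate <= upper:
            return level
    return 5                                   # "> 10%"


def risk_levels(p1):
    """R = S x (P1 x P2) for every harm, given P1 per hazardous situation."""
    return {harm: SEVERITY[harm] * (p1[hs] * p2)
            for harm, (hs, p2) in P2.items()}


def update_p1(p1, situation, events, sample_size):
    """Return a copy of p1 with one situation re-estimated from surveillance."""
    updated = dict(p1)
    updated[situation] = probability_level(events, sample_size)
    return updated


if __name__ == "__main__":
    print("planned:", risk_levels(P1))
    # Constructed sample: 12 of 200 reviewed x-rays show a protruding screw.
    observed = update_p1(P1, "HS1", events=12, sample_size=200)
    print("after surveillance:", risk_levels(observed))
```

A sample with zero events maps to level 1 whatever its size, so a minimum sample size should be set before surveillance data is allowed to lower P1.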

Lessons Learned

That was a risk management plan that would have lived with the product for its lifetime, even after a larger company acquired the technology, because of government regulations linking quality assurance with medical devices. This simple document would have protected patients long after I was unable to directly influence product improvement.
  • Any acquiring company must either adhere to the plan or justify why they change it, and all changes must be maintained in their document system for future teams to access.
  • Long-term efficiency improves with effective plans. Quick meetings are short-sighted; the time saved moving forward that week costs many months of inefficiency and miscommunications later.
International healthcare regulations and standards require that plans be clear, unambiguous, and easy to understand. This sounds simple enough, but the most carefully crafted plan can be misunderstood by a new team unfamiliar with acronyms and phrasing. What the first team considered to be clear, easy to understand, and unambiguous could be interpreted differently by a new team with their own acronyms, assumptions, and biases.

Effective planning is a skill developed with practice. Not just medical device regulations, but any activity that requires planning and is monitored and improved contributes to learning in ways that don’t always show up on a resume. Some of the best planners I’ve known developed their skills in the military, volunteering, organizing their kids’ soccer team, etc. Seek out effective planners to help your team.
Many lessons are difficult to convey in words, such as leadership and managing “up,” influencing executives who may not have your level of expertise with each product. I share those lessons throughout my blog, including tips for patenting new inventions and methods to accelerate development.
No amount of reading beats real-world experience, continuously improving based on real-world feedback.

Parting Thoughts

Today, I consult healthcare corporations on international medical regulations and teach entrepreneurship at universities and in under-served schools. I allow companies to pay nonprofits in equitable healthcare and education instead of paying me. My goal is to help people who help others, and I hope my blog helps you identify unmet patient needs, innovate solutions, and advance healthcare for all of society. I wish you luck.
Please share this if you think others would find it useful.