By adding quality risk management into your processes, especially at the design and planning phase, you can take actions to ensure that anticipated problems don’t occur or have steps in place to deal with them when they do. The saying goes that an ounce of prevention is worth a pound of cure, and equally, an hour identifying potential risks can be worth several days scurrying around trying to deal with an unexpected problem. The initial investment in the risk management process will prevent the loss of time, money, brand image due to unanticipated product failures.
In this article, we will cover the basic principles and methods involved for managing risk management for the Quality and Safety issues.
The risk of product failure or quality issues with a medical device or diagnostic product (IVD Product) can lead to injury or death of a person. This type of quality risk management is required for compliance with ISO13485, 21 CFR 820, 21 CFR210/211 requirements.
In this article, we will cover the basic principles and methods involved for managing risk management of Quality or safety issues. This type of risk management is an ongoing process.
Who is Responsible?
The team members from Quality Assurance, Regulatory compliance, Engineering, Research and Development shall:
01. Be responsible for identification, analysis, evaluation of hazards during the design and development of the product
02. Be responsible for initiating corrective actions, when the risk analysis shows that the product is not suitable, adequate or effective for the intended usage
03. Be responsible for presenting the updates and summary data from the Risk Management process at the Design Review.
What is Quality Risk Management for the Biomedical Products?
The Quality System Risk management is a systematic process for identification, assessment, control, communication and review of risks to the quality and safety of the Biomedical products.
It is just acknowledging that risk happens, and taking measures to ensure you’re completely prepared for it.
Risk Management Process
01. Risk Identification
02. Risk Analysis
03. Risk Control
04. Risk Evaluation
05. Risk Reduction
06. Risk Acceptance
07. Risk Communication
08. Risk Review
To identify the hazards, create a list the potential areas of concerns or foreseeable hazards that can lead to the failure of a Biomedical product or device. The hazards can happen during failure conditions and during the normal operation of a device. The identification of the hazards shall be based upon historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the “What might go wrong?” question, including identifying the possible consequences. This provides the basis for further steps in the quality risk management process. The following areas are to be considered when identifying the hazards: the Nature of the device, environmental conditions, process parameters, procedural steps, device design, software, packaging design & process, usability, manufacturing processes, service and maintenance, energy, biological, environmental, intended use of the device, functional failures, aging, and any other characteristics unique to the system and/or product shall be assessed for possible hazards. Also, any reasonably foreseeable misuse should be considered when completing the risk identification.
Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms.
This is essential for understanding the impact of risk on business goals and objectives, as well as how likely it is the risks could happen, and when.
Assessing risks is also important for making sure that the risks that are being recorded are actually credible. This is the time when scrutiny can be applied, and methods of qualitative and predictive analysis can be used to better understand which risks should be taken most seriously.
The goal of risk analysis is to help top management understand where to focus their most immediate attention
Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.
The Risk control measures usually focus on the following areas.
01. Is the risk above an acceptable level? What can be done to reduce or eliminate risks?
02. What is the appropriate balance among benefits, risks and resources?
03. Are new risks introduced as a result of the identified risks being controlled?
Risk evaluation compares the identified and analyzed risk against given risk criteria. The Risk evaluations consider the strength of evidence for the following fundamental questions.
01. What might go wrong?
02. What is the likelihood (probability) it will go wrong?
03. What are the consequences (severity)?
Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level .Risk reduction might include actions taken to mitigate the severity and/or probability of harm.Processes that improve the detect-ability of hazards might also be used as part of a risk control strategy.The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks.
Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.
Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.
For some types of harms, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that quality risk is reduced to a specified (acceptable) level, this will be referred to as tolerable risk.
Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process.
Risk management should be an ongoing part of the quality management process. The updates and status of action items from the Risk Management process shall be presented in the Management Review meetings.
Example of a Risk Management Template:
1. The following templates are examples of severity and occurrence scales that can be used for evaluation and analysis of risk of the harms.
1.1 Definition of Severity Scale:
|Severity (S)||Description / Explanation
(Severity of the Injury or Adverse Health Outcome that might reasonably be expected to occur)
|Minor (1)||No adverse effect on safety|
|Marginal (2)||Surgical delay (≥ 15 minutes) and/or short-term pain / discomfort|
|Major (3)||Injury to the patient or user, which requires re-operation|
|Critical (4)||Irreversible chronic pain or loss of anatomical / physiological function|
|Catastrophic (5)||Death to Patient|
1.2 Definition of Occurrence Scale:
|Occurrence (O)||Description / Explanation
(Probability of Occurrence that hazardous situation occurs and leads to harm)
|Extremely Unlikely (1)||An extremely unlikely probability of occurrence (Approximately 1 in 10,000)|
|Remote (2)||An unlikely probability of occurrence (Approximately 1 in 2,500)|
|Occasional (3)||An occasional probability of occurrence (Approximately 1 in 500)|
|Reasonably Probable (4)||A moderate probability of occurrence (Approximately 1 in 100)|
|Frequent (5)||A high probability of occurrence (Approximately 1 in 10)|
1.3 Risk Analysis Matrix: Using the following formula, calculate the overall risk level of the hazards. The Overall Risk Level of Hazard = Severity of the harm x Occurrence of the harm. Then compare the Overall Risk Level with the values from Risk Analysis matrix. If the results of overall risk are in the Intolerable region, then define action plan to bring down the overall Risk Level to Acceptable region.
1.4 Justification for Tolerable Risk Levels:There may be instances where, after the implementation of action plans, the risk levels cannot be brought to Acceptable values, the risk levels may be accepted as tolerable. In such instances, justification or rationale shall be documented for tolerable risk levels.
2.0 Risk Identification: Hazard Identification- Additional numbering to be added as needed.
2.1 List of foreseeable hazards
3.0 Risk Evaluation: For the hazards listed in section 2.1 assign the ranks for severity and occurrence based on the values from section 1.1 and section 1.2. Additional rows can be used as needed.
3.1 List of hazards with assessment ranks:
4. 0 Risk Control: Risk control is achieved through the implementation of action plan.
4.1 Risk Reduction: Define the action plan to mitigate the risk.
4.2 Residual Risk Evaluation and Justification for Acceptability
Risk control measures identified in Section 4.1 will be evaluated against risk acceptability matrix. Justification of acceptability as well as residual risk will be completed in the following table. Additional hazards identified (if any) shall be transferred to Section 3.0 for risk evaluation.
5.0 Risk Review: Completeness of Risk Assessment: All hazards in Section 2.1 shall be reviewed for completeness of risk evaluation. Additional risks identified will be documented below and added to Section 3.1
5.1 Additional list of hazards
6.0 Risk Management Report Approval
Risks identified have been completed and judged to be acceptable.
The following agree that QMS Risk Management has been completed on identified (sub) system. Action in this document (see below) are complete and correct.
01. Function / Purpose of (sub) System Identified
02. Identification of potential or known hazards
03. Risk Evaluation of identified (sub) System
04. Risk Reduction of identified (sub) System
05. Residual Risk identified, acceptability of risk justified
06.Completeness of Risk Assessment