Medical Device Quality Risk Management


By adding quality risk management into your processes, especially at the design and planning phase, you can take actions to ensure that anticipated problems do not occur, or have steps in place to deal with them when they do. The saying goes that an ounce of prevention is worth a pound of cure; equally, an hour spent identifying potential risks can be worth several days scurrying around trying to deal with an unexpected problem. The initial investment in the risk management process prevents the loss of time, money, and brand image caused by unanticipated product failures.

In this article, we will cover the basic principles and methods involved in managing risk for quality and safety issues.

The risk of product failure or a quality issue with a medical device or in vitro diagnostic (IVD) product can lead to injury or death. This type of quality risk management is required for compliance with ISO 13485, 21 CFR 820, and 21 CFR 210/211.

This type of risk management is an ongoing process.

Who is Responsible?


Team members from Quality Assurance, Regulatory Compliance, Engineering, and Research and Development shall:

01. Be responsible for the identification, analysis, and evaluation of hazards during the design and development of the product

02. Be responsible for initiating corrective actions, when the risk analysis shows that the product is not suitable, adequate or effective for the intended usage

03. Be responsible for presenting the updates and summary data from the Risk Management process at the Design Review.

What is Quality Risk Management for Biomedical Products?

Quality system risk management is a systematic process for the identification, assessment, control, communication, and review of risks to the quality and safety of biomedical products.

In short, it acknowledges that risk happens and takes measures to ensure you are fully prepared for it.

Risk Management Process

01. Risk Identification

02. Risk Analysis

03. Risk Control

04. Risk Evaluation

05. Risk Reduction

06. Risk Acceptance

07. Risk Communication

08. Risk Review

Risk Identification

To identify hazards, create a list of the potential areas of concern or foreseeable hazards that can lead to the failure of a biomedical product or device. Hazards can arise under failure conditions and during the normal operation of a device. Hazard identification shall be based on historical data, theoretical analysis, informed opinions, and the concerns of stakeholders. Risk identification addresses the question “What might go wrong?”, including identifying the possible consequences, and provides the basis for the further steps in the quality risk management process. The following areas shall be assessed for possible hazards: the nature of the device, environmental conditions, process parameters, procedural steps, device design, software, packaging design and process, usability, manufacturing processes, service and maintenance, energy, biological and environmental hazards, the intended use of the device, functional failures, aging, and any other characteristics unique to the system and/or product. Any reasonably foreseeable misuse should also be considered when completing the risk identification.

Risk Analysis

Risk analysis is the estimation of the risk associated with the identified hazards. It is the qualitative or quantitative process of linking the likelihood of occurrence and severity of harms.

This is essential for understanding the impact of risk on business goals and objectives, as well as how likely it is the risks could happen, and when.

Assessing risks is also important for making sure that the risks that are being recorded are actually credible. This is the time when scrutiny can be applied, and methods of qualitative and predictive analysis can be used to better understand which risks should be taken most seriously.

The goal of risk analysis is to help top management understand where to focus their most immediate attention.

Risk Control

Risk control includes decision making to reduce and/or accept risks. The purpose of risk control is to reduce the risk to an acceptable level. The amount of effort used for risk control should be proportional to the significance of the risk. Decision makers might use different processes, including benefit-cost analysis, for understanding the optimal level of risk control.

Risk control measures usually focus on the following questions.

01. Is the risk above an acceptable level? What can be done to reduce or eliminate risks?

02. What is the appropriate balance among benefits, risks and resources?

03. Are new risks introduced as a result of the identified risks being controlled?

Risk Evaluation

Risk evaluation compares the identified and analyzed risk against given risk criteria. Risk evaluations consider the strength of evidence for the following fundamental questions.

01. What might go wrong?

02. What is the likelihood (probability) it will go wrong?

03. What are the consequences (severity)?

Risk Reduction


Risk reduction focuses on processes for mitigation or avoidance of quality risk when it exceeds a specified (acceptable) level. Risk reduction might include actions taken to mitigate the severity and/or probability of harm. Processes that improve the detectability of hazards might also be used as part of a risk control strategy. The implementation of risk reduction measures can introduce new risks into the system or increase the significance of other existing risks.

Hence, it might be appropriate to revisit the risk assessment to identify and evaluate any possible change in risk after implementing a risk reduction process.

Risk Acceptance

Risk acceptance is a decision to accept risk. Risk acceptance can be a formal decision to accept the residual risk or it can be a passive decision in which residual risks are not specified.

For some types of harm, even the best quality risk management practices might not entirely eliminate risk. In these circumstances, it might be agreed that an appropriate quality risk management strategy has been applied and that the quality risk is reduced to a specified (acceptable) level; this is referred to as tolerable risk.

Risk Communication

Risk communication is the sharing of information about risk and risk management between the decision makers and others. Parties can communicate at any stage of the risk management process.


Risk Review

Risk management should be an ongoing part of the quality management process. The updates and status of action items from the Risk Management process shall be presented in the Management Review meetings.


Example of a Risk Management Template:

1. The following templates are examples of severity and occurrence scales that can be used for the evaluation and analysis of the risk of harm.

1.1 Definition of Severity Scale:

Severity (S)       Description / Explanation
                   (Severity of the injury or adverse health outcome that might reasonably be expected to occur)

Minor (1)          No adverse effect on safety
Marginal (2)       Surgical delay (≥ 15 minutes) and/or short-term pain / discomfort
Major (3)          Injury to the patient or user which requires re-operation
Critical (4)       Irreversible chronic pain or loss of anatomical / physiological function
Catastrophic (5)   Death of the patient

1.2 Definition of Occurrence Scale:

Occurrence (O)            Description / Explanation
                          (Probability that the hazardous situation occurs and leads to harm)

Extremely Unlikely (1)    An extremely unlikely probability of occurrence (approximately 1 in 10,000)
Remote (2)                An unlikely probability of occurrence (approximately 1 in 2,500)
Occasional (3)            An occasional probability of occurrence (approximately 1 in 500)
Reasonably Probable (4)   A moderate probability of occurrence (approximately 1 in 100)
Frequent (5)              A high probability of occurrence (approximately 1 in 10)

1.3 Risk Analysis Matrix: Using the following formula, calculate the overall risk level of each hazard: Overall Risk Level of Hazard = Severity of the harm × Occurrence of the harm. Then compare the overall risk level with the values from the risk analysis matrix. If the overall risk falls in the Intolerable region, define an action plan to bring the overall risk level down to the Acceptable region.

1.4 Justification for Tolerable Risk Levels: There may be instances where, after the implementation of action plans, the risk levels cannot be brought to Acceptable values; in such cases the risk levels may be accepted as tolerable. In such instances, the justification or rationale for the tolerable risk levels shall be documented.

2.0 Risk Identification: Hazard Identification. Additional numbering is to be added as needed.

2.1 List of foreseeable hazards

3.0 Risk Evaluation: For the hazards listed in section 2.1, assign the ranks for severity and occurrence based on the values from sections 1.1 and 1.2. Additional rows can be used as needed.

3.1 List of hazards with assessment ranks:

4.0 Risk Control: Risk control is achieved through the implementation of the action plan.

4.1 Risk Reduction: Define the action plan to mitigate the risk.

4.2 Residual Risk Evaluation and Justification for Acceptability

Risk control measures identified in Section 4.1 will be evaluated against the risk acceptability matrix. The justification of acceptability, as well as the residual risk, will be completed in the following table. Additional hazards identified (if any) shall be transferred to Section 3.0 for risk evaluation.
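As an added worked example (not part of the article or the Qualcy template), the following Python script applies the severity and occurrence scales from sections 1.1 and 1.2, the Severity × Occurrence formula from section 1.3, and the residual-risk and justification rules from sections 1.4 and 4.2 to a few constructed hazards. The risk matrix itself is not reproduced on the page, so the Acceptable-region threshold (ACCEPTABLE_MAX = 4), the status labels and the sample hazards are assumptions.

```python
# Added example, not from the original article: scores hazards with the
# severity and occurrence scales of sections 1.1-1.3 and applies the
# residual-risk rule of sections 1.4 and 4.2. The article's risk matrix
# image is not on the page, so the ACCEPTABLE_MAX threshold is an assumption.
from dataclasses import dataclass

SEVERITY = {"Minor": 1, "Marginal": 2, "Major": 3, "Critical": 4, "Catastrophic": 5}
OCCURRENCE = {"Extremely Unlikely": 1, "Remote": 2, "Occasional": 3,
              "Reasonably Probable": 4, "Frequent": 5}
ACCEPTABLE_MAX = 4  # assumed: S x O of 4 or less lies in the Acceptable region


def risk_level(severity: str, occurrence: str) -> int:
    """Overall Risk Level of Hazard = Severity x Occurrence (section 1.3)."""
    return SEVERITY[severity] * OCCURRENCE[occurrence]


@dataclass
class Hazard:
    name: str
    severity: str
    occurrence: str
    control: str = ""              # section 4.1 action plan, if any
    residual_severity: str = ""    # severity after the control, if changed
    residual_occurrence: str = ""  # occurrence after the control, if changed
    justification: str = ""        # section 1.4 rationale for tolerable risk


def evaluate(h: Hazard) -> dict:
    """Initial and residual risk level plus the status recorded in section 4.2."""
    initial = risk_level(h.severity, h.occurrence)
    residual = risk_level(h.residual_severity or h.severity,
                          h.residual_occurrence or h.occurrence)
    if residual <= ACCEPTABLE_MAX:
        status = "Acceptable"
    elif residual > initial:
        status = "Re-assess"  # the control raised the risk; revisit the assessment
    elif h.justification:
        status = "Tolerable"  # residual risk accepted with documented rationale
    else:
        status = "Open"       # still Intolerable and no rationale: not approvable
    return {"initial": initial, "residual": residual, "status": status}


if __name__ == "__main__":  # constructed sample hazards, for illustration only
    for h in [Hazard("Connector misaligned", "Marginal", "Occasional",
                     control="Keyed connector", residual_occurrence="Remote"),
              Hazard("Dose calculation overflow", "Catastrophic", "Occasional")]:
        print(f"{h.name:26s} {evaluate(h)}")
```

A hazard that stays "Open" after the action plan blocks the section 6.0 approval until either a further control or a documented section 1.4 justification is recorded.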

5.0 Risk Review: Completeness of Risk Assessment: All hazards in Section 2.1 shall be reviewed for completeness of risk evaluation. Additional risks identified will be documented below and added to Section 3.1.

5.1 Additional list of hazards

6.0 Risk Management Report Approval

The identified risks have been assessed and judged to be acceptable.

The following agree that QMS risk management has been completed on the identified (sub)system. Actions in this document (see below) are complete and correct.

01. Function / purpose of the (sub)system identified

02. Identification of potential or known hazards

03. Risk evaluation of the identified (sub)system

04. Risk reduction of the identified (sub)system

05. Residual risk identified, acceptability of risk justified

06. Completeness of risk assessment




You can contact us to set up a demo of the Qualcy eQMS software. You can also get a Word copy of this document.
