How to Use ISO 14971 and Project Risk Management Effectively

Medical device companies use ISO 14971 to identify and manage user risks with their devices. However, we often find these same companies do not manage their project risks well.

What is Project Risk Management

The PMBOK Guide[i] defines risk as “an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.” Therefore, project risk management is the method used on the project to manage the risk. Those activities include planning (how you are going to manage risk), identifying, analyzing, response planning, and controlling the risks on the project.

Project risk management should be an active process used throughout the project to regularly review identified risks, curate those risks, proactively identify new risks, and respond to risks that have become events/ problems/ issues. Project risks include all forms of project risk, including marketing, technical, supplier, operations, sales, etc. This process ends with the project closure.

Strategy 2 Market developed a process called Exploratory PD (ExPD) that helps project teams identify, evaluate, prioritize and track uncertainties and risks throughout a project. To learn more, please go to www.exploratorypd.com.

ISO 14971

Medical device companies also need to address user risks, through the process identified in ISO 14971. The steps are somewhat prescribed and device companies must plan, identify, evaluate, and address risks if they will cause patient or user harm. These risks need to be tied in some way to product requirements and a final report is needed that shows the product is safe. In addition, any changes to the product need to include an evaluation of the risk to the user.

Risk management of user risks are required throughout the life of the product, until the device is withdrawn from the market: often long past the end of the project. Users include the patient and care givers who use the product, but may also include other users such as reprocessing groups, inventory management, or surgical setup teams.

Using Risk Management Effectively

Although the scope and use time frames are different between the 2 different risk management processes, there are ways to use both of them effectively.

1. Use a similar process: Capturing and tracking all potential items, evaluating, when necessary identifying resolutions, and closing items become more routine when all risk processes are similar.
   1. Use cross-functional teams to generate and review the risks.
   2. Write it down. The user risk management file will need to be stored with the design history file (DHF). The project risk information can be stored with other project files.
2. Use risk libraries: Using libraries as a starting point for both types of risk management help ensure common items aren’t missed and often spark ideas for additional items.
3. Regularly review both ISO 14971 and project risk lists: Reviewing your lists as part of the regular team meetings helps ensure they remain current and new items are included. We suggest you include them on your team meeting agenda. Remember, risk management is not a one-time activity, nor should it be a checklist item for a gate meeting.
4. Treat risk management as a tool: Risk management should be used to deliver your product and project better and faster.

Closing Thoughts

Risk management is part of every medical device project. You have both user risks, managed through ISO 14971, and project risks which need to be managed. Set up processes that make the 2 types of risk similar to manage and integrate the reviews into your team meetings. You will find that you are much more effective in managing both types of risk.

Related Posts

How to Identify and Manage Project Risk

Dealing with Uncertainty in Product Development

The Multiple Personalities of Risk

[i] Project Management Institute.2013. A Guide to the Project Management Body of Knowledge (PMBOK Guide) – Fifth Edition. Newtown Square, PA. Project Management Institute