Product Risk Management Under ISO 14971:2007 and ICH Q9

For Medical Device and Pharmaceutical Companies

John Lincoln

Risk management has many connotations depending upon the audience. Its definition depends upon whether the context is company disaster recovery, company/product liability, protection of intellectual property, protection of the data processing system and data, and similar. This article covers medical device and pharmaceutical hazard analysis and risk management.

All medical interventions involve some level of risk, which is acknowledged on the FDA's website and within ISO 14971:2007 standards. The goal of the responsible manufacturer is to reduce product risk and to identify/know the levels of remaining risks, which are tied—ultimately—to a user's (clinician and patient) safety.

Risk management has many connotations depending upon the audience. Its definition depends upon whether the context is company disaster recovery, company/product liability, protection of intellectual property, protection of the data processing system and data, and similar.

ISO 14971:2007 is the U.S. FDA's de facto standard for medical device risk management and ICH Q9 is a guidance for drugs. ISO 14971 is mandated under the European Commission's (EU) Medical Device Directive. Although each regulation is geared to its own industry, both should be considered collectively for the value they provide.

ISO 14971 provides the user a format and suggested tools to use in the identification of the hazards associated with medical devices, to estimate and evaluate associated risks, and finally, to define methods for the mitigation and control of said risks. The resulting document, in addition to providing these tools, can also serve as an excellent product familiarization and training tool.

ICH Q9 also provides an overview of a suggested quality risk management process (focused on pharmaceuticals) but that is useful for all industries. The documentation discusses:

  • Initiation and communication of the Quality Risk Management Process;
  • Risk Assessment, i.e, Risk Identification, Risk Analysis, and Risk Evaluation;
  • Risk Control (consisting of Risk Reduction and Risk Acceptance), output/result of the process, and Risk Review

In considering a product's hazards and managing its risk, its lifecycle must be considered—from initial conception to ultimate decommissioning and disposal. Disposal/"green" issues are also becoming important worldwide lifecycle issues. These too, should be elements of any product risk management activity.

Risk Management Plan

Under ISO 14971:2007, the risk management process includes the development of a company product Risk Management Plan. ICH Q9 is more general but encourages similar activities. The Risk Management Plan is a top-level document that defines the systems and procedures the company is using to implement and maintain its product risk management activities and documentation (by site and product family). It defines how product risk management is implemented, by whom, and when, and also defines product lifecycle considerations, interfaces (e.g, CAPA, et al). All company operations, processes, and systems that act upon the product should be included in the analysis process, with active senior management involvement:

  1. Systems / processes
  2. Product / design
  3. User / application, and
  4. Software, if applicable

Risk Management Process

The Risk Management Process includes: 1) hazard/risk analysis, 2) purpose, 3) hazards, and 4) risk estimation. It then addresses risk evaluation/acceptability. The next step is a discussion or ranking of the probability of its occurrence. The process finally concludes with a consideration of risk mitigation/control, including options and implementation, residual risks and an ongoing risk/benefit analysis. This is all documented in the File, and summarized in the Report, as defined in ISO 14971.

This process must include periodic production and post-production information review, often involving the company's CAPA (Corrective and Preventive Action) program, with the goal of updating the Risk Management File when additional information is noted.

Hazard / Risk Analysis / Management Process

The risk management process can be applied any time to products, although its greatest value is achieved early on in the new or changed product development process, when risk can best be mitigated by human factors engineering and resulting design changes. Information may be obtained from similar devices, CAPA sources (NCMRs [non-conforming material reports], CAPA Reports, Failure Investigation Reports, Complaints, Labeling, Manuals), industry / FDA Adverse Events databases and trade and journal articles.

Risk Management File

The Risk Management File documents the product or process and the associated risk management activities and resultant outcomes, which can include the following:

  • Item Description and Use
  • Risk Assessment Sources / Methodology / Assumptions
  • Hazard Analysis - Categories (e.g. ISO 14971)
  • Fault Tree Analysis (FTA) (one tool that may be used)
  • FMECA (Failure Mode, Effects, Criticality Analysis, the tool mostoften used in performing the basic risk analysis)

The Risk Management File Sections

Descriptive Information

This section could include basic information of the product and the methodology used in the risk management activities, such as:

  • Item information
  • Physical description item use, including user and use environment
  • List of assumptions that were used in preparing the risk assessment
  • Identification of the person(s) involved in performing the analysis
Hazard Analysis / Listing

A basic Hazard Listing can be compiled from the ISO 14971 appendices, prior knowledge or other sources, tailored to a specific product by a review of the aforementioned CAPA, related documentation and other sources.

Detailed Failure Analysis

There can be many ways to analyze all the failure modes that underlie each listed hazard. The two most common are FTA and FMEA / FMECA. The development of these documents is frequently iterative rather than linear, i.e, going back and forth in the documents until all inputs have been listed down to the desired level.

Fault Tree Analysis (FTA) uses a logic diagram (examples can be found on the Internet). It is a top down analysis, using "logic diagram" symbols, starting with the hazard/fault/problem and then moving down to the various contributors/causes of the problem.

Failure Mode, Effects and Criticality Analysis (FMECA, or FMEA) also expands upon the Hazard Listing by taking each hazard and determining all the possible inputs that could cause that hazard (failure modes), their sources/causes, their probability of occurrence, and methods for control and mitigation. An optional activity may be the assignment of numerical ratings for probability, severity, and control/mitigation placed for each. Of all such tools, the FMEA is perhaps the single most useful (as previously stated examples can be found on the Internet).

While the FTA and FMEA are the most common tools, ISO 14971 lists other hazard analysis methodologies; any effective technique that works for a company should be acceptable. Usually, the concurrent use of more than one is more effective in flushing out all sources of hazards and their failure modes/sources.

Risk Management Report

The product's Risk Management Report is a summary of the data recorded in that product's Risk Management File. It covers the key issues and shows that the overall product's residual risk(s) is (are) acceptable e.g., with conclusions and an optional Risk / Benefit Analysis.

Using the File/Report

The primary purpose of the Product Risk Management File and Report is to evaluate a product's risk for acceptance, reduction and/or mitigation. Reduction and mitigation usually involve design changes based on human factors but may also include labeling, cautions, warnings and instructions for use.

This document has many other uses. This record (or something similar to it) is a required element under Design Control and is expected to be a part of a 510(k)/IDE/PMA submission to the U.S. FDA, and part of the EU's Medical Device Directive / CE-marking Technical File / Design Dossier. It should also play a prominent part in all risk-based activities, including CAPA investigations, in order to justify the amount of resources expended. Its value as a training document for company personnel has already been mentioned. As a "living" document, the File and Report should not be filed away and forgotten, missing its true value. Instead it should be placed under a company's Document Control or similar control system, subjected to periodic reviews, linked to CAPA / Design / Change Control system(s), and subject to periodic Management Review / Internal Audit.

Developed and used as such, the Product Risk Management File and Report can be a very useful tool in product development, improvement, legal due diligence, training and dGMP compliance.

John E. Lincoln is principal of J. E. Lincoln and Associates LLC, a consulting company with over 29 years experience including over 15 years as a full time consultant, serving U.S. FDA-regulated industries. John has worked with companies from start-up to Fortune 100 in the U.S., Mexico, Canada, France, Germany, China, and Taiwan. He specializes in medical device cGMPs / systems / SOPs, product-to-market endeavor, defect- and cycle-time reduction, product clearance, regulatory issues resolutions and equipment, process, product, software documentation, validation, quality, regulatory management, product risk, ISO 14971, product clearance and regulatory issues resolutions. He's held assignments as VP R&D, Director of QA/RA, Senior QA Engineer, Senior Manufacturing Engineer, and has worked for companies such as Abbott Laboratories, Hospira, Integra, et al. Additional experience has been in government (civil and military), aerospace and electronics industries. He has published numerous peer-reviewed articles on culture change, training, biohazards, quality, regulatory affairs, CAPA, and validation. He conducts webinars, workshops and training worldwide. He has a BA from UCLA. Contact: | | Phone: 435-840-0252.