This article identifies the seven risk management errors that Johner Institute and its auditors encounter most often. It also offers advice on how to avoid these errors.
Risk management is among the most important requirements medical device manufacturers must meet. Therefore, it is important that they avoid risk management errors.
Use the points in this article as a checklist for your risk management files!
There is also usually a lack of common understanding within the company as to which element of the chain of events should be entered in the hazard column.
It becomes particularly tricky when manufacturers calculate the risks as the product of probability and severity of possible harm. This makes no mathematical sense, nor does it conform to the definition of risk.
The risk priority number, i.e., a quantity calculated from three factors, one of which is detectability, does not correspond to risk in the sense of ISO 14971.
Manufacturers must derive the risk acceptance criteria for each device. It is therefore (almost always) an error in risk management to define the risk acceptance matrix globally in an SOP.
Manufacturers should also not estimate the risk acceptance criteria but derive them mathematically if possible. In doing so, they should avoid another error:
The benefit demonstrated quantitatively and qualitatively in the clinical evaluation should not differ from the benefit used in weighing the benefit-risk ratio and, thus, in deriving the acceptance criteria.
A prerequisite for manufacturers to express acceptance criteria in the form of a risk-acceptance matrix is that the axes be precisely defined. Popular errors in this regard are:
The next type of risk management error concerns the completeness of identified hazards and, thus, risks. The reasons for incompleteness are manifold:
The next risk management error is that manufacturers misjudge the probabilities and severities of harm. This, in turn, has several causes:
Many manufacturers tend to investigate only the worst case (e.g., death). However, it is a mistake to assume that the greatest risk always occurs at the greatest severities of harm.
However, even with the best method and the greatest experts, the errors in risk management files mentioned in sections three and four cannot be avoided.
Therefore, it is essential to continuously collect information in the post-production phase, in particular as part of the post-market surveillance, to complement and improve the risk analysis.
Another reason is the changing state of the art, which the risk acceptance criteria must reflect.
The post-production phase, as defined by ISO 14971, also includes production. Manufacturers regularly forget to analyze the risks caused by production. Whenever production is changed, manufacturers must update this analysis. However, this is exactly what is often omitted, which constitutes another error in risk management.
Another class of errors concerns the validation of measures. Either this validation is omitted altogether for individual measures, or the manufacturers are not aware that two validations are necessary:
1. Verification that the measure has been implemented, e.g., through a review of the device design.
2. Validation that the measures are effective, typically through appropriate tests.
There is a tendency not to establish inherently safe measures or safeguards but to determine accompanying materials and training as means of risk control. In doing so, manufacturers should avoid two other risk management errors:
1. Manufacturers must verify or validate all measures, including accompanying materials, in this case through summative evaluation.
2. There is information that must not be used as risk mitigation measures.
The seventh and final type of risk management error relates to formal requirements that manufacturers fail to meet:
None of the steps in risk management are simple:
Nevertheless, typical errors in risk management can be avoided. To help with this:
Johner Institute supports manufacturers not only in compiling and reviewing the entire risk management file and establishing a lean and compliant risk management process.