Tag Archive for: risk management center

ISO 14971

Last week, Jama Software launched Jama Connect® for Medical Device Development, which helps teams speed time-to-market without compromising quality or compliance.

In our experience working with more than 200 medical device developers, we’ve realized how important it is to create best practices for risk management under ISO 14971, the FDA’s mandatory standard for risk assessment throughout the product development lifecycle.

In this post, we’ll outline the main clauses of ISO 14971 and explain how Jama Connect can help medical device developers build better, safer products that satisfy ISO 14971.

What is ISO 14971?

ISO 14971 is an international standard that sees risk management as a product lifecycle process encompassing the development, production, and post-production stages. Jama Connect offers a straightforward approach to managing risk according to ISO 14971 in one platform. The standard was updated in 2019, providing more guidance on risk management and adding more detailed requirements.

Managing Risks & Requirements for ISO 14971

Risk management is an inextricable part of the medical device development process. For medical device developers, risks are a core principle of product development and should be tied together in one powerful platform.

Many medical device companies continue to depend on Excel to capture risk data, but Excel simply can’t provide the end-to-end traceability necessary for satisfying ISO 14971. That’s where Jama Connect comes in: It allows teams to easily connect risks, requirements, and testing in one system where requirements and test results stay live in real-time.

Jama Connect and ISO 14971

Jama Connect guides compliance with Clauses 4 through 7 of ISO 14971, which covers how risk should be managed throughout the product development process.

RELATED: Understanding Integrated Risk Management for Medical Device

Risk Management Plan

Clause 4 of ISO 14971 concerns how risk is organized and administered for your product line. It requires the formation of a Risk Management Plan throughout the development lifecycle.

The Risk Management Plan is the record of a planned process for risk management: who does what and when, how risks are scored, etc. It’s a component of the Risk Management File, which contains all the outputs for risk.

Clause 5: Risk Analysis

Clause 5 of ISO 14971 requires that medical device developers identify potential hazards and hazardous situations. Each hazardous situation and its potential consequences must be evaluated. Jama Connect helps teams satisfy Clause 5 by defining device-specific hazards and capturing risk probability and severity.

Jama Connect offers risk management item templates to capture important information about the risk analysis process, including a description of the device, intended use, and the scope of the analysis.

Teams can identify and evaluate potential hazards, sequences of events, hazardous situations, and harms in a single item type.

Clause 6: Risk Evaluation

Clause 6 requires the evaluation of risk for each hazardous situation and the definition of acceptability criteria for determining when risk reduction is required. To satisfy Clause 6, teams take the inputs from Clause 5 and determine the risk level for each hazardous situation.

In Jama Connect, risk acceptability criteria can be customized for a particular product line or medical device classification in the risk management item.

RELATED: Understanding FDA Medical Device Class and Classifications, and its Impact on Requirements Management

Clause 7: Risk Control

Clause 7 requires risk control measures to be developed, implemented, and verified across the product development lifecycle. Risk control measures could include product design, preventative measures in the product, and labeling. Residual risk must be evaluated against acceptability criteria, and risk control measures must be reviewed in case additional risks have been introduced inadvertently.

The risk evaluation item lets users identify risk control options for a specific hazardous situation, such as inherent safety by design, protective measures in the medical device or manufacturing process, and safety information.

Risk control measures, implementation verification, and verification of risk control effectiveness can also be accounted for in the risk evaluation item. Links to system requirements and verifications in Jama Connect can easily be created from the risk item to demonstrate traceability from hazardous situations to risk controls.

Clause 8: Residual Risk

Clause 8 requires an evaluation of the medical device’s overall residual risk. If the overall residual risk is unacceptable, it must be demonstrated that the medical benefit outweighs the residual risk.

When defining risk control measures, teams can capture those measures in Jama Connect and link them directly to risks before updating the rankings to determine the residual risk level.

With traceability through all phases of risk, users can quickly identify potential pitfalls in the product development process and address them before they become bigger barriers to success.

The Bottom Line

ISO 14971 requires a cohesive, well-documented narrative of your product’s lifecycle to assure the FDA that the device is safe, effective, and compliant. Any decisions or actions that aren’t documented could keep your product from reaching the market or result in a recall.

Finding and fixing errors early in the product lifecycle saves money, speeds time to market, and improves product quality. Jama Connect allows medical device developers to review risks and risk controls holistically so that teams can operate with confidence.

From a compliance perspective, the Jama Connect for Medical Device Development illuminates the risk management and product development process, while simultaneously generating the required documentation to support that narrative.

For a deeper dive into ISO 14971 and how Jama Connect for Medical Device Development offers a comprehensive way to manage risk and requirements throughout development, download our white paper, “Application of Risk Analysis Techniques in Jama Connect to Satisfy ISO 14971.

You’ll gain more confidence that your recently-released products avoid recalls, fines, or worse if you perform failure mode and effects analysis (FMEA) as part of your risk management.

That’s according to Bethany Quillinan, senior quality systems consultant with Oregon Bioscience Association, who presented on the topic in our recent webinar, “Best Practices for Improving Risk Management Using FMEA.”

Over the course of the hour-long webinar, Quillinan and Jama’s senior product manager, Joel Hutchinson, provided some key elements around the value of risk management and FMEA, and the importance of modernizing your risk management process to accommodate.

At the conclusion of the webinar’s presentation, the pair answered a range of questions from the hundreds of participants in attendance. Unfortunately, they weren’t able to get to everyone’s questions, but luckily they took some extra time afterward to answer some of those remaining, touching on everything from risk mitigation in aerospace to specific standards like ISO 14971.

We’ve compiled the questions (some of which have been slightly modified for clarity) below and encourage you to check out the full webinar and Q&A session here.

Q: Given that FMEA teams in companies can be non-permanent and have a fluid scope, which role should own and drive the activity overall?

Bethany Quillinan: I think the ownership role should align with those of the design/new product introduction process. If there is a project lead, then that person would make the most sense. There may also be a particular functional group who is given ownership of risk management, like Quality or Compliance teams. I think it really depends on the organization. What we want is alignment and integration within the design process, not a separate “silo” for risk management.

Q: Do you have any suggestions for criteria that would help when selecting a good FMEA facilitator?

Quillinan: A good facilitator will be someone who is well-versed in the FMEA process and the organization’s particular methodology, rating scales, etc. Additionally, the facilitator should be skilled in well, facilitation, and by that I mean having meeting management skills — things like tracking time, noticing when energy is low and a break is needed, drawing out quieter members, dealing with overly-dominant members, and generally equalizing the field. The facilitator should not get involved in the “content” of the FMEA, just the process itself. Ideally, there is also a content leader who can keep the team focused on the scope of the FMEA. That said, the facilitator should be aware of the scope, in case the team gets way off track and no one is calling it.

Gain Confidence in Your Risk Management Plan with Jama Connect. Learn how.

Q: Any suggestions for facilitators to keep people from taking things personally?

Quillinan: One engineer I worked with who had facilitated a lot of FMEAs shared a good technique — to ask people, “How could you make it fail?” And that turned around defensiveness to creativity. From a facilitation aspect, I think emphasizing that the analysis is “potential,” that we’re not saying it’s going to happen, but that it’s a just a possibility to consider. Depersonalizing statements can help — talk about “the design” vs. “your design,” for example. If someone is super defensive, the facilitator may need to call a break to let things cool down and talk to the person offline. Diplomacy is important!

Q: What you talked about is used in the automotive field which is very effective, but the aerospace industry tends to use FMEAs focused on managing the effects and quantitative failure rates (assuming constant failure rates). How do you get the benefits of automotive FMEA and, at the same time, satisfy aerospace FMEA requirements? 

Quillinan: Having quantitative failure rate data to inform the discussion of the probability of occurrence is a big benefit. Failure mode, effects and criticality analysis (FMECA), where “C” is criticality analysis brings in more of the quantitative factor, and I see that terminology used more in aerospace. Satisfying specific Aerospace requirements is somewhat out of the scope of this presentation. In the context of the AS9100 quality management system standard, the requirement is to perform risk management, and FMEA is not prescribed but is a possible tool. Bottom line, I see FMEA as a prioritization tool rather than a reliability prediction. (In the early days, the military hoped to use FMECA to calculate an actual reliability metric, but it didn’t work out that way.)

Learn why Frost & Sullivan likes Jama Connect as a modern solution for risk management.
Read the brief. 

Q: What happens when multiple users are creating individual risk analyses? How do they collaborate if they are analyzing similar things?

Joel Hutchinson: As Bethany mentioned during her presentation, we understand that there’s going to be overlap in various FMEAs. An example of this is subsystems, which may have additional functionality that is only present at the system level. Risk management in Jama Connect helps the cross-functional team that works together to perform a risk analysis and has the ability to add view-only roles for context. One way of addressing this would be for the moderators of the two overlapping risk analyses to add each other as view-only roles to their respective analyses. This way, each cross-functional team is aware of what the other team is doing and how they’ve scoped their risk analysis.

Do you know where, when, and how intended Use FMEA (uFMEA for medical devices, per IEC 62366-1:2015) and software FMEA (life cycle requirements for medical device software per IEC 62304:2006+A1:2016) integrate into the requirements management process and product development timeline?

Quillinan: Generally speaking, risk management for usability, software, or any other aspect of a design should be integrated with the design process as soon as these aspects enter the design conversation. For example, early on during the initial “concept” phase, we need to be thinking about usability risks to inform the design concept and assist in evaluating different design routes to take. I also think useability/human factors could potentially be considered at any level of the product, so it could follow the same general timeline I showed in the presentation.

Likewise, for software, at the concept phase, the conversation will likely include software needs for satisfying customer expectations. From a systems standpoint, I feel the sooner the better. (I often use the initial rollout of the Healthcare.gov website for the Affordable Care Act (ACA) marketplace as an example of a “silo’d” approach to design. Each module was developed and tested in isolation and the “validation” of interfaces between modules was when it went live… and crashed.

We have to remember that the ultimate focus is at the system level — the end-user interaction with the product. In a medical device setting, most consultants are going to advise you to build in human factors considerations throughout the design process rather than waiting until the final human factors validation test on the finished design, for all the same reasons I described in the presentation.

The FDA guidance document “Applying Human Factors and Usability Engineering to Medical Devices” (Feb 3, 2016) is a helpful document and can complement ISO 14971.

Find out how to better manage medical device development in accordance with ISO 14971.
Read our guide.

Q: Risk Priority Numbers (RPNs) seem to always be subjective from one party to another, specifically the occurrence and detection. The occurrence is difficult to gauge when the failure mode and risks are new or when little-to-no history is available. For detection, we’ve had difficulty assessing the controls in place and how to rate them in terms of efficiency.

Quillinan: One way to help make the RPNs more objective is to establish and use consistent rating scales with descriptions that are relevant to your organization’s products and processes.

When there is no history and risks are new, the typical practice is to be conservative and give them high ratings. I often find that people have difficulty distinguishing prevention controls from detection controls.

Preventive controls typically act on the inputs to a process or are the controls during the process — think of mistake-proofing, for example not being able to choose an obsolete revision of a component for a bill of material (BOM) or having design guidelines to follow. Detection controls are after the fact and are inspections of the output of a process. In design, a typical detection control is a second person (or more) performing a design review.

Q: What is the relationship between design failure mode and effect analysis (DFMEA) and process failure mode and effect analysis (PFMEA), in terms of the failure modes and causes?

Quillinan: In DFMEA, we are looking at how the product could fail, and causes are from the design process itself; the assumption is that the process is being run correctly. In PFMEA, we’re looking at how the process could fail, assuming the product is designed correctly. Of course, this depends on FMEA scope. If we’re looking at a design for manufacturability, then we’re looking at how the design process could fail in terms of designing the product in a way that it can be easily and efficiently built.

Hear the full presentation, as well as questions and answers to many other FMEA and risk management questions, in our webinar, “Best Practices for Improving Risk Management Using FMEA.”

Many products must go through a risk management process to ensure safety, but it’s the severity of the potential outcomes that vary.

For our customers creating products in heavily-regulated industries — such as automotive, medical devices, and aerospace — the consequences associated with not correctly mitigating risk puts lives in jeopardy. And there’s ample evidence that too many in these fields are still struggling to find a process that works.

Even while tougher safety regulations and standards are being enacted, product recalls are still soaring. In February and March alone, millions of vehicles were recalled due to quality issues. And, within the fourth quarter of 2018, recalls of medical devices spiked 449% to just over 161 million, which was the second highest quarter in at least 14 years.

These examples showcase why teams building complex products need a smarter way to identify the probabilities and severity of risks early so they can track and mitigate them throughout development. And while risk management is imperative, it can’t come at the expense of the speed of development; in fact, it should complement rather than hinder efficiency.

Earlier this year, we introduced Jama Connect™ Risk Management Center for medical device developers, and now we’re excited to announce that we’re opening it up to all our customers working within regulated industries with the introduction of FMEA templates.

The Jama Connect Risk Management Center was developed from best practices learned from our work with companies that deliver quality products in safety-critical industries. With the newly-updated Risk Management Center, development teams can participate in risk management techniques including Preliminary Hazard Analysis (PHA) and FMEA in accordance with ISO 14971 and IEC 60812.

As an overview, here are some common problems we’ve often seen around managing risk and how the Jama Connect Risk Management Center solves them.

Problem: Not sure how to implement a solid risk management process

Risk management is a daunting challenge, especially for startups vying to disrupt an entire industry. Whether it’s ISO 14971, IEC 60812, or beyond, many new companies aren’t sure where to start when creating a risk management plan to bring their products up to international standards and government regulations.

Solution: Pre-configured risk analysis templates and startup services

In Risk Management Center, users receive guided templates based on best practices like FMEA and ISO 14971, which helps remove the bulk of the guesswork.

For medical device developers, Jama also has a Professional Services division that can work directly with your team to provide the best possible start to your process in accordance with ISO 14971. Through training and consultation, they’ll help customize your templates in a way that matches your team’s risk management process so you can start managing and mitigating risks quickly while accelerating development.

Jama’s professional services dramatically speed time to value, so much so that one customer began developing medical devices in less than a week with our guidance.

Frost & Sullivan points to Jama Connect as a way to better manage risk for companies in regulated industries. Read the report.

Problem: Risk management process can be siloed

In many organizations, managing risk during development is painfully cumbersome, disconnected, and inefficient.

If you can imagine a company emailing gigantic Excel spreadsheets around to manage risks for large, complex products — whether its airplanes, automobiles, medical devices, or software that interacts with any of these elements — you can also envision the unintended errors that can manifest as a result.

Solution: Streamlined risk management

The Jama Connect Risk Management Center takes a strong, team-based approach, ensuring risk analysis is not done in silos and instead performed early, collaboratively, and continuously throughout development.

With your risks and requirements housed directly within Jama Connect, Risk Management Center helps you track both in a single place. And since the data in Jama Connect is updated in real time, you’ll always be working from the most recent version of any risk analysis. Invited individuals can simply log in to Jama Connect and participate throughout the development process.

Through this effort, risk management becomes a continuous and collaborative part of the development process saving you valuable time and rework cost.


Problem: Aligning teams around risk management

Throughout the frenzied pace of development, those charged with leading the risk management process at organizations can find it difficult to keep teams engaged and focused on reviewing risks. The issue often manifests itself in long, painful, cross-functional meetings, wherein risks are reviewed in detail.

By their very nature, cross-functional teams aren’t performing risk management full time. As a result, review meetings can become susceptible to the same problems all meetings are prone to: participants don’t prepare, precious meeting time is spent on what to focus on, and action items aren’t clearly identified or resolved. This type of disorganization can significantly extend the development cycle if risks are still discovered late in the design or commercialization phases – times when efficiency is most needed.

Solution: Centralized risk management activities

Lengthy meetings around risk management can be halved with the Jama Connect Risk Management Center. Throughout development, key stakeholders in the risk management process can be given select access to Risk Management Center.

These chosen team members can then easily and efficiently view and contribute to the risk analyses that matter most to their expertise and experience. Users also get the ability to easily bookmark, organize, and identify recently-viewed analyses so they can pick up right where they left off.

Organizations using dedicated requirements management platforms receive fewer warnings, recalls, fines, and production stoppages than those that don’t, according to Engineering.com. Get the full report.

Problem: Tracking accountability in risk management

If your team is still relying on spreadsheets when building complex products, that’s going to cascade into other problematic areas.

In the whirl of development cycles, it can be difficult to manage the multitudes of requirements and tasks, leaving teams with a sense of unease around whether or not they’ve properly tracked and mitigated all possible risks when it comes time to launch.

Solution: Visible risk tracking and mitigation

In Risk Management Center, you’ll have the ability to link risks to requirements and verifications to better manage development complexity and assess the impact of changes to ensure quality. This feature also allows you to easily track open risks and those that are still needing mitigations, effectively eliminating the chance something slips by your team.

When it comes time to prove compliance, risk analysis and plan elements can be easily exported to allow sign-off in another compatible document or management tool.

Learn more about Jama Connect Risk Management Center by downloading our datasheet or contacting your account manager.