About this Paper
The nuts and bolts of risk management
Working with global medical technology leaders, including teams from FEI, Thermo Fisher and Plexus, we’ve created risk management best practices for product development in Jama Software.
This paper takes you through the seven main clauses of ISO 14971, the FDA-prescribed mandatory standard, to outline the practical, step-by-step application to meet risk management requirements.
- Execute risk management processes
- Reinforce defined organizational processes
- Document risks and traceability to design controls
- Ensure accuracy during audits
Medical technology companies, especially those developing medical devices, are faced with a wide range of techniques for managing risk. The hardest part is often deciding which specific techniques and data points need to be captured to demonstrate that all angles of risk analysis for the product have been accounted for. Today, many medtech companies use spreadsheets to capture risk data and are then left with the manual process of connecting that information to design and mitigation. Achieving medical software and hardware compliance is much less stressful when developers and stakeholders have a structured, detailed and easy-to-use data and information management process in place.
ISO 14971 is a harmonized standard (now superseding EN 1441) that provides a comprehensive approach to reducing risk to the lowest reasonable level. The most common method today is to use FMEA as a tool to perform risk analysis. The techniques described in IEC 60812, the only standard that defines FMEA, aren’t necessarily sufficient to tackle the specific risk needs for medical device compliance. Medical devices themselves are not the only source of risk; the environments in which they are used are enormously complex. Considering both the device and the environment, the circumstances and combinations of circumstances that cause a risk might have unlimited permutations. Performing FMEA as described in IEC 60812, which dates back to 1985, is daunting.
The Jama Software product development platform gives teams following ISO 14971 a single source of data and robust information management. Our customers use Jama to execute risk management processes, reinforce defined organizational processes, document risks and traceability to design controls, and ensure accuracy during audits. Let’s look at how Jama has helped our customers navigate various risk techniques, including FMEA, to satisfy ISO 14971.
FDA Risk Compliance
The FDA requires risk assessment as part of design validation. Design validation means establishing by objective evidence that device specifications conform with user needs and intended use(s). The FDA prescribes ISO 14971 as a mandatory standard. At a glance, the clauses that pertain specifically to risk management are clauses 4-9, as illustrated below.
The nuts and bolts of Clause 3 require you to:
- Establish a process used to control risks associated with the medical device. This process needs to articulate risk acceptability criteria for each medical device.
- Provide risk training
- Establish a Risk Management Plan
- Establish a Risk Management File. FDA compliance is checked by inspecting the files, which can be electronic or paper-based.
To satisfy Clause 3 in Jama, you can author the process document that describes how teams can use Jama as a tool for risk management. Your risk acceptability criteria can be defined and documented as part of this document. Jama provides a single place where the risk management plan can be viewed holistically by the entire development team in the context of the medical device development environment where requirements, specifications, validations, and risks are analyzed.
Clause 4 of ISO 14971
- Requires documentation in the Risk Management File of the medical device’s intended use (and misuse).
- Requires identification of all medical device characteristics that could affect safety.
- Requires performance of risk analysis to identify hazards and estimate risks for each hazardous situation.
In Jama you begin by defining Hazards that are specific to your medical device using the Hazard item type. You can then begin capturing risk using various techniques.
The Risk item in Jama (see pic below) allows you to capture individual risks. Fields let you describe the cause of the risk, the detection method, and the compensating actions. During this risk evaluation stage you can complete a preliminary estimate of the risk by defining the probability of occurrence of the harm and the severity of that harm. Jama will automatically calculate the risk priority number for you to assess if the risk is acceptable.
Jama’s flexible architecture lets customers easily create additional configurations that can be used to capture data and perform various risk techniques. Jama can be tailored to match your organization’s nomenclature preferences and techniques.
This flexible architecture also lets you perform risk analysis techniques such as FMEA, dFMEA, pFMEA, and FTA. You can define failure modes and take an FMEA bottom-up approach to describe all of the circumstances in which a failure might occur. You might also create faults, which can be applied as a top-down approach to perform a fault tree analysis. Many users will use their fault tree modeling tool and then import the results into Jama. Using a fault tree analysis in conjunction with FMEA is ideal for systems with complexity such that an exhaustive FMEA might be unreasonable. A fault tree analysis begins by looking at the equipment and its interface with its expected operating environment to determine what harm can occur. It then traces those harms back to all possible sources, including component or subsystem failures and harms that arise from the use of the device or environmental effects. FMEA is then applied only to those elements of the design that could result in hazards.
Clause 5 of ISO 14971
- Requires evaluation of risk for each hazardous situation. Acceptability criteria are then used to decide if risk reduction is required.
- The Risk Management Plan describes risk criteria and defines calculations to be used
- Unacceptable risks must be controlled
Review Center in Jama is an ideal method for risk and design control reviews where you can invite feedback from subject matter experts and stakeholders. Using Review Center lets teams collaboratively evaluate each risk’s definition, discuss mitigation options, and conduct verification of test results. When someone asks why a risk was estimated a certain way, reviews provide a self-serve answer.
Clause 6 of ISO 14971
- Requires Risk Control Measures to be developed, implemented, and verified.
  - Examples (in order of preferred method)
    - Product design
    - Preventative measures in product
- Residual risk needs to be evaluated against acceptability criteria.
- Risk control measures must be reviewed to find any inadvertently introduced risks.
Clause 7 of ISO 14971
- Requires evaluation of the medical device’s overall residual risk. If the overall residual risk is unacceptable, it must be demonstrated that the medical benefit outweighs the overall residual risks.
As you define risk control measures, you can capture those and trace them directly to the risk using Jama’s relationships function, and then update the risk priority number post-mitigation. Live traceability can be used during all phases of risk to quickly identify potential problems in the product development process. Errors found and fixed earlier in the lifecycle are less costly in time and budget. Jama lets you conduct reviews of risks and their related risk control measures holistically.
Clause 8 of ISO 14971
- Requires performance of a Risk Management Review and compilation of a risk management report.
- Compliance checks are done across all artifacts in the Risk Management File
- The review will look to make sure the Risk Management Plan was followed
- Outputs of the review will include production and post production information
- Results of the review are included in the risk management file
Clause 9 of ISO 14971
Risk management doesn’t just stop with the completion of the Risk Management Report!
- Requires establishment of a system to monitor medical devices during production and post-production.
- Acceptance data
- New or revised standards
- Customer product complaints
- Publicly available info on similar products
When telling the story of your medical device’s development life cycle to the FDA, you must organize the information in a cohesive manner. Any decisions or actions not recorded are information gaps that could result in your product never reaching the market—or being pulled from the shelves.
Using Jama creates much of the needed evidence and is an easy step to take that will save your teams money and time, and maintain your company’s reputation and relationship.
See How Risk Management Works in Jama
In the following video demonstration, we walk you through an example use case of Jama for developing a life-critical product with a lot of regulatory oversight. This medical device company is building a Class II, bone-conducting hearing aid, the Clear 3. It’s the third variant in the company’s hearing aid product line, and like most products in this category, combines multiple engineering disciplines, including software.