Medical Device Risk Management

Posted 14 February 2018 | By Darin Oppenheimer, Suraj Ramachandran

This article focuses on risk management in the medical device industry and reviews organizational competencies, processes and resources as well as beliefs and behaviors. The authors conclude that, especially in the later phases of product development, not enough attention is paid to risk management tools.


In our previous article, "Organizational Culture and Memory in Managing Risk in the Medical Device Industry" (Regulatory Focus, August 2017), we discussed the importance of incorporating risk management throughout an organization's culture. Although many organizations claim to have a "culture of quality," an academic study from 2016 and an existing FDA study of medical device industry participants suggest risk management practices are not often an integral part of a medical device organization's culture.1

In this article, additional aspects of risk management organizational behaviors are explored, focusing on competency, process, and resources. The authors describe how weaknesses in key areas may directly impact risk and risk management.2

Organizational Competency

A key area emphasized by most who have written on implementing risk management is the need for appropriate training for those engaged in risk management activities.3 However, an observation by Chan in a precursor survey suggested respondents had a relatively restricted knowledge of good risk management tools, relying instead on a few tools known to have limitations. While one can appreciate the value of a risk tool, the intrinsic value comes with the knowledge of when to use the right tool and knowing its inherent limitations. A majority (43%, 32/74) of those respondents in that study identified a future challenge as the availability of tools and techniques to meet their needs.4

When survey respondents were asked to rank their use of 17 different risk management tools, ranking them as primary, secondary and tertiary, a majority ranked their organization's primary risk management tool as "failure mode and effects analysis" (69%, 52/75). The most popular secondary risk management tool was the "Five Why(s) Technique" (18%, 13/73); and the tertiary tool was "preliminary hazard analysis" (18%, 13/71). Several respondents said their organizations do not use secondary (8%, 6/73) or tertiary risk management tools (14%, 10/71) - Table 1.

Table 1. Survey Results on the Use of Risk Management Tools

| Choice | Primary Tool (n=75) | Secondary Tool (n=73) | Tertiary Tool (n=71) | Total |
|---|---|---|---|---|
| Failure Mode Effects Analysis (FMEA) | 52 | 9 | 5 | 66 |
| Assurance Cases | 1 | 3 | 2 | 6 |
| Hazard and Operability Study (HAZOP) | 0 | 0 | 1 | 1 |
| Hazard Analysis and Critical Control Points (HACCP) | 1 | 6 | 3 | 10 |
| Preliminary Hazard Analysis | 5 | 8 | 13 | 26 |
| Functional Analysis | 3 | 6 | 7 | 16 |
| Markov Analysis | 0 | 0 | 0 | 0 |
| Monte Carlo Analysis | 0 | 1 | 1 | 2 |
| Weibull Analysis | 0 | 0 | 1 | 1 |
| Bayesian Analysis | 0 | 0 | 0 | 0 |
| Delphi Technique | 0 | 0 | 0 | 0 |
| Fault Tree Analysis (FTA) | 3 | 6 | 7 | 16 |
| Fish Bone Analysis | 2 | 6 | 7 | 15 |
| Pareto Analysis | 2 | 5 | 2 | 9 |
| Five Why(s) Technique | 3 | 13 | 12 | 28 |
| No Secondary Tool Used | 1 | 6 | 0 | 7 |
| No Tertiary Tool Used | 2 | 4 | 10 | 16 |

Given that five years have passed since the surveys were implemented and more feedback from regulators and experts has been given to organizations with regard to their risk management systems, one might have expected to see improvement in the state of knowledge with regard to risk management tools. Most study respondents reported that, often driven by the introduction of new regulations, identification of previous deficiencies or even the feedback of regulatory agencies, their risk management systems had changed in the last few years.

However, not much seems to have changed with regard to the risk management tools with which respondents were familiar as most risk managers still rely on FMEA methods as a primary tool, despite the tool's several limitations, including an inability to identify normal condition-related hazards and multiple-fault conditions. When used as the primary tool, inherent FMEA limitations do not satisfy the regulatory requirements of 21 CFR 820 as identified below.5

According to comment 83 of the FDA's Preamble to the Quality System Regulation, 21 CFR 820:

"When conducting a risk analysis, manufacturers are expected to identify potential hazards associated with the design in both normal and fault conditions."6

Additionally, some respondents said they do not use secondary tools. Many others add simple approaches, such as the "Five Why Technique" or "Preliminary Hazard Analysis." Missing from the repertoire of most risk managers appear to be more analytic tools, which are likely more effective for detecting and predicting problems using trend analysis. Further, many said their organizations used outmoded tools and standards.

Given the majority of respondents felt their risk management systems adequate, survey results suggest organizations may not fully understand the limitations of these tools, making the assumption that all risks had been identified and adequately mitigated.

Also, many respondents appeared satisfied that their risk management system was reasonably effective; yet some said they would be helped by additional risk management tools. At least a third felt the current tools were being used inappropriately.

These views lead one to question the adequacy of the training risk management practitioners are receiving. For example, when asked about the number of hours and type of materials devoted to risk management subjects, a wide range of training opportunities emerges. Most training seems to be based on reading materials or attending internal training sessions, the quality of which depends on the skill and depth of domain knowledge of the educators. This approach may insufficiently assure that practitioners are trained in some techniques involving statistical or analytical approaches, which might not be easily learned without a specialized instructor with a well-designed curriculum. An important question not explored in the study regarded the curriculum of the training at different companies and how much detail was provided. Is the training simply an overview of basic standards and simple methods aimed at onboarding new employees? Or is there a serious attempt to deepen the knowledge of the more experienced individuals leading the risk management activities?

Survey questions regarding the knowledge of participants about different standards and regulations reflected the quality and risk management culture of medical device companies. Most respondents said they were very knowledgeable about quality standards and regulations, including ISO 13485, 21 CFR 820 and the European Medical Device Directives.7-9 This is consistent with earlier responses indicating most companies were marketing globally and most individuals responsible for risk management were in regulatory departments. Also, many respondents were "modestly" or "not knowledgeable at all" about 8001 and 8002, standards relating to software and IT networks. However, not all companies market products with a software component.

Unexpected was that many respondents were not knowledgeable about harmonized standard ISO 14971 on which their risk management activities, both national and global, should be based.10 Furthermore, most respondents were not knowledgeable about ISO 31010, a standard outlining risk management tools and techniques.11 The relatively low knowledge of ISO 31000, a standard with broad applicability to the whole company, is an important deficiency to rectify if the risk management system is viewed as part of an overall risk management strategy.12 These results further support the idea that while organizations are familiar with the needs for risk management as part of a quality system, they lack a deeper knowledge of the tools and techniques. This is a significant weakness.

Organizational Process

As a highly organized activity, risk management relies on a well-developed set of processes. It is often recommended that these activities begin as early as possible in the development cycle. According to Narayan and Prutow:

"When initiated early and employed frequently throughout the product life cycle, risk management can promote innovation, leading to a reduction in the number of customer complaints, lowered service and support costs, fewer disruptions from field actions, and improved execution against program expectations. Resources once spent on such non-value-added activities can instead be used to fuel growth and shareholder value."13

When respondents were asked to indicate the stage at which risk management occurs during the development lifecycle in their organization, most indicated it began during the development phase (72%, 60/83), while others indicated it began during feasibility/early research (18%, 15/83), design transfer (7%, 6/83), or post-market release (2%, 2/83). These results differed from answers given when respondents were asked when they felt that risk management activities should start. The majority indicated such activities should start during the feasibility phase (76%, 63/83) or the development phase (24%, 24/83) - Figure 1.

Figure 1. Risk Management Phase of the Development Lifecycle (n=83)


These results suggest most risk managers have heard this message, as reflected by their sense that risk activities should begin in the feasibility stages of research and development. The reality is different, however. Most respondents reported beginning such activities later in the development stage, begging the question of why risk management activities are not initiated early, as the risk managers believe they should be.

An important aspect of risk management is using new information obtained prior to and post product-commercialization to update and fine-tune the often-shallow information upon which early stages of risk analysis are based. It was surprising to find most organizations did not have processes to take advantage of two important potential sources of information - FDA's complaints and recalls databases. This suggests companies may not be focused on monitoring functions called out in risk management standards, such as ISO 14971.14 Also, they may not be using valuable tools that could inform on potential risks associated with similar products. This information is shown in Figures 2 and 3.

Figure 2. Hazard and Hazardous Situation Source Information Prior to New Product Launch (n=81 and 80)


The medical device industry is approaching a tipping point where the increasing likelihood of a quality event, the rising costs of such events, and the public nature of quality performance will force companies to focus on quality and reliability throughout product design, manufacturing, and marketing.15

Figure 3. Hazard and Hazardous Situation Source Information Prior to New Product Launch (n=81 and 80)


Organizational Resources

A recurring challenge to risk management is the difficulty of assuring sufficient resource allocation, particularly for companies with competing pressures. Regardless of company size, more than two-thirds of survey respondents believed that their organization needed to devote additional resources to support risk management activities (Figure 4), unsurprising considering that most respondents said their organizations viewed risk management as "a burden."

Figure 4. Resource Allocation (n=82)


It also was clear most time and resources were spent on risk management at early stages of product development and became less of a focus as the product matured (Figure 5).

Figure 5. Time Allocation for Risk Management Activities (n=76)


This may occur because regulatory agencies, including FDA, emphasize having a risk management file in place at the time of clinical trials or market registration, with little follow-up regarding the quality of the risk management system after market launch. A recent report issued by the FDA highlights this challenge, suggesting:

"Many companies recognize a need to move beyond mere complaint handling mechanisms for feedback, especially since the 'quality of complaints data often depends on what questions your customer interfaces are asking.'"16

That risk management activities related to non-conformances, defect disposition, and complaint handling were ranked lower than other risk activities related to analysis and evaluation, verification and validation, and manufacturing suggests respondents may view earlier activities as more important than post-market surveillance. Activities such as complaint handling and non-conformance defect disposition are the precursors to early identification of problem products, ones that may need to be recalled to prevent distribution of multiple defective lots.


Several survey responses reported above reveal contributing factors potentially impeding risk management from being as useful as intended. The responses suggest many organizations do not have adequate resources to optimally support risk management activities and existing resources are focused on the early stages of product management. Responses also suggest risk management teams could benefit from better education about the tools available for informing risk management and a greater appreciation of risk management approaches is needed.

As the evolution of medical devices and combination products continues, new technologies, such as regenerative medicine, biomaterials, in silico methods and nanotechnology, will pose novel and more challenging risks. Without careful attention to risk management, safety problems associated with medical devices will not diminish. Survey results analyzed above, coupled with the increased sensitivity of health agencies with regard to the stubbornly high rate of recalls, suggest industry should be highly driven to improve risk management methods. However, survey and study results suggest there is a long way to go. By dissociating aspects of organizational structure and behavior, it is possible to identify areas in which risk management activities may be particularly vulnerable and where better guidance might help companies to develop more proactive and effective risk management systems.


  1. Oppenheimer, D.S. and Ramachandran, S. "Organizational Culture and Memory in Managing Risk in the Medical Device Industry." Regulatory Focus. August 2017. Regulatory Affairs Professionals Society.
  2. Oppenheimer, D.S. Risk Management and Medical Device Recall: A Survey of Medical Device Manufacturers [Dissertation]. Los Angeles, CA: Pharmacy/Regulatory Science, University of Southern California; 2017.
  3. Eagles, S. and Wu, F. "Reducing Risks and Recalls: Safety Assurance Cases for Medical Devices." Biomedical Instrumentation and Technology. Jan/Feb 2014, Vol. 48, No. 1, pp. 24-32. Accessed 13 February 2018.
  4. Chan, T.C. Implementation of Risk Management in Medical Device Companies: a Survey Analysis of Current Practices [Dissertation]. Los Angeles, CA: Pharmacy/Regulatory Science, University of Southern California; 2012.
  5. Bills, E., Mastrangelo, S. and Wu, F. "Documenting Medical Device Risk Management Through the Risk Traceability Summary." Biomedical Instrumentation and Technology: Risk: How Do You Manage It Effectively? Spring 2015. Vol. 49, No. s1, pp. 26-33. Accessed 13 February 2018.
  6. Quality System (QS) Regulation/Medical Device Good Manufacturing Practices. 21 CFR 820. FDA website. Accessed 13 February 2018.
  7. Medical Devices. Quality Management Systems. Requirements for Regulatory Purposes. International Organization for Standardization (ISO) 13485. ISO website. Accessed 13 February 2018.
  8. Op cit 6.
  9. European Medical Device Directives. Accessed 13 February 2018.
  10. Medical Devices. Application of Risk Management to Medical Devices. ISO 14971. ISO website. Accessed 13 February 2018.
  11. Risk Management. Risk Assessment Techniques. ISO 31010. ISO website. Accessed 13 February 2018.
  12. Risk Management. ISO 31000. ISO website. Accessed 13 February 2018.
  13. Narayan, S. and Prutow, J. The Basics of Medical Device Risk Management. Medical Device and Diagnostic Industry: August 2010.
  14. Op cit 10.
  15. Fuhr, T., George, K. and Pai, J. The Business Case for Medical Device Quality. McKinsey Center for Government. October 2013.
  16. FDA. (2011). Understanding Barriers to Medical Device Quality. FDA website. Accessed 13 February 2018.

About the Authors

Dr. Darin S. Oppenheimer is an executive director of the drug device center of excellence focusing on medical devices and combination products at Merck based in Upper Gwynedd, PA. Oppenheimer is involved in many facets of the product development lifecycle, including regulatory submissions, due diligence, and active participation on industry trade organizations and standards committees over the past 15 years. His prior background as a research and development scientist focused on pharmaceuticals and medical device diagnostic applications for biomarker and drug discovery. He holds two Master's from Johns Hopkins University in biotechnology and regulatory science as well as a graduate Certificate in biotechnology enterprise. Recently Oppenheimer completed his Doctorate degree in regulatory science from the University of Southern California. He is also a 2017 Regulatory Affairs Professional Society Fellow. He can be contacted at

Suraj Ramachandran, MS, RAC, is a director, regulatory affairs in the drug device center of excellence at Merck based in Rahway, NJ. Ramachandran is currently responsible for supporting various medical devices combination products, such as auto injectors, prefilled syringes, inhalers and contraceptives. In addition, he is heavily involved in providing guidance for digital solutions and has led many development efforts regarding medical device software, intended for both domestic and international markets. In previous roles within industry, he was responsible for an infusion pump platform as well as supporting all new product development and lifecycle maintenance activities including regulatory submissions, design control, audits, and CAPAs. Ramachandran holds a Master's in biomedical engineering from the University of Michigan. In addition, he has earned the RAPS RAC certification. He can be contacted at

Cite as: Oppenheimer, D.S. and Ramachandran, S. "Managing Risk in the Medical Device Industry." Regulatory Focus. February 2018. Regulatory Affairs Professionals Society.
