Design Excellence in Medical Device: Comprehensive Risk Management

By Ryan Bauer

In this post we will explore Comprehensive Risk Management – traceability, application, & decision support through Requirements, Design, and Verification & Validation – as part of our Design Excellence series for Medical Devices. Follow along to learn how 5 key areas of Design Excellence combine multi-disciplinary design collaboration with advanced design tools and multi-physics simulations to achieve competitively differentiated, premium-value devices. 

Comprehensive Risk Management 

Risk management is pervasive in medical device development – as it should be. Design engineers are tasked with developing products that are safe and efficacious. As patients or users of these devices we have a high expectation in this regard. Rigorous risk management helps to ensure both outcomes.  

Medical device manufacturers are responsible for managing risk throughout the entire product lifecycle. As design transfers into production and final devices are on the market in use, risk management is expected to be involved in all aspects of the device lifecycle. Setting the basis for a comprehensive view of the device risk is ISO 14971 – Application of Risk Management to Medical Devices as the go-to standard.  

Following ISO 14971 will yield a comprehensive risk management file consisting of planning, analysis, evaluation, controls, understanding and review of residual risks, reports, and application for production and post-production activities. This standard provides the framework for an excellent risk management approach. So where does failure occur in performing risk management, even if a company is following the standards & regulations?  

Here are 6 common failure points: 

  1. Lack of design control integration
  • Risk management is viewed as a discrete/separate activity. There is a process, but it is not tightly coupled with design controls. Requirements, V&V, the product design, production, and inspection activities lack end to end traceability. Manual linkages and traceability gaps are the clue to dysfunction here.  

2. ‘Risk management is done’

  • This symptom is evident when an organization focuses on creating a documentation package instead of the process. It treats risk management as an event, not a continuum. Changes during development may/often become out of sync. ‘If the checklist is marked off, we are good…’ 
  • Organizational structure impacts 

3. Organizational Structure

  • Sometimes organization structures can play a role. If the risk management function is separated out within the business, process excellence may be improved at the expense of product knowledge or capacity. This can lead to adversarial behaviors and/or a timeline penalty that makes project teams loathe to revisit the analysis. Often there is compromise or putting off desired changes. It can also lead to a lack of ownership to the extended team. Other times this effort is outsourced to a consultant which can lead to similar deficiencies. This issue is more acute when there is a lack of design control integration as noted above.  

4. Change control risk comprehension (a lack thereof)

  • Change control is tough enough without trying to guess how the risk analysis informs the now changing product or process. Lack of full comprehension in the context of a change is a common case study of failures in the medical device industry.   

5. More is better

  • Risk analysis is an open-ended problem. Without a finite end, sometimes teams will produce copious amounts of data and flood the project with minute risks, requirement, reports, documentation, etc. Nothing looks better than a mile-high stack in front of an auditor – because more is better, right? The reality is that there is a balance between being thorough and being dilutive in risk management efforts. Risk management teams burn out and the salient points of an analysis can become lost in the clutter.  

6. Analysis by rote

  • Commonly teams wish to re-use something similar to get a head start in their risk file development. When mechanically going through the motions of borrowing and tweaking and adding new analysis, one of the frequents issues is a new team may decide to define or rate severity or likelihood differently. Consistency may be lost based on the teams opinion and not on the broader risk measure itself.  

Medical device companies more than ever require risk management solutions tailored for medical device industry needs. Seamless integration of logical risk elements must be handled into design input and through verification and validation. The risk file must also be tightly coupled into design outputs for extensive product data management and process control. Effective design transfer follows for end to end risk management into production with a clear communication of Critical to Quality (CTQ) characteristics. Closing the loop is essential through post market surveillance with updates and analysis of the risk file.  

So, how do we ensure the important decisions/application from the risk analysis inform the design and are realized in the product? Furthermore – how can we ensure they will be understood and assessed outside the original project team for future changes and sustaining engineering? How can this be integrated in a way that is insensitive to organizational design and personnel changes? Can we be confident risks are defined and assessed consistently?  

To start with we must break the document first mindset and focus on distilling the risk management into logical, digital data elements. This can provide a foundation to ensure full software-controlled trace and status control through design requirements and verification and validation. Data can now be intelligently linked. Linkages cannot be lost or broken without visibility. Managing changes during and after development become simplified and constrained to the affected subset of data for a more meaningful and manageable review.  

Moreover, the breakdown into logical risk elements enables consistent definition and assessment. Controlled re-use is now possible, reducing the tedious burden of re-creation and re-analysis. This benefits teams to generate thorough analyses without the barrier of rote definition.  

Finally, this approach lowers the organizational barriers through targeted analysis with data & changes shared, visible, and responsible across multiple parties. Interweaving core risk management activities and data across domains ensures collaboration and a sense of ownership, regardless of organizational structure. This common set of tools and processes can then be replicated globally.  

It’s time to approach medical device risk management in a comprehensive, digital, & intelligent way to best serve the needs of our development teams, patients, and regulators.  

To Learn more about Design Excellence at Siemens please visit here.  

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at