Alignment of Risk Management Processes for Medical Device Products and Projects

Learn how to use risk management tools and techniques to streamline medical device and diagnostic product development.

Claudia Campbell-Matland, PMP

The implementation of effective best practices and policies are essential for successful market introduction of new products or services. In the medical device and in vitro diagnostics (IVD) industries, it is vital that new product development programs:

  • produce safe and effective products that meet customer requirements;
  • comply with applicable regulatory and quality management system (QMS) requirements;
  • achieve timely market entry. 

Additionally, ensuring compliance with QMS requirements and guidances for developing and commercializing products helps achieve long-term lifecycle management.  

Risk management is an increasingly important aspect of regulations, quality management system standards, and organizational processes. Due to the complex nature of medical/IVD devices, it is essential for project and product managers to implement risk management principles and tools throughout the product development project and for its resulting product. This is a major area of focus for me as a project manager and the product development program teams that I work with and advise.

While product and project risk management focuses differ, both processes should be aligned and utilize the same risk management principles. The product risk management process focuses on product safety and effectiveness, and is part of verifying the product meets its requirements and validating it fulfills its intended use. The project risk management process is utilized as part of balancing associated project constraints—quality, scope, budget, schedule, and resources—to meet project objectives. If either of these risk processes is treated as a "check the box" exercise, this will not benefit the company and can lead to program/market access delays and potentially negative financial implications.  

Both risk processes are equally important and require a considerable allotment of time and focus to achieve objectives. By taking a more holistic approach towards risk management and incorporating a simultaneous focus on product and project risks, teams can leverage product risk management tools and risk assessment processes to enhance the overall project risk management process. This helps to streamline activities and ensures equal focus is applied to both of these important processes, contributing to project success. 


Risk Management Lifecycle Approach for Products and Projects

Risk management is to be approached as a lifecycle process—not only for a medical device/IVD  product—but also for its development project. The following is a summary of current product and project risk management standards:


Risk in its simplest terms can be defined as the possibility of loss or injury. Uncertainty and probability are commonalities in the standards' definitions of risk, for example:

  • Product: ISO 14971, defines risk as the: “combination of the probability of occurrence of harm and severity of that harm.” Harm is defined as “physical injury or damage to the health of people, or damage to property or the environment”. 
  • Project: The PMBOK defines risk as an “uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives . . .” Uncertainty is described with the term “probability.

ISO 14971 views risk in terms of potential harm and negative impact only. The PMBOK views risk not only in terms of reducing the likelihood of harm and negative impact, but also in terms of increasing the likelihood of benefits and positive impacts.

As per ISO 14971, efforts must be made to reduce product risks as far as possible to ensure safety. Project constraints such as schedule, costs, and resources cannot be used as reasons to avoid reducing product risks. However, product risk reduction efforts have to be managed and integrated with the project's risk management effort.

For example: a re-design is required for the product to address an identified performance or safety issue, which causes a schedule delay and increases the project's budget. These effects can have organizational impact. So it's important that the overall risk management effort considers these aspects where they apply. "Lessons learned" should also be utilized from other development projects for both product and project risks. 

Leveraging Product Risk Management Tools to a Project

The product's Risk Management File must include:

  • a plan for how the risk management effort will be implemented throughout the product's entire lifecycle;
  • an assessment of potential risks (with cause, hazard and effect) from the product and its processes, with identification of design and process controls and mitigations for reducing the risks;
  • objective evidence (verification and/or validation data) confirming the controls and mitigations reduce the risks as far as possible;
  • evaluation of acceptability of overall residual risk (i.e., risk remaining after implementation and verification of controls and mitigations); and,
  • evaluation of post-market trends and performance, with associated risk management efforts.

The process of managing project risk is similar to the process of managing product risk, as both need:

  • a plan;
  • an assessment that includes the cause, the potential hazard, and effect; (Note: Product risk addresses harm.  Project risk addresses harm or benefit.)
  • controls and mitigations; and,
  • evidence that the controls/mitigations address the risks

Therefore the product's Risk Management File elements can be used as templates for creating equivalent project risk deliverables, such as the project risk management plan and project risk assessment.

Below is a high-level view of aligning these processes using risk assessment rating tables. The two examples include Table 1 for Product and Table 2 for Project.

The project risk assessment ratings can be aligned with the product risk ratings and categories, as shown here, making it easier to incorporate into team meetings. Either table can be adjusted to a 3x3, 4x4 or 5x5 table.

Table 1 uses a 5x5 format for the product risk assessment. This is the standard best practices template based on ISO 14971 I have used and facilitated with teams when evaluating product risk.   

Table 1: Example of a Product Risk Assessment Rating Table (customize according to ISO 14971 and your organization's Product Risk Management procedure):

For the project example in Table 2, I have incorporated a 4x4 format, which may be easier to introduce to the team, but still aligns well with the product 5x5 format.

Table 2: Example of a Project Risk Assessment Rating Table (modified from Fig. D12, Practice Standard for Project Risk Management)

Product and project risk assessments need to be kept separate to ensure that the project's risk mitigations pertaining to cost, schedule, and resources are not inappropriately incorporated into the product risk mitigations. However, evaluating them together can help the team ensure project risk considerations for schedule, cost, and resources are developed and evaluated earlier in the design and development process. This provides options and contingencies for addressing product design risks if and/or when they occur. 

Finally, tracing the user needs to the product's design inputs and design outputs, through the risk assessment, to the verification/validation testing is vital and required. This documents the objective evidence demonstrating controls and risk mitigations address the risks. This tracing process is also beneficial for evaluating the progress of addressing project risks, using a similar trace matrix format.  


Due to increasing medical device and IVD compliance requirements, it is imperative that companies and project managers leading product development activities adopt new tools for risk management. Aligning product and project risk management activities and leveraging risk management tools—along with proper pre-planning and preparation of the development team—allows project managers to enable successful market entry and achieve company business development objectives.

Claudia Campbell-Matland, PMP, of CNCM Consulting is a project management consultant to start-up and small medical device/IVD companies, and universities. She can be contacted via email at

Acknowledgments: I would like to thank Beth O'Connell and Larry Picciano for their insights for this article.


Device talk Tags: