Why Risk-Based Thinking Is Essential in Medical Device Development

Many global regulatory requirements now include risk management, so medtech companies may need to revisit their quality system processes.

Kim Jackson, senior product manager (QEM/Postmarket/Risk)

February 9, 2021


On average, around 4,500 drugs and medical devices are pulled from shelves across the United States each year.1 This alarming statistic underscores the importance of controlling and mitigating risk in healthcare-related products. Recent updates to regulatory guidances and standards are encouraging life sciences companies to step up their risk management efforts by infusing risk-based thinking into their entire quality ecosystem. For example:

  • ISO 13485:2016 – The current version of ISO 13485 has a significant focus on integrating active risk assessment and mitigation in quality processes, which includes documenting requirements and maintaining risk management records throughout the product’s life cycle.2

  • ISO 14971:2019 – The 2019 revision of ISO 14971, the standard for applying risk management to medical devices, explicitly covers hazards related to biocompatibility, data and systems security, electricity, moving parts, radiation, and usability. It applies to risks arising from intended use and from reasonably foreseeable misuse, and it requires identification of the characteristics related to safety and of hazards and hazardous situations throughout the product’s life cycle.3

  • European Union Medical Device Regulation (MDR)/In-vitro Diagnostics Regulation (IVDR) – The updated regulations for medical devices are slated to go into effect in May 2021, while the regulations for in vitro devices are slated to go into effect in May 2022. Compliance requirements include establishing and documenting a risk management plan for each device. The requirements for postmarket risk management will be more granular and stringent. Once the product is on the market, manufacturers will be accountable for continuing to gather and examine data throughout the device’s life cycle.4

  • Medical Device Safety Action Plan – The FDA’s Center for Devices and Radiological Health (CDRH) is pursuing initiatives to protect patients and promote public health while continuing to drive innovation to address unmet medical needs. A key component of the agency’s efforts is its Total Product Life Cycle (TPLC) approach to device safety.5

Healthcare providers need to have the necessary medical devices available to perform procedures, and a device that is not fully compliant with the applicable regulations cannot be placed on the market or used where it is needed. With more robust global regulatory requirements being enforced, companies will need to revisit their core quality system processes—particularly risk management.

Risk Management Best Practices

Overall, employing risk-based thinking throughout the organization is important, but how do companies put risk policies and procedures into practice? Most often, risk management is viewed as a requirement to meet regulatory compliance. The guidances and standards leave the “how” up to the companies. Some of the most common methods for assessing risk include a risk matrix, a risk register, and a failure mode and effects analysis (FMEA). But what is really needed is a practicable and effective risk management system within the organization.

Risk management needs to be a continuous, iterative process. It involves employing a systematic, data-driven approach to monitoring trends and identifying and mitigating risks before they result in costly delays, rework, or product recalls. Individual events such as out-of-specification (OOS) results and other deviations are easy to treat in isolation, so the larger risk they point to is overlooked: a cluster of deviations may reveal a risk that the original analysis missed or an unforeseen hazard that now needs to be monitored. For the same reason, risk management is not a quality-only responsibility; it needs to be integrated into all areas of the company.
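The two mechanics described above, a risk matrix with an explicit acceptability policy and the iterative re-evaluation of that matrix as OOS results, complaints, and service reports come in, can be made concrete in code. The following is an added illustration, not the author's method, MasterControl's product, or anything prescribed by ISO 14971: the severity and probability labels follow common practice, but the numeric scales, the rate bands, the acceptability thresholds, the fictional device register, and the event records are all constructed for this example. It shows a register being re-scored against field exposure so that a hazard whose observed rate drifts upward is flagged for review even when it has not yet crossed an acceptability boundary.

```python
from collections import Counter
from dataclasses import dataclass

# Ordinal scales. The labels follow common ISO 14971 practice; the numeric
# values and every threshold below are constructed for this illustration.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

# Constructed bands mapping an observed event rate (per device-year) to a level.
RATE_BANDS = [(1e-5, "improbable"), (1e-4, "remote"), (1e-3, "occasional"), (1e-2, "probable")]


def probability_from_rate(rate_per_device_year: float) -> str:
    """Bucket an observed field rate into the register's probability scale."""
    for upper_bound, level in RATE_BANDS:
        if rate_per_device_year < upper_bound:
            return level
    return "frequent"


def acceptability(severity: str, probability: str) -> str:
    """Hypothetical risk acceptability policy over the severity x probability matrix.

    Returns 'unacceptable', 'alarp' (as low as reasonably practicable; tolerable
    only with documented justification) or 'acceptable'.
    """
    s, p = SEVERITY[severity], PROBABILITY[probability]
    if s * p >= 12 or (s == 5 and p >= 2):
        return "unacceptable"
    if s * p >= 5:
        return "alarp"
    return "acceptable"


@dataclass(frozen=True)
class Hazard:
    hazard_id: str
    description: str
    severity: str
    residual_probability: str   # estimate after the listed risk controls
    controls: tuple


def reevaluate(register, events, device_years):
    """Re-score every hazard in the register against post-market data.

    `events` are records (complaints, OOS results, service reports) already
    linked to a hazard id; `device_years` is the fleet's total exposure.
    """
    counts = Counter(e["hazard_id"] for e in events)
    findings = []
    for h in register:
        observed = probability_from_rate(counts[h.hazard_id] / device_years)
        before = acceptability(h.severity, h.residual_probability)
        after = acceptability(h.severity, observed)
        findings.append({
            "hazard_id": h.hazard_id,
            "events": counts[h.hazard_id],
            "estimated": h.residual_probability,
            "observed": observed,
            "before": before,
            "after": after,
            # Flag when the class changed, or when the probability drifted upward
            # even inside the same class: both need a documented review.
            "needs_review": after != before
                            or PROBABILITY[observed] > PROBABILITY[h.residual_probability],
        })
    return findings


def hazards_needing_review(findings):
    return [f["hazard_id"] for f in findings if f["needs_review"]]


# Constructed register for a fictional infusion pump; not a real device.
REGISTER = (
    Hazard("H-01", "Electrical shock from exposed conductor", "critical", "improbable",
           ("double insulation", "dielectric strength test")),
    Hazard("H-02", "Software delivers wrong dose", "catastrophic", "improbable",
           ("dose bounds check", "independent watchdog", "hard dose limits")),
    Hazard("H-03", "Remote service interface accepts unauthenticated session", "serious", "remote",
           ("mutual TLS", "service port disabled by default")),
)

# Constructed post-market records: 2,000 units in the field for 1.5 years.
DEVICE_YEARS = 2000 * 1.5
EVENTS = [
    {"source": "complaint", "hazard_id": "H-02", "note": "over-infusion, patient monitored"},
    {"source": "service report", "hazard_id": "H-03", "note": "unknown login on service port"},
    {"source": "OOS", "hazard_id": "H-03", "note": "auth check disabled on refurbished unit"},
]

if __name__ == "__main__":
    for f in reevaluate(REGISTER, EVENTS, DEVICE_YEARS):
        print(f"{f['hazard_id']}: {f['before']} -> {f['after']} "
              f"({f['events']} events, {f['estimated']} -> {f['observed']})"
              + ("  REVIEW" if f["needs_review"] else ""))
```

Run as-is, the single H-02 complaint moves the wrong-dose hazard from ALARP to unacceptable, the two H-03 records leave that hazard in ALARP but flag it because the observed rate is a level above the estimate, and H-01, with no events, stays acceptable. The point is that the rate bands, the acceptability policy, and the "drift within a class counts" rule are written down once and applied mechanically, so a deviation that would be closed as a one-off in a siloed process is scored against the same matrix the design team used.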

Much of the impetus for making risk management an all-hands endeavor comes from advancing technology and more-sophisticated medical devices. Software-based medical devices are a prime example: more disparate entities, internal and external, are involved in the design and development of their components, and all too often defects or functionality discrepancies go undiscovered until late in production or postmarket. Risk management needs to start earlier and be performed in greater detail at every stage of the product’s life cycle. Staff involved in product design, development, manufacturing, supply chain, etc. must participate in risk control and mitigation.

Consistency in Risk Management

Setting up an effective risk management system means aligning people, processes, and technology. This starts with a risk management plan that includes clearly defined, documented policies, such as a policy for risk acceptability. Best practices include establishing organization-wide collaboration, clarifying priorities, and empowering people in all areas to make decisions, including stopping production if necessary. This way all employees understand the purpose of the procedures as well as the overall goals of the risk management system.

To successfully implement this type of all-inclusive system means all stakeholders need the ability to access and share data in real time in order to more effectively track and trend risk data. The need for this level of interaction, speed, and efficiency renders paper-based or spreadsheet data collection and analysis impracticable.

With platform-based technology, every business unit can have an appreciable impact on the company’s overall risk management efforts. Integrating business unit-specific systems across the organization dissolves silos, harmonizes disparate operations, and fosters real-time, company-wide communication. This augments the company’s capacity for gathering quality data and making more confident decisions based on trend data.


Using technology to proactively monitor and control risk reduces the findings and inquiries that regulators raise, which makes sense on both a compliance and a business level. In return, the organization experiences shorter product development cycles and faster regulatory clearance, reducing the overall cost of compliance. Regulators have greater assurance of the company’s ability to identify and mitigate risks and develop safe and effective products. Essentially, the organization's risk management system becomes a catalyst for business success.


  1. “FDA Recalls,” Drugwatch, https://www.drugwatch.com/fda/recalls/.

  2. “Reducing the Risks of Medical Devices: International Guidance Just Updated,” Clare Naden, Dec. 18, 2019, https://www.iso.org/news/ref2465.html.

  3. “ISO 14971:2019 Medical Devices – Application of Risk Management to Medical Devices,” https://www.iso.org/standard/72704.html.

  4. “The European Union Medical Device Regulation of 2017,” https://eumdr.com/.

  5. “Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health,” Center for Devices and Radiological Health, Jan. 5, 2021, https://www.fda.gov/about-fda/cdrh-reports/medical-device-safety-action-plan-protecting-patients-promoting-public-health.

About the Author(s)

Kim Jackson

senior product manager (QEM/Postmarket/Risk), MasterControl

Kim Jackson serves as senior product manager (QEM/postmarket/risk) for MasterControl. Jackson has more than 10 years of experience in healthcare technology, information science, and project management. As a senior product manager with MasterControl, she works to create standard quality event management solutions that can be leveraged by FDA- and ISO-regulated companies for use with best-in-breed enterprise software solutions. Prior to joining MasterControl in 2012, Jackson configured health benefits technology software for ADP and Ceridian and managed both software implementation and communications projects. She has a master’s degree in library and information sciences from the University of Washington.
