1 Risk

• 1.1 History
• 1.2 Scope
• 1.3 Benefits

1.1 History and references

History, disastrous risk management cases

The word risk could come from the Latin word resecum “that which cuts, reef” hence the maritime origin “steep rock” or could derive from the ancient Italian risicare, which means “to dare.”

Opportunities and threats are two sides of the same coin called risk. When the outcome is favorable we speak of an opportunity, when the outcome is unfavorable we speak of a threat.

About 5,200 years ago in the Euphrates region, a group called Asipu were consultants in risk analysis for making risky or uncertain decisions.

Every decision involves risk. Peter Barge

In Mesopotamia, around 3,900 years ago insurance began as one of the oldest risk management strategies. The risk premium for ship and cargo losses in basic contracts was formalized in the Hamurabi Code.

More than 2,400 years ago Pericles spoke about taking risks and evaluating them before carrying out an action. His compatriot Socrates defines eikos (possible, probable) as “likelihood of truth”.

Blaise Pascal and Pierre de Fermat laid the foundations of probability theory in the 1650s, which opened the door to quantitative risk assessment.

Pierre Simon de Laplace developed a risk analysis in 1792 with his calculations of the probability of death with and without smallpox vaccination.

Risk management is relatively recent. For example, the Basel II agreement on risk management requirementsexplicit or implicit need or expectation (see also ISO 9000, 3.1.2) in the banking sector dates from 2004. Some prescriptive (non-certifiable) standards on risk appeared at the beginning of the 21st century (see § 2.2).

In 1997, the European Committee for Standardization (ECS) published the standard EN 1441 “Medical devices – Risk analysis”.

In 1998, the ISO (International Organization for Standardization) published ISO 14971-1 – “Medical devices — Risk management — Part 1: Application of risk analysis” which became ISO 14971 in 2000. The second edition was released in 2007 and the third in 2019 (see § 2.2).

The ability to identify a hazard, analyze the risk, evaluate it, and then act accordingly is the basis of risk management.

A difficulty in risk management arises from the fact that the event concerned (the harm) takes place in the future. You have to imagine an event that may never take place.

Zero risk does not exist

For several decades, the majority of companies in the medical sector have become aware that the costs of implementing risk management are insignificant compared to the unfavorable consequences or even the insurance to take out.

The main objective of risk management is to ensure the survival of the company in all circumstances.

Risk management has been considered in the past by some managers as something superfluous, cf. annex 01. These people believed that the main goal was to avoid risk. Since then, many have understood that risk is inevitable and intrinsic to any activity but must be reduced to an acceptable level. 

Risk cannot be eliminated

Top of the page

1.2 Scope

Scope of the ISO 14971 standard, what can be excluded, areas

The scope of this module applies to risk management of medical devices (MDs). This concern:

• requirements (see chapter 4)
• risk analysis (see chapter 5)
• risk evaluation (see chapter 6)
• risk management (see chapter 7)
• the overall residual risk (see chapter 8)
• the risk management review (see chapter 9)
• production and post-production (see chapter 10)

The risk scope includes:

• the structure of the company
• the management system
• the department
• the process
• the product
• the service
• the project
• the performance
• reliability
• the costs
• the calendar
• the methods
• technology
• requirements
• specifications, including acceptance criteria
• functionalities
• the tools
• external providers
• the tests

This module does not specifically include risks related to:

• specific clinical procedures
• commercial activities
• accounting
• financial crises
• insurance
• natural disasters
• pandemics
• occupational diseases
• environmental protection
• food crises
• terrorist acts
• tax fraud
• counterfeit parts
• corruption

Risk management is used in many areas:

• insurance
• the bank
• the army
• energy
• aerospace
• projects
• medical devices
• medicine
• the company
• construction
• the markets

Top of the page

1.3 Benefits

Benefits, root causes of failures, cost versus life cycle

Expected benefits of risk management of MDs:

• identification of hazards and their severity
• improved stakeholder confidence
• improvement of the overall performance of the company
• improvement of the company’s reputation
• detection of potential future problems
• improved appreciation of opportunities and threats
• increased opportunities to achieve goals
• easier obtaining of the CE marking of a medical device (MD)
• creation of value for the company
• recalls avoided
• establishment of an adequate framework for the implementation in a controlled manner of any activity
• establishment of a reliable basis for decision-making
• identification of gaps
• obtaining a competitive advantage
• optimization of resource use
• protection of company assets
• effective response to changes
• reduction of costs and deadlines
• reduction of operational surprises
• scrupulous compliance with legal requirements
• increased visibility of the responsibilities of each staff member

The biggest risk is not taking any!

Root causes of failures:

• unplanned activities
• priority change
• irregular communication of results
• excessive self-confidence
• poorly defined acceptance criteria
• poorly understood requirements
• lack of resources
• poor estimation of effort
• poor distribution of work
• unplanned MD change
• new methods and technologies misunderstood
• unrealistic goals
• industrialization problems
• design issues
• unforeseen technical problems
• sporadic and inaccurate progress reports
• unidentified hazards
• insufficient support from top management
• conflicting or inconsistent specifications

Applying risk management upstream costs 10 times less than managing a crisis

The cost of managing risk over the life of a productany outcome of a process or activity (see also ISO 9000, 3.4.2) is shown in figure 1-1.

 
Figure 1-1. The cost and product cycle life

He who excuses himself, accuses himself

Common excuses for failure:

• it was the responsibility of top management
• this was not an explicit requirement in the contract
• how can we have an effective plan in the face of so many potential problems
• give me enough time and everything will be sorted
• in the event of a serious emergency situation, the implication will be completely different
• there was not enough time
• there was no staff available
• there are more important things to do
• I was sure we could cope
• I didn't realize it was so serious
• I didn’t think it was a key process
• I didn't think this would happen
• insurance had to take care of this situation
• the contract was already signed
• you cannot plan for the unexpected

Top of the page

• Home
• My account
• Site map
• FAQ
• GTU