Risk Management 

Building Good Fences: Standards Writers Lay the Foundations for Risk Management

Effective risk management is based on the identification, evaluation and control of hazards. Some hazards are foreseeable, predictable, “on model.” Hazards of this type often can be addressed through statistical and other well-known quality control methods. However, there is another type of hazard, one that is unforeseen, unpredictable and “off model.” Dubbed “black swans” (from the book by Nassim Taleb), these events can create havoc for a company or an industry. The unanticipated hazards associated with drug-eluting stents provide one example from the medical device industry. The economic fallout from the subprime debacle illustrates another from the worlds of public and personal finance.  

     Standards play a vital role in fencing out black swans. By promoting consistency in method, approach or specification, standards increase predictability, make quality decisions possible and reduce risk. In a highly regulated industry such as medical devices, the effect of standards is pervasive. However, industry awareness of how standards are created and developed—including anecdotes from the authors themselves—is less widespread. A standard writer’s perspective is especially valuable because it provides a first-hand account of seminal concepts and, often enough, a glimpse into the regulatory future. Perhaps most important, authors’ anecdotes teach us that key regulations are, at the end of the day, the product of substantial effort by devoted professionals. These professionals are unsung heroes in the industry’s effort to control risk and promote health and human safety.

     The standard that explicitly deals with risk management for medical devices is ISO 14971, Medical Devices—Application of Risk Management to Medical Devices. This standard has exerted a rapidly growing influence since its introduction in 2000. In fact, over the past four years, the number of cross-standard references to ISO 14971 has grown from approximately 10 to more than 100. Reminiscent of a John Grisham thriller on Amazon.com, the ISO Web site lists 14971 on its “Products” homepage under “Best-Selling Standards.”

     Not surprisingly, one of the most visible proponents of effective medical device risk management is an original co-author of ISO 14971, Dr. Harvey Rudolph. A 25-year FDA veteran and co-chair of the US Technical Advisory Group for Risk Management, Dr. Rudolph entered the medical device industry through something of a positive black swan event: unlikely, but with a significant, helpful impact. In 1974, Rudolph was wrapping up the fourth year of a physics postdoctorate. Mindful of the relatively limited employment opportunities at the time, he participated in an early experiment in computerized job matching conducted by the American Physical Society. The keyword entry “X-ray fluorescence” (his area of research) was picked up through a search by the FDA’s diagnostic X-ray division. Through fortunate circumstance, Rudolph’s career in medical device regulation was launched.

     During his time with the FDA, Rudolph developed an interest in standards and assisted with management of the standards program at the agency’s Center for Devices and Radiological Health (CDRH). In early 1994, an ISO Technical Committee (TC 210) was established to develop that other key medical device standard: ISO 13485 (quality systems for medical devices). Thanks to his involvement through the CDRH program, Dr. Rudolph learned that a risk management standard had been proposed: 

     “Along with others at CDRH, I saw risk management as a way to take a proactive approach to device safety. However, I also strongly believed that the original scope of ISO 14971 was far too limited. I was talked out of negative comment by wiser heads who advised that the way to get what you want in the standards world is ‘one bite at a time.’ The final form of 14971 was very close to what we originally wanted, but it took a bit of time and lots of negotiation.”

                    —Dr. Harvey Rudolph 

The original plan for the Risk Management working group was to begin with a previous standard, EN 1441 (risk analysis), and build a three-part standard. Part one would define the requirements for risk analysis, part two would define risk evaluation and control and part three would cover post-market activities and tie together the entire process.  

     In early 1995, however, another major standards-setting body, the International Electrotechnical Commission (IEC), established Working Group 15 to investigate risk management requirements for IEC 60601 (requirements for electrical medical devices). Because several individuals participated in both groups, it was decided that a joint ISO/IEC working group should be formed for the creation of a common risk management standard. The group, which met in Chicago in October 1995, was the first instance of a joint ISO/IEC working group. Clearly, a comprehensive approach to risk management was an idea whose time had come; a new proposal was formulated to combine risk analysis, evaluation and control into a single, unified standard.

     Operating under this new framework, the next committee meeting was held in early 1996. Fittingly, the meeting was held at the headquarters of Dräger Medical in Lübeck, Germany. The city of Lübeck was the chief member of the Hanseatic League, an influential association of medieval trade guilds formed, in part, to help merchants manage the risk of travel in the Middle Ages. In attendance at the first committee meeting were manufacturers and regulators, including the European Commission, notified body representatives, Underwriters Laboratories (UL), the FDA and a single physician/practitioner.

     Partly because of the work of TC 210 and its separate risk management working group, industry-wide pressure was developing for a comprehensive, viable risk management standard. European manufacturers wanted it—they believed they already were doing a good job of risk analysis based on compliance with EN 1441 and wanted to “level the playing field.” The CDRH wanted it to assist and guide large US manufacturers—and bring smaller manufacturers into better compliance. 

     With pressure came quick reaction. Even though the analysis portion of 14971 largely was “cut and pasted” from EN 1441, several sections required writing from scratch—including Annex E, Risk Management Concepts (co-authored by Dr. Rudolph). In all, the development of ISO 14971 took only four years from initial committee meeting to final draft—something of a “land speed record” in the consensus-conscious world of standards writing.  

     Because of this activity, an increased awareness of risk management concepts and techniques, as applied to quality management systems, had developed among device manufacturers. The generic quality management standard, ISO 9001:1996, left out any reference to risk management (it specifically was excluded from the revised, 2000 version). This prompted Ed Kimmelman (the convener of ISO TC 210, Working Group 1 and a long-time quality systems professional) to call risk management one of the primary reasons that ISO 13485 was developed as a separate standard in the first place:

     “ISO 13485:1996 was based closely on ISO 9001:1994 with added requirements and details from the FDA GMP. During the standard’s revision, we recognized that risk management was necessary to reflect current industry practice. As a result, we have strong requirements for risk management planning in ISO 13485:2003 for all aspects of product realization. In addition, ISO/TR 14969:2004 contains important guidance for how risk management extends to other processes within the organization’s quality management system.” 

                    —Ed Kimmelman 

So, the concept of risk management has served as the one common element in establishing ISO 13485 and ISO 14971, the two key standards for the medical device industry. Risk management, as a concept, permeates medical device standards.  

     The most recent version of ISO 14971 (2007) was developed in response to numerous comments that were received after the initial 2000 publication. The majority of questions centered on the risk management concepts contained in Annex E, as well as effective implementation of risk management plans and risk management reports…in vitro device manufacturers wanted guidance specific to them. Above all, manufacturers wanted to know how to make ISO 14971 and risk management work within the context of their quality systems.

     Questioned as to why ISO 14971 prompted such wide-ranging questions from the industry, Dr. Rudolph’s answer is based on his years of experience at CDRH and UL: 

     “The concepts in ISO 14971 and risk management are big and can be difficult to get your arms around. If manufacturers fail at risk management, it is typically because they don’t look at the process as an integrated whole. Since most errors are handoff errors, risk management systems can fail when systems or processes aren’t effectively tied back into the quality system for appropriate action and ‘closed loop’ risk control.”

                    —Dr. Harvey Rudolph 

Perhaps this explains some of the ambivalence expressed by manufacturers around risk management. On one hand, the benefits of effective risk management are undeniable—improved patient safety, lower liability and operational effectiveness. On the other hand, implementation of risk management processes, much like the quality system itself, can be problematic. Both efforts require an ability to develop simple, effective, even elegant processes that meet requirements in a “least burdensome” manner. Further, both efforts will be necessary to meet coming risk management regulation.

     To get a view of where risk management requirements are headed, Kimmelman pointed to GHTF guidance (SG3/N15R8) as well as the ISO/TR 14969 (guidance on implementation of ISO 13485):

     “The trend is clear—risk management will find its way, more and more, into all aspects of the quality system. This includes traditional areas like supplier management as well as important activities outside of product realization such as post-market surveillance, CAPA, even training and HR.” 

                    —Ed Kimmelman 

The standards that were born from the industry’s emphasis on risk management continue to grow in influence. In a little more than four years, reference to ISO 14971 by other standards has demonstrated a geometric, 10x growth. Since 2003, supplier certification to ISO 13485 has increased to more than 36% of the entire medical device supplier base—with further, rapid growth projected.

     What about the standards writers responsible for launching the industry’s “risk management revolution”? Many have gone on to become consultants, assisting manufacturers and building fences against black swans and risk. Dr. Rudolph is active in this effort, as well as extending the benefits of a risk management perspective to other areas. His diversified manufacturing clients are investigating the benefits of a risk management perspective for their non-medical device divisions. Perhaps most interestingly, in his continued role with the joint working group on risk management, Rudolph is working on ISO Guide 63 (guidance for standards writers), focused on applying risk management to the standards writing process itself. Is risk management pervasive? Indeed.

Marc H. Miller is president of the Crimson Life Sciences division of TransPerfect Translations. Crimson is the only translation organization in the world certified to ISO 9001:2000, ISO 13485:2003 and endorsed to ISO 14971:2000. Crimson’s translation risk management processes have received official Notified Body endorsement and are patent pending. Crimson is the world’s largest translation practice devoted exclusively to Class II and Class III medical devices and List A and List B IVDs. TransPerfect is the world’s largest privately held, diversified language services provider with over 50 offices on 4 continents.


