Meaningful interfacing despite differences?
Closing gaps, avoiding reputational damage, protecting patients and users: Goals of medical device risk management.
In the medical technology industry, the preventive management of product quality risks is of central importance, not least because of the possible hazards to users and patients. Common measures in this context are quality-oriented process optimization and the preventive mitigation of product-inherent risks, together with the constant monitoring of products on the market on the basis of a pre-planned surveillance process, so that possible escalation and damage potential can be controlled. However, the consequences of a product quality risk reach further:
If product safety or product quality risks materialize, not only customer acceptance but also the reputation of the company suffers, with negative consequences for its economic success.
Silo thinking makes risk overview difficult
Although quality and risk topics are equally relevant to the company and interwoven with each other in terms of content, they have historically often been dealt with in isolation in the respective specialist department because of their specific regulatory requirements. The possibly incomplete exchange of information caused by this departmental isolation can lead to an incorrectly assessed overall risk situation for the company and thus to serious economic problems when decisions are made on the basis of this information. An interface between Product Risk Management and Enterprise Risk Management (ERM) avoids such a problematic reporting gap.
Analysis of the different risk management systems as an interface basis
In order to design such a universal interface, the underlying systems must first be analyzed. A useful starting point is a comparison of the risk management standard ISO 31000, which can serve as a guide for setting up a risk management system in any industry, with ISO 14971, which sets out specific requirements for the risk management of medical devices in accordance with § 3 MPG.
A comparison of the standards shows that even their binding nature differs. Whereas ISO 31000 is intended as general guidance for the implementation of an ERM, ISO 14971 is regarded by the EU as the best solution for implementing the requirements of Directive 93/42/EEC.
Different objectives and areas of application
The objectives and areas of application of the standards also differ. While ISO 31000 aims to protect assets, ISO 14971 is a tool aimed at preventing product-induced harm to users, patients, property and the environment. ISO 31000 describes requirements for a successful ERM; the standard is applied to business functions and to all conceivable types of risk in both internal and external contexts. It addresses fundamental objectives such as meeting customer needs, products, services, key markets, target customers, and the capabilities and resources required for them. In contrast, ISO 14971 focuses on product characteristics and the processes of the entire product life cycle, and thus considers exclusively product-oriented risks, such as product design risks or the process risks of the product life cycle.
Different integration potentials
Because of their different focus on company-related and product-related topics, the two standards also differ in their depth of integration and their integration potential. While ISO 31000 as a system is intended to penetrate the entire organization from top to bottom according to the top-down principle, ISO 14971 as an operational process follows the bottom-up principle.
Differences exist between the monetary, company-related standard ISO 31000 and the health-hazard-oriented, product-related requirements of ISO 14971.
According to the recommendation of ISO 13485, integrating product risk management into quality management makes sense for medical device manufacturers. In contrast, an ERM should at least connect, if not integrate, the other risk management systems through interfaces in order to achieve comprehensive risk management. For the ERM, a centrally coordinating department is also recommended, which defines the framework conditions, methods and tools of risk management and supports the risk managers in the operational execution of the risk management process (Figure 1). However, all those involved in risk management must individually go through the entire risk management process. Product risk management, on the other hand, is not organizationally intended as a department, but rather as a process within projects. Depending on the process step and product, responsibility passes from one corporate function to another.
Recommendation vs. specification of the risk management process
The analysis of the respective risk management processes shows differences in many process steps. For example, ISO 31000 does not prescribe a specific method for risk identification; common methods are instead listed in ISO 31010. In contrast, ISO 14971 specifically prescribes, among other things, failure mode and effects analysis or a modified fault tree analysis. Risk analysis is also defined differently in the two standards. In ISO 31000, risk analysis means the description of the risk and its causes. In ISO 14971, by contrast, risk analysis is understood as the assessment of each risk for each hazardous situation.
Different methods of risk assessment
Differences are also evident in the process step of assessing the identified and analysed risks. In ERM, quantitative assessment is preferred: potential financial loss values are calculated in relation to planned values. In product risk management, a comparatively qualitative scoring method is chosen instead, in which a risk priority number is calculated from the probability of occurrence, the potential extent of damage and the probability of detection.
Measures between selection and determination
Measures must be selected and assessed in order to manage risks. Here, ISO 31000 does not specify any treatment measures; the risk manager can choose between different mitigation paths. In contrast, ISO 14971 specifies possible measures for mitigating risks, such as inherent safety by design. A review of the effectiveness of the measures is mandatory in both standards. However, the efficiency assessments are also carried out differently: ISO 31000 compares the costs of the measures with the benefit of the risk not occurring, while ISO 14971 weighs the medical benefit for the patient, considered from a wide range of perspectives such as legal, political, economic or technical, against the risk of applying the product.
Fixed intervals and situational actions
The comparison of the process and reporting frequency of the standards is also important. While ISO 31000 suggests regular intervals for risk identification and review (apart from urgent ad hoc risk reports), the product risk management process is carried out on an ad hoc basis, e.g. when observation of the market or of legislation creates a need for a change to the product. Because of the legal requirements for the management report (DRS 20), external reporting of the ERM takes place regularly in the opportunities and risks section of the management report. Product risk management, on the other hand, only reports externally on (realised) product risks if it becomes necessary to report an incident to the authority responsible for medical devices (BfArM). Continuous improvement of the ERM is process-oriented under ISO 31000, but product-oriented in the case of ISO 14971.
Interface useful despite all differences
A comparison of the two standards reveals differences. Nevertheless, owing to the generic nature of ISO 31000, there is room for an interface between the ERM described therein and product risk management according to ISO 14971. This interface consists primarily in the exchange of risk information from product risk management, which is additionally evaluated in monetary terms. Gaps in risk identification can thus be closed, and company-wide measures can be implemented in a more targeted manner and at an earlier stage.
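As an added illustration of that interface (example code written for this page, not part of the article or of either standard), the following script scores constructed product risks with the risk priority number described above and then re-evaluates them in monetary terms for the ERM register. The score-to-probability mapping, the cost figures and both escalation thresholds are assumptions; the point is that a risk can deserve ERM attention on monetary grounds even when its RPN alone would not flag it.

```python
# Added example: bridging ISO 14971-style RPN scoring and monetary ERM reporting.
# All scales, scores, probabilities and cost figures are constructed assumptions.
from dataclasses import dataclass

# Assumed mapping of the 1..10 occurrence score to an annual probability.
OCCURRENCE_TO_PROB = {1: 0.001, 2: 0.005, 3: 0.01, 4: 0.02, 5: 0.05,
                      6: 0.1, 7: 0.2, 8: 0.3, 9: 0.5, 10: 0.8}

@dataclass
class ProductRisk:
    hazard: str
    severity: int            # S: potential extent of damage, 1..10
    occurrence: int          # O: probability of occurrence, 1..10
    detection: int           # D: likelihood the failure escapes detection, 1..10
    loss_if_realised: float  # assumed monetary loss (EUR) used only on the ERM side

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be a score from 1 to 10")

    def rpn(self) -> int:
        """Risk priority number as used in FMEA: S x O x D (product-side view)."""
        return self.severity * self.occurrence * self.detection

    def expected_loss(self) -> float:
        """Monetary valuation for ERM: annual probability x loss if realised."""
        return round(OCCURRENCE_TO_PROB[self.occurrence] * self.loss_if_realised, 2)

def erm_report(risks, rpn_threshold=100, loss_threshold=8000.0):
    """Rows for the ERM risk register. A product risk is escalated when its RPN
    reaches the (assumed) product-side threshold OR its expected loss reaches the
    (assumed) ERM threshold; the reason is recorded so the gap between the two
    views stays visible. Rows are ordered by monetary exposure."""
    rows = []
    for r in risks:
        reasons = []
        if r.rpn() >= rpn_threshold:
            reasons.append("rpn")
        if r.expected_loss() >= loss_threshold:
            reasons.append("monetary")
        if reasons:
            rows.append({"hazard": r.hazard, "rpn": r.rpn(),
                         "expected_loss_eur": r.expected_loss(), "reason": reasons})
    rows.sort(key=lambda row: row["expected_loss_eur"], reverse=True)
    return rows

# Constructed sample register (not real product data).
SAMPLE_RISKS = [
    ProductRisk("Sensor calibration drift", 7, 4, 5, 250_000),  # RPN 140
    ProductRisk("Battery overheating", 9, 2, 3, 2_000_000),     # RPN 54, costly if realised
    ProductRisk("Label mix-up", 5, 6, 4, 50_000),               # RPN 120
    ProductRisk("Cosmetic housing scratch", 2, 3, 2, 1_000),    # RPN 12
]
```

Running `erm_report(SAMPLE_RISKS)` escalates three of the four risks; the battery hazard appears first purely on monetary grounds, which is exactly the kind of entry a product-only RPN view would have left out of the company-wide picture.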