Back to the Glossary

Risk Analysis

Risk Analysis is the structured activity of identifying hazards (potential sources of harm) and estimating the risk (combining the probability of harm occurring with the severity of that harm) before any mitigation efforts are formally applied. It is the first critical step in understanding the risks inherent in a design or system.

The term Risk Analysis refers to the initial and foundational process within the overall Risk Management framework. It involves systematically identifying potential hazards associated with a device or process, determining the potential harm they could cause, and calculating the corresponding risk level.

Risk Analysis is a mandatory and comprehensive process, particularly in regulated industries such as medical device manufacturing, driven by standards such as ISO 14971 and U.S. FDA regulations.

Context and Requirement

Risk Analysis is a mandatory part of the Quality Management System (QMS) and is required to be performed early in the design phase:

Design Validation Requirement (FDA): Under the former Quality System Regulation (QSR), Design Validation shall include software validation and risk analysis, where appropriate [74(g), 301]. The sources indicate that performing a risk analysis is "almost always appropriate" and required unless the manufacturer can justify otherwise.

Early Integration: Risk management activities, including Risk Analysis, should be initiated simultaneously with the design process to minimize potential hazards from the beginning. Performing the initial risk analysis earlier during design inputs is recommended.

Design Input: Risk management outputs are listed as one of the required design and development inputs under ISO 13485 (Section 7.3.3).

Software and IVDs: ISO 14971 is specifically intended to apply to software as a medical device (SaMD) and in vitro diagnostic devices (IVD). Manufacturers must perform verification, validation, and hazard analysis and risk assessment activities for software, including an assessment of the impact of threats and vulnerabilities on device functionality and end users/patients as part of cybersecurity review.

The Intent of Risk Analysis

The intent of Risk Analysis, according to the Preamble Comment #83 of the Quality System Regulation, is to facilitate several crucial steps in the risk management process:

  • Identify possible hazards, including use errors.
  • Calculate risk under normal and fault conditions.
  • Determine risk acceptability.
  • Reduce unacceptable risks to acceptable levels.
  • Ensure changes made do not introduce new hazards.

Key Components of the Risk Analysis Process

Risk Analysis consists of three main stages: identification, estimation, and linkage to consequences.

Hazard Identification

The goal is to identify possible hazards that could cause harm to people, property, or the environment.

Hazard vs. Hazardous Situation vs. Harm:

A hazard is defined as "a potential source of harm". The hazard cannot cause harm without a trigger event or hazardous situation. The harm is the resulting injury or negative outcome.

  • Example: Bacterial contamination is a hazard. The hazardous situation is that the bacteria are not removed properly before being introduced during a surgical procedure. The resulting harm is a bacterial infection.

Scope:

The analysis should consider the intended use and foreseeable misuse of the device, as well as safety characteristics.

Cross-Functional Team

The analysis should be done by a cross-functional team to consider all perspectives. Personnel with knowledge of clinical use may handle analysis for intended use and misuse, while quality/regulatory teams may focus on safety using complaint data and standards.

Sources of Data

Useful sources for identifying hazards include publicly available information about similar devices, such as public complaint reporting data and scientific literature. ISO 14971 Annex C also provides a starter list of hazards.

Risk Estimation

Risk Estimation is the process of assigning a value to the identified hazardous situations.

Metrics

Estimation considers the probability of occurrence of the harm and the severity of the harm.

Qualitative vs. Quantitative

Risk can be estimated qualitatively (e.g., high, medium, low) or quantitatively (using a calculated probability value), or a mix of both. If a qualitative system is used, the definitions of those categories must be documented.

Risk Index

The process typically assigns a risk index level to the hazardous situation.

Data Support

Even qualitative estimates need supporting data or information, such as reports from pre-market testing, clinical trial data, publicly available incident reports, or published literature. Relying on expert consultants is also a valid source, provided their qualifications are documented.

Integration and Documentation

Risk Assessment: The term Risk Assessment is often used as a comprehensive document that contains both the Risk Analysis and the subsequent Risk Evaluation.

Risk Management File (RMF): The RMF must contain records for all risk management activities, including the Risk Analysis. The RMF must demonstrate traceability for each hazard back to the associated Risk Analysis, Risk Evaluation, and Risk Controls.

CAPA Input: Risk analysis tools, such as Failure Modes and Effects Analysis (FMEA), are used to manage issues and risks proactively in the medical device industry. The information gathered during risk analysis is crucial for determining how to mitigate risks and prevent potential or future issues from occurring.

Analogy for Understanding Risk Analysis

If Risk Management is the overall safety department for a newly built theme park ride, the Risk Analysis is the initial brainstorm and spreadsheet creation. The design team sits down and systematically lists every single potential problem: What if the brake fails? (Hazard: Mechanical Failure). What if the attendant pushes the wrong button? (Hazard: Use Error). For each item, the team assigns a preliminary score for how likely it is to happen and how severe the injury would be if it did happen (Risk Estimation). The entire stack of these initial spreadsheets, documenting every single potential disaster and its calculated score, constitutes the Risk Analysis. This analysis is performed before they decide to install redundant brakes or special training programs.

Ready to see what Botable can do for you?

Book your demo now to see how Botable can transform your workplace.

Identify your unique challenges

Flexible pricing options

Easy integrations

Step-by-step implementation plan

Customize Botable for your workflow

Book a demo

Find out how Botable can answer your employee’s questions in just 30 minutes.