Risk Management Interview with Naveen Agarwal, Ph.D.

Introducing our newest guest blog post: "Risk Management with Naveen Agarwal, PhD". We're thrilled to host this insightful article that delves into complexity of risk management in medical devices, which can be extended into combination products as well. The methodologies described in this interview put a new twist on the traditional methods for assessing risk and risk acceptability. As a platform committed to fostering discussions and exploring a wide range of viewpoints, we invite you to engage with this thought-provoking content and contribute to the ongoing conversation about application of risk management in your product development lifecycle.

I am an engineer by training. I started my career in the R&D function working on new product development and later moved on to leading global teams. I joined the medical device industry in 2007, first in R&D, later moving into a Product Quality role where I had an opportunity to build a post-market safety surveillance system from the ground up. I also led a cross-functional team to manage the post-market safety surveillance process for two years. I started my independent consulting practice in 2017 focusing mostly on risk management. Currently, I focus on helping elevate our collective capability in risk management across the medical device industry through my Let’s Talk Risk! newsletter.

Learn more about me on my LinkedIn profile.

The term ‘risk’ is defined in ISO 14971:2019 as the “combination of the probability of occurrence of harm (P) and the severity (S) of that harm”.  A common point of confusion arises from the lack of clarity about the term combination used in this definition. For example, it is not clear how S and P should be combined to estimate the risk level. Industry practice is to use a 3- or 5-level ordinal scale to assign qualitative levels to each combination of probability and severity corresponding to an individual risk. Sometimes a numerical 1-5 scale is also used to assign severity and probability levels. Another common practice is to graphically map all individual risks on a X-Y chart, as shown in Figure 2 of ISO/TR 24971:2020, or as a two-dimensional matrix as shown in Figures 3 and 5 of ISO/TR 24971:2020.

As a result, estimating risk is not a precise mathematical operation. However, each risk is perceived to be at a certain level, which in the absence of a quantitative measure, is qualitatively interpreted as high, medium, or low. Use of such qualitative terms causes a lot of confusion during risk evaluation because there is no comparative reference to evaluate the risk level. Additionally, it is a common practice in our industry to give more weight to the severity level when interpreting the risk level. As an example, a risk with S=5 and P=1 is perceived to be at a higher level than another risk with S=1 and P=5. A severity bias holds us back in considering breakthrough innovative technologies to solve some of the most difficult medical problems. At the same time, it makes us tolerant of low reliability products.

In my practice, I have advised clients to think of each risk in the context of a tolerable rate of occurrence at a given severity level. As an example, we could ask the question: “What is a tolerable rate of occurrence for a risk of S=5?”, in the context of the benefits of the intended use and stakeholder expectations. This can help us to establish a quantitative limit for the probability of occurrence above which, the individual risk would be considered unacceptable. It avoids a subjective interpretation of low, medium or high and focuses the discussion on whether each risk is acceptable or not.

According to ISO 14971:2019, there are 7 essential elements of a risk management plan:

• Scope of planned activities

• Responsibilities and authorities

• Review of activities

• Criteria for risk acceptability

• Method and criteria for evaluating overall residual risk

• Verification activities (implementation + effectiveness)

• Production and post-production activities 

Note that planned risk management activities need to be mapped to each phase of the device lifecycle. Some of the activities span multiple phases and continue during the post-market phase.

In my practice, I have advised clients to also include an optional 8th element to manage changes to the plan throughout the device’s lifecycle. As an example, it is important to plan for adequate resources to support your post-market activities, which may include identification and control of new risks arising from new hazards, hazardous situations or harms.

Risk management is a team sport! It is very important to identify your cross-functional team members and their roles and responsibilities during the planning phase. At a minimum, you would need subject matter experts from R&D, Quality, and Clinical or Medical Safety. Other experts may be needed on an ad hoc basis during different phases of design and development and post-market. Generally, there is a lot of overlap between risk management activities and design and development activities prior to commercialization. It is important to minimize duplication of effort so that you are utilizing your resources efficiently.

A good practice is to assign a dedicated project manager during design and development who would also own the risk management activities. During the post-market phase, it is good to transfer this role to a dedicated Product Quality Manager who is generally responsible for both quality improvement and regulatory compliance for the assigned product. Some of these roles may not exist in many organizations, but it is important to understand that different skills are needed in different phases of the device lifecycle.

Gathering the voice of the patient is very important, especially early during the development process. Generally, your clinical or medical safety expert should provide this input, but they must have direct knowledge and experience of the specific medical condition and/or procedure targeted by the medical device.

A common challenge in our industry is the nearly exclusive use of FMEAs (failure mode and effects analysis) for risk analysis. In the context of safety risk analysis per ISO 14971, this practice is not sufficient because it limits the analysis to only the fault mode of the device. As we know, hazardous situations may arise even when the device is operating in the normal mode. Further, it is generally not feasible to go from a single failure mode to multiple potential sequences or combinations of events that may lead to one or more hazardous situations in an FMEA.

Industry practice has evolved to adapt the FMEA technique to fulfill the requirements of ISO 14971. However, it generally leads to inaccuracies in risk estimation and presents challenges in demonstrating traceability and completeness of risk controls.

In my practice, I have helped clients to utilize hazard analysis and map their FMEAs or other failure risk analysis techniques to hazards. It is important to point out that there is more to hazard analysis than FMEA! I believe there is an opportunity for our industry to learn more about hazard analysis and use it effectively for safety risk analysis.

I recently did a poll in LinkedIn where I asked this questions:

“What is the most significant challenge for you to implement an effective risk management process for your organization?”. 

The choices were:

1. Compliance burden

2. Limited experience (risk)

3. Company culture

4. Other

The top two challenges were limited expertise (43%) and company culture (38%).

This is very consistent with my experience. I believe that there is a general lack of understanding and confusion about basic risk management concepts. We also seem to be stuck in a culture of compliance that seems to promote a mindset of firefighting and quick-fixes, rather than taking a step back to fundamentally improve the process.

I think the focus of risk management should be on improving patient safety, accelerating innovation and reducing cost. Generally speaking, risk management is seen as an exercise in documentation to achieve and maintain regulatory compliance. I believe risk management, when done right, can make a tangible contribution to business growth while also making an impact on the bottom line. It is time to expect more from our risk management system.

But this also means that we invest in building competent teams and a culture of collaboration.

I am very proud of the amazing innovations our industry has delivered consistently in the last several decades. They have significantly improved the quality of life for millions of patients across the world. I remain optimistic that we will continue to deliver even more amazing innovations with newer, more advanced technologies now available at an increasing pace. In this new environment, risk management can be an enabler and not a barrier to innovation. It is up to us to see the value of risk management as a value-added business process to realize its full potential.

We want to thank Naveen for participating in this discussion with our team and taking the team to answer all our questions. We invite you to engage with this thought-provoking content and contribute to the ongoing conversation about application of risk management in your product development lifecycle.

We look forward to a part 2 where we continue this conversation.

Interview with:

Naveen Agarwal, Ph.D.