Risk management is a key component of the quality management system (QMS) that crosses over many functions within an organization. Risk management is more than risk analysis; it is the systematic application of policies, procedures, and practices to the analysis, evaluation, and control of risks. It is a central requirement of the implementation of design controls in the Quality System Regulation (QSR).
Risk management involves the identification and description of hazards, how those hazards could occur, the expected consequences, and estimations or assessments of the relative likelihood of occurrence. The estimation of risk for a given hazard is a function of the relative likelihood of occurrence and the severity of harm resulting from occurrence. Following the estimation of risk, risk management focuses on controlling or mitigating risks.
Regulatory agencies are moving toward risk-based frameworks and expect medical device companies to use a risk-based approach for various activities related to both products and processes. This includes ranking the impact of different corrective action and preventive action (CAPA) activities, prioritizing validation master plan activities, and so forth. Using a risk-based approach for these activities allows for more efficient allocation of resources while addressing risks. It also allows for issues with the greatest risk to be addressed first. ISO 14971 is the standard typically referenced for application of risk management and the risk-based approach.