Tips for Risk Management

The author has provided consultation on risk management to numerous pharmaceutical and medical device companies. Through implementing risk management practices, I have noticed many misconceptions, assumptions, and errors. In this article, I would like to introduce some practical tips for implementing risk management effectively.

What is Risk?

Risk is defined as “the combination of the probability of occurrence of harm and the severity of that harm” (ISO/IEC Guide 51:2014). In our daily lives, we frequently perform this multiplication calculation, often without consciously realizing it.

For example, consider traveling by airplane. If an aircraft crashes, survival is highly unlikely—everyone understands this is “catastrophic” (severe). However, we also believe that “airplanes almost never crash” (probability of occurrence ≈ 0). When multiplying severity by probability of occurrence, the result approaches nearly zero. In other words, no matter how severe an accident might be, if the probability of occurrence is extremely low, we accept the risk (and board the airplane). Those who remain fearful despite this calculation might choose to take the Shinkansen (bullet train) instead.

Focus on Severity First

ICH Q9 “Quality Risk Management” and ISO 14971 “Application of risk management to medical devices” both require performing the multiplication calculation (severity × probability of occurrence) when determining initial risk. Many people struggle at this point because while severity can be estimated relatively easily, determining the probability of occurrence proves challenging.

However, when providing consultation, I explain that it is not necessary to accurately determine the initial probability of occurrence. In initial risk assessment, the probability of occurrence is not critically important. If determining the probability of occurrence is difficult, it can simply be set to the maximum value of “1” (probability of occurrence is expressed as a decimal: 0.0 to 1.0). This is because risk cannot be tested—the probability of occurrence can only be calculated after an event has actually occurred.

In particular, for software errors and human errors, probability of occurrence should not be estimated. Software bugs are inherent (occurring 100% of the time), and human error will inevitably occur.

Focus on Probability of Occurrence at the End

Many risk management standards and guidelines require reducing either severity, probability of occurrence, or both. ISO 14971 states that “risk control measures can decrease the severity of harm, the probability of occurrence of harm, or both.”

However, the general understanding is that severity does not change after implementing risk controls (the severity of harm is invariant). In other words, reducing severity is extremely difficult.

For example, it is not possible to build an airplane where passengers would not die in a crash. However, it is possible to design an airplane that is extremely unlikely to crash. (Incidentally, among all modes of transportation, aircraft are the safest—having the lowest probability of occurrence.)

I often encounter people struggling to reduce severity when implementing risk management, but I explain that this is nearly impossible in most cases. In risk management, the focus should not be on reducing severity but rather on reducing the probability of occurrence.

What Has Already Occurred is Not Called Risk

When an actual accident occurs in the market, many companies re-implement risk management. In such cases, I sometimes observe them applying probability of occurrence calculations again. An accident that has already occurred is no longer a “risk” but a “problem.” Risk inherently involves uncertainty about whether something will occur, which is why we estimate probability of occurrence. When an accident has already occurred, it must be evaluated based solely on severity.

Furthermore, to prevent recurrence, companies must implement CAPA (Corrective and Preventive Actions) rather than risk management. For example, when a serious aircraft or train accident occurs, an accident investigation committee is typically convened to thoroughly investigate root causes and develop measures to prevent recurrence.

A well-known example involves a girl who, after washing her cat and thinking it must be cold, placed it in a microwave oven. The manufacturer had never anticipated that someone would put a living creature in a microwave. However, after this incident actually occurred, manufacturers began consistently stating in instruction manuals “Do not place living creatures inside” (estimating the probability of subsequent occurrence as 1).

FMEA Should Not Be Used in Medical Device Design

FMEA (IEC 60812) is not referenced in medical device regulations. The characteristic feature of FMEA is that it multiplies risk by detectability. This is called the Risk Priority Number (RPN).

RPN = Probability of occurrence of harm × Severity × Detectability

FMEA (detectability) should not be used in device design. This is because the risk priority number is irrelevant to patients and users. Medical device risk management must follow ISO 14971 and reduce risk (severity × probability of occurrence) to an acceptable level. In other words, regardless of detectability, risk control is necessary in medical device design.

FMEA should be used in process design instead.
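As an added illustration (not part of the original article, and not an implementation of ISO 14971 or IEC 60812), the following Python sketch applies the rules from the sections above to a small constructed hazard register: probability of occurrence defaults to the maximum value 1.0 when it cannot be determined, severity is held invariant while risk controls lower probability, and the same hazards are then ranked by an FMEA-style RPN to show how high detectability can push a risk that is still unacceptable under severity × probability down the priority list. The severity and detectability scales, the acceptability and RPN thresholds, and the sample hazards are all assumptions made for this example.

```python
"""Severity x probability (ISO 14971 style) versus RPN (FMEA style) on a
constructed hazard register.  Scales, thresholds and hazards are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Hazard:
    name: str
    severity: int                                  # assumed scale: 1 (negligible) .. 5 (catastrophic)
    probability: Optional[float] = None            # 0.0 .. 1.0; None = could not be determined
    detectability: int = 10                        # assumed FMEA scale: 1 (always detected) .. 10 (never)
    residual_probability: Optional[float] = None   # probability after risk control; None = no control


RISK_ACCEPTABLE = 2.0   # assumed acceptability limit on the severity x probability scale
RPN_PRIORITY = 20.0     # assumed RPN value below which an FMEA ranking would deprioritise an item


def effective_probability(p: Optional[float]) -> float:
    # Article's tip: when the probability cannot be determined, use the maximum value of 1.
    # (Software errors and human errors are treated this way as a matter of policy.)
    return 1.0 if p is None else p


def initial_risk(h: Hazard) -> float:
    """Initial risk = severity x probability, with unknown probability taken as 1.0."""
    return h.severity * effective_probability(h.probability)


def residual_risk(h: Hazard) -> float:
    """Residual risk after control.  Severity is invariant; only probability is reduced."""
    if h.residual_probability is None:
        return initial_risk(h)
    return h.severity * h.residual_probability


def risk_priority_number(h: Hazard) -> float:
    """FMEA-style RPN = probability x severity x detectability (at initial assessment)."""
    return effective_probability(h.probability) * h.severity * h.detectability


def assess(hazards: List[Hazard]) -> List[dict]:
    """One row per hazard: initial risk, residual risk, acceptability under the risk limit, RPN."""
    return [
        {
            "name": h.name,
            "initial": initial_risk(h),
            "residual": residual_risk(h),
            "acceptable": residual_risk(h) <= RISK_ACCEPTABLE,
            "rpn": risk_priority_number(h),
        }
        for h in hazards
    ]


def masked_by_detectability(hazards: List[Hazard]) -> List[str]:
    """Hazards an RPN ranking would deprioritise although severity x probability
    is still above the acceptability limit before any control is applied."""
    return [
        h.name
        for h in hazards
        if risk_priority_number(h) < RPN_PRIORITY and initial_risk(h) > RISK_ACCEPTABLE
    ]


# Constructed sample register (values are illustrative assumptions, not real device data).
SAMPLE_HAZARDS = [
    # Software defect: probability left undetermined (-> 1.0), caught reliably by verification
    # (detectability 1), probability lowered by an independent dose cross-check.
    Hazard("Dose-calculation software error", severity=5, probability=None,
           detectability=1, residual_probability=0.1),
    # Human error: probability undetermined (-> 1.0), poorly detectable, reduced by barcode confirmation.
    Hazard("Operator enters wrong patient ID", severity=3, probability=None,
           detectability=8, residual_probability=0.2),
    # Minor hazard with an estimated probability and no control needed.
    Hazard("Label print smudged", severity=1, probability=0.5, detectability=5),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_HAZARDS):
        print(f"{row['name']:<36} initial={row['initial']:.1f} residual={row['residual']:.1f} "
              f"acceptable={row['acceptable']} rpn={row['rpn']:.0f}")
    print("Deprioritised by RPN but unacceptable by risk:", masked_by_detectability(SAMPLE_HAZARDS))
```

The software hazard is the instructive row: its RPN is the lowest in the register purely because detectability is high, yet its severity × probability is the largest and stays unacceptable until a control lowers the probability, which is the article's argument for ranking design risks without the detectability factor.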

Risk Management in the Revised GMP Ordinance

In the recently revised GMP ordinance in Japan, implementation of quality risk management is required in accordance with ICH Q9 “Quality Risk Management Guideline.” On the PMDA (Pharmaceuticals and Medical Devices Agency) website, an example of a “Risk Management Sheet” is posted as reference material.

https://www.pmda.go.jp/files/000218642.pdf

However, this reference material may mislead the industry.

The document includes examples such as “User Requirements Specification (URS) not created,” “DQ not implemented,” and “IQ, OQ, PQ not implemented.” Are these truly subjects for risk management? Risk refers to problems that might occur even when standard operating procedures are followed. “Not implementing ~” represents an act of omission and constitutes a regulatory requirement violation. Regulatory requirements must be complied with and should never be treated as risks.

I strongly urge the provision of appropriate exemplary guidance.

Additional Considerations for Modern Risk Management Practice

Integration with Quality Management Systems

Risk management should not exist in isolation but must be integrated into the overall quality management system. ISO 14971:2019 emphasizes the importance of establishing a risk management process that encompasses the entire lifecycle of medical devices, from initial concept through post-market surveillance. This lifecycle approach ensures that risk management is not merely a one-time activity during design but a continuous process.

Post-Market Surveillance and Risk Management

The relationship between post-market surveillance and risk management has become increasingly important in recent years. When adverse events or near-misses are identified through post-market surveillance, they provide valuable data for updating risk assessments. These real-world occurrences should inform the estimation of probability of occurrence, which initially may have been set conservatively to the maximum value. Post-market data transforms theoretical risk assessments into evidence-based evaluations.

Documentation and Traceability

Proper documentation of risk management activities is essential not only for regulatory compliance but also for organizational learning. Risk management files should clearly trace from hazard identification through risk analysis, evaluation, control implementation, and residual risk acceptance. This traceability enables effective communication among team members and facilitates regulatory review.

The Evolution of ICH Q9

While ICH Q9 was originally adopted in 2005, the pharmaceutical industry continues to evolve its understanding and application of quality risk management. The principles remain constant: quality risk management is a systematic process for the assessment, control, communication, and review of risks to the quality of drug products across the product lifecycle. However, implementation approaches have matured, with greater emphasis on practical application and integration with other quality systems.

Common Pitfalls to Avoid

Several common mistakes continue to appear in risk management implementation. First, treating compliance obligations as risks rather than baseline requirements, as discussed above regarding the PMDA example. Second, confusing risk assessment with failure investigation—they serve different purposes and should not be conflated. Third, attempting to assign precise numerical values to probabilities when data is insufficient, leading to false precision. Fourth, failing to distinguish between initial risk assessment (where probability may be conservatively estimated) and residual risk assessment (where implemented controls should demonstrably reduce risk).

Conclusion

Effective risk management requires understanding the fundamental concepts while applying them pragmatically. The key principles presented here—focusing initially on severity, recognizing that probability of occurrence becomes the primary control parameter, distinguishing between risk and problems that have already occurred, and understanding the appropriate application of different risk management tools—provide a foundation for successful implementation. As regulations and standards continue to evolve, maintaining focus on these core principles while adapting to new requirements will ensure robust risk management practices that genuinely protect patients and users.
