The medical and pharmaceutical industries are engaged in new product development and manufacturing (medical devices and products, medicines, and combinations of the two). Risk management is a regulatory requirement that medical and pharmaceutical companies must meet as part of implementing a risk-based approach. Harm to human life, injuries and side effects, as well as loss of company reputation and business risk, should be minimized.

Risk management is an important factor for Bio-Med companies that develop, manufacture, supply and import medical devices and pharmaceuticals. As part of our experience, we’ve faced several events in which potential risks have been realized, leading to civil / criminal lawsuits against job-holders and companies alike. The risk management sector has justly received official recognition for its enormous importance in protecting human life and business performance, as well as brand sustainability.

The following article will clarify the basic terms used in risk management, explain its importance, and discuss common risk management methodologies.


The risk management approach in the medical device and pharmaceutical industries is mandatory and is grounded in GMP principles. Risk management requirements are defined in the FDA quality guidelines, ISO 13485, ISO 14971, the ISPE guides and even in the ISO 9001:2015 revision, which describes how to establish and maintain a risk management system. The organization shall have documented requirements for risk management based on product information and experience. Product risk management processes should be documented and audited, and must include record keeping in accordance with regulatory requirements. This article discusses several aspects of risk management in companies that develop and manufacture medical devices (devices, medical products, software, mobile applications, etc.) and pharmaceutical products.

Definition of risk

The definition of risk depends on the industry and area of activity to which risk is associated. For example, risk in the area of project management may result in non-compliance, budget failure, lawsuits, business risk, etc. On the other hand, in medical/pharmaceutical areas, which deal with the development and manufacture of medical devices and drug products, risk management will focus on how to prevent injury to life, harm to the health of patients, side effects, recalls, business risk, company reputation and brand sustainability.

Basic terms of risk management

  • Harm – injury or damage to the health of human beings, or damage to property or the environment
  • Hazard – a potential source of harm
  • Hazardous situation – circumstances in which people, property or the environment are exposed to one or more hazards
  • Intended use – use of a product, process or service for the purpose for which it was designed, in accordance with the manufacturer’s specifications and instructions, and for which it has been verified and validated
  • Medical device – any device, product, apparatus, machine, implant, medical software, medical mobile application, material or accessory intended for the treatment of humans or animals (alone or in combination with drug products)
  • Risk – the combination of the probability that harm will occur and the severity of that harm
  • Risk analysis – the systematic use of available information to identify hazards and estimate the risk
  • Risk assessment – a comprehensive process consisting of risk analysis and risk evaluation
  • Risk control – the process of measurement and evaluation through which decisions are made as to which risks should be reduced, and how each risk can be kept within defined limits under continuous monitoring
  • Safety – freedom from unacceptable risk: use of the product does not endanger the user
  • Severity – a measure of the possible consequences of a potential or actual hazard
  • Residual risk – the level of risk remaining after the risk has been analyzed, reduced and brought under effective corrective controls
  • Likelihood – the statistical probability that a given risk will occur
  • Detection – the act of identifying a risk before it causes damage
  • FDA – the US Food and Drug Administration, a governmental agency within the US Department of Health and Human Services. The FDA coordinates supervision and regulation of food and pharmaceutical products for humans and animals, cosmetics, medical devices, blood products, tobacco products and electromagnetic devices in the United States.

What is Risk Management?

The basic definition of risk management is the systematic application of policies, procedures and techniques for conducting risk analysis, assessment, control and monitoring. Risk management is a very important part of the quality management system. There is a basic regulatory requirement to implement this methodology, mainly in the development, implementation and control stages of medical devices and drug products, before product registration and marketing approval. The risk management process includes identifying and evaluating each potential risk, analyzing the way in which the risk may occur and its expected consequences, estimating the relative probability of occurrence, and estimating the probability of detecting the risk before the damage occurs. The risk of any hazard therefore depends on the relative probability of its occurrence and on the consequences of the damage (its severity). Once the risk assessment has been performed, the risk management process defines the methods that will be used to control and manage the risk by reducing it as far as possible. It should be emphasized that eliminating a risk is always the best option: a risk that does not exist consumes no resources to minimize.

Risk Management – How did it start?

Managing risks began in the 1920s, but risk management as it is known today began to develop only after World War II and was formally established in the 1960s. The field of risk management was first developed in the insurance and finance sectors. Risk management was prevalent mainly among private companies, as a result of the need to perform assessments and estimate risks. In contrast, government agencies lagged behind the private market in adopting risk management methodology; apparently the main reason for this was the conservatism that characterizes these bodies in adopting management and innovation methodologies. The risk of medical activity, and the legal liability of a caregiver towards a patient in particular and towards society in general, were already recognized in antiquity. Hammurabi’s code of laws set penalties for a doctor whose treatment was unsuccessful: a doctor whose patient died under his care could be punished, and could even lose his hand. Medical professionals also came to recognize that they could cause injury to patients and that they bore professional responsibility for this, and therefore set their own ethical rules. The best known of these is the oath of Hippocrates, with its command “First and foremost, do not harm”, known in Latin as “Primum non nocere” and contained in the doctors’ oath. In the 20th century there was a significant increase in public expectations of doctors and health systems, but it remained clear to all that absolute prevention of the risk and damage involved in medical treatment was not possible, and that a significant or total reduction of potential damage was often impossible or very expensive, and therefore impractical.
Medical risk management systems initially developed mainly in the United States, in response to the significant increase in the number of lawsuits related to medical malpractice and the high cost of compensating those who were harmed. The development of the field of medical risk management derived mainly from the following factors:

  1. The development of the medical industry – the medical sector has been characterized by dynamism and accelerated development over the last hundred years. As a result, studying the attendant risks, which have naturally intensified during this development, is also essential.
  2. The development of medical systems and organizations – management systems of medical organizations are often complex and cumbersome systems that include, inter alia, large teams, organizational processes, multiple systems, technological infrastructures, service to a variety of different fields and customers, which increase risks and exposure to risk and damage.
  3. Competition in the free market – The transformation of the health sector into a mass and industrialized sector, directed not only for the purpose of healing diseases among a small population but also for prevention, diagnosis, aesthetics, quality of life and leisure, has led to an increase in the scope of advertising and information disseminated to a large number of patients and clients. The public’s awareness of the existence of medical products, treatments and medical procedures has grown tremendously and has gone beyond defining the target audience of “patients” to a target audience of “customers.” The expectation among customers for professional service and minimal side effects, damages and mental distress is constantly on the rise.
  4. Society awareness and law system – the involvement of clients and patients in the details of medical proceedings, the imposition of legal liability on medical service providers, strict auditing systems, the Internet information revolution, many law firms specializing in medical malpractice cases and public advocacy for civil suits – increased the need for risk management.

The US was the pioneer in this field, and had already begun developing risk management systems in 1912. Not surprisingly, it was the American College of Surgeons that, at the end of its third congress (1912), called for the standardization of hospitals and medical equipment in order to improve the quality of care. In 1917 the surgeons’ association published basic standards, and even demanded that medical organizations monitor and supervise the quality of their functioning. About a year later, a body was set up to support and advise on how to meet these requirements. By the 1950s, other medical organizations and half of all US hospitals had joined this program. In 1951, medical organizations, hospitals, medical systems and medical associations established JCAHO (the Joint Commission on Accreditation of Healthcare Organizations) as a national institution, and it continues to serve as the central body in the management of medical risks. The first JCAHO rules were published in 1953; they were based on the original standards of the surgeons’ organization and focused on the health system, equipment, and the supervision of knowledge and certification of doctors in the various treatment areas, in order to reduce potential risks. The development of hospital risk management systems can be attributed mainly to the medical malpractice claims crisis that broke out in the United States in the mid-1970s. In order to understand the causes of the crisis and propose ways to solve it, committees were established by the federal government, the physicians’ organizations and the bar association. The main recommendation of all the committees was to develop a plan for the prevention of risks and damages of medical treatment that would be binding on every medical institution. Over the years the US has experienced quite a few legal and social obstacles, and these have led to the institutionalization of the requirements and the development of systems for managing and controlling risks.
As stated, the significant change in the area of risk management came in the wake of the medical claims crisis and was led by the hospitals. The change was motivated by a number of factors: insurance, legislative, judicial and research. Clinical risk management is now an integral part of every medical system in the United States. During its development, risk management has undergone major changes, from an activity meant to reduce the risk of financial damage, to an important component of quality assurance, to a policy instrument. Today, many manufacturers and suppliers of medical devices, medical equipment and drugs target their products at the US market. Without adopting the requirements and implementing American regulation in this field, they could not supply goods to this market. Risk management in medical companies is a critical step in obtaining the licenses required for marketing medical devices in the US and worldwide.

The importance of risk management

Risk management is a major and essential factor in the success of a company that develops and/or manufactures medical devices, medical products or drug products. Past experience includes quite a few events that have proven in practice that potential risks may be realized, leading to civil/criminal claims and damage to the reputation of companies, job-holders and service-providing hospitals. The risk management sector has received official recognition for its enormous importance in protecting human life and business performance. Companies that develop and/or manufacture medical devices and drug products are committed to identifying and documenting the risks involved in the development, production and marketing stages. The ability to identify, analyze and treat the various hazards is one of the high barriers to entry into the biomed sector. Even after obtaining marketing licenses for the target markets, the company will still be required to prove that it maintains a quality system, product change control and design control throughout the entire life cycle of the medical product, drug product or medical software.

Accepted risk management methodologies

There are several common methods for evaluating risks in the field of medical devices and pharma. Two main methodologies for risk management are:

Fault Tree Analysis (FTA)

This methodology is particularly useful in safety engineering and in the initial stages of developing a medical product, primarily for identifying and prioritizing hazardous situations and for analyzing side effects. At the core of the method is a hierarchical graphical diagram of possible failure factors, used to direct risk thinking and analysis systematically. The diagram analyzes each failure configuration while trying to identify its possible causes (hardware, software, human error, etc.). Failure factors identified are classified as primary factors and sub-factors. The analysis is performed “top down”: the starting event is called the “top event”. During this analysis, the medical product’s systems, subsystems, components, materials, assembly methods, software, etc. are examined. In the graphical description, the main event and the sub-events are linked by boolean operators (AND/OR gates) that define how the events combine and allow the probability of the top event to be examined. The analysis ultimately leads down to the level of the possible cause of the failure, at which risk control can be applied. The process exposes the components of the system in a systematic, visual and logical layout that is easy to understand. Conducting such an analysis requires a thorough technical understanding of and background in the medical product or device, its components and its systems.
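As an added illustration of the gate logic described above (this is example code written for this article, not a tool from any standard or vendor), the following Python evaluates a small constructed fault tree for a hypothetical infusion pump: AND/OR gates link basic events, the top-event probability is computed from assumed per-use probabilities, and the minimal cut sets show the level at which a risk control can be applied. All event names and probabilities are assumptions for illustration.

```python
import math
from dataclasses import dataclass, field
from typing import List, Union

# Constructed example: a small fault tree for a hypothetical infusion pump.
# Event names and probabilities are assumptions for illustration, not data
# from any real device or from the article.

@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float   # assumed per-use probability of this basic event

@dataclass
class Gate:
    name: str
    kind: str            # "AND" or "OR": the boolean operator linking the inputs
    inputs: List["Node"] = field(default_factory=list)

Node = Union[BasicEvent, Gate]

def basic_events(node: Node) -> List[BasicEvent]:
    """All leaves under a node, in tree order (duplicates included)."""
    if isinstance(node, BasicEvent):
        return [node]
    return [e for child in node.inputs for e in basic_events(child)]

def has_shared_events(node: Node) -> bool:
    """True if some basic event feeds more than one gate."""
    names = [e.name for e in basic_events(node)]
    return len(names) != len(set(names))

def top_event_probability(node: Node) -> float:
    """Probability of the top event from independent basic events.
    Gate-by-gate arithmetic is only valid when each basic event appears
    once in the tree, so that is checked first."""
    if has_shared_events(node):
        raise ValueError("shared basic events: use cut-set analysis instead")
    return _prob(node)

def _prob(node: Node) -> float:
    if isinstance(node, BasicEvent):
        return node.probability
    ps = [_prob(c) for c in node.inputs]
    if node.kind == "AND":             # every input must occur
        return math.prod(ps)
    if node.kind == "OR":              # at least one input occurs
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Smallest combinations of basic events that cause the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        sets = [s for lst in per_input for s in lst]
    else:  # AND: one cut set from each input, combined
        sets = [frozenset()]
        for lst in per_input:
            sets = [a | b for a in sets for b in lst]
    uniq = set(sets)
    # keep only sets that contain no smaller cut set
    return sorted((s for s in uniq if not any(o < s for o in uniq)),
                  key=lambda s: (len(s), sorted(s)))

def cut_set_probabilities(node: Node) -> dict:
    """Probability of each minimal cut set (product of its independent events).
    The largest one marks the level where a risk control pays off most."""
    p = {e.name: e.probability for e in basic_events(node)}
    return {cs: math.prod(p[n] for n in cs) for cs in minimal_cut_sets(node)}

# --- constructed tree: top event "wrong dose delivered" --------------------
SW_DEFECT  = BasicEvent("SW_DOSE_CALC_DEFECT", 0.001)
HW_LIMITER = BasicEvent("HW_DOSE_LIMITER_FAILS", 0.01)
OP_ENTRY   = BasicEvent("OPERATOR_ENTERS_WRONG_DOSE", 0.02)
OP_CONFIRM = BasicEvent("CONFIRMATION_SKIPPED", 0.1)
MOTOR      = BasicEvent("PUMP_MOTOR_RUNAWAY", 0.0001)

WRONG_DOSE = Gate("WRONG_DOSE_DELIVERED", "OR", [
    Gate("SOFTWARE_PATH", "AND", [SW_DEFECT, HW_LIMITER]),   # defect AND limiter fails
    Gate("OPERATOR_PATH", "AND", [OP_ENTRY, OP_CONFIRM]),    # wrong entry AND no confirmation
    MOTOR,                                                   # hardware runaway alone suffices
])

if __name__ == "__main__":
    print(f"P(top event) = {top_event_probability(WRONG_DOSE):.6f}")
    for cs, p in cut_set_probabilities(WRONG_DOSE).items():
        print(f"{p:.6f}  {sorted(cs)}")
```

Running the block ranks the operator path (wrong entry with the confirmation skipped) as the dominant cut set, which is where a control such as a mandatory dose confirmation would lower the top-event probability most. The shared-event check matters in practice: the same sensor or the same software component often feeds several gates, and multiplying gate probabilities as if they were independent then understates the risk.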

Failure Mode and Effects Analysis (FMEA)

The purpose of the FMEA process is to identify, analyze and evaluate risks, usually those associated with the development and production of a medical device, drug or medical product. Examples of risks assessed by FMEA are the risk of a non-quality product and its impact on patient health, risk analysis of medical software, computerized systems or applications, risk analysis of drug production infrastructure, risk analysis of production systems or equipment, the risk of non-conformance or deviation from production specifications, and analysis of risks that affect the safety of use of the planned or produced product. The goal of risk analysis in the FMEA methodology is to document and systematically analyze potential risks, and to quantify and rank them in order to set priorities for corrective and preventive actions, if any are required at all (depending on the level of risk). The FMEA process should be conducted with the most cross-functional team available (engineering, quality, safety, production, procurement, logistics, etc.), and as much data as possible should be gathered before the risk analysis so that decisions rest on a factual basis. The risk priority number (RPN) is determined by multiplying three parameters: severity, likelihood of occurrence and detection. For the most part, risks rated medium or high should be addressed. The identified risks are treated by defining corrective actions and preventive actions and by adding appropriate and effective risk controls. The main outputs of the FMEA process are:

  • Identification of risks and failures
  • Reduction in the severity of the consequences of a failure
  • Reduction in the probability of a failure
  • Improved ability to detect a failure in a timely manner
  • Treatment of only those failures and risks in the relevant rankings
  • Definition of corrective and preventive actions, with monitoring and evaluation of their effectiveness
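To make the RPN mechanism concrete, here is an added worked example (written for this article, not the procedure of any standard or company): a constructed FMEA register for a hypothetical infusion pump software module, rated on the three parameters, ranked by RPN, re-rated after assumed corrective actions, and checked for effectiveness. The thresholds, items, ratings and controls are all assumptions for illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed FMEA register for a hypothetical infusion pump software module.
# Items, ratings, thresholds and controls are assumptions for illustration.

LOW_MAX = 39      # RPN <= 39  -> low    (assumed threshold)
HIGH_MIN = 100    # RPN >= 100 -> high   (assumed threshold)

@dataclass(frozen=True)
class FailureMode:
    item: str
    failure_mode: str
    effect: str
    severity: int     # 1 (negligible) .. 10 (death or serious injury)
    occurrence: int   # 1 (remote) .. 10 (almost certain); the likelihood rating
    detection: int    # 1 (always caught before harm) .. 10 (undetectable)

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be 1..10, got {value}")

def rpn(fm: FailureMode) -> int:
    """Risk priority number: the three ratings multiplied together."""
    return fm.severity * fm.occurrence * fm.detection

def rating(fm: FailureMode) -> str:
    value = rpn(fm)
    if value >= HIGH_MIN:
        return "high"
    if value > LOW_MAX:
        return "medium"
    return "low"

def rank(register: List[FailureMode]) -> List[FailureMode]:
    """Highest RPN first; ties broken by severity, so an equal RPN made of a
    severe but rare failure is not buried below a mild but frequent one."""
    return sorted(register, key=lambda fm: (rpn(fm), fm.severity), reverse=True)

def needs_action(fm: FailureMode) -> bool:
    """Medium and high ratings are treated; low ones are recorded only."""
    return rating(fm) != "low"

def apply_controls(fm: FailureMode, *, occurrence: Optional[int] = None,
                   detection: Optional[int] = None,
                   severity: Optional[int] = None) -> FailureMode:
    """The failure mode re-rated after corrective/preventive actions.
    Controls usually lower occurrence (prevention) or detection (checks);
    severity only drops if the design itself changes."""
    new = dict(occurrence=occurrence, detection=detection, severity=severity)
    return replace(fm, **{k: v for k, v in new.items() if v is not None})

def effectiveness(before: FailureMode, after: FailureMode) -> dict:
    """Evidence for the effectiveness review: the RPN must drop and the
    residual risk must no longer need action."""
    return {
        "item": before.item,
        "rpn_before": rpn(before),
        "rpn_after": rpn(after),
        "reduced": rpn(after) < rpn(before),
        "residual_acceptable": not needs_action(after),
    }

# --- constructed register (S, O, D ratings are assumed) --------------------
DOSE_CALC = FailureMode("dose calculation module", "unit mix-up (mg vs mcg)",
                        "overdose delivered", 10, 3, 6)
FW_UPDATE = FailureMode("firmware update", "update package accepted without integrity check",
                        "unintended code runs on the pump", 9, 2, 8)
ALARM     = FailureMode("user interface", "occlusion alarm not audible",
                        "delayed response to a blocked line", 7, 4, 3)
AUDIT_LOG = FailureMode("event logging", "audit record lost on power cycle",
                        "traceability gap in complaint investigation", 3, 2, 2)
REGISTER = [DOSE_CALC, FW_UPDATE, ALARM, AUDIT_LOG]

# Assumed corrective actions, re-rated by the review team
CONTROLLED = {
    DOSE_CALC: apply_controls(DOSE_CALC, occurrence=1, detection=2),  # unit-typed values + independent plausibility check
    FW_UPDATE: apply_controls(FW_UPDATE, occurrence=1, detection=1),  # signed packages verified before install
    ALARM:     apply_controls(ALARM, occurrence=2, detection=2),      # redundant alarm path + start-up self-test
}

def review(register=REGISTER, controlled=CONTROLLED) -> List[dict]:
    """Effectiveness summary for every failure mode that needed action."""
    return [effectiveness(fm, controlled[fm]) for fm in rank(register) if needs_action(fm)]

if __name__ == "__main__":
    for fm in rank(REGISTER):
        print(f"{rpn(fm):4d} {rating(fm):6s} {fm.item}: {fm.failure_mode}")
    for row in review():
        print(row)
```

The tie-break on severity in `rank` is a deliberate design choice: a product of three ratings hides which factor drives it, and a severity-10 failure with RPN 60 deserves earlier attention than a severity-2 failure with the same RPN. The `effectiveness` output is the kind of record an auditor expects alongside each corrective action.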

Summary and Conclusions

Risk management is primarily part of the quality culture that must be assimilated among the company’s employees and managers. The risk management approach, as part of the quality system in companies manufacturing medical devices, medical equipment and software, is proactive and preventive, strives for continuous improvement, and thus constitutes an important part of quality management in the organization. Risk management is a broad organizational activity that combines the different disciplines to identify, investigate, minimize and control the risks and potential damage to the company. Risk management is a regulatory requirement that appears in the requirements of the Israeli Ministry of Health, the EU and the FDA, and also in ISO 13485, and it is an effective tool in the quality audits and periodic audits carried out at pharma and medical companies. Failure to pass periodic audits in general, and risk management/assessment audits in particular, will prevent the company from supplying its medical products, drugs and medical devices to the target countries and markets, and will endanger consumers and/or patients.

The bottom line is that proper risk management in a company that develops and/or manufactures medical devices and medical products, besides protecting the health and safety of the company’s customers, will contribute to its profitability and prevent long-term business shocks.

About Cannabis GxP consultancy

Cannabis GXP is proud to stand at the forefront of the Cannabis industry in Israel and worldwide thanks to many years of experience in these areas.

Our team is compelled to spread the message of the importance of cannabis science, regulation, and standardization as the world enters a new era of cannabis legislation.

We aim to position our clients with their best foot forward when it comes to anything and everything cannabis related.

Our vast expertise allows us to assist companies in a wide range of services and needs. This includes anything from Cannabis R&D, growing and manufacturing, new product development, facility design, technology, Quality Assurance, Good Practices (GAP/GMP/GLP/GDP/GCP), staff training and local and global regulations.

Cannabis GxP is a subsidiary company of Bio-Chem Ltd. (2007), a consultancy firm for the Pharmaceutical field, Medical Devices, Cosmetics, and food supplements industry based in Israel.

Our cannabis consultancy services include:

  • Product development, delivery system & clinical trials
  • Growing, Manufacturing and Lab Facilities Design
  • Quality Assurance and Good Practices (GxP)
  • Cultivation & Product Manufacturing Technology
  • New product Regulations and Submissions
  • Qualification & Validation
  • Risk Assessment
  • Staff training

If you need one or several of our services, we will be more than happy to assist.

Please do not hesitate to contact us for further information.