Risk Assessment and Risk Management in the Medical and Pharmaceutical Industries

The medical and pharmaceutical industries are involved in new product development and manufacturing of medicines, medicinal products, biological products, medical devices, and combination products. Risk management is a regulatory requirement that medical and pharmaceutical companies must apply as part of a risk-based approach to product, process, and change implementation.

Harm to human life, injuries, and side effects, as well as loss of company reputation and business risks, should be minimized.

Risk management is an important factor for biomedical companies that develop, manufacture, supply, and import medical devices and pharmaceuticals. In our experience, we are aware of several cases where potential risks were realized, leading to civil/criminal lawsuits against specific employees and whole companies alike.

The risk management sector has justly received official recognition for its enormous importance in protecting human life and business performance, as well as brand sustainability. The following article will clarify the basic terms used in risk management, explain their importance, and discuss common risk management methodologies.



Risk management is mandatory in the medical device and pharmaceutical industries when applying GMP principles. The requirement is defined in the FDA quality system regulation (21 CFR Part 820 for medical devices), ISO 13485, ISO 14971 (which describes how to establish, document, and maintain a risk management process for medical devices), ISPE guidance documents, and even in the ISO 9001:2015 revision, which requires risk-based thinking throughout the quality management system.

The organization shall document its risk management requirements and keep them current on the basis of product information and accumulated experience. Product risk management processes must be documented, auditable, and supported by records kept in accordance with regulatory requirements.

This article discusses several aspects of risk management in companies that develop and manufacture medical devices (medical devices, medical products, software, mobile applications, etc.) and pharmaceutical products.

Definition of Risk


The definition of risk depends on the industry and the activity with which the risk is associated. In project management, for example, a realized risk may mean noncompliance, budget overrun, lawsuits, or business loss.

On the other hand, in medical/pharmaceutical areas, which deal with the development and manufacture of medical devices and drug products, risk management will focus on how to prevent injury to life, harm to the health of patients and other users, side effects, recalls or market withdrawals, business risks, company reputation, and brand sustainability.

Basic Terms of Risk Management

  • Harm: Injury or damage to the health of people, or damage to property or the environment
  • Hazard: A potential source of harm
  • Hazardous situation: Circumstances in which people, property, or the environment are exposed to one or more hazards
  • Intended use: The use for which a product, process, or service is intended according to the manufacturer’s specifications, instructions, and information; design verification and validation are performed against this intended use
  • Medical Device: Any instrument, apparatus, machine, implant, medical software, mobile application, material, or accessory intended by the manufacturer for a medical purpose in humans or animals (alone or in combination with drug products)
  • Risk: The combination of the probability of occurrence of harm and the severity of that harm
  • Risk analysis: The systematic use of available information to identify hazards and estimate the risk
  • Risk assessment: The overall process comprising risk analysis and risk evaluation
  • Risk control: The process in which decisions are made and measures implemented to reduce risks to, or maintain them within, specified levels, with ongoing monitoring of the measures’ effectiveness
  • Safety: Freedom from unacceptable risk
  • Severity: A measure of the possible consequences of a hazard
  • Residual Risk: The risk remaining after risk control measures have been implemented
  • Likelihood: The probability that a particular hazardous situation or harm will occur
  • Detection: The probability that a failure or hazard is identified before it causes harm (in FMEA, scored so that a high value means poor detectability)
  • FDA: The US Food and Drug Administration, an agency within the US Department of Health and Human Services. The FDA regulates food, drugs for humans and animals, cosmetics, medical devices, radiation-emitting electronic products, biological products (including blood products), and tobacco products in the United States.

What is Risk Management?


The basic definition of risk management is the systematic application of various policies, procedures, and techniques for conducting risk analysis, assessment, control, and monitoring. Risk management is a very important part of the quality management system.

There is a basic regulatory requirement for the implementation of this methodology, mainly in the design, implementation, and control stages of the development of medical devices and drug products before product registration and marketing approval.

The risk management process includes identifying each potential risk, analyzing how it may occur and what its expected consequences are, estimating the relative probability of occurrence, and estimating the probability that the risk will be detected before harm occurs.

Assessing the risk of occurrence of any hazard depends on the relative probability of its occurrence and what the consequences of the damage (the severity of the damage) may be.

Once the risk assessment has been performed, as part of the risk management process, we will define the methods to be used to control, manage and mitigate the risk by reducing it to the minimum possible. It should be emphasized that if risk can be eliminated, this is the best option, since if risk does not exist then we do not need to use resources to minimize it.

Risk Management – How Did It Start?


Managing risks began in the 1920s, but risk management as it is known today began to develop only after World War II and was formally established in the 1960s. The field of risk management was first developed in the insurance and finance sectors. Risk management was prevalent mainly among private companies as a result of the need to perform assessments and estimate risks.

In contrast to private companies, government agencies lagged behind the private market in adopting risk management methodology. Apparently, the main reason for this was the conservatism that characterizes these bodies in adopting management and innovation methodologies.

The risk of medical activity and the legal liability of a caregiver towards a patient, in particular, and treating society in general, was already recognized in antiquity. Hammurabi’s code of laws set penalties for a doctor whose treatment was unsuccessful.

Medical professionals also began to recognize the fact that they could cause injury to patients and that they bore professional responsibility for this, and therefore set their own ethical rules. The best known are the Hippocratic Oath and the maxim “first, do no harm” (Latin: primum non nocere), which is attributed to the Hippocratic tradition although the Latin phrase itself does not appear in the oath.

In the 20th century, there was a significant increase in the levels of public expectation of doctors and health systems, but it was still clear to all that absolute prevention of risk/damage involved in medical treatment was not possible, and that a significant or total reduction of potential damage was often impossible or very expensive and therefore impractical.

Medical risk management systems were initially developed mainly in the United States, in response to the significant increase in the number of lawsuits related to medical malpractice and the high costs involved in providing compensation to those who incurred damage. The development of the field of medical risk management derived mainly from the following factors:

  • The development of the medical industry – The medical sector has been characterized by dynamism and accelerated development over the last century. Studying the risks that naturally accompany this development is therefore essential as well.
  • The development of medical systems and organizations – Management systems of medical organizations are often complex and cumbersome systems that include, inter alia, large teams, organizational processes, multiple systems, technological infrastructures, and service to a variety of different fields and customers, which increase risks and exposure to risk and damage.
  • Competition in the free market – The transformation of the health sector into a mass and industrialized sector, directed not only for the purpose of healing diseases among a small population but also for prevention, diagnosis, aesthetics, quality of life, and leisure, has led to an increase in the scope of advertising and information disseminated to a large number of patients and clients. The public’s awareness of the existence of medical products, treatments, and medical procedures has grown tremendously and has gone beyond defining the target audience of “patients” to a target audience of “customers.” The expectation among customers for professional service and minimal side effects, damages, and mental distress is constantly on the rise.
  • Society awareness and law system – The involvement of clients and patients in the details of medical procedures, the imposition of legal liability on medical service providers, strict auditing systems, the internet information revolution, and many law firms specializing in medical malpractice cases and public advocacy for civil suits, have all increased the need for risk management.

The US has been the pioneer in the field, with the first steps towards formal quality requirements taken as early as 1912. At the end of the third Clinical Congress of Surgeons of North America (1912), the surgeons called for the standardization of hospitals and medical equipment to improve the quality of care; the American College of Surgeons (ACS) was founded the following year to pursue this goal.

In 1917, the ACS published its Minimum Standard for Hospitals and required medical organizations to monitor and supervise the quality of their own functioning. About a year later, a hospital standardization program was set up to support and advise on how to meet these requirements. By the 1950s, other medical organizations and about half of all US hospitals had joined this program.

In 1951, the ACS, together with other medical associations, established the Joint Commission on Accreditation of Hospitals, renamed the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) in 1987 and known today as The Joint Commission. It is a national institution that continues to serve as the central accrediting body in the management of medical risks in the US.

The first JCAHO standards were published in 1953. They were based on the original standards of the College of Surgeons and focused on the health system, equipment, and the supervision of physicians’ knowledge and certification in the various treatment areas, in order to reduce the potential risks.

The development of hospital risk management systems can be attributed mainly to the medical malpractice claims crisis that broke out in the mid-1970s in the United States. To understand the causes of the crisis and propose ways to solve it, committees were established by the federal government, physicians’ organizations, and the American Bar Association.

The main recommendation of all the committees was to develop a plan for the prevention of risks and damages of medical treatments that would be binding on any medical institution.

Over the years, the US has encountered quite a few legal and social obstacles, and these led to the institutionalization of the requirements and the development of systems for the control of risks. As stated, the significant change in the area of risk management came in the wake of the medical claims crisis and was led by the hospitals.

The change was motivated by a number of factors – insurance, legislative, judicial, and research. Clinical risk management is now an integral part of any medical system in the United States.

During its development, risk management has undergone major changes: from an activity aimed at reducing the risk of financial loss, it became an important component of quality assurance and a policy instrument. Today, many manufacturers and suppliers of medical devices, medical equipment, and drugs target their products at the US market.

Without the adoption of the requirements and the implementation of American regulation in the field, they could not supply the goods to this market. Risk management in medical companies is a critical step in obtaining the required licenses for the marketing of medical devices in the US and worldwide.

The Importance of Risk Management


Risk management is a major and essential factor for the success of a company that develops and/or manufactures medical devices, medical products, or other regulated products.

Past experience, including quite a few events in which a potential risk was realized in practice, has shown that civil and criminal claims and damage to the reputation of companies, job-holders, and service-providing hospitals are real possibilities. The risk management sector has therefore been officially recognized for its enormous importance in protecting human life and business performance.

Companies that develop and/or manufacture medical devices and drug products are committed to identifying and documenting the risks involved in the development, production, and marketing stages. The ability to identify, analyze and treat various hazards is one of the high barriers to entry into the biomed sector.

Even after obtaining the marketing licenses for the target markets, the company will still be required to prove that it maintains a quality system, controls the product change process, and has design control throughout the entire life cycle of the medical product, drug product, or medical software.

Accepted Risk Management Methodologies


There are several common methods for evaluating risks in the field of medical devices and pharma. Two main methodologies for risk management are:

Fault Tree Analysis (FTA)


This methodology is particularly useful in the field of safety engineering and in the initial stages of developing a medical product, primarily for the purpose of identifying and prioritizing hazardous situations and analyzing side effects.

At the core of the method is a hierarchical diagram of the possible causes of failure, which directs risk thinking and analysis systematically. The diagram analyzes each failure mode by trying to identify its possible causes (hardware, software, human error, etc.). The causes identified are classified as primary causes and contributing sub-causes.

The analysis proceeds from the top down: the undesired outcome being analyzed is called the “top event”, and the analysis descends through the product’s systems, subsystems, components, materials, assembly methods, software, etc., to find what could bring it about.

In the diagram, the top event and the intermediate events are connected to their causes through Boolean logic gates (typically AND and OR), which also allow the probability of the top event to be estimated from the probabilities of the basic events. The analysis ultimately reaches the level of the basic causes of failure, at which risk controls can be applied.

The process lays out the components of the system in a systematic, graphical, and logical form that is easy to understand. Conducting such an analysis requires a thorough technical understanding of the medical device, its components, and its systems.
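As an added illustration (not part of the original article), the following Python code builds a small fault tree for a hypothetical infusion pump, computes the probability of the top event from the basic-event probabilities through AND/OR gates, and derives the minimal cut sets, which is how the analysis points at the level where a risk control should be applied. The device, event names, and probabilities are constructed for the example and are not data from any real product.

```python
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass(frozen=True)
class BasicEvent:
    """A leaf of the tree: a root cause with an estimated probability per use."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """An intermediate or top event, combining its inputs with AND or OR logic."""
    name: str
    kind: str           # "AND" or "OR"
    inputs: tuple       # BasicEvent or Gate instances


def probability(node):
    """Probability of the event at `node`, assuming the basic events are
    statistically independent and no basic event appears twice in the tree."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)                     # all inputs must occur
    if node.kind == "OR":
        return 1 - prod(1 - p for p in ps)  # at least one input occurs
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node):
    """Smallest sets of basic events that together cause the event at `node`.
    Each one is a path a single added control can remove entirely."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "OR":                   # any input's cut set is a cut set
        sets = [cs for group in child_sets for cs in group]
    elif node.kind == "AND":                # one cut set from every input, combined
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    unique = set(sets)                      # drop duplicates and non-minimal supersets
    return sorted((s for s in unique if not any(o < s for o in unique)),
                  key=lambda s: (len(s), sorted(s)))


def cut_set_probability(cut_set, events):
    """Probability that every basic event in the cut set occurs (independence assumed)."""
    return prod(events[name].p for name in cut_set)


def build_example_tree():
    """Constructed example for an infusion pump: the top event is an overdose
    reaching the patient. Names and probabilities are illustrative only."""
    events = {name: BasicEvent(name, p) for name, p in [
        ("software_dose_bug", 1e-4),        # dose computed incorrectly
        ("no_dose_limit_check", 1e-2),      # independent hard-limit check absent or disabled
        ("operator_entry_error", 1e-3),     # wrong value typed in
        ("confirm_screen_bypassed", 5e-2),  # confirmation step skipped
        ("pump_motor_fault", 1e-5),         # hardware delivers more than commanded
    ]}
    top = Gate("overdose_delivered", "OR", (
        Gate("wrong_dose_uncaught", "AND",
             (events["software_dose_bug"], events["no_dose_limit_check"])),
        Gate("entry_error_uncaught", "AND",
             (events["operator_entry_error"], events["confirm_screen_bypassed"])),
        events["pump_motor_fault"],
    ))
    return top, events


def dominant_cut_set(node, events):
    """The cut set contributing most to the top event: the first place to apply risk control."""
    return max(minimal_cut_sets(node), key=lambda cs: cut_set_probability(cs, events))


if __name__ == "__main__":
    top, events = build_example_tree()
    print(f"P({top.name}) = {probability(top):.3e}")
    for cs in minimal_cut_sets(top):
        print(f"  {sorted(cs)}: {cut_set_probability(cs, events):.1e}")
    print("dominant:", sorted(dominant_cut_set(top, events)))
```

In this constructed tree the operator-error path dominates the top-event probability, so the first control to add would be one that makes the confirmation screen harder to bypass, not a fix to the (rarer) software path. The gate-by-gate probability formula is only valid when each basic event appears once in the tree; if the same root cause feeds several gates, the probability must instead be computed from the minimal cut sets with the shared event handled explicitly.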

Failure Mode and Effects Analysis (FMEA)


The purpose of the FMEA process is to identify, analyze, and evaluate risks, often associated with the development and production of a medical device, drug, or medical product.

Examples of risks assessed by FMEA are non-quality product risk and its impact on patient health, risk analysis of medical software, computerized system or application, risk analysis of drug production infrastructure, risk analysis of production system or equipment, risk of nonconformities or deviations, production specifications deviation and analysis of risks that affect the safety of users of the planned or produced product.

The goal of risk analysis in the FMEA methodology is to document the potential risks systematically, and to quantify and rank them in order to set priorities for corrective and preventive actions, if these are required at all (depending on the level of risk).

The FMEA process should be conducted by a team drawn from as many disciplines as possible (engineering, quality, safety, production, procurement, logistics, etc.), and as much data as possible should be gathered before the analysis so that decisions rest on a factual basis.

The risk priority number (RPN) is the product of the severity, occurrence, and detection scores assigned to each failure mode. For the most part, risks rated medium or high should be addressed; a failure mode with a very high severity score deserves attention even when its RPN is low, because a low RPN can hide a rare but catastrophic outcome. The identified risks are treated by defining corrective actions, preventive actions, and additional appropriate and effective risk controls. The main outputs of the FMEA process are:

  • Identification of risks and failures
  • Reduction in the severity of the result of a failure
  • A reduction in the probability of failure
  • Improve the ability to identify a failure in a timely manner
  • Treatment of failures and risks in relevant rankings only
  • Defining corrective and preventive actions while monitoring and evaluating the effectiveness
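The following Python code is an added example (not from the original article) of the FMEA ranking and disposition steps described above: each constructed worksheet row is scored on the common 1..10 severity, occurrence and detection scales, RPNs are computed and ranked, a decision policy picks which rows get corrective action, and a row is re-scored after a control to show the residual risk. The failure modes, the scores, and the RPN thresholds are assumptions made for the example, not values from any standard or product.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    """One row of an FMEA worksheet. Scores use the common 1..10 scales:
    severity 1 = negligible .. 10 = death or serious injury;
    occurrence 1 = remote .. 10 = almost certain;
    detection 1 = certain to be caught before harm .. 10 = effectively undetectable."""
    item: str
    mode: str
    effect: str
    severity: int
    occurrence: int
    detection: int

    def __post_init__(self):
        for field_name in ("severity", "occurrence", "detection"):
            value = getattr(self, field_name)
            if not 1 <= value <= 10:
                raise ValueError(f"{field_name} must be 1..10, got {value}")

    @property
    def rpn(self) -> int:
        """Risk priority number: severity x occurrence x detection (range 1..1000)."""
        return self.severity * self.occurrence * self.detection


# Constructed decision policy (assumed, not from any standard): medium/high RPN gets
# reduced, and a catastrophic severity is never waved through on a low RPN alone.
HIGH_RPN = 200
MEDIUM_RPN = 100
CATASTROPHIC_SEVERITY = 9


def rating(fm: FailureMode) -> str:
    if fm.rpn >= HIGH_RPN:
        return "high"
    if fm.rpn >= MEDIUM_RPN:
        return "medium"
    return "low"


def disposition(fm: FailureMode) -> str:
    """What the team must do with this row:
    'reduce'  - medium/high RPN: define corrective/preventive actions or added controls
    'justify' - low RPN but catastrophic severity: document the risk/benefit acceptance
    'accept'  - low RPN and non-catastrophic: no action beyond recording it"""
    if rating(fm) != "low":
        return "reduce"
    if fm.severity >= CATASTROPHIC_SEVERITY:
        return "justify"
    return "accept"


def rank(modes):
    """Highest RPN first; ties broken by severity so the more dangerous row leads."""
    return sorted(modes, key=lambda fm: (-fm.rpn, -fm.severity))


def apply_control(fm: FailureMode, **rescored) -> FailureMode:
    """Re-score a row after a control is added (e.g. detection=2 for an independent
    check). The caller states which factor the control changed; the result is the
    residual risk, which is evaluated again rather than assumed acceptable."""
    return replace(fm, **rescored)   # re-runs __post_init__, so out-of-range scores are rejected


def example_modes():
    """Constructed FMEA rows for a hypothetical dose-calculation app with a connected pump."""
    return [
        FailureMode("Dose calculator", "mg/mcg unit mismatch", "10x overdose", 10, 3, 6),
        FailureMode("Pump firmware", "Occlusion alarm suppressed", "Delayed therapy", 7, 4, 8),
        FailureMode("User interface", "Dose font too small on confirm screen",
                    "Operator misreads dose", 6, 5, 7),
        FailureMode("Labeling", "Wrong page number in IFU index", "None", 1, 4, 2),
        FailureMode("Allergy check", "Check skipped when allergy list is empty",
                    "Contraindicated drug ordered", 9, 1, 9),
    ]


if __name__ == "__main__":
    for fm in rank(example_modes()):
        print(f"{fm.rpn:4d} {rating(fm):6s} {disposition(fm):7s} {fm.item}: {fm.mode}")
    residual = apply_control(example_modes()[0], detection=2)
    print("residual:", residual.rpn, disposition(residual))
```

Two points the numbers make: the allergy-check row has an RPN of only 81, yet a plain RPN cut-off would drop a severity-9 failure mode, which is why the policy forces a documented justification; and adding an independent dose-limit check to the unit-mismatch row lowers its RPN from 180 to 60 without changing its severity, so the residual risk still has to be formally accepted rather than silently closed.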

Summary and Conclusions


Risk management is primarily a part of the quality culture that must be assimilated among the company’s employees and managers. The risk management approach, as part of the quality system in companies manufacturing medicinal products, medical devices, medical equipment, and software, is proactive and preventive, striving for continuous improvement and thus constitutes an important part of quality management in the organization.

Risk management is a broad organizational activity that combines the different disciplines to identify, investigate, minimize, and control the risks and potential damage to the company.

Risk management is a regulatory requirement of the Israeli Ministry of Health, the EU, and the FDA, and also appears in ISO 13485; it is an effective tool in the quality audits and periodic audits carried out at pharma and medical companies.

Failure to comply with periodic audits in general, and with risk management and risk assessment in particular, will prevent the company from supplying its medical products, drugs, and medical devices to the target countries and markets and potentially endanger consumers and/or patients.

The bottom line is that proper management of risks in a company that develops and/or manufactures medical devices and medical products, besides protecting the health and safety of the company’s customers, will also contribute to the company’s profit line and prevent long-term business shocks.

