Risk Management in the Medical Device Lifecycle: Development and Testing  

Executive Summary: Risk management is the backbone of your medical device product development lifecycle—a process for turning risk into a value-added type of activity. To help you understand the key role risk management has throughout the entire product lifecycle, we talked with a number of experts coming from Greenlight Guru and HTEC Group who were eager to share their experiences and thoughts on this highly relevant topic. This is the second in the series of blogs that will dive deeper into managing risk throughout three key stages of medical device development: Discovery and Prototyping, Design and Manufacturing, and Post-market activities. 

Why is risk management an imperative in the development and testing stage of the medical device lifecycle? What are risk management best practices, and how will they evolve and impact medical devices of the future?  

We caught up with Greenlight Guru’s MedTech gurus Laura Maher and Kendyl Williams and HTEC’s MedTech experts Milos Cigoj, Hristina Panovska, and Danijela Nestorovic to hear their perspectives.  

How is risk assessment executed throughout the product design and development phase? 

Risk assessment is a living process. It’s one of the first things you should do if you know your device’s user needs. You need to incorporate risk throughout the entire product lifecycle, from your initial design and any redesign all the way through planning the whole product development process.  

Laura explains,  

“Risk Management should be a constant companion throughout the journey — a tool you’re using to be successful versus a checkbox activity. However, not everybody approaches it that way.” 

It’s important to start risk management as soon as you initiate the development process. Then you can make changes and record them in your risk matrix, which you can always edit because it is a living document. Kendyl explains,

“Before signing off on your risk management file, you need to make sure you’ve tested and verified everything, your mitigations are in place, and your controls are doing what they’re intended to do. But I would also say all companies handle risk differently. It’s not necessarily a one-size-fits-all activity — it depends on what you’re making, your team’s experience, and your team’s bandwidth.”

In Laura’s view, there’s no set approach or wrong way of doing risk management; ISO 14971 outlines several tools you can utilize in your approach to risk management. She continues,

“Sometimes it’s frustrating when things are not prescriptive in how to do them. At its core, risk management is a beautiful thing. All you need to do is figure out the best way to approach it for your device and team. As long as you can meet the intent of the standard, you’re good.” 


“Risk Management should be a constant companion throughout the journey — a tool you’re using to be successful versus a checkbox activity. However, not everybody approaches it that way.”

– Laura Maher

MedTech Guru at Greenlight Guru

Is a solid design control in place a substitute for Risk Management?  

Some companies treat design controls and risk management as related but separate processes. Design controls and risk management are two crucial but different components of a successful product development process, especially in industries such as healthcare, where safety and reliability are critical. They should not, however, be viewed as substitutes for one another but rather as complementing processes. 

Milos points out,  

“While a strong design control process can help reduce certain risks by ensuring that the product is properly designed, tested, and validated, it cannot substitute a full risk management strategy. Risk management extends beyond design and includes sectors like manufacturing, distribution, and post-market use. It offers a comprehensive approach, evaluating not only the product itself but also how the product interacts with different user groups and contexts.”

Danijela adds that while not all risks can be eliminated, they can certainly be reduced, and there should be a clear plan of action in case they occur. The documentation should also clearly reference product-related risks and how they affect design so we can have it ready for the intended use. 

What are the risk management best practices product engineering teams should consider both before and during the development cycle? 

To make sure they are on the right track from the start, engineers must understand and stick to control processes, including design input, design output, design verification, design validation, and design change control. The design should not only meet user and regulatory requirements; it should also allow you to manufacture at scale and maintain over time. Milos says,  

“Identifying potential hazards associated with the device, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls while keeping track of cybersecurity and privacy measures should be at the core of the engineering team’s daily operations rather than a one-man job assigned to a QA colleague.”  

Hristina points out that technical teams need to be aware of the responsibilities they have regarding regulatory requirements and that everyone involved is a contributor. Given that their primary valued skills are in the engineering scope, they can easily end up siloed away from the regulatory compliance activities. 

To avoid this, you should establish a cross-functional collaboration between every stakeholder, educate them, and help them align with business goals, regulatory requirements, and product decisions.


“Given that the primary valued skills of technical teams are in the engineering scope, they can easily end up siloed away from the regulatory compliance activities. This is why they need to be aware of the responsibilities they have regarding regulatory requirements and keep in mind that everyone involved is a contributor.”

– Hristina Panovska

Engineering and Delivery Lead at HTEC Group

How do you prioritize risk management throughout product development? 

Risk management is an unbreakable connection between all the stages of product development for the medical device industry.  

The risks involved include design flaws, usability issues, system errors, data security and privacy weaknesses, manufacturing non-conformity, and so on.

Milos highlights that “it’s not so much about prioritizing risk management at different stages; it’s more about ensuring that it’s woven into each stage of the process. But be mindful that the focus of risk management activities can shift as the product moves through different stages of development.”

This is where you should develop and nurture a collective effort mindset. When you approach risk from multiple perspectives and expertise angles, it will produce robust risk assessments and mitigation plans.

Danijela recalls the time when their team encountered a serious risk during the prototyping of a medical device and explains how they managed it: 

“During the prototyping of improving the existing medical device, we identified a risk that was a potential deal breaker. Due to this risk and testing of the external factors, we figured out, in the early stage, how to pivot the improved product and create a new prototype that was a better market fit and easier to build.”


“It’s not so much about prioritizing risk management at different stages; it’s more about ensuring that it’s woven into each stage of the process. But be mindful that the focus of risk management activities can shift as the product moves through different stages of development.”

– Miloš Cigoj

Healthcare and life science Quality and Compliance Lead at HTEC Group

How does Greenlight Guru’s Risk Solutions help MedTech companies manage risk in medical product development and design?  

Greenlight Guru’s risk management solution gives customers a starting point. Given that half of the battle with risk is just how to put together the file, this new solution simplifies the entire process by providing you with a new risk workspace with harms already built in. This way, you already have an overview of the potential risks, which allows you to work backwards when you assess risk. Laura adds,

“The fact that it is a standalone risk workspace and not a part of the project workspace also helps because risk doesn’t have to be tied to a project. Greenlight Guru’s solution allows you to start managing the process before you even have a project in place or start your design. You can update risk without making changes to your project even during the post-market phase and continue your journey.” 

Kendyl explains that a lot of customers said they feel a lot more comfortable with this delineation, letting it be standalone just because people do their risk files in different ways. In essence, this gives you a lot more power to do risk and keep everything straight.  

Plus, AI-powered Risk Intelligence integrated into the solution is a great tool for the beginning of this journey. It provides the necessary data to predict the most relevant risks for your devices, improve your work and make informed decisions quickly.   

How can a Risk Management solution help companies make sure their documentation reflects all the actual risks in the production stage? 

While risk management is a total lifecycle process, MedTech organizations seem to have the tendency to forget about their risk management efforts once a product is launched. Greenlight Guru’s Risk Management solution helps you stay on top of all the actual risks during production. How?  

Laura and Kendyl agree on the four key aspects of the Risk Management solution that help MedTech companies keep track of risks during the production stage:

What are the strongest cybersecurity risk controls, and what will the cybersecurity of connected medical devices involve in the future? 

With the increasing reliance on digital technologies and the widespread adoption of Internet of Things (IoT) devices, security now needs a seat at the design table, accompanied by its own list of requirements. 

Hristina explains that, 

“Authentication mechanisms and access controls, secure communication, encryption and data protection (both at rest and in transit), updates and patch management (both for legacy and third-party components), security audits and testing are some of the base mechanisms that set a solid ground for security.”

Additionally, in the complex and dynamic field of security, it is essential to prioritize transparency and visibility within systems. Achieving this requires automation to keep track of the ever-evolving landscape effectively. She continues,  

“Continuous monitoring is an integral part of a comprehensive security strategy, helping organizations proactively identify and address security risks, protect critical assets, and ensure the ongoing security of the medical connected devices.”

Milos Cigoj believes that the following cybersecurity risk controls will have the biggest impact:  

  • Security training is necessary because humans are the weakest element in this equation. Without sufficient engineering team training, it would be difficult for them to assess the attack surface properly. They may also overengineer and overprotect assets to the point where availability is jeopardized. It is critical that others, such as UX experts, are trained in IT security to maintain a healthy balance between asset security, privacy, and availability.
  • Encryption. Without encryption, it is impossible to protect data in flight and at rest. Role-based access and control are frequently assumed to be obvious, although this is not always the case. Designing the application logic and information flow in a way that allows data processing to be restricted to a need-to-know basis protects legitimate users from unintentional data leaks and makes life more difficult for malicious individuals.    
  • Autonomous data backup techniques, tried-and-true disaster recovery strategies, and proactive monitoring and patching. If we do our homework on these points, we will be prepared for success since we will always have a point-in-time recovery, automatic and proven service restoration, up-to-date IT resources, as well as the ability to predict potential future difficulties before they occur. 

“We need to embrace the technology that we have to improve risk management. At the end of the day, we’re talking about things that impact people’s lives, and anything we can do to make that process easier or more accurate is going to be good for the future.”

– Kendyl Williams

MedTech Guru at Greenlight Guru

How will risk management change in the future? 

As we enter a new decade and medical devices are becoming more complex and more embedded in our everyday lives, risk management practices might also change.  

According to Laura, AI helps manage risk and is going to become a bigger part of this process.   

However, Milos adds that the rise of AI in medical devices and healthcare poses new challenges. Traditional risk management techniques may not fully apply to AI algorithms, particularly those that “learn” after implementation. To appropriately analyze and control these risks, new approaches may need to be created.  

HTEC Group can act as a proactive industry player and a trusted partner, advocating for best practices and building modern tools for managing risks associated with the use of medical devices. Danijela explains,  

“HTEC’s deep tech knowledge and expertise in various tech areas, as well as specialized industry domains, allow us to address complex technological challenges while ensuring the development of safe medical products ready for their intended use. We propose that certain aspects of the process can be automated and predefined, providing a good foundation for implementing AI.”

Kendyl also points out that it is critical to be proactive rather than reactive. Taking different factors into account, such as the environment of your product and where it is going to be used, will affect what the risks will look like. Also, new standards will have an enormous impact on risks and all the things to consider during the process, leading to the creation of new risks.  

Given that there’s much information out there, as well as the growing need for its connectivity, we need to embrace the technology that we have to improve risk management. At the end of the day, we’re talking about things that impact people’s lives, and anything we can do to make that process easier or more accurate is going to be good for the future. 


“HTEC’s deep tech knowledge and expertise in various tech areas, as well as specialized industry domains, allow us to address complex technological challenges while ensuring the development of safe medical products ready for their intended use. We propose that certain aspects of the process can be automated and predefined, providing a good foundation for implementing AI.”

– Danijela Nestorović

Principal Product Manager, HealthCare and Life Sciences, at HTEC Group

Ready to transform the way you manage risk?  

Greenlight Guru’s Risk Solutions is a one-stop shop for MedTech companies—it seamlessly integrates risk-based thinking across your device ecosystem for effortless compliance.  


Greenlight Guru and HTEC Group are on a mission to advance medical device quality management and help medical companies further improve the quality of life for their customers.   

Get your free demo of Greenlight Guru’s Risk Solutions or connect with Laura Maher and Kendyl Williams, Milos Cigoj, Hristina Panovska, and Danijela Nestorovic to learn how Risk Management Solutions can help you transform the way you manage risks. 

