Medical Devices (Auckland, N.Z.). 2022 Sep 19;15:349–363. doi: 10.2147/MDER.S375977

Risk Identification and Analysis in the Development of Medical Devices Among Start-Ups: Towards a Broader Risk Management Framework

Omar Kheir 1, Alexis Jacoby 1, Stijn Verwulgen 1
PMCID: PMC9507292  PMID: 36158728

Abstract

Introduction

Whilst risk management has become fundamental in the development of medical devices, enforced by regulations and international standards, there is still no comprehensive model that explains how risk management in medical device development should be tackled, especially with regard to the types of risk that should be addressed. Risk management in the medical device development field is currently focused on technical risks, comprising product, usability, and development process risks, in alignment with the requirements of standards and regulations, without giving enough attention to non-technical risks, which include business and project risks. Start-ups within this heavily regulated domain have a key role in the innovation process, yet they suffer a structural lack of tangible resources, such as financial capacity, and intangible resources, such as expertise in development, risk management, and regulatory compliance. Nonetheless, they can still optimize their risk identification coverage beyond the enforced requirements to increase their products’ chances of success.

Methods

A set of qualitative interviews with seven start-ups involved in the development, commercialization, and quality control of medical devices was carried out, serving the adopted grounded theory building research method. The purpose was to determine the applied risk management practices and, most importantly, to identify the risk types covered by them. Since every start-up is a project in itself, a sample of project risks, as identified by the Project Management Institute, was utilized to scope the risk coverage and flag non-technical risks missed by the participating start-ups.

Results

Unidentified risk types, lack of involvement of the right teams, and other related loopholes are presented.

Discussion

A list of requirements was developed and sketched into a user-friendly risk management framework, which is believed to be crucial in helping start-ups attain successful, safe, and regulatory compliant medical device production; it is shared in the discussion and proposed framework section of this paper.

Keywords: medical devices, product development, process, risk management, risk identification, risk types, risk framework, start-ups

Introduction

Risk management (RM) has recently been confirmed as a new success factor in the medical devices development (MDD) industry, with a growing importance that previous studies on MDD success factors did not emphasize.1 The trending digitization of medical devices imposes a new horizon of risks that may not have been thoroughly considered before. Security risks resulting from intentional threats have only recently been confirmed, as medical devices increasingly use newer information and communication technologies (ICT) such as wireless communication and Internet access.2 Such associated risks necessitate a more thorough RM framework that ensures wider risk coverage, because if they remain unknown, without suitable countermeasures, further data breaches and even malicious attacks may occur, threatening the lives of patients, jeopardizing their information in terms of confidentiality, integrity, and availability, and hindering the success of MDD projects. MDD firms are frequently recalling devices from the market due to product quality failure, impacting almost all the key participants of the medical device supply chain.3 According to Thirumalai and Sinha,3 the core reasons behind these failures can be related to manufacturing defects, functional defects, packaging errors, and software glitches, which pose a potential health risk to the patients and personnel using these devices. A recent study by Kamisetti29 investigates 21 medical devices that were recalled in the United States due to significant risks that may lead to serious health problems or even death. Therefore, for MDD firms to overcome such potential failures and maximize their projects’ success, it is crucial to pinpoint the factors that systematically increase the likelihood of triggering risks at the early development stages.
Therefore, considering the significant impact MDD can have on human lives as well as the struggle of MDD start-ups in particular, the scope of RM in MDD among start-ups shall be thoroughly investigated to enhance risk detection and timely mitigation. This paper tackles this investigation in an effort to extend an RM framework that caters for the gaps that this study reveals.

Start-ups in the domain of MDD seek compliance with regulations, such as the European Union’s MDD directives and regulations as well as the FDA requirements in the United States, in order for their aspired products to be sold in the respective markets. They also rely on international standards, such as ISO standards, which are a compliance tool but are not all mandatory in the way that directives or regulations are. However, those regulations and standards do not explain how RM should be tackled, which risks should be covered, which personnel or teams within the start-up organization should be involved in the RM process, and more. ISO 31000 describes the general high-level RM process that shall be applied in any domain to identify and treat potential risks. In the MDD domain, in addition to ISO 14971, which is the dedicated ISO standard for RM in MDD, there are several other key medical device industry standards requiring RM implementation, such as IEC 60601, IEC 62366, ISO 10993 and ISO 13485, which all recommend establishing an RM process specifically in line with ISO 14971. Even though ISO 13485 addresses the requirements of the quality management system (QMS) in MDD, it demands that RM be applied throughout the entire product lifecycle and the entire QMS. The scope of the ISO 14971:2019 standard states that

The process described in this document applies to risks associated with a medical device, such as risks related to biocompatibility, data and systems security, electricity, moving parts, radiation, and usability.4

which confirms that this standard also conveys a high-level process that does not consider the nature or class of the developed product and does not identify the various risk types or categories that shall be covered. Nevertheless, this standard still constitutes a milestone as it raises awareness, especially among start-ups, who are innovative starting pioneers and at the same time new to MDD or even to the general product development domain. They are also in desperate need of resources, considering their limited development background, including guidelines that embed an RM framework within the MDD process to support them with the RM requirements and guide them through the required stages of an RM process.

State of the Art

In new product development (NPD), which is the general process of bringing a new product to the market and is a vital factor for surviving and gaining a competitive advantage for almost any company irrespective of its operations’ type or size, including start-ups and established companies, the scope of risk management is extended further than that of MDD. This is probably because there are not as many strict regulations and standards as in the case of MDD, which set boundaries to the scope of RM and lack important types of risk such as operational risk, project risk, market risk, etc. It is also possibly because NPD has been practised for over 30 years, which is far longer than MDD.5 According to Gray and Larson,6 the purpose of risk management in NPD is to identify and manage “any” potential and unforeseen trouble spots that may occur when a product development project is implemented. Management of risk plays a significant role in the success of an NPD project since it provides the development team with a risk prevention tool that ensures that surprises and negative consequences associated with undesired events are minimized. According to Galli,7 the early stages of the product development process represent an NPD team’s opportunity to minimize the impact of potential risk events. The same study states that when an NPD project surpasses the first half of its implementation schedule, the cost resulting from identifying a new risk event increases drastically due to the required changes that the development process will incur.

As for the detailed types and categories of risks that are being tackled in NPD, they are numerous, with different studies targeting various groups of risks, classifying them into different categories and tackling their identification from different angles. The research performed by Ahmed et al8 claims that an NPD project can endure eight types of risks, among which are operations risks that relate to the project’s milestones, such as the risk of not meeting a due project milestone or requirement; production planning risks, such as the risk of resource deficiency; and task dependency risks, such as the risk of shipment delay caused by a third party. Additionally, this same study emphasizes that the scope of risk management should be tailored to the environment and extended to the best interest of all stakeholders. Previous studies confirm this too, such as that by Jaafary,9 which stresses that each risk management system should comprise a different set of tools and methods to manage the relevant risks in a specific business sector. Another approach for risk identification in NPD is to differentiate between the risks that can impact the entire project, at the start of any product development project, and the risks related to a specific section or component of the project. Once these “macro risks” are identified, the NPD team, whether it is a start-up team or an established company, can go more in-depth by utilizing a variety of different tools to tackle “micro risks”.7 Similarly, the study by Gray and Larson6 proposes that a risk breakdown structure should be adopted, commonly known as a hierarchical depiction of the identified project risks, followed by a risk study of each element of the work breakdown structure (WBS) of a project to identify as many risks as possible and reduce the probability of a risk being missed. This project risk approach, however, is not the same within MDD projects as per the literature.

In contrast to NPD, the risks which medical devices can impose on human beings create a huge responsibility among MDD start-ups, since they relate to people’s health, wellbeing, and lives. According to Makary and Daniel,27 medical error is considered among the leading causes of death in the United States, ranked third after heart disease and cancer and accounting for over 250,000 deaths annually, which amplifies the need to invest every effort in exploring a better risk approach for MDD. Medical devices are developed to support health and treat human conditions and could be used in critical instances such as injuries and surgeries, which makes them of greater importance than any casual product or device. Hence, and considering the start-ups’ limited resources, it is fundamental to have a comprehensive risk identification approach that would surpass the commonly recognized process, usability, and product risks practised by start-ups to cover wider risk types that will both increase their chances of success and ensure a safer medical device.

RM is a growing discipline that is being bound to almost every domain. The very common ISO 9001 standard, which can be implemented into the QMS of almost any type of operation or business, has recently introduced “Risk-Based Thinking” as a systematic approach to risk that should be incorporated throughout the entire QMS, rather than treating risk as a single component.10 It is therefore essential that every organization adopts a proactive approach to risks, understanding how effective evaluation and analysis can be used to anticipate potential risks when implementing new systems, and thereby minimizing those risks. To ensure that any potential risks are managed effectively, the risk process needs to be explicitly built into the decision-making process.11

Accordingly, while the commonly adopted RM process includes the same four RM steps, Risk Identification, Risk Assessment, Risk Response Development, and Risk Response Control, the various risk types to be covered in NPD remain a matter to be determined based on the judgement of the individuals executing the RM process. Figure 1 visualizes the interlinked phases of an RM process, as listed earlier, in line with ISO 31000:2018, which is not business or domain specific.12

Figure 1. Risk management general process (adapted from ISO 31000:2018).

Note: Reprinted from The ISO 31000 standard in supply chain risk management, 151, De Oliveira UR, Marins FAS, Rocha HM, Salomon VAP, 616–633, Copyright 2017, with permission from Elsevier.12

Project risk is inevitable and must be managed to the best extent possible. The study of Carvalho and Rabechini Junior13 identified a significant positive correlation between RM implementation and project performance. RM is an integral part of project management, and product development certainly necessitates project management because risks have the potential to cause deviations from the project plan and from the pre-defined product objectives.14 Fontaine15 divides risk identification efforts in the development of any new product into two streams: the first is the identification of project risks, which are risks that may be encountered during the life cycle of a project, and the second is technical risks, which are problems that could occur after project completion because of improper design. Companies fail at RM because they fail at one of the two fundamentals of managing risk properly: cross-functionality and proactiveness.16 Developers of new products tend to focus on research and development risks, leaving all risks related to the project flow uncatered for, which is where most of the risk lies. They also wait until late in the project, when risks begin to occur, whereas RM should begin as early as possible in the project and continue as a monitoring and follow-up effort at the end of each project phase, since this allows the project manager and other stakeholders to assess changing conditions or requirements. In this respect, and as per Atkinson et al,17 Figure 2 correlates uncertainty with ambiguity to demonstrate that through risk analysis and problem solving, ambiguity falls to its minimum, which will in turn ensure greater readiness for most uncertain situations.

Figure 2. Uncertainty–ambiguity relationship.

Note: Reprinted from International Journal of Project Management, 24/8, Atkinson R, Crawford L, Ward S, Fundamental uncertainties in projects and the scope of project management, 687–698, Copyright 2006, with permission from Elsevier.17

A risk profile comprises a set of questions that focus on traditional areas of uncertainty (risk) in a project. This profile shall cater for risks applicable to the project flow and outcome, and can be inspired by relevant previous projects where applicable.7 Start-ups must gather input from a wide array of sources, such as suppliers, customers, and other stakeholders, as well as databases. In most cases, these sources provide a new viewpoint on the risks in the NPD project, which helps the team identify risks that they might not have seen or realized before, which is crucial to maximizing risk coverage. Additionally, the involvement of the internal teams helps to improve their commitment to the success of the project.7 The main objective of the RM exercise is to be proactive rather than reactive and to be ready for surprises or trouble spots that may occur, by reducing their negative consequences and minimizing their probability of occurrence. Having an adaptive RM framework will not only guide developers in risk identification and mapping but will also act as a guide for risk quantification and comparison to determine which risks need to be managed according to a set of priorities. It also points developers towards the root causes of risks so that they can effectively resolve them, and serves as a risk communication tool for a group of collaborators to reach a common understanding of the measures that are and will be taken in reacting to risks. Figure 3 explains the 10 risk types recommended by the Project Management Institute (PMI),14 which will help in widening the risk coverage and building a comprehensive risk profile.

Figure 3. Types of risks in project management.

Note: Used with permission from Mr. Wissam Yaacoub.

This paper aims to exhaustively investigate the risk identification and analysis mechanisms of the RM process among start-ups, which have already been thoroughly investigated for NPD projects, yet not studied enough in the specifics of MDD projects. The models and approaches for risk identification in NPD brought several techniques that, if applied in the MDD field, would positively impact the RM outcome by ensuring wider risk coverage. The MDD process differs substantially from the development process of any other product, as it involves pivotal health matters and is subject to strict controls by governmental authorities and regulators. The renowned study of linear stage-gate models by Pietzsch et al18 represents the first comprehensive MDD model. It brings a broad description of the various activities and decisions associated with the development of medical devices, from early concept selection to post-market surveillance, with a list of proposed RM models, such as the models established by ISO 14971 and the FDA, that can be embedded into the MDD process; these models do not delve into risk types and instead represent a high-level RM process like the one presented by ISO 31000. The stage-gate process demands the involvement of the right constituencies of the MDD process, referred to as functional groups, such as marketing, legal, and research and development, to orchestrate the execution of the process, which may influence the risk identification process, without detailing the risk areas to be addressed. Also, even though the first phase of the stage-gate process was “the initiation – opportunity and risk analysis”, the approach of risk identification to ensure that most risks are identified by the various involved teams was not investigated to address risks beyond the requirements of regulations and standards.

Several other papers have also tackled specific details of the risk management process in MDD. Some have focused on the approach for risk identification, such as whether FMEA should be adopted or not, and others have magnified the risk caused by human error, referring to one risk type, which is usability risk. While their outputs constitute essential elements of an RM framework, they did not establish the aspired process and the level of detail aimed at by this research. Furthermore, according to a recent study,28 legal, human, and technical issues were found essential while implementing RM in MDD, which include, for example, safety, interdisciplinarity and biocompatibility risks respectively. Hence, if the studies of Pietzsch et al18 and Kuhl et al28 were investigated and explored further, the types of risk to be explored throughout the early MDD phases could be researched.

Therefore, in this study, the early phases of RM, in which risks are identified and analyzed, and which constitute the essence of the RM process, are investigated in detail among MDD start-ups to support their innovation efforts. Establishing this is deemed key to the foundation of a risk-based, dynamic MDD process.

Methodology

Previous studies have confirmed that risk identification in NPD caters for several risk types, as described in the literature, which are tools that NPD start-ups can utilize to build a comprehensive risk register and minimize the ambiguity around possible uncertainties throughout their development effort, reaching product success by setting treatment plans for the identified risks. The situation in MDD is different, although medical devices can have a substantial impact on wellbeing and health if risks are not properly identified and treated. Previous studies have investigated the importance of embedding the RM process within that of MDD and confirmed a few risk types, which are not specified in the respective standards, that should be addressed. This paper builds on the existing literature in an attempt to identify as many risk types as possible that start-ups in the domain can focus on to increase their products’ success, and sketches the findings in a framework to facilitate adoption.

To pursue this study, a three-stage research approach was used. The first stage entailed a literature review, the second stage consisted of the actual data collection, and the third stage included a validation of the study outcome. In the literature phase, the focus was to explore the various risk identification techniques available in MDD and NPD processes along with the PMI guidelines for project RM, as risk identification forms the cornerstone of an efficient and comprehensive RM process. Several research databases, online catalogues and search engines were utilized, such as Google Scholar, ResearchGate, PubMed, ISO and the PMI’s online library. To narrow the results, various keywords and combinations of them were used to find the most relevant literature, such as risk management, medical devices development, framework development, risk types and risk identification. The resulting publications were filtered by publication date to ensure that the latest relevant research was reviewed and to build on the most recent studies and findings. The obtained literature allowed the generation of a list of open-ended generic questions to review the application of RM stages and identify the risk spectrum being addressed by start-ups in the domain.

The second stage of this research entailed the actual data collection, employing a qualitative, interview-based approach, as it allows researchers to ask different research questions and to explore and understand phenomena from a contrasting perspective.19 Accordingly, an interview guideline was prepared with probing questions and sub-questions to ensure that comprehensive responses were obtained from the participants. The interviewing period took place between October 2020 and January 2021; the interviews had to be performed through videoconferencing due to the COVID-19 pandemic and were scheduled in consideration of the participants’ availability. The third stage was the final stage of this research, and it focused on validating the established framework by presenting and discussing it with a new set of MDD start-ups to collect their feedback and opinions, applying the same research methodology as in the second stage.

The semi-directive interviews took place online with seven MDD start-ups, three of which are involved in software-dependent medical devices, until data saturation was reached, as further coding was found to be no longer necessary.20 The same approach was applied during the last stage, the framework validation, yet with five new participants and a less comprehensive interview guideline. The number of participants complies with best practices, which a large number of articles and books place at 5 to 50 participants.21 Interviews were performed in English by means of the videoconferencing application “Microsoft Teams” and were scheduled at the convenience of the participants, who reside in different regions of Belgium and the Netherlands. All participants granted their consent to participate in the study prior to scheduling the interview, via email, where the researcher declared the approval of the Independent Ethics Advisory Committee for Research in the Social and Humane Sciences (EA SHW), founded by the Executive Council of the University of Antwerp on 03.07.2012. Before commencing the evaluation, participants were briefed about the study’s high-level objective and the interview procedure to be used. With permission, all interviews were audio recorded for later coding and analysis. The interview duration varied between 45 minutes and 1 hour, as some participants had several experiences to share. The researcher took notes on each discussed topic or question asked, in line with the developed interview guideline, without interrupting the participants. These notes, along with the audio recordings, supported and guided the researcher throughout the analysis exercise. Interviewees were requested at the end of the meeting to share, whenever possible and at their own discretion, their adopted RM procedures and utilized checklists in order to support the analysis exercise.

In line with the objective of this paper, the interview guideline in the second stage of this research included questions on the adopted risk management phases, with more focus on the risk identification mechanisms, since they create the foundation of the RM process. The interview questions covered a briefing on the adopted RM process and its correlation with the MDD process, the teams involved in the RM process, the risk identification mechanisms with emphasis on risk types, a sampling of possible project risks’ inclusion in line with the PMI, the usage of checklists to support and expand risk identification, the updating and reviewing of the risk register, and incidents or encountered risks that had not previously been reflected in the risk register. On the other hand, the interview guideline in the third stage was narrowed to collect opinions on each fold of the framework and feedback with regard to its usability, potential benefits and obstacles.

For this empirical study, the data collected were initially used to draw findings on RM within MDD and to form a hypothesis for an enhanced RM model within MDD, to be iteratively revised and validated in subsequent research milestones. The research approach, known as grounded-theory building, or inductive reasoning, was selected for this research paper because of its specific objective of building theory from qualitative data and interpretation,22 and because it required performing pattern identification to conclude a theory from the emerging data. This type of research method, which is also referred to as a bottom-up approach, allowed observations to build an abstraction or to describe a picture of the diverse characteristics of the investigated phenomenon.23 Thematic analysis was adopted for the assumed grounded-theory building; it is based on the search for and identification of codes and themes that transpire as being important to the description of the phenomenon, and involves “careful reading and re-reading of the data”.24 Therefore, the interview notes and recordings were transcribed into codes, whereby a code describes a vital task undertaken by the developer, and afterwards related codes were grouped into themes using pattern recognition within the data.

The analysis of the codes indicated seven different themes, each combining a set of related codes, in order to conclude the findings of this study, which are described in the following section. All participating start-ups are referred to by numbers to ensure that their privacy is protected.

Results

As this study emphasizes, the risk types targeted by start-ups constitute the basis of their entire RM process and can greatly influence the coverage of their risk profile. The risk types that are focused on define the spectrum of risks to be mitigated with proper controls, and so increase the probability of having a successful product. Figure 4 describes the risk types covered by the participants of this study, in line with what was revealed in the conducted interviews. As can be noticed in the figure, the basic risk types, which this study refers to as technical risks, are abundantly covered by the participants: product risks are identified by all participating start-ups, and development process risks and usability risks are covered by most of them. The coverage of non-technical risk types, on the other hand, was scattered among the participants; for example, ICT-related risks, which include IT/software development and security risk types, were limited to three and two participants respectively among the seven participating start-ups. This indicates that less attention is given to non-technical risk types such as ICT risks, which means that risks related to information systems, databases, etc., which can hold critical information relevant to the project or even to end-users, are not being identified and mitigated. Most of the non-technical risk types that were covered fall under the category of project risks as per the PMI’s project risk breakdown, illustrated in Figure 3. These poorly covered risks, such as market and quality risks, were only included haphazardly by a few participants who had identified their own risk appetite and accordingly decided which risk types to cover, considering the limited details presented in the ISO standards.

Figure 4. Types of risks covered per participant.

Moreover, the participants were requested to describe risks or incidents that had been encountered yet not included in their risk register; Figure 5 illustrates some of the risks described by each participant. Every participant, except participant 3, shared an encountered risk that could have been very helpful if catered for in their risk profile. The most frequently encountered yet uncatered risk, mentioned by three out of the seven participating start-ups, related to a missing requirement or risk identification. The results obtained for this specific question support the objective of this research, which calls for a more comprehensive risk register to identify potential uncertainties and enhance readiness.

Figure 5. Encountered risks yet uncovered in RM per participant.

The approach to RM among the participating start-ups did not differ much, unlike what was witnessed earlier for risk type coverage. Figure 6 shows the adopted RM approach among the participating start-ups: most of them prefer to use Failure Mode and Effects Analysis (FMEA), one start-up stated that hazard analysis is more effective for them, and another three participants decided that combining FMEA with Hazard Analysis, Corrective and Preventive Actions (CAPA) or SWOT analysis would help their risk identification within the development phases. The results for this question showed that FMEA is the most utilized risk identification method among the participants and that the range of risk types addressed by a start-up is not influenced by the identification approach used. It is mostly a “management decision”, as stated by participant 7, to address more risks and set preventive measures for them.

Figure 6. Approach for risk identification per participant.

While there is no mandatory tool for implementing risk management, it was nevertheless interesting to know which tool is utilized by the participating start-ups. Figure 7 shows that four of the participating start-ups use the software “Matrix Requirements” as their tool for QMS, requirements identification, RM, and test management. The remaining three start-ups use templates created in “Microsoft Office” to perform their RM duties. The results for this question did not lead to any recommendation as to whether it is better to use the tool “Matrix Requirements”, because the software used evidently does not influence risk identification, considering the relatively comprehensive scope of risks covered by participants 7 and 1, as illustrated in Figure 4, who each use a different RM platform.

Figure 7. Tool used for RM per participant.

All participants demonstrated that their RM process adheres to the requirements of ISO 14971 and ISO 13485, yet none of them had a mechanism or scientific approach for performing a benefit–risk analysis (BRA), which ISO requires to ensure that the benefits of accepting a risk outweigh its impact should it occur. It is worth mentioning that among the participants who use the software “Matrix Requirements”, the benefit–risk analysis was a tick box that could be marked in the system without the tool proposing or requiring any analysis to confirm that this requirement had been met. This also confirmed the earlier finding that the software used does not influence risk identification or treatment without an evident management decision and commitment to establish and operate an ISO 14971 compliant RM process.

Furthermore, it was also interesting in this study to know whether the participants use any kind of checklist to trigger their risk identification exercise, given their lack of experience in RM and considering that such external sources can provide new risk viewpoints. Figure 8 indicates that four of the participating start-ups use checklists to support their risk identification. Most of the checklists used are information security related, such as those of the Medical Device Coordination Group (MDCG), ISO 27001, etc. Only two checklist sources were not IT specific: Annex C of ISO 14971 and the FDA MAUDE (Manufacturer and User Facility Device Experience) database. The relation between the types of risk addressed by the participants in Figure 4 and the checklists used in Figure 8 is visible, considering that the identification of specific risk types can be supported and inspired by the professional checklists used, as witnessed for example by participants 5 and 7.

Figure 8. Use of checklist for risk identification per participant.

Another critical question that this study focused on was who is involved in risk identification within the start-ups’ teams. Figure 9 details the various teams involved in each of the participating start-ups. In some cases, such as participants 1, 2 and 4, upper management and quality personnel are the ones solely handling risk identification. On the other hand, participants 5–7 showed the highest team involvement among the participants, and they are also the ones who covered most of the risk types, as illustrated in Figure 4. Therefore, including the teams can expand risk coverage, since the expertise and background of each team can contribute to the RM process and accordingly to the start-up’s risk profile, in addition to improving the team’s commitment to the success of the project, as discussed in the literature. The presence of the functional groups in the stage-gate process, referred to as the involvement of the right constituencies, also complements this finding that this is an interdisciplinary project which can build on all functional teams’ experience.

Figure 9. Teams involved in risk identification per participant.

Lastly, the interviews included questions regarding the review of the risk register, with the aim of knowing whether the magnitude of a certain risk influences how frequently its controls are reviewed. Figure 10 summarizes the answers given by the participants in this respect. Most of the participants mentioned that a risk review is performed following a change or the addition of a new feature, especially for the related risks. Only one participant confirmed that a general review is performed periodically, while two other participants stated that no general review had been accomplished in the last 2 years. Also, only one participant stated that a risk review takes place after the occurrence of an incident or the identification of a nonconformity. Therefore, while standards such as ISO 14971 and ISO 31000 require ongoing risk monitoring and periodic risk review, as illustrated in their processes, this was only observed for participant 2, who covers only two risk types as per Figure 4. This triggers the need to implement a dynamic and smart risk review process, considering that as risk coverage increases, the periodic review process may be initiated less often or even become absent, probably due to the complexity of the exercise, as witnessed for example by participants 6 and 7, who identified most risk types in Figure 4.

Figure 10. Risk review interval per participant.

Discussion

On top of regulatory requirements and the innovative nature of MDD products, which are progressively becoming technologically driven as well, start-ups should also deal with the inevitable risks associated with their development efforts.25 Several research papers addressing the application of RM within MDD have been published in the past. None of them, however, was built on the performance of the RM process among MDD start-ups or considered the several risk types that should be covered to reduce risk encounters and increase the chances of MDD project success among start-ups, who may have little development and RM experience. The RM commonly practiced among start-ups is focused on product, development process and usability risks, as certification bodies and the enforced requirements dictate, while there are many other critical areas that are worthy of risk identification and analysis. The feedback and responses obtained from the participants in this study, especially with respect to the results established earlier in Figure 4, point to a new paradigm of risk spectrum that is essential during risk identification, especially with the growing demand for a broad range of medical technologies and innovation settings. Therefore, to alleviate risk occurrence, and irrespective of the adopted MDD process, RM approach or RM tool, MDD start-ups are encouraged to widen their risk coverage beyond design risks and have their RM framework tailored rather than haphazard, to lessen encounters with risks that were not previously identified and analyzed, as shown in Figure 5. This same figure also interestingly showed that most of the risks encountered by the start-ups that had not been previously mitigated were due to a missing requirement or an unidentified risk. Therefore, the technical risks in MDD can comprise process, product, and usability risks, which almost all the participants in this study address.

On the other hand, non-technical risks can include a range of supplemental risks that cover other essential operational components, as witnessed among NPD projects and recommended by the PMI. This risk context scoping should be studied and identified by MDD start-ups at the earliest RM stages in order to identify which risk types are applicable to their scope of work. In addition to safety and product concerns, MDD start-ups, especially in today’s digital world, should also focus on non-technical risks related to design information leakage, patient information leakage or theft, risks triggered by external parties such as suppliers, transporters, or vendors storing their data online (such as in the cloud), and many more, as such risks may not only jeopardize their success but may also pose a threat to patients’ privacy and wellbeing. Also, MDD start-ups need to learn that their RM process and incident management process should work together in order to adopt encountered incidents into their risk profile and establish a plan to avoid potential reoccurrence, as confirmed in Figure 5, since incident reporting makes a substantial difference to patient care.26

Additionally, the use of a risk identification checklist, as observed for participants 4 and 5, who sought further milestones during their risk identification, as confirmed in Figures 4 and 8, can help extend the scope of risk identification. These checklists can be sourced from standards or other professional databases and can help identify risks for which brainstorming sessions and focus groups alone may not suffice. Moreover, the involvement of the various teams, with sufficient RM training, can substantially support this process, as observed for participants 5–7 in Figures 4 and 9. This will ensure more comprehensive risk coverage, build resilience and agility into the RM process, and promote a sense of belonging among the participating teams towards the QMS of the firm. It is fundamental that the RM process be recognized as a company-wide process that requires holistic efforts from all teams in order to expand its output.

Further findings from this study showed that the BRA, which shall be implemented for risks that still fall within the unacceptable level even after treatment, is not being implemented using scientific approaches. As per the ISO 14971 requirements, the BRA must be documented and provide objective evidence and a rationale as to why the medical benefits outweigh the unacceptable risks, since it constitutes a special provision for moving forward with unacceptable risks. Also, the frequency of risk review among the participating start-ups, in Figure 10, indicated the lack of a well-defined risk review procedure, as the general risk register review is not periodically implemented among most of the participants, not even for high risks, which may require further and ongoing attention. Furthermore, it showed that the risk review is mostly triggered by changes or the release of new features; hence, the risk register may not be reviewed for a long period until a requirement change or a feature has been introduced.

Accordingly, the preliminary framework below in Figure 11 has been derived from the ISO 31000 and ISO 14971 RM processes, which demand a process running from risk identification through risk treatment, accompanied by monitoring and commitment, as represented in Figure 1, while reflecting this study’s recommendations and specifically the identification of non-technical risks. This proposed four-fold RM framework, which the researchers labelled the four by four or “4×4” RM framework, focuses on the risk identification phase and highlights the significance of team involvement, reflection on encountered incidents and a dynamic risk review procedure across the early four phases of the proposed MDD process. It is dedicated to MDD start-ups, to support them through their regulatory compliance journey and increase their likelihood of success by implementing and actively managing a comprehensive risk database.

Figure 11. Proposed RM framework considering the study’s findings.

The first risk identification pillar lies in the inclusion of further risk types at the various production phases, such as the ones derived from this study, which can expand the number of risks identified and therefore increase and optimize risk mitigation plans and ensure further readiness and agility of the product and the firm. The second risk identification pillar is the inclusion of encountered risk events or incidents in the RM profile, to ensure that the RM plan is not only corrective and reactive to recurring faults but also prevents their reoccurrence. Also, in addition to risk identification, this framework aims to increase the involvement of personnel involved in production, to ensure that RM activities are comprehensive and not limited to top management or a group of selected personnel, in line with the relevant findings in the results section. Lastly, this framework demands that periodic risk reviews not be limited to changes or new releases, which could hinder the effectiveness and efficiency of the RM process, and ensures compliance with the continuous risk monitoring requirement of ISO.

Proposed 4×4 RM Framework (Four Stages, Four Folds)

The proposed framework aims to represent and facilitate the adoption of the findings identified in this study across the earlier phases of MDD. It is labelled as such because it highlights four folds, shown in yellow, to be implemented during the proposed early four phases or stages of the MDD process. Though this framework proposes four early stages of MDD, it does not require adhering to these exact stages, as this was not within the scope of the conducted research, whereas the identification of the risk types to be covered by MDD start-ups was the utmost interest of the research. In this framework, the risk types to be identified are progressively introduced within each MDD phase to follow a logical path and ease adoption, while start-ups can still commence risk identification for the identified risk types as far as possible, regardless of the proposed path, in line with the findings of Figure 4 and the PMI’s risk types highlighted in the literature.

Therefore, the first fold of this framework constitutes risk identification, which can be greatly supported by a list of professional checklists, without being limited to them, that were identified by the different participants of this study as their sources for expanding their risk register, as explained in the findings discussed with respect to Figure 8, and reflected within the framework. These checklists are extendable, as they were proposed by only seven participants; therefore, start-ups can build on them and expand them as needed. The second fold in this framework addresses the findings highlighted in the results of Figure 5, where incidents encountered because a risk had not already been identified can be adopted into the risk register in order to be treated and accordingly avoid risk reoccurrence. The third fold is designated to cater for the findings discussed in the results of Figure 9, where team involvement can expand risk coverage, to ensure that risk identification involves all angles of the business such as finance, IT, human resources, etc. The last fold proposes a smart periodic review process for the register since, as described in the results of Figure 10, the expansion of the risk register can make the periodic review a complex mission for start-ups.

The proposed framework aspires to guide start-ups from the initial MDD phases, such as product ideation, by triggering the identification of risks that are vital for each early development phase. For example, start-ups are recommended to consider risks relevant to market acceptance, the availability of similar devices, budget acquisition from financial institutions or investors, and more. All these types can be explored further with the help of checklists, which again should not be limited to the ones presented in the framework, to ensure that risk prevention measures are implemented, that better decisions are made, and to secure a better flow of the MDD process.
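To make the four folds concrete, and the earlier finding that review frequency rarely follows risk magnitude, here is an added illustrative risk register written for this page (not code from the paper or any participating start-up). The risk taxonomy, the 1–5 severity/probability scales, the magnitude thresholds and the review intervals are all constructed assumptions; fold 1 is the technical/non-technical coverage split, fold 2 the adoption of incidents into the register, fold 3 the tracking of contributing teams, and fold 4 a periodic review queue that complements the change-triggered review most participants rely on.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed taxonomy: technical types the study found already covered, and
# non-technical examples named in the discussion. Not the paper's own list.
TECHNICAL = {"product", "process", "usability"}
NON_TECHNICAL = {"business", "project", "information_security", "third_party"}


@dataclass
class Risk:
    rid: str
    risk_type: str
    description: str
    severity: int        # 1 (negligible) .. 5 (catastrophic), constructed scale
    probability: int     # 1 (rare) .. 5 (frequent), constructed scale
    teams: set = field(default_factory=set)  # fold 3: teams that identified it
    source: str = "brainstorm"               # fold 1/2: "checklist" or "incident"
    last_review: date = date(2022, 1, 1)
    review_due: bool = False

    def magnitude(self) -> int:
        return self.severity * self.probability

    def review_interval(self) -> timedelta:
        # Fold 4: cadence follows magnitude (constructed thresholds), not only changes.
        if self.magnitude() >= 15:
            return timedelta(days=30)
        return timedelta(days=90) if self.magnitude() >= 6 else timedelta(days=365)


class RiskRegister:
    def __init__(self):
        self.risks = {}

    def add(self, risk: Risk) -> None:
        if risk.risk_type not in TECHNICAL | NON_TECHNICAL:
            raise ValueError(f"unknown risk type: {risk.risk_type}")
        self.risks[risk.rid] = risk

    def adopt_incident(self, rid, risk_type, description, severity, team, today):
        # Fold 2: an encountered incident enters the register as "frequent" and
        # is flagged for immediate review so that a control gets defined.
        risk = Risk(rid, risk_type, description, severity, 5, {team},
                    "incident", today, review_due=True)
        self.add(risk)
        return risk

    def coverage(self) -> dict:
        # Fold 1: covered types split the way the study's Figure 4 does.
        types = {r.risk_type for r in self.risks.values()}
        return {"technical": sorted(types & TECHNICAL),
                "non_technical": sorted(types & NON_TECHNICAL)}

    def teams_involved(self) -> set:
        return set().union(*(r.teams for r in self.risks.values()))

    def on_change(self, affected_types) -> list:
        # Change-triggered review, the trigger most participants rely on.
        hit = [r for r in self.risks.values() if r.risk_type in affected_types]
        for r in hit:
            r.review_due = True
        return sorted(r.rid for r in hit)

    def overdue(self, today: date) -> list:
        # Review queue: flagged entries plus those past their periodic interval.
        return sorted(r.rid for r in self.risks.values()
                      if r.review_due or today - r.last_review > r.review_interval())


def build_sample_register() -> RiskRegister:
    # Constructed sample entries, loosely mirroring examples given in the paper.
    reg = RiskRegister()
    reg.add(Risk("R1", "product", "battery overheating", 5, 2, {"engineering"}, "brainstorm", date(2022, 6, 1)))
    reg.add(Risk("R2", "usability", "ambiguous alarm tone", 3, 3, {"engineering", "quality"}, "checklist", date(2022, 6, 1)))
    reg.add(Risk("R3", "information_security", "cloud vendor data leak", 5, 3, {"it"}, "checklist", date(2022, 6, 1)))
    reg.add(Risk("R4", "business", "low market acceptance", 4, 2, {"management"}, "brainstorm", date(2022, 1, 15)))
    return reg
```

With the sample register and a review date of 2022-07-15, only the high-magnitude security risk and the long-untouched business risk fall into the periodic queue, while a usability change or a logistics incident adds further entries on top of it.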

The framework validation stage confirmed the framework’s usability and intended benefits: all start-ups interviewed in this stage confirmed, based on the count of the codes generated from the interviews, that the benefit of using the framework can outweigh the effort associated with adopting it, considering that it will require further effort to identify new risk types throughout the early development phases. This exercise was vital to ascertain its usability and comprehensibility, and it produced no additional requests for changes to the framework.

Research Limitation and Future Research

This study was established by interviewing seven MDD start-ups, of which three developed software-dependent medical devices, also known as Software as a Medical Device (SaMD). Future research can consider expanding this number and encompassing a variety of start-up profiles to extend the outcomes of this study.

Conclusion

Medical devices are used by human beings to support their health and wellbeing. Therefore, they should be very safe and reliable to use. Following an effective risk management process helps start-ups, which are innovative yet suffer a lack of tangible and intangible resources, not only to cater for the various possible risks throughout their development efforts but also to increase their chances of success. RM standards, such as ISO 14971, provide a general guideline on what an RM procedure should look like, yet they give minimal attention to the various types of risks that can be involved, which may have direct and indirect consequences for patients and the development process if not identified and treated in time. This study dives into the details of risk identification within NPD and uses samples of risks identified by the PMI to align it with that of MDD, while building on previous research which emphasized that RM in MDD shall include legal, technical, and human issues. It was established in this study that risk identification among start-ups in MDD already covers different risk types that are not listed in ISO 14971 or ISO 31000, widening their risk register, yet not in a consistent manner. Each of the participating start-ups chose a different set of risks to investigate; these were grouped in the proposed framework to be utilized by existing and new start-ups in the field and to maximize the coverage of their risk register. The conducted interviews also induced more findings, such as the use of professional checklists to aid risk awareness, which were discussed and represented in the 4×4 RM framework. The resulting framework was ultimately validated with a new set of start-ups to confirm that it can be of added value.

Disclosure

The authors report no conflicts of interest in this work.

References

1. Kheir O, Jacoby A, Verwulgen S. Success factors impacting nowadays technologically driven medical devices. Proceedings of the AHFE 2020 Virtual Conferences on Human Aspects of Advanced Manufacturing, Advanced Production Management and Process Control, and Additive Manufacturing, Modeling Systems and 3D Prototyping. USA; 2020.
2. Rozenblit J, Sametinger J, Lysecky R, Ott P. Security challenges for medical devices. Commun ACM. 2015;58:74–82. doi: 10.1145/2667218
3. Thirumalai S, Sinha KK. Product recalls in the medical device industry: an empirical exploration of the sources and financial consequences. Manage Sci. 2011;57(2):376–392. doi: 10.1287/mnsc.1100.1267
4. ISO. 14971:2019(en) Medical devices — application of risk management to medical devices; 2019.
5. Medina L, Wysk R, Kremer G. A review of success factors in NPD: medical device domain. 61st Annual IIE Conference and Expo Proceedings; 2011.
6. Gray CF, Larson EW. Project Management: The Managerial Process 4e. New York: McGraw-Hill/Irwin; 2008.
7. Galli BJ. The effective approach of managing risk in New Product Development (NPD). Int J Manag Sci Eng. 2017;4(2):27–40. doi: 10.4018/ijamse.2017070103
8. Ahmed A, Kayis B, Khoo YB, et al. Development of an intelligent risk management system for minimizing problems in new product development. In Proceedings of International Concurrent Engineering Conference. China; 2004.
9. Jaafary A. Management of risks, uncertainties, and opportunities on projects: time for fundamental shift. Int J Constr Proj Manag. 2001;19(2):89–101. doi: 10.1016/S0263-7863(99)00047-2
10. ISO. 9001:2015(en) Quality management systems — requirements; 2015.
11. Mobey A, Parker D. Risk evaluation and its importance to project implementation. Work Study. 2002;51(4):202–208. doi: 10.1108/00438020210430760
12. De Oliveira UR, Marins FAS, Rocha HM, Salomon VAP. The ISO 31000 Standard in supply chain risk management. J Cleaner Prod. 2017;151:616–633.
13. Carvalho MM, Rabechini Junior R. Impact of risk management on project performance: the importance of soft skills. Int J Pro Res. 2014;53(2):321–340. doi: 10.1080/00207543.2014.919423
14. PMI. Importance of project risk; 2019. Available from: https://www.pmi.org/-/media/pmi. Accessed August 26, 2022.
15. Fontaine M. Project risk management. In: Green PAJ, editor. Enterprise Risk Management: A Common Framework for the Entire Organization. Waltham, MA: Elsevier; 2016.
16. Smith PG, Merritt GM. Proactive Risk Management: Controlling Uncertainty in Product Development. CRC Press; 2020.
17. Atkinson R, Crawford L, Ward S. Fundamental uncertainties in projects and the scope of project management. Int J Constr Proj Manag. 2006;24(8):687–698. doi: 10.1016/j.ijproman.2006.09.01
18. Pietzsch J, Shluzas L, Paté-Cornell M-E, Yock P, Linehan J. Stage-gate process for the development of medical devices. J Med Device. 2009;3. doi: 10.1115/1.3148836
19. Kemparaj U, Chavan S. Qualitative research: a brief description. Indian J Med Sci. 2013;67(3):89. doi: 10.4103/0019-5359.121127
20. Guest G, Bunce A, Johnson L. How many interviews are enough? An experiment with data saturation and variability. Field Methods. 2006;18(1):59–82. doi: 10.1177/1525822X05279903
21. Dworkin SL. Sample size policy for qualitative studies using in-depth interviews. Arch Sex Behav. 2012;41(6):1319–1320. doi: 10.1007/s10508-012-0016-6
22. Flint DJ, Woodruff RB. The initiators of changes in customers’ desired value. Ind Mark Manag. 2001;30(4):321–337. doi: 10.1016/s0019-8501(99)00117-0
23. Lodico MG, Spaulding DT, Voegtle KH. Methods in Educational Research: From Theory to Practice. John Wiley & Sons; 2010:10.
24. Fereday J, Muir-Cochrane E. Demonstrating rigor using thematic analysis: a hybrid approach of inductive and deductive coding and theme development. Int J Qual Methods. 2006;5(1):80–92. doi: 10.1177/160940690600500107
25. Teferra M. ISO 14971-medical device risk management standard. Int J Eng Res Technol. 2017;3:83–87.
26. Kingston MJ, Evans SM, Smith BJ, Berry JG. Attitudes of doctors and nurses towards incident reporting: a qualitative analysis. Med J Aust. 2004;181(1):36–39. doi: 10.5694/j.1326-5377.2004.tb06158.x
27. Makary M, Daniel M. Medical error: the third leading cause of death in the US. BMJ. 2016;353:i2139. doi: 10.1136/bmj.i2139
28. Kuhl J, Sankowski O, Krause D. Investigation on methods and characteristics in medical device development. Proceedings of the Design Society: DESIGN Conference; 2020:1969–1978. doi: 10.1017/dsd.2020.95
29. Kamisetti RR. Regulatory control on medical devices-A Case Study on Device Recalls by USFDA; 2022.

Articles from Medical Devices (Auckland, N.Z.) are provided here courtesy of Dove Press