How to Set Up an ISO 14971 Risk Matrix in 5 Simple Steps

    Without a solid ISO 14971 risk assessment methodology in place, defining risk can sometimes be like answering the question, "How big is big?"

    Everyone will have a different answer.

    Johnson & Johnson lost a class-action lawsuit and was forced to pay $2.6 million in damages because they failed to provide sufficient data to prove that their vaginal mesh implants were safe.

    Johnson & Johnson’s vaginal mesh implants caused hundreds of women to suffer from debilitating side effects, such as infections, chronic pain, and the inability to have intercourse.

    Anna Katzman, the Federal Court Justice, said that there was an “overwhelming” amount of evidence that the implants were not tested properly.

    Building a tool to assess risk will give your company confidence and consistency — plus it can help keep your organization out of trouble. We'll show you how to set up your own ISO 14971 risk matrix in just a few steps.

    An ISO 14971 risk matrix is a tool you create to assess and categorize the potential risks and harm your medical device poses to patients who use it. A risk matrix is combined with other tools to quantify risk and the potential sources of harm.

    Also, keep in mind that it’s important to choose an eQMS that makes complying with ISO 14971 a breeze. As you can see from what happened to Johnson & Johnson, you need to maintain meticulous records, and an eQMS such as Qualio can help you do that.

    You can find out more about Qualio and why it’s the best eQMS for medical device manufacturers here: Qualio: The first cloud management system for the entire Life Sciences ecosystem.

    Now let's take a look at the 5 steps you should follow to create your own Risk Matrix.

    1. Identify the Potential Harms

    The first step to creating your risk matrix is to identify the potential harms your medical device could cause to patients who use it.

    For example, potential harms can include: debilitating side effects, short-term injury or impairment, loss of a limb, or loss of life.

    ISO 14971 Annex C provides a list of examples to help you identify potential harms. Some examples of what it includes are:

    • Bacteria
    • Viruses
    • Electric Fields
    • Line Voltage
    • Leakage Current
    • Vibration
    • Gravity
    • Thermal Energy
    • Chemical Hazards

    Think about each step your patients will go through when using your product. What are the potential risks or harms that could happen during each step?

    Make sure to include any harm to the environment, property damage, or harm to other people as well as harm to the patient using your device.

    2. Estimate the Risk of Harm

    Now that you know what the potential harms are for your medical device, you can estimate the risks of each individual harm.

    Risk is the combination of two things: the severity of the harm caused and the likelihood of that harm occurring in a certain percentage of the patients who use your device.

    Rank the severity by organizing each harm as negligible, minor, serious, major, or critical. For example:

    1. critical harm would be the loss of a limb or life
    2. major harm would be long-term injuries or disability
    3. serious harm would involve medical intervention to fix the problem
    4. minor harm would be side effects such as headaches, cramping, constipation, etc.
    5. negligible harm would be harm that doesn’t pose a risk to the patient

    If your device is new and hasn't been used by patients before, it can be hard to calculate the probability of each harm occurring. To come up with an estimate of occurrence, you can use data from similar products, regulatory data, scientific white papers, or industry standards instead.

    3. Build Your Matrix

    Once you’ve identified the potential harms and estimated the risk of each one, you’re ready to build your risk matrix using the data you’ve collected.

    You can create a risk matrix with Microsoft Excel, Google Sheets, or another spreadsheet software.

    Create a spreadsheet with fields for frequent, probable, occasional, remote, and improbable on the left, and fields for negligible, minor, serious, critical, and catastrophic on the bottom.

    Rank each risk level as low, medium, or high, as seen in the example below:


    Qualio helps you create your risk matrix with a simple, 3-category model for both impact and probability—High, Medium, Low
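
    The 5×5 layout from step 3 as an added example (not code from the original article or from Qualio): the axis labels are the article's, while the rank-product score, the MEDIUM_FROM/HIGH_FROM thresholds, the function names and the sample register are assumptions made for illustration.

```python
# Added example: axis labels come from the article's step 3; the scoring rule
# and the low/medium/high thresholds are ASSUMPTIONS, not part of ISO 14971.
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]

# Assumed policy: score = probability rank x severity rank (ranks 1..5).
MEDIUM_FROM = 5   # assumed: scores 5..11 rate "medium"
HIGH_FROM = 12    # assumed: scores 12..25 rate "high"

def rate(probability: str, severity: str) -> str:
    """Rate one cell. Labels outside the step-3 scales (e.g. 'major') are rejected."""
    try:
        p = PROBABILITY.index(probability.lower()) + 1
        s = SEVERITY.index(severity.lower()) + 1
    except ValueError:
        raise ValueError(f"unknown level: {probability!r}/{severity!r}") from None
    score = p * s
    if score >= HIGH_FROM:
        return "high"
    return "medium" if score >= MEDIUM_FROM else "low"

def build_matrix() -> list[list[str]]:
    """Rows run frequent -> improbable, columns negligible -> catastrophic."""
    return [[rate(p, s) for s in SEVERITY] for p in reversed(PROBABILITY)]

def render(matrix: list[list[str]]) -> str:
    """Text grid with probability on the left and severity along the bottom."""
    lines = [f"{p:<11}" + "".join(f"{c:<13}" for c in row)
             for p, row in zip(reversed(PROBABILITY), matrix)]
    lines.append(" " * 11 + "".join(f"{s:<13}" for s in SEVERITY))
    return "\n".join(lines)

def triage(register: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Rate each (harm, probability, severity) entry, highest rating first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rated = [(harm, rate(p, s)) for harm, p, s in register]
    return sorted(rated, key=lambda r: order[r[1]])

# Constructed sample register, not data from the article.
REGISTER = [
    ("headache after use", "probable", "minor"),
    ("infection at implant site", "occasional", "critical"),
    ("skin redness", "remote", "negligible"),
    ("loss of life", "improbable", "catastrophic"),
]

if __name__ == "__main__":
    print(render(build_matrix()))
    print(triage(REGISTER))
```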

    4. Train Your Team

    Reduce the risks of your medical device by learning everything you can about risk management and ISO 14971. Then, pass that information on to your team. You might even benefit from sending your staff through ISO 14971 training classes or programs.

    You could also consider hiring a consultant to help you establish processes and protocols for risk management so you can maintain ISO 14971 compliance.

    Risk management should be an integral part of every step in the development of your device, and your team needs to know how to incorporate risk management into the areas of your processes they are responsible for.

    A quality management system (QMS) can help you keep track of all the documents you need to create and store for risk management.

    5. Utilize an eQMS to Manage Risk

    Maintaining meticulous records during the entire development cycle of your medical device is crucial for compliance with the FDA and ISO regulations.

    We highly recommend ditching the old-school pen and paper methods and starting with an eQMS instead. Digital systems give you the ability to thoroughly control and document the "paper" trail that you need to have for ISO compliance.

    Qualio was built with life science companies and medical manufacturers in mind. Our software was built to help you create and collect the data you are required to have. You can access your data anywhere you have internet access because Qualio stores it in the cloud.

    “Coming from a manual, paper-based system, it’s amazing how it all just works. Qualio has forever changed how we manage quality.” - Tara Fitzpatrick, Quality Manager from Rowa Pharmaceuticals

    You need an eQMS that is flexible in risk management documentation and can help you create documented risk management plans for ISO 14971 compliance.

    Qualio can help you do all that and much more. Request a demo and start taking risk management seriously with Qualio.