EN 14971: 2012 Content Deviation #5: Risk Control Options

During the process of harmonisation of ISO 14971: 2007 as an EN standard, it became apparent that the standard did not comply with all the requirements of the Medical Devices Directives (MDDs), namely 90/385/EEC, 93/42/EEC and 98/79/EC. Seven discrepancies were identified; these discrepancies are described in EN 14971: 2012 as “Content Deviations”. This newsletter deals with Content Deviation No. 5: Risk Control Options.

Content Deviation #5: Risk Control Options
ISO 14971: 2007 requires the manufacturer to “use one or more of the following risk control options in the priority order listed:
(a)  inherent safety by design;
(b)  protective measures in the medical device itself or in the  manufacturing process;
(c)  information for safety”
but does not require that all three options be used; instead ISO 14971: 2007 implies that once the risk has been reduced As Low As Reasonably Practicable then further risk control measures need not be taken.
In contrast, Annex I of the Medical Device Directive 93/42/EEC requires the manufacturer “to select the most appropriate solutions” by applying cumulatively what has been called “control options” in ISO 14971. The MDDs do not regard these control mechanisms as options or alternatives but as three separate control mechanisms that must be applied in consort to reduce the associated risk as far as possible.

It must also be remembered (as outlined in our previous newsletters) that the manufacturer must not stop reducing a risk when it has reached an acceptable level, but that the risk must be reduced as low as possible irrespective of the risk magnitude. When complying with the Medical Devices Directives the only justifications for not implementing a control are that either the control in question will not reduce the risk any further or that it may give rise to a new risk which is less desirable than the risk which it is intended to control.
It can therefore be concluded that risk acceptability has no impact upon whether or not risk controls are necessary. Traditional FMEA-based methods of risk analysis have included an evaluation of the risk – both before and  after the implementation of risk controls measures. Under ISO 14971: 2012 and the MDDs there is no need to perform a risk evaluation prior to the implementation of risk control measures. However, manufacturers may still want to show in the FMEA the effect of risk control measures on the RPN in order to support their claim that the risk has been reduced as far as possible. Therefore it may be a good idea to leave the before and after RPN calculations in the FMEA document but to omit any reference to the acceptability or otherwise of the risk in question prior to the application of control measures. Many risk management procedures that are based on the 2007 version of the standard contain a flowchart describing the risk management process; the preliminary risk evaluation step should be removed from the flowchart in addition to removing it from the risk management procedures and the FMEA, templates and records.

The impact of Content Deviation # 5 is to require the manufacturer to implement multiple control measure whereas in the past, one control measure may have been considered sufficient. For example; a manufacturer of a device which incorporates a heating element may have previously considered that the design of the device was sufficient to minimise the possibility of the device overheating and therefore the risk to the patient had been reduced to an acceptable level. Such a manufacturer is required under the MDD to explore means of protecting the patient from overheating in the (unlikely) event that it occurs and to consider including a warning in the IFU detailing the risk of possible device overheating, and the precautions to be taken. In many cases the manufacturer will already have done both of the above, but a review of a company’s risk analysis documents such as FMEAs will almost inevitably reveal risks for which the application of all three types of control measures has not been considered. Additionally, the manufacturer must explore if there are any further design controls necessary to reduce the risk as far as possible (and not just to an acceptable level).

The outcome of actions taken to deal with Content Deviation # 5 will mean additional design controls, increased protective measures and alarms, and longer, more detailed IFUs. However, additional measures must only be taken if they will actually reduce risk and will not give rise to additional or alternative risks that are equally or more undesirable.
In order to comply with Content Deviation # 5, manufacturers must do the following;

  • Revise risk management procedures to require that all three types of risk control are utilised. Remove the risk management process step of risk evaluation prior to the application of risk control measures.
  • Review and update risk management documentation to ensure that all three types of risk control measures have been applied and that risks have been reduced as far as possible.
  • Review the information given to the user and in particular the IFU to ensure that all information that is necessary for reducing risk as far as possible, has been given to the user in a manner that is easily understood and can be easily acted upon.

In this newsletter we looked at the implications of Content Deviation # 5 and the requirement of the MDDs to implement all three types of control measures; design controls, protection measures and the giving of information to the user.

Abbreviations used in this newsletter:
FMEA: Failure Modes and Effects Analysis
IFU: Instructions for Use
MDD: Medical Devices Directive
RPN: Risk Priority Number


Household Energy Saving Tips

Save Energy – Save Money – Help the Environment



Light, Electrical Appliances & Energy Tips:

  • Turn lights on only when you need them and turn off when you leave the room.
  • Keep your lamps and lamp shades dust free – more light in less time.
  • If you want lighten your lighting bill, replace incandescent bulbs with energy efficient compact fluorescents and LED lighting.
  • On outdoor security lighting use timers or motion sensors. They run only when required.
  • In general, the most energy efficient HD televisions are LED followed by LCD and then Plasma.
  • Switch off and save up. When you leave the TV on standby it can use up to half the electricity in standby as when switched on.
  • Be smart with your computer, use energy saving mode and turn it off when not in use.
  • If you want save up to 20% on your electricity bill try using a home energy monitoring device. It can help you to manage your energy consumption.
  • When replacing a home appliance always chose an appliance with the highest energy efficiency rating. It is a good choice for your wallet and for the environment.
  • Plug out mobile phone chargers when not in use

Kitchen & Laundry Tips:

  • energy_sqtUse lids on your saucepans. The food will be tastier and it will reduce the cooking time.
  • Cook several items of food at one time. Use pans that can divide into sections or use the different temperatures of the space in oven (hotter on top, cooler below).
  • When you use the oven resist the temptation to check every minute! 20% of the heat escapes each time you open the door!
  • Slow cookers and pressure cookers save energy.
  • When using the kettle boil only the quantity of water you need. It is better for the bill, for the environment and for your health. Over-boiled water has a high concentration of limestone.
  • Stop the dishwasher before the drying cycle and open the door to let the dishes air-dry.
  • If you put hot food into fridge or freezer, they will have to work extra hard to cool it. You can let the food cool first and then put it in the fridge or freezer.
  • Defrost your freezer at least every 6 months and check your fridge and freezers door seals.
  • Put a full load in the washing machine if you can and use the lowest water temperature required. In this way you can save the money and save the fibres – your clothes remain new longer.
  • Iron smart – you should do the low temperature clothes first and the high temperature clothes last.
  • Weather permitting dry your clothes outside on the line.  In Ireland, the weather doesn’t always permit this (though we’ve had a good run!!).  If using a tumble dryer, dry heavy and light articles separately and turn the dryer off as soon as the clothes are dry.

Heating Tips:

  • When going away, turn off your central heating and set the timer to warm the house up for your return. Switch off heating before you go to bad. The radiators will continue to heat your home for some time.
  • Use time clocks to ensure the heating system works only when you need. With central heating systems use zone controls where necessary and fit thermostatic radiator valves to all radiators.
  • Turn heating thermostat down by 1°C can save you up to 10% on your annual heating costs. Room thermostats should be set on 18°C for the bedroom, and on 20°C for the living room.
  • Your boiler is heart of an efficient heating system. You should have it serviced annually to ensure it is working as efficiently as possible.
  • Ensure your house is well insulated. Double glazing and loft & external wall insulation are fundamental for saving money and for keeping your house warm. Improving your insulation is one of the best investments you can make in your home.
  • Carpets or rugs are good to insulate floors.
  • In cooler weather, keep the windows and doors closed – save the heat!
  • Curtains – close at night and open during the day. This little trick will help you to improve your house temperature management.
  • If you have a chimney but you don’t use or use occasionally you can fit a removable chimney cover to cut down the air infiltration.
  • Before you turn on your central heating…put on a jumper!
  • Radiators: to deflect heat back into a room place a shelf or longer window ledge over the radiator. For the same reason fit reflective foil-backed insulation behind it if it is on the external wall.

Water Heating Tips:

  • If your boiler is more than 10 years old, to plan to replace it. The modern ones are significantly more energy efficient. Older boilers operate at lower efficiency levels; on average 60% – 70% which means you are wasting heat and money.
  • To avoid overheating water put a thermostat to your hot water cylinder.
  • Lag your hot water pipes where you can and fit an insulating jacket on your hot water cylinder. For best results replace your existing hot water cylinder with a cylinder with factory applied insulation.
  • Take a shower rather than a bath. Usually an electric shower uses only one fifth of the energy of a full bath.
  • To save water and energy you should use a low flow shower head.
  • Use radiant heat lamps to heat the bathroom area rather than fan heaters.
  • If you use spray taps, you can reduce the amount of hot water you use.

You can also save Energy at work.  If you are interested in training in this area, view our range of Energy Management training courses – many of which are accredited.

Sources of Energy Saving Tips & Tools:


Don’t Expect to Find a Single Root Cause when Solving Problems

I think that because of the emphasis in the literature on “Root Cause” analysis some teams working on problem solving tend to believe that they are expected to identify a single root cause of the problem. I don’t believe that they should expect that outcome. Over the years I have trained and consulted with more than 100 teams undertaking root cause analysis, and it is a rare occasion in my experience in which a team will be able to identify a single cause of a problem. Indeed, if a team tells me they have managed to isolate a single root cause, I will question whether they have considered all of the possible causes in sufficient depth.

It is much more usual that the team will identify a number of possible causes of the problem. These causes may well have complex interactions, which will be difficult to disentangle, without substantial data gathering and mathematical analysis, most likely beyond many teams undertaking root cause analysis.

I believe that the best that can be expected is that the team will undertake a thorough analysis of all possible causes and identify a short list of causes, on which corrective actions can be taken. I don’t think that there is merit in teams at the point of identifying a short list, devoting time to try and find the single root cause of the problem, which I see teams attempting to do. If the team is successful in identifying the potential short list of causes, and corrective action is implemented on this short list, and is effective, then the problem will be eliminated. It is a key responsibility of the team to identify the causes on which action is to be taken.

Learn more about the techniques of problem solving by attending our Root Cause Analysis Control training course.


ISO 14971: 2007 – Content Deviation #4

During the process of harmonisation of ISO 14971: 2007 as an EN standard, it became apparent that the standard did not comply with all the requirements of the Medical Devices Directives (MDDs), namely 90/385/EEC, 93/42/EEC and 98/79/EC. Seven discrepancies were identified; these discrepancies are described in EN 14971 as “Content Deviations”. This newsletter deals with Content Deviation No. 4 - Risk/Benefit Analysis

Risk Benefit Analysis involves weighing the clinical benefits derived from the device against the risks inherent in using the device, known as the residual risks (i.e. those risks that have not been designed out).  Clauses 6.5 and 7 of ISO 14971 suggest that a Risk/Benefit Analysis is only required for risks that would otherwise be deemed unacceptable. Annex D.6.1 of ISO 14971 gives guidance that Risk/Benefit Analysis is not required for every risk. However, Essential Requirements 1 and 2 contained in Annex 1 of the MDDs require that a Risk/Benefit Analysis be performed for each risk and for the overall residual risk. In addition, Essential Requirement 6a of the MDDs also requires a Risk/Benefit Analysis as part of the conclusion in the clinical evaluation report (see MEDDEV 2.7.1 rev 3 for guidance on the format and content of a clinical evaluation report).

The Medical Devices Directives require that a Risk/Benefit Analysis be performed for each individual risk and the totality of all residual risks—not just the risks that have been identified as unacceptable and irrespective of the magnitude of those risks. Performing Risk/ Benefit Analysis on risks that were hitherto described as acceptable or negligible risks may seem like an unnecessary and purely academic exercise; however this is required in order to conform to the Directives.

In order to comply with the Essential Requirements of the European Directives relating to Risk/Benefit Analysis  (i.e. the fourth content deviation between the ISO 14971 Standard and the Essential Requirements of the European Directives), a change is required to a manufacturer’s risk management process and procedures. To comply with EN ISO 14971:2012, it must be ensured that it is clear in the procedures that Risk/ Benefit Analysis is required for every risk regardless of magnitude. In the case of risks that cannot be justified by Risk/Benefit Analysis those risks cannot be considered acceptable and the product cannot be placed on the market unless those risks are eliminated or reduced to the point where they are outweighed by the clinical benefits of using the device. Risk/Benefit Analysis must take into account the risks of using the device given the current state of the art and alternative therapies that are available. This may mean that where new technologies become available, risks that were previously acceptable may no longer be justifiable.

In a previous blog, we determined that all risks must be reduced as far as possible, meaning an end to the concept of ALARP for devices sold in Europe. Combined with the requirement to perform Risk/Benefit Analysis, this effectively leaves only two classes of risk; those that have been reduced as far as possible and can be justified by Risk/ Benefit Analysis and those that cannot be justified by Risk/Benefit Analysis.

Clinical input is an essential component of Risk/Benefit Analysis. For companies that are currently involved in developing new products, access to clinical input should present no difficulty, but for companies that have older product lines, or are producing ’me-too’ devices or low risk devices, access to clinical input may require developing new relationships with clinicians where these do not already exist. Another possible difficulty could be reluctance by clinicians who have not been involved in the development stages of the product to sign off on Risk/ Benefit Analysis especially considering the litigious environment in which clinicians operate today.

However, clinical input need not always be direct clinical input. All devices placed on the market in Europe require a clinical evaluation.  In some cases this is achieved by a review of published clinical literature and post-market surveillance data so some form of clinical input will be available for every device already on the market. It is recommended that Risk/Benefit Analysis be included in the clinical evaluation process using the device’s residual risks as inputs to the clinical evaluation. The clinical evaluation report should include a statement as to whether these risks are outweighed by the clinical benefits of using the device.  The risk management report and the clinical evaluation should be cross-referenced. Both documents should provide traceability to each risk identified in the risk analysis, and decisions on risk acceptability should be based on the conclusions of the clinical evaluation. Risk Management Reports should state clearly that Risk/ Benefit Analysis has been preformed for the individual risks and for the totality of risk and that these risks are outweighed by the clinical benefits of using the device.

The clinical evaluation and Risk/Benefit analysis will need to be updated periodically following modifications to the device, in the event of adverse incidents and on foot of other post-market surveillance information. The need to do this should be included in the company’s Risk Management procedure as part of the system for period review of risk and in the company’ procedures on clinical evaluation and post market surveillance.

Compliance with Content Deviation Number Four will require updates to a number of procedures and to the format of Clinical Evaluation reports and Risk Management Reports. From the procedures and reports it should be clear that the total and individual risks associated with using the device are clearly out weighed by the clinical benefits.

My next blog will deal with Content Deviation #5 Risk Control for CE Marking Medical Devices

Submitted by John Lafferty, SQT Healthcare tutor


How to get listed on Google’s Knowledge Graph

You may have never heard of Google’s knowledge graph but it’s likely you’re seeing it in action every day.  Just like the old sporting cliché, SEO is all about ‘making the hard yards’. Taking every seemingly small SEO step and applying it to your SEO policy and activity will ensure you get the most from your Search Engine Strategy. And today, we’re talking about one of SEO’s unsung heroes – the Google Knowledge Graph.

Did you ever see a listing similar to this in Google’s search results?











The section highlghted in red on the right is the knowledge graph.  You may also have noticed a carousal appearing at the top of a search, this is also part of the knowledge graph.











The knowledge graph (link to  is a knowledge base used by Google to enhance its search results.  The information in the results are gathered from a variety of sources and displays information on a particular topic and related topics in a structured way.

The main objective of the knowledge graph is to enhance the user’s experience and make it easier to find information. If you search for Leonardo Di Caprio or National Museum of Ireland (as in examples above) you can see that information about that topic and related topics is easily available.  If you want to know more about a movie that Leonardo DiCaprio is in, you can simply click on it and access more information – again this happens by normal organic searches or the knowledge graph.

The knowledge graph also allows the searchers to go deeper. It allows you to make new discoveries and find things that are unexpected.

While Google looks for data across many different resources, one of the most exciting features about knowledge graph is that “it’s tuned based on what people search for, and what we [Google] find out on the web”.

Reasons why you should consider getting your company or brand listed

  • Gives you a larger presence on the page and provides searchers with a richer experience

  • It builds credibility and trust. Having a richer listing and one that helps the searcher find their desired information will start to build your business credibility and brand.

  • Control of your branding  – while you cannot control what Google displays, you can try to.  Google knowledge graph pulls a lot of its data from Google + pages, and Wikipedia which you can edit.

  • You do not have to be a big name to be part of it.











Do you want to be part of the knowledge graph and give your company a richer presence in the search engine results page?  To ensure you get your company or brand listed, Google must understand more about you and know where to source related information.

How to get you and your business listed on Google’s Knowledge graph

  1. Set up a Google + business page for your business or brand.  Ensure that you complete the ‘about’ section and add your website, blog, email and contact details.  Now that you have a page, do not just leave it sitting there, use it to network and engage with relevant people in your industry and clients. Using the G+ page features will help provide Google with key information about your business or brand e.g. events you are running, your video channel, your website etc .
  2. Set up your Google + Local page (previously Google Places).  This shows your location, contact information and  a description of your business.
  3. Submit your business to Google’s database.  Keep it factual and not spammy! Add in core information about your business like ….other trading names for your business, do you have a registered name that people may search for?  You should also include a description – describe what your business does (remember be factual!).  Include relevant images, social media links and more.
  4. Wikipedia – search and see if you are mentioned in Wikipedia and ensure it is factual and correct. If it is not correct, there are specific guides around how to get this edited as they discourage businesses editing their own content – see their guide here
  5. Use Google’s data highlighter in Google Webmaster Tools.  This will allow you to highlight key elements on your page like product details or articles.
  6. Include rich snippets (reviews) if you can. For more information on this visit





  1. Verify your website’s structured data . The Structured Data Mark-up Helper shows you how to update your site so that Google understands what the data is.  It’s about tagging your website correctly so Google can use it correctly and present your data in more attractive ways.  The rich snippet above is one example.
  2. Use  mark-up on your site – this is one for your developer. This will help Google to understand your website content and display it correctly and more dynamically.
  3. Set up Google+ authorship for your website / blog and any other blog or website you contribute to. This allows Google a better understanding of the content you are creating and will result in your headshot appearing beside your listings in search…
    1. Set up a Google + profile, include your head shot and verify your email address – like with your G+ page you need to ensure you do not set up for the sole purpose of the knowledge graph.  Use it to network within your industry, potential and clients.
    2. In the section called ‘Contributor to’, include links to all websites / blogs that you contribute to.
    3. Create an author link from the content you are publishing <a rel=”author” href=”“>Sandra Hennessy</a> (change the link and name to your G+ profile link and your name)





While you have no doubt heard it many times, it’s true…there are no quick fixes in Organic SEO anymore. But there are many ways you can improve your ranking in an organic and ethical manner. By working with Google and contributing wholeheartedly to the entire Internet landscape, you’ll ensure you and your business are easy to find and your online voice will be heard.  Outside of all the above, you need to be active in your industry, publish articles regularly and keep your website and online profile(s) up to date.

Google’s Knowledge graph is an online phenomenon that you need to be part of. For more on applying SEO tools to only the highest standards, why not visit our /blog

Written by in: Social Media |


Like all ISO standards, one of the world’s most popular quality management standards, ISO 9001, is reviewed every five years. The International Standards Organisation (ISO) is currently revising ISO 9001:2008 to ensure it is relevant and up-to-date and has now had its Draft International Standard (DIS) released.  At the DIS stage all interested parties can submit feedback that will be considered before the final draft is published by the end of 2015.

The main reasons for the change is to keep ISO 9001 relevant, reflect changes in its environment and ensure it continues to deliver “confidence in the organization’s ability to consistently provide product that meets customer and applicable statutory and regulatory requirements”.

The impact of this revision will be similar to, if not greater than the 2000 edition, which was a major change for accreditation bodies, certification bodies, training organisations, implementing organisations, procurement organisations, consultants and customers.

The main changes in the new draft relate to its format and the increased importance of risk.

These include:

  • The same high-level structure used by other management system standards which will help companies to implement more than one standard
  • Identification of risk and risk control as requirements
  • Management will be required to take a more active role in aligning quality policies with business needs
  • Changes in terminology

Organizations certified to the current standard, ISO 9001:2008 will be given a three-year transition period after the new version has been published to migrate to the new edition of the standard.

The draft version is now available on the ISO website which you can reach by clicking here.




Morgan McKinley


Blog courtesy of

Written by in: Uncategorized |

It is vitally important that measurement systems are studied using Gauge R&R (Gauge Repeatability & Reproducibility)

All manufacturing organizations nowadays have a comprehensive measurement instrument calibration process in place, and pay a lot of attention to ensuring that the calibration work is carried out in accordance with procedures. Failing to calibrate the measuring instruments in accordance with requirements would result in the organization falling foul of auditors of the various standards such as ISO 9001, ISO 13485, and FDA regulations. It is greatly surprising then, that so many people, including many of the aforementioned auditors, have so little understanding of the importance of studying the variability of the measuring process. The lack of emphasis in standards such as ISO 9001 and FDA regulations on the need to study measurement system variability, is also a surprise.

Operating a calibration process without Gauge R&R (Gauge Repeatability & Reproducibility) leaves a critical gap in assessing the health of the measuring process; Measurement system variability is not assessed during the calibration process. Routine calibration is, of course, very important. However, I have seen people responsible for the measurement process, shocked when Gauge R&R studies were completed, to learn that the information provided by their carefully calibrated measuring instruments is of little practical use, because the real variability in the manufacturing process that they are attempting to study is smothered by excessive variability in the measuring process.

There are well established methods under the general heading of Gauge R&R available to facilitate the study of measurement system variability. Also, the analytical work can be undertaken with the Gauge R&R modules available in most statistical software packages. Personnel responsible for the measurement process can be readily trained to use modern computer software to design and analyse Gauge R&R studies, which will enable them to see whether the instruments are fit for purpose, and to indicate the direction of corrective actions, should the need arise.


To Serve or not to Serve?

Should we or should we not serve … that is the question … well, it is one of many questions that should be asked. The idea of servant leadership is to serve those they lead. So why don’t we do this more and serve those that we lead rather than manage those that we lead? There are a few factors that we, as project practitioners, need to take on board to make this a reality

Become a transformational leader
Rather than act in a certain way in order to gain the trust and avoid the pitfalls of human nature, why don’t we tap into the needs and values of people and inspire them with new possibilities that raises confidence, conviction and desire to achieve a common, moral, motivating purpose. This is commonly referred to as a ‘transformational leader’ and is an core element of servant leadership
Is this a risky method of leadership … of course it is but the value and result is one of empowerment rather than management. Is this worth doing … well, that is based on the 3 characteristics of leadership: -
  • Your Environment will support transformational leadership?
  • Your People will respond to transformational leadership?
  • You will Embrace transformational leadership?
Create the Vision for Others
To be a servant leader, there must be a direction for people to follow.  Does lack of vision mean lack of leadership? Is it because we lack vision? The reason is not because we don’t have a vision, it is because the vision is cosmetic and not focused on those we lead. The vision needs to be exciting, adapted and most importantly it can be connected with. If not, we become a ‘transactional transformational leader’ in a management world. Yes this is a sentence full of words, but what it means is that we may talk the talk but not walk it.
Hear about the other factors that constitute Servant Leadership for Project and Programme Managers in my workshops

Submitted by Liam Dillon, Turlon, SQT Project Management tutor


Successful Project Managers – throw away the rule book

Are Your IT Project Managers Costing Your Organisation Millions?

We believe that the current view of best practice in IT Project Management is flawed.  As a consequence, failing to rectify the situation can add millions to an organisations cost base. There is a myriad of things that can go wrong when replacing a core system. However, if the training, tools, practices and disciplines that are deemed best practice for project managers [PM’s] are fundamentally flawed and failing organisations, then the situation is greatly and dangerously exacerbated.

The key to successful IT Project Implementation, is to develop a dynamic system of processes and practices that can quickly and effectively respond to constantly emerging risks.  Some experienced PM’s break the ‘rule book’ and intuitively intervene in the delivery of a project in a way that prevents disaster.  Such PM’s are the treasured few. For the most part the moves they make and the actions they take are instinctive; ask them to give their thinking for why and when they intervened and they will struggle to explain themselves.

In this article we describe and codify some of these ‘intuitive’ interventions and explain the rationale for their use.  Our aim is to show that there is an alternative way to manage large enterprise wide IT implementations and in the process, save organisation millions of dollars of cost and substantially reduce project risk.

Our findings are based on interviews with Ennovate’s Directors in which we capture their experience of project managing dozens of separate IT implementations across Europe and Ennovate’s experience of providing a project recovery and client-side advisory service for enterprise-wide system integration.

Ennovate’s approach to IT Project Management is to:

  1. Develop a single page project view of the Project that is simple and easy for all to understand and to avoid the tendency to manage the implementation at task level.
  2. Create short and real milestones every 6-8 weeks. We believe that this is essential to achieving high levels of productivity.
  3. Set-up a project ownership structure with single owners and develop a direct style of meeting practice that focuses on owners’ reporting exceptions.  Ennovate’s approach to IT Project Implementation is to use these meetings to design real-time corrective interventions.
  4. Design and implement early prototyping by getting business stakeholders to own usability designs and gain their early participation in prototyping.  Ennovate’s aim here is to move the technical team out of a mindset of perfect build and test and into one of learning together
  5. Encourage project conflict. If managed well and all stakeholders are made to focus on the project goals, encouraging project conflict is a powerful method of keeping the project real and promoting the necessary pragmatic trade-offs.
  6. Avoid the natural desire to over-specify and resist complexity.  Both users and technical staff  need to be managed away from this inherent tendency.
  7. Facilitate changing scope by ensuring project goals remain alive in the project yet promote pragmatic negotiation of scope as part of the project delivery.

In summary, we advocate promoting a candid style of project management. This is one that seeks commitments and clarity at every opportunity and does not tolerate behaviour that deflects from the projects overall goals. A sharp focus on the projects final outcome is maintained and individuals are coached and mentored to take personal accountability and pride in their contribution.

  1. Develop a Single Page Project View 
    Large IT projects have a typical pattern starting with business requirements and then going through technical design, build and configure, various iterations of testing, migration and ending with user acceptance.   Each phase involves tasks and assigning task ownership.  Typically, reporting focuses on progress at task level with some level of interpretation during the aggregation process required for summary reporting.  This approach, deemed best practice by project management authorities, does not take care of the problems with interpretation and aggregation, nor does it lend itself to keeping a simple coherent view of the project that all project members can understand and relate to.Our approach, based upon Commitment-based Management is different. We focus on building a top down, single page view of the project.  First we develop a unifying project goal and maintain this throughout the project.  We work with the project team to design their promises and help them relate to and understand how they contribute towards the project goal.  This results in a simplified programme structure with clear accountability and commitment to the projects success.  Reporting focuses on how the team are doing against managing their promises and the actions required to keep, renegotiate or support each other in delivering upon such promises.  In doing so, the project is focused on the future, maintains simplicity and unity to the overall project goal.  Another outcome is that the project reporting requirements are simplified and the work of the project office moves from simply reporting and interpreting progress to value adding activities such as supporting the team in managing the delivery of their commitments.
  2. Real Milestones every 6-8 Weeks 
    Projects with a six-month-plus duration and a large and diverse range of interested parties, have a difficult time maintaining the momentum and energy of all involved.  This can mean milestones are fudged resulting in the erosion of trust between the project team and their stakeholders.Our approach builds upon a project team that understands the overall project goal and how its promises are part of that goal. Ennovate then design and plan 6-8 week milestone deliverables.  In addition, we introduce an operational meeting practice that focuses on the commitments pending and actions required to safe-guard them or re-negotiate them.  In doing this, the project team focus on outcomes required from each milestone and maintain high energy levels and conviction.
  3. Promote an honest and straight talking meeting practice
    In our experience all projects have a tendency to slide into working in silos.  When teams operate in silos they move away from having a clear goal of the greater project good and look to focus on their own deliverables.  The sum of their deliverables inevitably falls short of the required overall project goal.  The team fragments, with each deliverable competing for limited resources.  Project managers and leaders can fall into the trap of refereeing or making priority calls based on the strongest personality’s representation.  Furthermore, this tendency, when it extends to the business community, creates additional work. Users begin to focus predominately on their own needs and end up specifying nice-to-have requirements in the name of future proofing.  This leads to unnecessary workload and unnecessary development effort which results in spiralling implementation risk.In Ennovate’s experience, the typical response to this situation is a generic cry for charismatic leadership.  This is helpful, but does not ensure success in preventing silos from emerging.Our approach is to get the project team to maintain focus on the overall project goal.  Our operational meeting practice provides a process of renegotiating commitments / promises and is a practical way of ensuring that the team is in regular dialogue on the projects goals, the interdependency of their promise on others and vice versa.
  4. Encourage Business Stakeholders prototyping as early as possible
    IT Projects based upon the traditional project management frameworks, are designed and implemented in a way, where the requirements are handed-off to project technical team members and little is heard from the development team until they are ready for the users to re-engage at acceptance phase.  This approach generates a number of risks, one of which is that the business moves on and the original requirements are no longer relevant. Business users compensate for this situation by putting forward extensive and very often, unnecessary requirements, while technology delivery teams build completly over-engineered solutions. The consequence is additional time and risk introduced into the project with the likelihood that the business community begins to lose interest in the project.  The challenge here is how do you maintain business community commitment and prevent this from happening?Ennovate’s approach is to bring the business into the project. We introduce a dynamic change management practice through the design and build phase and maintain a practical perspective on requirements and changing business needs.  In addition, we look to push through an end-to-end transaction early in the project cycle.  This sharpens the overall project deliverables and gets the business community meaningfully engaged earlier in the process.  This also gets the users and core project team focused on real issues that can be resolved pragmatically.
  5. Promote Project Conflict Projects tend to be a microcosm of the organisational structure and represent the organisational culture in a magnified way.  When things go wrong, which is inevitable, the success in managing such conflict will be critical for getting the project delivered against its goals and time commitments.Some see conflict as a bad thing, Ennovate do not.  Healthy teams bring disagreements and conflict out into the open and deal with it.  Our style of working is to encourage openness and candour to get conflict out early and deal with it.  Our project teams are trained to deal with conflict and listen to the breakdowns in order to design constructive exchanges that help re-align the team to their stated goals.  In fact, regularly encouraging disputes to occur and resolving them, quickly adds to the team morale and their sense of creating a real difference.
  6. Resist Complexity 
    Managing scope, budget and timelines is a mandatory competency for all project leaders and managers.  However, the training project managers receive and the commonly held best practice for project risk management, is to eliminate and minimise scope creep.  In our experience, this has the opposite effect on managing scope, budget and timelines.  For instance, when a project manager receives a new requirement or change request, the project managers natural instincts are to encourage the functional designer to over specify, conservatively estimate effort and scope and negotiate to eliminate as many changes as possible.   The result of this situation is extra redundancy in scope,  an unwillingness to accept change and an emerging distrust between the users and the project team.We see budget, timelines and scope as a series of commitments that need to be negotiated and managed throughout the project.  Our focus on managing these commitments are forward looking.  By getting the users to work with the project team and make commitments by giving them a forum to discuss in the various meeting practices, we keep the project alive to the concerns of the customers. This approach minimises wasteful, non-value add activities that have a tendency to creep into projects based on the emergence of distrust between the various stakeholder communities. The result is a project implementation that delivers the business benefits at the minimum effort and cost.
  7. Promote Pragmatic Negotiations and Scope Changes
    The success in all projects boils down to the team’s effectiveness in managing change.  The commonly held view in project management is to get buy-in from all parties and negotiate change through a series of change control practices that escalate upwards to a steering group based on the impact on project scope, budget and timeline.  As mentioned above, project managers are risk adverse by nature and see change as a potential threat to the project’s success.  In fact, some even get territorial and fanatical about maintaining the status quo, i.e. make a strong case for minimising change.Ennovates view is different. Our team is trained to see that changes are necessary to a projects success and introduce ways of managing change through negotiation with all stakeholders, building trust in the process.  When this happens, change becomes part of the mind-set of the project team. Only changes that are required by the business will be proposed, the opportunity to remove requirements that are no longer necessary will exist and costs associated with managing change will be minimised.  In fact, pragmatic trade-offs that swap one requirement for another is key to successful implementations and results in reduced effort and cost.  Such change management practices will help ensure that the project delivers upon its commitments in an effective and efficient manner.

In summary, do not be afraid to ask any system integration partner to tell you about their success rate and do be prepared to probe behind their answers.  The truth may surprise you, provided you get to it! What the project management industry does not tell you is that replacing a core system never goes to plan, will cost more than your most generous estimates and demolish any contingency you might have, causing huge business disruption in the process. Ennovate’s approach and experience tells us that we can dramatically reduce this risk.

Submitted by Ian Duncan, Ennovate, SQT Strategic Change Management tutor


ISO 14971 – Content Deviation #3 Economic Considerations of Risk Reduction

During the process of harmonisation of ISO 14971: 2007 as an EN standard, it became apparent that the standard did not comply with all the requirements of the Medical Devices Directives (MDDs), namely 90/385/EEC, 93/42/EEC and 98/79/EC. Seven discrepancies were identified; these discrepancies are described in EN 14971 as “Content Deviations”. This blog deals with Content Deviation No. 3 – Economic Considerations of Risk Reduction. (See below for links to our previous newsletters on the topic of Content Deviations)

In the area of medical device manufacture, all risks cannot be completely designed out and therefore there will always be some residual risk. This residual risk and precautions that are necessary by the user and contraindications are normally contained in the device Instructions for Use (IFU).  However the Essential requirements of the MDD require that all risks must be reduced as far as possible and not just as low as reasonably practicable (ALARP) as stated in the ISO 14971: 2009. The 2012 version of the Standard (EN ISO 14971: 2012) makes it clear that economic considerations are not an acceptable justification for not reducing a risk, regardless of the magnitude of that risk. Therefore, manufacturers cannot justify not reducing a risk because to do so would be too costly. The Medical Devices Directives do not permit financial considerations to override the Essential Requirements for safety and performance of medical devices.

Process Risks

As regards process risks, the same principles apply – economic considerations cannot be used as justification for not implementing process controls. The question must be asked, would additional process controls or inspections reduce the risk associated with the use of the device?

If the answer is yes, then the additional process controls must be implemented. The permissible reasons for not implementing additional controls are outlined later in this newsletter but they must not include economic considerations. It is important to note here, that the MDDs are only concerned with the risks associated the use of the device and not the risks to the manufacturing process itself, except the risk that stocking out the market would be deny patients treatment e.g. in the case of a unique therapy or a near monopoly situation.

The real practicable difficulty that arises here is the need to immediately comply with EN 14971:2012. Implementing additional process controls takes time, the process controls themselves must be risk assessed to ensure that there is no adverse effect from their use and the effectiveness of the controls must be validated or verified.

The question is; how does the manufacturer solve this problem? It is recommended that existing risk analysis documents such as pFMEA s be reviewed and additional controls be identified where necessary for each and every process risk (regardless of its magnitude). Once this has been done, a project plan should be drawn up for the implementation of the additional process controls. This plan should prioritise the risks of the highest magnitude. The project plan should be integrated into the company’s Quality System through a mechanism such as Change Control or a Quality Plan. The next step should be to contact your Notified Body as soon as possible, well in advance of your next audit or submission, and outline your plan for compliance.

Once the notified body is on side with the plan, the implementation of additional controls should be progressed without delay and the project plan should be kept up to date as the project evolves. Account must be taken of the Post Market Information as required by ISO 14971:2012 when implementing the plan. If information arises that indicates that a particular risk was higher than originally estimated or has increased or is increasing, then that risk should be re-prioritised within the project plan and the implementation of the additional risk controls for that risk must be brought forward if possible.

Does this mean an end to the use of ALARP?

Yes. For devices sold in Europe, the ALARP concept will no longer be permissible as a means of risk acceptance because it involves an economic element in the justification of acceptable risk.

In future, there will only be two categories of risk;

  1. Intolerable risk – the presence of which means a device cannot be placed on the market unless justified through risk/benefit analysis.
  2. Acceptable risk – risks that have been reduced as low as possible and have been justified through risk/benefit analysis. (Risk/benefit analysis must be conducted for each individual risk and for the totality of the risk).

Most company’s risk management system contain a risk acceptability matrix that displays the ALARP region of risk acceptability such risk acceptability matrices should be replace with a matrix such as the one shown in Figure D.5 of ISO 14971 (reproduced below).

 Where does this all end?

How far do I need to go in reducing risks is a question manufactures often ask? To take the principle of not using economic justification for reducing to its logical conclusion, I could ensure that my device is free particulate by having it built in space. As I cannot state that it would not be economically feasible to do so, how am I to proceed? You are not expected to go to the Nth degree but are expected to adhere to the ‘generally acknowledged state of the art’ as required by the MDDs. The MDDs do not define state of the art, but ISO 14971 does define sate of the art as follows:

“State of the art” is used here to mean what is currently and generally accepted as good practice. Various methods can be used to determine “state of the art” for a particular medical device. Examples are:

  • standards used for the same or similar devices;
  • best practices as used in other devices of the same or similar type;
  • results of accepted scientific research.

State of the art does not necessarily mean the most technologically advanced solution.

As there is no content deviation in EN ISO 14971: 2012 relating to state of the art it can be concluded that this definition is valid for compliance with the MDDs. As long as your designs and controls are state of the art you can justify that you have reduced the risk as far as possible.

For example: To have a line of six inspectors each checking the previous inspector has not missed a defect is not the state of the art; however, to have a vision system checking for defects which are associated with a high severity harm for the patient is state of the art, while to have a vision systems to check for every possible defect irrespective of the harm that it could cause is not state of the art.

Manufacturers must be aware that the state of the art changes over time and that they must keep up with the state of the art. Consideration of how current designs and controls compare to the state of the art should form part of the periodic review of risk conducted by top management as required by ISO 14971.

This leaves the following possible justification available for not reducing risk further:

  • The risk has been eliminated.
  • The designs and controls are state of the art.
  • Improved design or further controls are not technically feasible (as opposed to economically feasible) taking into account the current state of the art.
  • The existing design (or controls) have reduced the risk to the same level as the proposed new design.
  • Additional designs or controls would conflict with the existing design or controls thereby resulting in a risk that is equal to worse than the current situation.
  • The design or control introduces a new hazard that presents a risk that is equal to worse than the current situation.

How to Address Deviation No. 3

In order to address content deviation No. 3 your risk management team will need to change the risk management process to remove the ALARP risk category and the use of economic justification for not reducing risk. These will need to be replaced with requirements to reduce risk as far as possible given the state of the art and a requirement to clearly state that all risks have been reduced as far as possible. The risk review process will need to be updated to ensure that it contains a requirement that the designs and controls be kept up to date with the current state to the art.

Your team will need to review risk management documents such as dFMEAs and pFMEAs to remove all reference to ALARP and to ensure that all risks have been reduced as far as possible. Where this is the case a clear justification should be added to state that risks have been reduced as far as possible given the state of the art. Where this is not the case, redesigns and or improved controls will have to be developed in order to bring the device safety up to the state of the art. A project plan to achieve this should be embedded in your Quality System and kept up to date.

Finally communication with your Notified Body is vital to ensure that they are on side with your programme for compliance with content deviation No. 3.


* Content Deviation: During the process of making ISO 14971 an EN standard (a process known as harmonisation), it became apparent that the standard did not comply with all the requirements of the Medical Devices European Directives, namely 90/385/EEC, 93/42/EEC and 98/79/EC. The differences between EN 14971: 2012 and the medical devices directives are known as Content Deviations.

The seven Content Deviations are:

Treatment of Negligible Risk
Risk Acceptability Assessment
Risk Reduction Economic Considerations
Risk-Benefit Analysis Not Optional
Risk Control Options
First Risk Control Option
Labelling Information Cannot Influence Residual Risk

Our previous blogs on the topic of EN 14971: 2012 Compliance and Content Deviations are available here

Submitted by John Lafferty, SQT Healthcare tutor



Powered by WordPress | Theme: Aeros 2.0 by