Risk Management for Medical Devices
Risk management consist of the application of policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, mitigating and monitoring risks as described by ISO 14971, ISO 13485, FDA’s 21st century GMP and ICH initiatives (such as Q8 Pharmaceutical Development, Q9 Quality Risk Management, and Q10 Pharmaceutical Quality System). Especially after the aforementioned guidelines and regulations were created managing risks (and designing quality) into medical devices and pharmaceutical products evolved from a reactive practice into a very proactive one throughout a product’s lifecycle. The discipline of risk management has become very much an essential part of the efforts to design quality and safety into a product. As such it is a continuous process that must start early during product development and only end after a product is off the market. This includes during the initial design of the product, after or during design changes, after or during production process changes, and in the least desired scenario of regulatory action after post-market product release such as product recalls, field alerts, etc.
Multiple tools for risk management implementation exist and are accepted widely by regulatory bodies. As a matter of fact ISO 14971 provides flexibility in terms of the overall approach and tools for its implementation. It is up to individual organization to choose the ones that best fit their needs and FDA compliance requirements. The quintessential (and often misused) risk management tool is FMEA (Failure modes and effects analysis). Although a great framework to assess process risks it is commonly utilized as the all-encompassing solution for risk management requirements. Having an FMEA (or any of its variations) for a given process does not satisfy the requirements of a sound risk management program as intended by the aforementioned regulatory body and guidelines. There are multiple tools that are better suited for specific risk assessments and more importantly there are other elements of a sound risk management system that must be in place to effectively identify, mitigate, control and monitor product risks. Most importantly, the risk management paradigm chosen must be appropriately institutionalized and consistently be utilized as part of the product lifecycle instead of as a one-time “deliverable”. Risk management should be taken seriously and objectively, or it will only yield reports with no further value other than taking space on a product file.
Two examples of these tools are:
User Risk Assessment: evaluates the impact of potential human actions due to unclear understanding of proper utilization, physical limitations or other relevant factors. It makes use of focus group studies to identify steps that are prone to error by performing the intended tasks or device usage with the instructions provided and documenting the most prevalent and critical difficulties observed. As stated above, a qualified and knowledgeable risk management team then documents, categorizes and clasifies these according to the established risk management process and identifies mitigation strategies. Process and design engineers, clinicians and focus groups provide valuable insight into these studies.
Design or System Risk Assessment: evaluates the potential risks associated with design of systems, subsystems and their interactions. These utilize inputs from subject matter experts on the device for which the risk assessment is being conducted. Understanding of the inner workings of a particular device and the potential interactions between subsystems is crucial to these assessments. Therefore team members knowledgeable in the technical aspects of a device are an important component of these teams.
The importance of the expertise brought on by the risk management team cannot be understated. Said expertise is paramount from both the risk management process and technical knowledge regarding the product (device) design and intended use as well as an understanding of actual usage conditions and limitations for which the product is intended. This knowledge feeds into the identification of ideally all or at least most of the potential hazards as well as their assessment on their respective risk categorization parameters such as likelihood, detectability, severity, etc. At this time the risk management team must focus on identifying and implementing measures for risk elimination, control and/or reduction as possible. This process takes into account risk/benefit analysis and any additional risks being introduced by the implementation of risk control measures. The results of this exercise are documented and published in a risk assessment report that in a sound risk management program would provide valuable production and post-production information throughout the product lifecycle.