David M. MacKenzie
Today many medical device companies are at least basically compliant with ISO 14971:2007, "Application of Risk Management to Medical Devices." But is this enough? Executive management must realize that new standards and regulatory enforcement are expanding the scope of risk management throughout the enterprise. This means that there is a lot more to risk management than documenting an FMEA created by R&D!
For example, patient harms and their severity levels are clinical judgments. Design engineers may have the expertise necessary for the bulk of the technical risk analysis; however, they may not have the expertise to properly score risk without clinical input. Risk estimation assistance can also come from standards such as ISO 10993-1, "Biological Evaluation of Medical Devices - Part 1: Evaluation and Testing within a Risk Management Process," and IEC 60601-1:2005 "Medical Electrical Equipment - Part 1: General Requirements for Basic Safety and Essential Performance." These standards help define device hazards caused by material and component failures, but also require risk management long after the design is transferred to manufacturing. Another consideration is use error or even misuse. IEC 60601-1-6, "Usability," can help manufacturers address these likely causes of potential patient risks.
Here are some of the many risk areas that need to be formally established and managed in today's medical device organization.
- Document Control and Change Management. The level of effort can be a result of the design risk analysis.
- Manufacturing. Process validations, purchasing, and inspections should all be risk-based (see, e.g., "GHTF Process Validation Guidance for Medical Device Manufacturers").
- Software Design and Validation. IEC/TR 80002-1, "Guidance on the Application of ISO 14971 to Medical Device Software," emphasizes the tailoring/focusing of these potentially expensive activities using the system risk analysis.
- Clinical Studies. GHTF draft guidance "Clinical Investigations" discusses risk-based clinical study design and outcome expectations.
- Complaint Handling, MDRs, and Field Actions. The thresholds for regulatory action should be risk-based and closely linked to the device's potential harms and their severities.
- Integration of Medical Devices into Hospital Information Systems. ISO/IEC 80001-1, "Application of Risk Management for IT Networks Incorporating Medical Devices, Draft," identifies a risk management process for hospitals and defines the roles of a hospital risk manager and the device manufacturer.
- Quality System. GHTF guidance document on "Implementation of Risk Management Principles and Activities Within a Quality Management System."
In summary, risk management is evolving to a new level beyond the basics of ISO 14971. Executive management needs to control overall enterprise risk (safety plus business risks) by ensuring that the risk management linkages are understood, established, and practiced throughout the organization. Using risk tools can save costs in many areas by focusing activities on the most important (risky!) areas. Bottom line: all recalls are expensive.
David MacKenzie has been a design engineer, project manager, and trainer for more than 35 years. His specialty is risk management for medical devices. He is the Director of Microsafe Systems, a design and risk management consulting firm. He also provides Design Control and Risk Management consulting and training to Noblitt & Rueland, a 20-year-old professional firm providing regulatory and technical training/consulting services to medical device manufacturers around the world. For more information about Noblitt & Rueland or Microsafe Systems, view their listings in the online Consultants Directory.