REGULATION AND STANDARDS COLUMN
The European medical devices Directives require that manufacturers identify risks associated with the use of their devices, eliminate or reduce risks as far as possible, take protection measures in relation to risks that cannot be eliminated, and inform users of the residual risks that result from any shortcomings in the adopted protection measures. Regardless of the measures taken, any risks that may be associated with the use of medical devices must be acceptable when weighed against the benefits to the patient and must be compatible with a high level of protection of health and safety.
European harmonised standard
The European harmonised standard, EN ISO 14971:2000/A1:2003, Medical Devices, Application of Risk Management of Medical Devices, supports the essential requirements of the European Directives related to risk. It should always be noted that European standards, including harmonised standards, are voluntary. However, if manufacturers implement European harmonised standards, regulatory bodies and Notified Bodies must presume that the medical devices covered by those standards comply with the essential requirements relating to the standards. Therefore, regulatory bodies and Notified Bodies must presume that manufacturers implementing EN ISO 14971:2000/A1:2003 comply with the Directives’ essential requirements related to risk. Except for the European national forewords, the European harmonised standard is identical with ISO 14971.
The risk analysis standards have been available for some time. In spite of this, some manufacturers continue to encounter problems when implementing the standard. In part, this may be because some find aspects of the standard difficult to follow. For example, it may not be clear how to use tools such as Failure Mode and Effects Analysis, which can be used for identifying hazards and estimating the risks associated with the use of the medical device. In other cases, some manufacturers have not always found it easy to incorporate the policies and procedures described in the standard into their quality systems.
Stand-alone risk standard
One of the more important reasons why incorporation of the provisions of ISO 14971 into a formal quality system has presented some challenges is that the standard was developed as a stand-alone standard, which does not require the implementation of a quality system. In fact, Clause 1, Scope, states that the standard does not require manufacturers to have a formal quality system in place. For this reason, ISO 14971 is written as if risk-management procedures are separate from quality system procedures. For example, Clause 3.2 requires manufacturers to establish and maintain a process for identifying hazards associated with a medical device, estimating and evaluating the associated risks, controlling these risks and monitoring the effectiveness of the control. However, how these activities can be managed within a quality system is not addressed. All of the procedures described in the standard are written in this way.
ISO 14971 also specifies certain risk-related requirements that are not described in the European harmonised standard for medical device quality systems, EN ISO 13485:2003, Medical Devices, Quality Management Systems, Requirements for Regulatory Purposes. For example, it includes requirements for management responsibilities concerning the management of device-related risks and development of risk-management plans. In contrast, EN ISO 13485:2003 specifically mentions risk only in the clauses related to product realisation such as in Clause 7.1, Planning of Product Realisation and 7.3.2, Design and Development Inputs. For example, Clause 7.1 states that organisations establish documented requirements for risk management throughout product realisation. It also requires that records arising from risk management are maintained. A note informs users of the standard to read ISO 14971 for guidance related to risk management. In addition, Clause 7.3.2 requires that inputs relating to product requirements shall be determined and records maintained, and that these inputs include, among other information, output(s) of risk management. Therefore, some manufacturers have been confused by the differences in the manner in which these standards address risk. This has sometimes led to uncertainties regarding the implementation of risk-related policies and procedures within their quality-management systems.
In spite of the fact that EN ISO 14971 does not require that a formal quality system is in place, Clause 1 of the standard states that risk management can be an integral part of a quality system. The guidance document, which is the subject of this article, was written to assist manufacturers in incorporating risk-management policies and procedures into their quality-management systems.
The guidance
Table I: Table of contents of GHTF guidance document on incorporating risk management into a quality system.
On 20 May 2005, the Global Harmonisation Task Force (GHTF) issued a guidance document: Implementation of Risk Management Principles and Activities within a Quality Management System (GHTFSG3/N15R8).1 This guidance document was developed by GHTF Study Group 3. Table I lists the table of contents of the guidance document.
Readers involved in the incorporation of risk-management policies and procedures into EN ISO 13485:2003 should review this guidance document. It can also be used by manufacturers who wish to do the same with regard to the US Quality System Regulation (21 CFR Part 820). It provides concise and practical guidance and has proven to be useful in ensuring that considerations regarding risk are incorporated into appropriate provisions of formal quality systems. In addition, the authors of the guidance document have ensured that it is consistent with the contents of ISO 14971. Some examples of the manner in which the requirements included in ISO 14971 can be incorporated into quality systems are presented below.
Management responsibilities
Clause 3.3, Management responsibilities, of ISO 14971, requires that manufacturers define the policy for determining acceptable risk; ensure the provision of adequate resources; ensure the assignment of trained personnel for management, performance of work and assessment activities; and review the results of risk-management activities at defined intervals to ensure continuing suitability and the effectiveness of the risk-management process.
Section 4, Management Responsibilities, of the GHTF guidance document states that objectives relating to device safety should be a major part of the overall quality objectives of manufacturers. It also states that management should ensure that as part of quality planning, planning for risk-management activities is conducted to meet these objectives. These activities should include establishment of risk acceptability criteria, risk analysis, risk evaluation, and risk control and monitoring. In addition, manufacturers should plan and perform internal quality audits to verify that risk-management activities and related results comply with planned and established procedures.
Thus, guidance is provided that assists manufacturers in understanding how the management-responsibility provisions of ISO 14971 can be incorporated into the quality system. For example, ISO 14971 states that manufacturers must review the results of risk-management activities at defined intervals, but it does not specify how this should be done under a quality system. The GHTF guidance suggests that manufacturers plan and perform internal audits to accomplish this task.
Design and development input
EN ISO 13485:2003 requires that design and development input relating to product requirements such as functional, performance and safety requirements, and applicable statutory and regulatory requirements be determined. One of the listed design inputs is the output of risk management, but no additional detail is provided.
Dr. Maria E. Donawa, Donawa Consulting, Piazza Albania 10, I-00153 Rome, Italy, tel. +39 06 578 2665, fax +39 06 574 3786, e-mail: medonawa@donawa.com, www.donawa.com
The GHTF guidance document makes useful suggestions regarding which risk-related activities can be considered to be design inputs and which can be considered to be design outputs. For example, it provides a brief discussion of the steps involved in risk analysis, including the identification of hazards and potential harms that could result from those hazards and estimation of the risks of those harms occurring. Those identified risks are then evaluated against previously established acceptability criteria to determine whether or not risk controls are needed. The guidance document states that when establishing design and development inputs, the need for risk control measures should be considered. Thus, the activities that comprise risk analysis are included in section 7.2, Design and development input, of the guidance document. Furthermore, the guidance states that the risk control measures that are identified during the input phase must be designed and incorporated into the design and development output. The guidance describes design and development outputs as falling into three categories: specifications of the characteristics of the medical device; requirements for purchasing, handling, distribution and services; and medical device acceptance criteria. A detailed discussion of this and the remaining sections of the guidance is beyond the scope of this article. Therefore, readers should refer to the guidance for more information.
Other available guidance
ISO TR14969:2004, Medical Devices, Quality Management Systems — Guidance on the Application of ISO 13485:2003, was developed to provide detailed guidance related to process validation, design control, quality planning and other provisions of ISO 13485:2003. This document will be discussed in a future article. It is mentioned here because it also contains guidance on where risk-related activities should be considered within the quality system.
Dr. Maria E. Donawa, physician, pathologist and pharmacist with 25 years’ regulatory experience, worked with the US FDA before becoming President of Donawa Consulting, an international consultancy firm, which provides clinical research, quality management system, regulatory affairs, and European Authorised Representative services to medical technology companies.





