First, let's define "risk" and "risk management." ISO 14971 defines risk as the "combination of the probability of occurrence of harm and the severity of that harm." Risk management for medical devices is "the systematic application of management policies, procedures and practices, to the tasks of analyzing, evaluating, monitoring and controlling risk." Clause 7 under Product Realization of ISO 13485:2003 references ISO 14971 as guidance for medical device risk management.
It's important to note that severity is a key component of risk management. Many people erroneously assume that risk is purely a percentage. If 1 of every 1,000 people dies due to a faulty pacemaker, for example, that's a more severe "risk" than having 1 of every 300 who might suffer minor burns due to poor design of an electrical component of a medical device.
The first step in implementing an effective medical device risk management process is to perform a full risk assessment. This consists of two parts: risk analysis and risk evaluation. It should be noted that this applies to all phases of the device lifecycle, including planning/product realization, design and development, purchasing, service and change control.
There are various types of hazards that need to be evaluated. They include energy, biological, environmental, software, user error, labeling, complexity of use and functional failure hazards.
The path through risk analysis is paved with questions, and the first step in identifying hazards is to analyze your device for characteristics that could affect safety. Here are some questions you should answer:
- What is the intended use of the product? Is it a single-use medical device?
- Is energy or a substance delivered to or extracted from the patient?
- Is the device to be routinely cleaned or disinfected by the user?
- Are measurements taken? Is maintenance or calibration necessary?
- Is the medical device susceptible to environmental influences?
- Does the medical device have software?
- Does it have a shelf life, and what determines its useful life?
- Does installation or use require special training?
These are just a few of the many questions suggested in Annex A of ISO 14971. Of course, depending on the complexity of your product, there may be dozens more that you should ask and answer.
Once you have identified the device characteristics, the initial medical device risk assessment can begin. This includes identification of risks/hazards known to the device, risk/hazard evaluation and, if required, mitigation taken to reduce the risk/hazard to an acceptable level. Remember that any mitigation taken needs to be re-evaluated to ensure that it has reduced the risk/hazard and that it has not created any new risks. (Annexes B, C and D of ISO 14971 include many good examples of possible medical device hazards.)
After you have performed a comprehensive medical device risk assessment and evaluation and made internal decisions concerning the acceptability of those risks, you must now create a plan of attack for monitoring and controlling those identified risks.
Medical Device Post-Market Surveillance: Monitor and Control
Monitoring risk is an important part of the risk management process. Medical device companies need to ensure that they have processes in place to capture customer feedback (through inquiries, complaints, market studies, focus groups, servicing, etc.). More importantly, you need to trend and review that data on a periodic basis. At the very least, this should be done annually at the formal management review meeting (required by FDA and ISO 13485). However, to have a truly effective program, this should be performed more frequently (monthly, quarterly, etc.), depending on the quantity and type of feedback being received.
Procedures that can cover the collection of medical device post-market surveillance data can include, but are not limited to, customer concerns and complaints, control of non-conforming material/products, corrective and preventive actions, post-market surveillance, servicing, customer surveys, etc. It is important to ensure that all applicable departments and personnel in your organization, such as customer service representatives, sales representatives, distributors and others who may be involved in the collection of this data, have been properly trained to ensure that all information is being collected and documented. These procedures should identify how the collected data is reviewed, investigated, analyzed and trended, plus identify the frequency at which this is performed and who reports and reviews this data.
Feedback is analyzed, and determinations are made whether corrective and preventive action (CAPA) needs to be taken to fix the problem, through product design or manufacturing changes, product labeling and/or training, etc. Feedback and data also need to be evaluated to determine whether regulatory action such as Medical Device Reporting (FDA), Medical Device Vigilance Reporting (EU), advisory notices, recalls and other actions are needed.
Procedures that generally explain how the data is collected and analyzed often include measurement and analysis, management review meetings, risk management, etc. These explain how the feedback (gathered from the above procedures) is analyzed and evaluated, identify the frequency for evaluation and reporting and describe how this post-market surveillance data is used to re-evaluate the risk of the medical device.
Medical Device Post-Market Surveillance: Procedures
Product risks can never be eliminated, so companies need to continually monitor feedback through post-market surveillance to maintain risk at an acceptable level. Indeed, one of the key requirements of ISO 14971 is to manage the risk of the product throughout its entire lifecycle. Your risk management procedure should be directly linked to your post-market surveillance procedure and the requirement of the European Medical Device Directive (93/42/EEC).
Post-market surveillance of medical devices (or post-production monitoring as described in ISO 14971) should include:
- Determination if changes must be made to the original medical device risk assessment;
- A systematic process to evaluate product (not just customer complaints);
- Inclusion of objective evidence in the risk management file;
- Evaluation of any new hazards;
- Determining whether there have been changes in the acceptability of risks as originally defined;
- Inclusion of feedback and revisions of risk assessment/management as required.
One important thing to remember: you need to show proof, in the form of documentation and an audit trail, that medical device post-market surveillance is being performed and that data is feeding into the other systems.
In summary, medical device risk management is not a one-time project. It is an ongoing process of review and risk assessment throughout the life of the device. Companies that take the process seriously will reap the rewards of fewer defects, increased user safety and, in some cases, reduced risk of litigation. Post-market surveillance and vigilance (alert watchfulness) are key tools in this process.