Good day to all and welcome back to another week of MedTech Compliance Chronicles! This week we focus on one of the most core, foundational concepts of the QMS and, indeed, of medical device regulations, period: Risk Management. This is a perfect follow-up to last week's post about planning for product realization, because documenting at least one process of risk management is a requirement for product realization. It is a requirement so large that it needed its own dedicated post. Over the last 5-10 years, a ‘risk-based approach’ to virtually all activities which an organization performs has slowly become the norm, and it is the direction that all international standards and regulations have been taking. Of late, quality requirements are slightly less specific and prescriptive; instead they provide a general requirement that should be applied commensurate with the risk associated with the specific subject of the requirement at hand. For example, suppose a requirement for verification of product conformity to requirements is being applied to create an inspection checklist for a product. Feature A will result in a much greater risk to the patient if it does not conform to requirements than feature B will. Therefore, feature A’s inspection method and plan must reflect this greater risk, which could mean a number of things: more frequent inspection, larger sampling plans for inspection of this feature, or more precise measuring equipment.
The overall goal of regulating medical devices is to ensure that all medical devices which are legally available on the market are safe and effective for their intended use, with their intended patient population. That goal should always be in the back of your mind when constructing any part of your QMS, and risk management is essentially how you determine a ‘stopping point’ for your mitigation activities. All aspects of your organization that can potentially have an impact on product quality or the QMS itself must be analyzed for the risks they present. After this is done, depending on the degree of risk and your company’s risk acceptability policy, you must take actions to control or mitigate these risks to a degree proportional to the risk they pose to the safety and efficacy of the finished medical device or the QMS. Depending on what exactly you are performing risk management on (product, process, equipment, changes, etc.), you may use different tools or approaches, but the general process will be the same. Your organization must establish its policy towards risk and define what is and is not acceptable risk. You must then go through your selected risk management tools and processes to determine the associated risks of what is being evaluated. Finally, you must make a decision based on the results of your evaluation and your organization’s policy.
![](https://static.wixstatic.com/media/60601f_bce83fd3ab474d139a9264d2f1b1a12d~mv2.png/v1/fill/w_835,h_319,al_c,q_85,enc_auto/60601f_bce83fd3ab474d139a9264d2f1b1a12d~mv2.png)
Risk Policies
Risk management, like most processes involved in the making of medical devices, is a scientific process. As with any scientific process, in order to ensure the integrity of the results and mitigate human error and subjectivism, the acceptance criteria should be established before the process actually begins. Predetermination of acceptance criteria is essential as it ensures that the actual results conform to expected results, as opposed to the expected results being modified to fit the actual results. The organization as a whole assists in this effort by establishing a policy for risk acceptability and what constitutes different levels of risk.
The organization should set a risk acceptability policy, which should include some manner to judge the degree of risk posed by a particular event or combination of events, and determine the acceptability of that risk. At many companies, this takes the form of a 1-5 or 1-10 scale that ranks the severity of harm resulting from a particular scenario, as well as the probability of that harm resulting from the scenario. It is important to clearly define each level in both severity and probability; for example, it is standard practice for the maximum severity level (either 5 or 10 normally) to be defined as death or serious injury. Probability is usually ranked using the actual numerical value of the probability of harm occurring. An important thing to remember about probability is that what you want to know is the probability of the harm occurring. This is a combination of both the hazardous situation occurring and the harm, at the severity determined, also occurring. Just because a situation occurs that exposes someone to a hazard does not necessarily mean that harm will occur. You must determine both probabilities based on the particular scenario you are examining.
Once you have a defined scale ranking severity and probability, the next step is to develop the acceptability policy. You will take the scales of both and combine them in some way. Some companies multiply the values and others add them, but it is probably most common to just create a 5x5 or 10x10 (or whatever your scales are) matrix with high, medium and low areas of risk shaded in (as in the picture at the top of this post). This will give you a ranking of what the organization considers a high, medium or low risk. The organization must then create a policy about what it considers acceptable, or what it will do when a certain risk falls in X category. This is somewhat subjective and specific to the degree of risk the company is willing to take. However, you should do your due diligence in researching what degree of risk is generally acceptable for your organization’s type of device and more or less be at least as strict as what is generally accepted; otherwise you might have issues getting clearance.
Risk Management Process
The process of risk management itself is something that takes many different forms and names depending on the organization. The various tools include fault tree analysis (FTA) and failure mode effect analysis (FMEA), among many others. For medical device products, there is even a specific ISO standard for risk management, ISO 14971:2019. Regardless of which specific tool you are using or whether you are evaluating the risk associated with a product, process or something else, the fundamental process will look largely the same. I will steer clear of being too prescriptive, as a lot of the details are specific to the tools you will use. Instead I will try to develop a fundamental understanding of what the goal of the risk management process is. In general, the process of risk management involves identification of hazards, determination of situations that expose the user(s) of the device to these hazards, and a determination of both the likelihood that exposure to these hazards causes harm and the severity of that harm.
A common mistake many make immediately is confusing hazards and harm. To illustrate the difference, let’s say we have a 100 kg metal object suspended by some system to a height of 3 m. For some reason, this object falls and a person standing underneath has a leg broken by the falling object. In this case, having a hard, heavy object suspended to some height over the floor is the hazard, while the broken leg is the harm. An explanation of the difference that helped me understand it early in my career is that hazards are inherent properties of the system, product or process that could cause harm if people (or in some cases other objects) are exposed to them in a certain manner or under certain conditions. Harm is then the actual injury that results from exposure to the hazard. Another common mistake, alluded to earlier in the post, is assuming that just because a hazardous situation occurs, the harm also occurs. This is not always true, and if you calculate it this way you can end up severely overestimating your risk.
Now that you have your severity and probabilities calculated, you can take them back to the general acceptability policy that was established to see where they fall on the acceptability scale. Depending on where they fall, you will have some decisions to make.
Decision Making
Risk management is fundamentally an iterative process. You have now determined what your risks are, ranked them and compared them to the risk acceptability policy. Based on where the risk fell within that policy, you will need to make various decisions about how to proceed. The options to proceed are: accepting the risk as is and doing nothing; implementing risk controls to lower either the probability of occurrence or the severity of the resulting harm; performing a risk-benefit analysis to determine if the benefit to the patient of using the device outweighs the risk posed; or, if none of these suffice, redesigning or reconsidering the feasibility of the product.
If you implement risk controls or redesign the product, you will need to perform the risk management process again on these controls or redesigned aspects. You must continue to do this process until all of your risks and the overall risk are acceptable, per your organization’s policy. Once all risks have been mitigated to an acceptable level, document the risk management process and outcomes and keep the documentation handy, because you must continually update it throughout the product's life in the market.
Conclusion
You should now have a foundation in one of the most important concepts in quality management, if not the most important: risk management. Like all good objective processes, acceptance criteria must be pre-determined. You must think through all possible scenarios that could result in harm and determine their likelihood and how bad that harm would be. Finally, if it wasn’t perfect the first time (which it never is), you must iterate on this process with whatever mitigation methods you have chosen until all risks are acceptable.