Featured Video
This Week in Quality Digest Live
FDA Compliance Features
Michael Causey
Be proactive in anticipation of new leadership and direction at the FDA
Jon Speer
A proactive approach in a high-risk sector
Robert M. Califf
Progress and potential report
Dirk Dusharme @ Quality Digest
FDA’s MRI program, better coaching, Olympus Vanta XRF analyzer, and more
Dara Corrigan
A new path for pharmaceutical inspections in Europe and beyond

More Features

FDA Compliance News
Awards help states implement multiyear produce-safety systems
The future of medical product development?
Manage risk while meeting regulatory requirements and compliance
FDA believes you can use openFDA to create products that promote public health
Company headquarters and 30 jobs in Dayton, operations in Europe, stay in place
Four guidelines for industry offer useful tools for manufacturers

More News

  •  

  •  

  •  

  •  

     

     

  • SUBSCRIBE

Jon Speer

FDA Compliance

Key Challenges for Risk Management in Medical Device Development

A proactive approach in a high-risk sector

Published: Monday, February 13, 2017 - 12:01

If you’re in the business of developing medical devices, then risk and risk management become terms synonymous with your daily operations. Your overall task is to bring a device to market that not only provides a needed function to a patient, but is also proven to be safe to use—maybe even used by someone who is near and dear to you.

Risk management can be a daunting and often confusing subject. Even the most experienced businesses trip over it from time to time, so it always pays to keep your knowledge up to date.

We looked into some key challenges that have been common in risk management lately, because it’s always good to know where the challenges lay, and what to do about it. Here is what we’ve found:

1. Keeping up with changes to ISO 13485

If one thing is certain in the world of medical device development, it’s that change is our constant companion. ISO 13485:2016—“Medical devices—Quality management systems—Requirements for regulatory purposes” was published in the first quarter of 2016 and contains amendments for how companies are to ensure that their quality management systems (QMS) incorporate a risk-based approach.

The challenge here is that almost every company that is operating with an ISO 13485 QMS in place will have to take action to update procedures and processes to account for risk-based approaches. For some companies, this could involve major changes within their operations.

While the adoption period for 2016 is technically three years from its publication (or 2019), registrars are already working with companies to transition to the new version. The bottom line? Knowing what is changing and making plans to comply early will save your company hassle down the line and possible issues with noncompliance.

Medical device manufacturers: Get conversant with ISO 13845:2016 now.

Tips for ISO 13485:2016
Assuming your company is one that would like to be ahead of the game, now is the time to be conducting a gap analysis to determine the impact of the changes in ISO 13485:2016 and establish quality plans to implement any updates as soon as possible.

Here are a few tips for ensuring you’re equipped with the right information:
• The full text of ISO 13485:2016 is available now for purchase. You will find appendices to compare changes vs. the 2003 version of the standard.
• Our website greenlight.guru has put together some webinars to help inform you about specific changes in ISO 13485:2016. You can find them here.
• Changes are wide-ranging but focus mainly on risk management. For example, there is now a specific requirement for documenting the maintenance of equipment that is used in production, as well as controlling the work environment, and monitoring and measurement. See a Slideshare presentation we put together for more information.
• Seek assistance from an accredited registrar to help with your transition.

2. Consistent application of ISO 14971

First of all, ISO 14971—“Medical devices—Application of risk management to medical devices” is a standard for applying risk management to medical devices. Although this standard has been established for many years, many companies seem to struggle with consistent application and get flagged for compliance issues.

All product-related risk management procedures and practices must be in alignment with ISO 14971, so it’s worth knowing about specific areas that continue to be an issue. This is the standard across the board, no matter which country you’re developing in.

Common challenges
 Here are some of the common challenges we’re seeing:
• Overuse or over-reliance on FMEA (failure mode and effects analysis) as a tool. While FMEA is a very good tool for assessing single-fault failure modes and reliability, using only FMEA as a means to identify, assess, and evaluate risks has shortcomings.
• Specifically, FMEA only assesses failure modes, and single-fault failures at that. ISO 14971 is very clear that a company needs to evaluate hazardous situations. This means considering foreseeable sequence of events. This also means considering non-failure mode situations. We wrote a detailed post on why FMEA is not ISO 14971 for risk management here.
• Risk management is often not continued throughout the entire product lifecycle. Companies do a decent job of risk management during the product development process (aside from the above noted overuse of FMEA). However, once a device is transferred from development into production, risk management documentation is often neglected and not kept up to date. ISO 14971 is clear that risk management is a total product lifecycle process, including production and post-production.

Regulatory agencies (such as the FDA) as well as registrars and notified bodies are becoming more sophisticated with their knowledge, understanding, and expectations regarding the application of ISO 14971, regardless of the version in use. We go over the “plain English” of it here, and include a handy infographic. You can also find webinars and risk management guides in our resources.

3. Risks associated with manufacturing processes

In our experience, many companies are neglecting to capture risks associated with manufacturing processes. ISO 14971 does specify that the risks associated with manufacturing processes are to be included as part of a product’s risk management file. The actual practice of doing so is very inconsistent within the industry.

It’s important to remember that risk management is a full lifecycle activity for medical device development. Risk documents need to be transferred between each stage (such as from product development to production), and a management plan needs to be in place for the manufacturing process. You can check out our guide to ISO 14971 compliance here.

4. Confusion over applicable ISO 14971 version

Do you sell medical devices into the European Union market? If so, this is for you in particular. There has been some confusion about ISO 14971:2007 vs. EN ISO 14971:2012, and which is applicable to whom. If you sell into the EU, then the EN version is for you.

The normative requirements of these two standards are the same. The EN version introduced a few new “Z” annexes. The Z annexes specify the need to document risk/benefit analysis for every single risk item, regardless of how significant. The Z annexes also require risk controls be identified for every single risk item, regardless of how significant. The 2007 version specifies risk/benefit analysis and risk controls for higher-risk items.

Many companies are still not clear if and/or when EN ISO 14971:2012 applies to them. Additionally, many companies do not consistently align with the Z annexes.

Tips for understanding the ISO 14971 version of compliance
• If you’re manufacturing devices for the EU market, then EN ISO 14971:2012 is for you.
• Pay attention to the “Z” annexes in particular; these are where the EN ISO 14971 standard does and does not meet the requirements of the European Directives.
• The Annex Zs describe these differences as “content deviations” for each directive. You must assess and take care of the gaps between the standard and the directives.

Final thoughts

We’re seeing some key challenges appear for risk management in medical device manufacturing, but with a bit of planning, these can be overcome. Be aware of the changes being implemented with ISO 13485:2016 and plan to be on top of them early. Know the common challenges with ISO 14971 compliance, and be prepared to mitigate those in your own processes.

Risk management is a full lifecycle activity for medical device development; be systematic and review often.

It is also helpful for device makers to use a QMS and risk management software to simplify their compliance to both the updated ISO 13485:2016 and ISO 14971.

Discuss

About The Author

Jon Speer’s picture

Jon Speer

Jon Speer is the co-founder and vice president of quality assurance and regulatory affairs at greenlight.guru, a software and services company that produces beautifully simple quality management software exclusively for medical device companies. greenlight.guru provides consulting as well for regulatory compliance, quality management, and risk management. Follow Speer on Twitter @creoquality.