What’s New, What’s current in ISO 14971: Application of Risk Management to Medical Devices. Paul McDaniel ASQ CQM/OE Executive VP Operations and QA Sicel Technologies
Background Medical device risk management activities came about primarily because of their regulated nature –In the most general sense, using the FDA as an example, the US population, by way of their representatives, determined that someone must look after the manufacturers to make sure products are safe and effective –As the industry matured, it became apparent that in many cases, the manufacturers were best able to determine safety, so the regulatory bodies asked for generally accepted practices to be performed by all. But leave an objective evidence trail to follow!
ISO The standards community determined it was time for a harmonized approach to risk management processes. –For many of the regular reasons: level the playing field; allow market introduction to be more predictable; describe the state of the art –For some of the unique reasons: to save a life, sometimes you have to introduce a risk of harm; medical devices are somewhat unique; the consumer should be able to trust that the risk is outweighed by the potential benefit
ISO The first edition was issued in 2000 –Follows a quality systems model –Process focused –Was a compilation of industry practices, and the thoughts of technical experts and regulatory agencies as the “right” requirements. After a minor amendment in 2003, the second edition was issued in 2007.
What’s it all about? Risk: combination of the probability of harm and the severity of that harm. Harm: physical injury or damage to the health of people, property, or the environment. Hazard: a potential source of harm. Hazardous situation: circumstance in which people, property or the environment are exposed to one or more hazards.
Standard Overview General requirements –Risk management process –Mgmt responsibilities –Qualification of personnel –Risk management plan –Risk management file Feeling a little ISO 9000–ish? –Definitely a little ISO 13485–ish? Medical devices – quality management systems, requirements for regulatory purposes
ISO Main Body Risk Analysis Risk Evaluation Risk Control Evaluation of overall residual risk acceptability Risk Management Report* Production* and Post Production Information * Changes in 2007 edition
Risk management process (adapted from ISO 14971:2007, Figure 1)
Risk Analysis
- Intended use and identification of characteristics related to safety of the device
- Identification of hazards
- Estimation of risk for each hazardous situation
Risk Evaluation
(Risk Analysis and Risk Evaluation together make up Risk Assessment)
Risk Control
- Option analysis
- Implement controls
- Residual risk evaluation
- Risk/benefit analysis
- Risks arising from control measures
- Completeness of risk control
Evaluation of overall residual risk acceptability
Risk Management Report
Production and post-production information
(All of the steps above together make up Risk Management)
8 Risk Management Report Prior to release for commercial distribution of the medical device, the manufacturer shall carry out a review of the risk management process. –RM Plan was implemented –Overall residual risk is acceptable –Appropriate methods for production and post-production data collection are in place
9 Production & Post Production Information Establish, document and maintain a system to collect and review information about the device… The system should consider –Operator, user, installation, use and maintenance feedback is collected and processed –New or revised standards –Publicly available information about similar devices
9 Production & Post Production Information (cont) Evaluate this information for relevance to safety –Are previously unrecognized hazards or hazardous situations present? –Are the estimated risks no longer acceptable? –Feedback any “yes” answers into the risk assessment and controls processes for action.
Risk Analysis in Production Non-conforming material and Material Review Board Processes? –Can they effectively consider risks on each occurrence? Control charts, acceptance data –Are risk controls part of acceptance testing? –Frequency of occurrence suggesting anything? “Risk of failure was ranked as remote yet we’ve had three catastrophic hi-pot test failures this month!”
Informative annexes A Rationale for requirements B Process overview C Questions that can be used to identify medical device characteristics that could impact safety D Risk concepts applied to medical devices E Examples of hazards, foreseeable sequences of events and hazardous situations F Risk management plan G Information on risk management techniques H Guidance for in-vitro diagnostic hazards I Guidance for Biological hazards J Information for safety and information about residual risk BIBLIOGRAPHY –37 very useful references
Information on Techniques ISO Annex G: Preliminary Hazard Analysis; Fault Tree Analysis; FMEA; HAZOP; HACCP. Sample keywords from ASQ Certified Reliability Engineer BOK: Failure consequences and liability management; Product safety and liability; FMEA/FMECA in design; FTA in design; Reliability modeling and prediction.
Developing Risk Measures There is more and more indication that “quantitative” risk assessment is preferred over qualitative. Consider the products liability landscape in the US when you decide to traverse that path. –The standard requires management set a policy for determining risk acceptability, not “3 deaths per million is ok”
Risk Acceptance For those lawyers out there: define the scope of your process –The records produced will be subject to second guessing if harm occurs: don’t allow hindsight to change the rules –Document your information sources!!!!!!! When you made your risk acceptability decision, what information was available and used? We can only be diligent, not psychic
Risk Acceptability Once you start applying the process, you must maintain diligence –most risks represent “smoking guns” if you thought a risk could only be realized once in a device lifetime and you have two reports, revisiting your mitigation decision would be very prudent! –what society accepts today will probably be too great a risk tomorrow The term is a little stale, but “state of the art” is the concept
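The production check raised on the "Risk Analysis in Production" slide and the "two reports" case above can be made concrete. This is an added example, not part of the presentation or the standard: it asks how likely the observed failure count would be if the occurrence rate assumed in the risk analysis were right, and flags the hazard for re-assessment when that is implausible. The hazard names, rates, unit counts and the 5% threshold are constructed assumptions.

```python
import math

def poisson_tail(k, mean):
    """P(X >= k) when X ~ Poisson(mean)."""
    if k <= 0:
        return 1.0
    below = sum(math.exp(-mean) * mean ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - below)

def review(hazard, alpha=0.05):
    """Compare observed events with the rate assumed in the risk analysis."""
    expected = hazard["assumed_rate"] * hazard["units"]
    p_value = poisson_tail(hazard["observed"], expected)
    return {
        "name": hazard["name"],
        "expected": expected,       # events the estimate predicts
        "p_value": p_value,         # chance of seeing this many or more
        "reassess": p_value < alpha,
    }

def flagged(hazards, alpha=0.05):
    """Names of hazards whose field data contradicts the estimate."""
    return [r["name"] for r in (review(h, alpha) for h in hazards) if r["reassess"]]

# Constructed sample data: assumed per-unit failure rates from a
# hypothetical risk file, units tested this month, failures observed.
HAZARDS = [
    {"name": "dielectric breakdown", "assumed_rate": 1e-5, "units": 2000, "observed": 3},
    {"name": "connector misfit", "assumed_rate": 1e-3, "units": 2000, "observed": 3},
]

if __name__ == "__main__":
    for h in HAZARDS:
        r = review(h)
        action = "feed back into risk assessment" if r["reassess"] else "consistent with estimate"
        print(f'{r["name"]}: expected {r["expected"]:.2f}, '
              f'observed {h["observed"]}, p={r["p_value"]:.2g} -> {action}')
```

The same three failures are unremarkable for the hazard estimated at one in a thousand and strong evidence against the estimate for the one ranked far rarer, which is the point of checking frequency against the risk file rather than against a fixed count.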
Key to Success No engineer, clinician, production associate, marketeer, president, or janitor wants to make and sell unsafe products. Risk management process and techniques, when applied early and often, give everyone the ability to do the right stuff –Applied late in the game, it makes most involved feel poorly about any potential risks remaining. The ISO Standard is really applicable to all industries as a best practice
IEC General Requirements for Basic Safety and Essential Performance of Medical Electrical Equipment Influences of Risk Management on the Third Edition
Terms Basic Safety –Freedom from unacceptable risk directly caused by physical hazards when ME equip is used under normal and single fault conditions Essential Performance –Performance necessary to achieve freedom from unacceptable risk Note: is most easily understood by considering whether its absence or degradation would result in an unacceptable risk. 139 defined terms to “apply”!!!!!
Key Risk Related Concepts Basic Safety and Essential Performance required for normal use, reasonably foreseeable mis-use, in normal condition and single fault conditions. Thankfully, medical equipment is presumed to be operated under the jurisdiction of qualified or licensed persons and the operator has the skill required for a medical application and acts according to the instructions for use. –No lawn mowers as hedge trimmers
Medical Equipment Risk Criticality 8 key differentiators for medical equipment as compared to other electrical equipment are mentioned: –Non-detectable hazards (radiation) –Patient may not be able to react to hazards: ill, unconscious, impaired functioning –Multiple equipment connections –Electrical circuits are applied directly to the body –……. –These make ISO a medical device required practice as compared to general industry.
Risk Management? 4.2 Risk Management process for Med Elect equipment or Systems –A Risk Management Process complying with ISO shall be performed 4.7 Single Fault for ME Equipment –The results of risk analysis shall be used to determine which failures shall be tested. Probably will need an FMEA or similar detailed analysis to support this requirement!
Good clarifications Annex A Risk Management Process –Compliance with the clauses of this standard that contain specific, verifiable requirements is presumed to reduce the associated risk(s) to an acceptable level. –Other than these specific requirements, and single fault compliance, the manufacturer’s responsibility is to set acceptable risk levels and explain the rationale in the risk management file.
Risk Management Conformity There is a bell sounding in the compliance community –With the normative reference of ISO in IEC , we may need third party certification of risk management “systems”
3rd Party Certification The intent of the standards working group was to have a standalone risk management process if no quality system existed. We tried hard to recommend that if a Quality system existed, risk management should be integrated into it. Fight this trend to transfer money from medical device development to systems conformity companies! –Integrate the processes with your quality system –Look for standards work item proposals related to this concept and vote them down. –Get another certification body if you get a quote for ISO compliance assessments/audits/certification
What’s next From the ISO 14971:2007 Foreword –For the purposes of future IEC maintenance, Subcommittee 62A has decided that the contents of this publication will remain unchanged until the maintenance result date (2014) –A search of IEC subcommittee 62A and ISO Technical Committee 210 shows no work item proposals for ISO 14971