“Using Instructions for Use and Labeling as Risk Controls in ISO 14971” is the second in the “The Best Of” Medical Device Academy’s previously published blogs. We’re republishing these blogs due to tremendous popularity and response from our readership. In this blog, Rob Packard reviews the impact of the seventh deviation identified in the European national version of the ISO 14971 Standard.
Labeling, instructions and warnings are required for medical devices. Unfortunately, information provided by manufacturers is not effective at preventing hazardous situations and foreseeable misuse–especially if the user throws the paper leaflet in the garbage 10 seconds after the box is opened. Since information provided to the user and patients is not effective in preventing harm, the European Commission indicated that this information shall not be attributed to risk reduction.
The European Commission is not suggesting that your company should stop providing directions or warning users of residual risks. The intent of this deviation is to identify incorrect risk estimation procedures. For example, if you are using Failure Mode And Effects Analysis (FMEA), (see Annex G.4 of the risk management standard) to estimate risk for a new product, you should not be listing labeling and IFUs as a primary risk control. Clause 6.2 of the ISO 14971 Standard correctly identifies “information for safety” provided by the manufacturer as risk controls, but the effectiveness of these risk controls is so poor that you should not estimate that risks are reduced by implementation of labeling and IFUs.
In Clause 2.15 of the ISO 14971 Standard, residual risk is defined as “risk remaining after risk control measures have been taken.” However, I prefer the following definition which incorporates the concept of clinical evidence, design validation and post-market surveillance:
“Residual risks are risks that remain: 1) after implementation of risk controls, 2) when products are used for new indications for use, 3) when products are used for wider user and patient populations, 4) when products are misused, and 5) when products are used for periods of time longer than the duration of pre-market clinical studies.”
The second essential requirement (ER2) states that users shall be informed of residual risks, but the conclusion that “information about residual risks cannot be a risk control” is incorrect. The most important wording in the deviation is ¨the information given to the users does not reduce the (residual) risk any further.¨ Failure to reduce risks any further is due to the lack of effectiveness of risk controls. Validation of risk control effectiveness should be performed during design validation, but validation will be limited to a small group of users and patients.
Risk Management Report & Post-Market Surveillance Plan
In your risk management report, risk control options analysis should be summarized. Instead of evaluating risk acceptability prior to implementing risk controls, risk controls should be implemented and any residual risks should be identified. A risk/benefit analysis must be performed for each residual risk and the overall residual risks. If the conclusion is that the benefits of the device outweigh the residual risks, then the device can be commercially released.
At the time of the final design review and commercial release, a Post-Market Surveillance (PMS) plan should be developed that includes an updated risk management plan. The updated risk management plan should specifically address how to estimate residual risks and verify the effectiveness of information provided to users and patients. Verification of risk control effectiveness should be part of the design verification and validation activities, but verification of effectiveness should also be part of ongoing PMS.
In order to facilitate future updates of your risk management report, you may want to organize risk controls into the following categories (in this order):
- Design elements (highly effective)
- Materials of construction (highly effective)
- Methods of manufacture (highly/moderately effective)
- Protective measures & alarms (moderately effective)
- Information provided to users & patients (least effective)
Each of the above risk controls will need to be addressed by your PMS plan.
If your company needs risk management training, please see our Implementing a Risk Management Process Compliant with ISO 14971 Webinar.