Blog

Archive for ISO 14971:2019 (Risk Management)

What are the IVDR risk management requirements?

This article reviews unique IVDR risk management requirements for CE Marking of in vitro diagnostic (IVD) devices in Europe.

Last week I posted a blog about “How to create an IVDR checklist.” The article was very popular because we included a form for downloading a free IVDR checklist. That form included the opportunity for people to ask a question about the IVDR. One of the subscribers, a gentleman from New Zealand, entered a very simple comment: “risk management requirements.” My first thought was that the risk management file is the required technical documentation for the IVDR. Then I quickly remembered that in 2012, EN ISO 14971:2012 was released with three new annexes for the three directives: ZA (for the MDD), ZB (for the AIMD), and ZC (for the IVDD). In Annex ZC there were seven deviations, and even though ISO 14971 was updated in 2019, the international standard continues to deviate from the European regulations in significant ways. Therefore, this blog provides an overview of the IVDR risk management requirements.

If you are already compliant with ISO 14971:2019, do you meet the IVDR risk management requirements?

The biggest difference between the ISO 14971:2019 standard and the IVDR risk management requirements is that the standard only requires a benefit-risk analysis to be performed if risks are unacceptable. In contrast, the IVDR requires that a benefit/risk analysis be performed for all risks and the overall residual risk. Therefore, you must include a benefit/risk analysis in your technical file submission regardless of risk acceptability. The harmonized version of the standard (i.e. EN ISO 14971:2019/A:11:2021) was released in December of 2021. If you already purchased ISO 14971:2019, you only need to purchase the amendment which consists of Annex ZA (comparison between the standard and Annex I of MDR) and ZB (comparison between the standard and Annex I of the IVDR).

In the amendment, it states that manufacturers must have a risk management policy that is compliant with Annex I of the EU regulation. There are notes at the beginning of each harmonization annex that indicates that the risk management process needs to be compliant with the IVDR, which means risks have to be ‘reduced as far as possible’, ‘reduced to a level as low as reasonably practicable’, ‘reduced to the lowest possible level’, ‘reduced as far as possible and appropriate’, ‘removed or reduced as far as possible’, ‘eliminated or reduced as far as possible’, ‘prevented’ or ‘minimized’, according to the wording of the corresponding section in Annex I of the IVDR. The comparison table has a column with remarks/notes. In most cases, the deficiency identified states, “Device-specific execution of the process is not covered.” There are also two remarks/notes that state “Device-specific and usability-specific execution of the process is not covered.” 

Where are the IVDR risk management requirements?

Blog tip 1024x183 What are the IVDR risk management requirements?

IVDR risk management requirements are found in Annex II, Section 5 of the IVDR. However, there are 228 references to the word risk throughout the IVDR. The following risk-related requirements in IVDR are particularly important:

  • Article 10, Sections 2 & 8(e) – risk management procedure requirement
  • Annex I, Section 3 – reiteration of risk management procedure requirement, but specific steps in the risk management process are identified (e.g. a risk management plan, hazard identification, estimation of risks, evaluation of risks, etc.)
  • Annex I, Section 4 – Priority of risk control measures
  • Annex I, Section 5 – Elimination or reduction of use-related risks
  • Annex III, Section 1(b) – Reassessment of the benefit-risk analysis and risk management using post-market surveillance data

How should you document your risk management file for the IVDR?

In your risk management file of course. There is no format requirement for risk management files, but there are requirements for the content and there is a GHTF guidance document for risk management, and ISO/TR 24971:2020 is a new guidance document on the application of ISO 14971 to medical devices. Neither of these guidance documents is specific to IVDR risk management requirements. Annex H of ISO/TR 24971:2020, however, provides guidance specific to IVD devices.

What do the IVDR risk management requirements include for risk analysis?

In our March 23, 2022 blog posting, I described four types of risk analysis:

  1. Design risk analysis
  2. Process risk analysis
  3. Software hazard analysis
  4. User-related risk analysis (URRA)

Of these four types of risk analysis, only the software hazard analysis is sometimes not applicable. For an FDA 510(k) submission, you would need to provide software hazard analysis and URRA in the actual submission. The other two types of risk analysis would only be included in your design history file (DHF), and the FDA would review the design and process risk analysis during a routine inspection when the DHF is sampled as part of the design control process.

In contrast, the IVDR requires that a complete risk management file be submitted as part of the technical file (see Annex II, Section 5):

“Benefit-risk analysis and risk management

The documentation shall contain information on:

    • the benefit-risk analysis referred to in Sections 1 and 8 of Annex I, and
    • the solution adopted and the results of the risk management referred to in Section 3 of Annex I.”

The above documentation typically consists of design risk analysis and does not typically include process risk analysis, software hazard analysis, or use-related risk analysis. These other three risk analysis documents are IVDR risk management requirements, but they are referenced by the technical file in other sections. The most obvious IVDR risk management requirements are referenced in Annex I, Sections 1-9. These are referred to as the General Safety and Performance Requirements (GSPRs), and this requirement is typically met by including a GSPR checklist in the technical file to meet the requirement of Annex II, Section 4.

The process risk analysis is typically included with manufacturing information to meet the requirement of Annex II, Section 3.2. This documentation may include, any and all of the following elements:

  1. a process failure mode and effects analysis (pFMEA)
  2. a risk control plan including all processes from receiving inspection to final inspection and product release
  3. a process validation plan that is risk-based and linked to the risk control plan

The best practice for estimation of process risks is to link the probability of occurrence and probability of detection to the quantitative data gathered during process validation. In addition, you may establish a risk management policy that prescribes specific types of process risk controls (e.g. automated inspection) for the highest risk processes where manufacturing process errors are not acceptable residual risks. For example, an inspection of printed circuit board assemblies (PCBAs) typically requires automated optical inspection (AOI) methods, because visual inspection is not sufficient by itself and not all PCBAs allow sufficient ICT coverage, and functional testing is limited.

The software hazard analysis, if applicable, is typically performed in accordance with IEC/TR 80002-1:2009, Guidance on the application of ISO 14971 to medical device software. In the software hazard analysis, it is unnecessary to estimate the probability of occurrence of harm. Instead, it is only necessary to identify hazards and estimate harm. Examples of these hazards include loss of communication, mix-up of data, loss of data, etc. Software failures are systemic in nature and the probability of occurrence cannot be determined using traditional statistical methods. Therefore, we recommend that you assume that the failure will occur and estimate software risks based on the severity of the hazard resulting from the failure. For these reasons, it is recommended that software hazard analysis documentation is maintained as a separate document from your design risk analysis. The software hazard analysis documentation should be referenced in your risk management report, but the software hazard analysis should be included as part of your software verification and validation. The IVDR requires that you include a summary of software verification and validation in Annex II, Section 6.4 rather than the complete hazard analysis document.

A use-related risk analysis should be part of your useability engineering file for IVD devices as required by EN 62366-1:2015. Use-related risks are mentioned in Annex I, Section 5:

“In eliminating or reducing risks related to use error, the manufacturer shall:

    • reduce as far as possible the risks related to ergonomic features of the device and the environment in which the device is intended to be used (design for patient safety), and
    • Give consideration to the technical knowledge, experience, education, training and use environment, where applicable, and the medical and physical conditions of intended users (design for lay, and professional, disabled or other users).”

The above requirement includes not only the ability to read and interpret test results of IVD devices but also the ability of laypersons to properly self-select if an IVD is intended to be sold as an over-the-counter product. Usability also is mentioned in Article 78, Section 3(f):

“for the identification of options to improve the usability, performance and safety of the device;”

Therefore, there should be specific elements of your post-market surveillance plan that are designed to gather feedback on the usability of your IVD device. 

When should risk management activities be performed for IVD devices?

The IVDR does not specifically define when in the design and development process the various risk management activities shall be performed. However, the required risk management activities are specified in the IVDR within Annex I. ISO 14971:2019, however, is more descriptive of the risk management activities and the risk management process. Therefore, your risk management plan should align with the process defined in ISO 14971:2019, Clause 4.1.

Unfortunately, most companies do not include risk management as an integral part of the design and development process. Instead, risk management documentation is created retroactively as part of the documentation preparation for technical file submission. For this reason, most medical device executives fail to see the benefit associated with the risk management process. Even biomedical engineers struggle to appreciate the necessity of following the process outlined in the risk management standard in order to prevent device malfunctions and use errors.

The following is a list of the required risk management activities in the order that they should be occurring. Each activity also references the applicable clause of ISO 14971:2019. We have also grouped the activities into the five phases of design and development:

Design Controls with risk 1024x542 What are the IVDR risk management requirements?

Design Planning

    • Risk management planning (Clause 4.4)

Design Inputs

    • Identification of hazards and hazardous situations (Clause 5.4)

Design & Development

    • Risk estimation (Clause 5.5)
    • Risk evaluation (Clause 6)
    • Risk control option analysis (Clause 7.1)
    • Implementation of risk control measures (Clause 7.2)
    • Residual risk evaluation (Clause 7.3)

Design Verification and Validation

    • Benefit/risk analysis (Clause 7.4)
    • Risk control effectiveness verification (Clause 7.6)

Design Release

    • Evaluation of overall residual risk (Clause 8)
    • Risk management review (Clause 9)

If your company is preparing a 510(k), the company may be able to submit the 510(k) immediately after completion of risk control effectiveness verification. You may also be able to postpone the benefit/risk analysis until you submit your IVD technical file for CE Marking approval. The benefit/risk analysis is not required by ISO 14971 unless the risks are unacceptable, and the FDA does not require a benefit/risk analysis except for novel devices seeking market authorization through a De Novo Classification Request or a Pre-Market Approval (PMA). The FDA also does not require the submission of the complete risk management file.

IVDR risk management requirements are quite different than the US FDA requirements for risk management. An IVD technical file must include a risk management summary report that summarizes all activities that were performed according to the risk management plan. A benefit/risk analysis is required for each risk and the overall risk. The Notified Body auditor is also expected to sample the complete risk management file during quality system audits. Finally, the IVDR includes a requirement for a post-market surveillance plan that includes the collection of production and post-production data as feedback on the risk management process and a post-market clinical performance follow-up (PMPF) plan. 

What production and post-production information should you be collecting for IVD devices?

Medical device manufacturers struggle to see the benefits of requiring a post-market surveillance system, and smaller companies, in particular, complain that the cost of the new European post-market surveillance requirements is excessive and prohibits innovation. However, the primary role of post-market surveillance is to ensure rapid initiation of containment and corrective actions for devices that malfunction and/or present unacceptable risks to the intended users and intended patient population. The purpose of generating the post-market surveillance data is defined in the IVDR within Article 78, Section 3.

The minimum requirements for post-market surveillance are defined in Annex III, Section 1(a):

  • Information concerning serious incidents, including information from PSURs, and field safety corrective actions;
  • records referring to non-serious incidents and data on any undesirable side-effects;
  • information from trend reporting;
  • relevant specialist or technical literature, databases and/or registers;
  • information, including feedback and complaints, provided by users, distributors, and importers; and
  • publicly-available information about similar medical devices.

The IVDR is not prescriptive regarding what production data shall be collected for post-market surveillance, but the reason for this is that there are many different types of manufacturing processes with different process risks. In addition, the IVDR includes software as a medical device where there is no manufacturing process at all. Therefore, the best approach for determining what production data to collect is the review your process risk analysis (e.g. pFMEA). The process risk analysis for each manufacturing process should allow you to identify the manufacturing process steps that have the greatest residual risks (e.g. risk priority number or RPN) and potentially the highest severity of the effect. The risks should be identified as a priority for post-market surveillance. You should also include process parameter monitoring data for any validated processes (e.g. sterilization time, temperature, and pressure). Finally, you should also monitor rejects at incoming inspection, in-process inspection, and final inspection operations.  

Other IVD Risk Management Resources

The following resources may be helpful for creating and maintaining your IVD risk management file:

  1. EN ISO 14971:2019 + A11:2021
  2. ISO/TR 24971:2020
  3. GHTF/SG3/N15R8
  4. Regulation (EU) 2017/746 (i.e. IVDR)
  5. IEC/TR 80002-1:2009
  6. EN 62366-1:2015 + A1:2020

Note: Whenever possible, hyperlinks to the Estonian Centre for Standardization and Accreditation (EVS) are provided for procedures, because we find that this source is frequently the least expensive, and digital versions are available on-demand as a multi-user license.

Posted in: ISO 14971:2019 (Risk Management), IVDR - Regulation (EU) 2017/746

Leave a Comment (0) →

What are the four types of risk analysis?

You are familiar with design and process risk analysis, but do you know all four types of risk analysis?

Last week’s YouTube live streaming video answered the question, “What are the four different types of risk analysis?” Everyone in the medical device industry is familiar with ISO 14971:2019 as the standard for medical device risk management, but most of us are only familiar with two or three ways to analyze risks. Most people immediately think that this is going to be a tutorial about four different tools for risk management (e.g. FMEA, Fault Tree Analysis, HAZOP, HACCP, etc.). Instead, this article is describing the four different quality system processes that need risk analysis.

What are the four different types?

The one most people are familiar with is risk analysis associated with the design of a medical device. Do you know what the other three are? The second type is process risk management where you document your risk estimation in a process risk analysis. The third type is part of the medical device software development process, specifically a software hazard analysis. Finally, the fourth type is a Use-Related Risk Analysis (URRA) which is part of your usability engineering and human factors testing. Each type of risk analysis requires different information and there are reasons why you should not combine these into one risk management document or template.

Design Risk Analysis

Design risk analysis is the first type of risk analysis we are reviewing in this article. The most common types of design risk analysis are the design failure modes and effects analysis (dFMEA) and the fault-tree analysis (FTA). The dFMEA is referred to as a bottom-up method because you being by identifying all of the possible failure modes for each component of the medical device and you work your way backward to the resulting effects of each failure mode. In contrast, the FTA is a top-down approach, because you begin with the resulting failure and work your way down to each of the potential causes of the failure. The dFMEA is typically preferred by engineers on a development team because they designed each of the components. However, during a complaint investigation, the FTA is preferred, because you will be informed of the alleged failure of the device by the complainant, but you need to investigate the complaint to determine the cause of the failure. Regardless of which risk analysis tool is used for estimating design risks, the risk management process requires that production and post-production risks be monitored. Therefore, the dFMEA or the FTA will need to be reviewed and updated as post-market data is gathered. If a change to the risk analysis is required, it may also be necessary to update the instructions for use to include new warnings or precautions to prevent use errors.

Process Risk Analysis

Process risk analysis is the second type of risk analysis. The purpose of process risk analysis is to minimize the risk of devices being manufactured incorrectly. The most common method of analyzing risks is to use a process failure modes and effects analysis (i.e. pFMEA). This method is referred to as a bottom-up method because you begin by identifying all of the possible failure modes for each manufacturing process step. Next, the effects of the process failure are identified. After you identify the effects of failure for each process step, the severity of harm is estimated. Then the probability of occurrence of harm is estimated, and the ability to detect the failure is estimated. Each of the three estimates (i.e. Severity, Occurrence, and Detectability) are multiplied to calculate a risk priority number (RPN). The resulting RPN is used to prioritize the development of risk controls for each process step.

As risk controls are implemented, the occurrence and detectability scores estimated again. This is usually where people end the pFMEA process, but to complete one cycle of the pFMEA the risk management team should document the verification of the effectiveness of the risk controls implemented. For example, if the step of the process is sterilization then documentation of effectiveness consists of a sterilization validation report. This is the last step of one cycle in the pFMEA, but the risk management process includes monitoring production and post-production risks. Therefore, as new process failures occur the pFMEA is reviewed to determine if any adjustments are needed in the estimates for severity, occurrence, or detectability. If any of the risks increase, then additional risk controls may be necessary. This process is continuously updated with production and post-production information to ensure that process risks remain acceptable.

Software Hazard Analysis

Sofware hazard analysis is becoming more important to medical devices as physical devices are integrated with hospital information systems and with the development of software as a medical device (SaMD). Software risk analysis is typically referred to as hazard analysis because it is unnecessary to estimate the probability of occurrence of harm. Instead, it is only necessary to identify hazards and estimate harm. Examples of these hazards include loss of communication, mix-up of data, loss of data, etc. For guidance on software hazard identification, IEC/TR 80002-1:2009 is a resource. FDA software validation guidance indicates that software failures are systemic in nature and the probability of occurrence cannot be determined using traditional statistical methods. Therefore, the FDA recommends that you assume that the failure will occur and estimate software risks based on the severity of the hazard resulting from the failure. 

Use-Related Risk Analysis

The fourth and final type of risk analysis is use-related risk analysis (URRA). Most development teams assume that they are able to use traditional hazard identification techniques to identify the potential use-related risks. However, use-related risks are inextricably linked to the experiences of the user. The development team has unique knowledge of the device they are developing, and therefore it is likely that use-related risks associated with a lack of knowledge about the device will result in use errors that the development team would not realize. For this reason, formative testing is necessary to identify unforeseen use-related risks. Once formative testing identifies these risks, additional formative usability testing can be used to create and refine the instructions for the use of a medical device. Finally, formative testing can be used to develop user training programs that prevent potential use errors. Once the development team has completed the necessary formative testing, then summative usability testing is used to validate the effectiveness of the risk controls that were implemented.
 
In the past, I believed that the FDA’s focus on usability was the review of summative usability testing. However, I have learned that the FDA feels it is equally important to begin the human factors testing process by first performing a use-related risk analysis and then identifying the critical tasks. Without identifying these critical tasks, it is not possible for the FDA to determine if the moderator of the summative testing has observed all of the critical tasks being performed correctly. An example of a Use-Related Risk Analysis (URRA) was provided by the FDA in a 510(k) AI deficiency letter that we received. The example is provided below.
URRA table example from the FDA 300x117 What are the four types of risk analysis? Example of a URRA Table provided by the FDA
 

Can you use only the IFU to prevent use-related risks?

Instructions for use (IFU) are required to include warnings and precautions. This information provided by the manufacturer explains how to use a medical device correctly and identifies the residual risks. This is a form of risk control, but it is the least effective form of risk control and should be the risk control of last resort. Not everyone reads the IFU, and you cannot guarantee that everyone will understand the instructions. You certainly can’t be sure that users will remember all your warnings or precautions when they are tired, stressed, or acting in an emergency situation. Design controls and protective measures should be implemented as the first and second priority for risk controls, and the IFU should be your lowest priority.
 
This is the reason why we have color-coding, design features that eliminate the possibility of a use error, we provide training to users, and we are required to monitor use-related risks for medical devices. Formative usability testing is intended to identify use errors we did not anticipate, to help us develop instructions for use (IFU), and help us develop training for users. Summative testing is intended to validate that the design, training, and IFU are effective at preventing use errors. All three of these aspects work together–not the IFU alone. In fact, there is an entire alarms standard that identifies protective measures that shall be used for electromedical devices to prevent use errors (i.e. – IEC 60601-1-8).

 

Facilitating Risk Management Activities – An Interview with Rick Stockton

I listened to our YouTube video about the four different types of risk analysis, you may have heard my reference to Rick Stockton’s interview that we posted on our YouTube channel and embedded above. In our interview with Rick Stockton, we discussed how to facilitate risk management activities during the design and development of medical devices. If you are interested in learning more about Rick and facilitating risk management activities, please watch the video of our interview with Rick.
 

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (1) →

Contract Manufacturers Need Strong Risk Management Processes

This blog discusses why contract manufacturers need to have a strong risk management process, and your company needs to help your contract manufacturers. This article was updated on April 28, 2022, and the original publication was January 05, 2011. Please ignore the date of publication at the top of the post for articles that are more than a year old.

Risk management is not our responsibility Contract Manufacturers Need Strong Risk Management Processes

Can contract manufacturers exclude risk management from the scope of their quality system?

Most contract manufacturers in the medical device industry exclude design from their Quality Management Systems. Unfortunately, most of the contract manufacturers also associate risk management with only the design process. Risk Management cannot be “not applicable” in an ISO 13485 Quality Management System. The requirement of section 7.1 is: “The organization shall establish documented requirements for risk management throughout product realization. Records arising from risk management shall be maintained.” The Standard also references ISO 14971 as a source of guidance on Risk Management.

Medical Device Academy also offers a Two-Part Risk Management Training Webinar for ISO 14971:2019.

Have you experienced an audit dialogue at a contract manufacturer similar to this?

The auditor asks, “How do you manage risk throughout the production process?” Then the auditee responds, “That is the responsibility of our customers. We will prepare a risk analysis if customers pay for it, but usually, customers do the risk analysis.”

For a contract manufacturer, compliance with ISO 14971 is not my primary concern as an auditor. My primary concern is to verify that contract manufacturers analyze risks associated with the processes that they perform and do their best to minimize those risks. What I don’t understand is why more companies don’t want to have strong risk management processes. Risk management is how we prevent bad things from happening. Bad stuff like scrap, complaints, and recalls. Should we expect our suppliers to have a strong risk management process?

Duh.

Why your company needs to be involved in the risk management process?

Risk is a process 1 1024x1024 Contract Manufacturers Need Strong Risk Management Processes

Contract manufacturers should be doing everything they can to get better at risk management. During pre-production planning, they should be asking, “What happens if…” The contract manufacturer knows best HOW things will fail in production, while the customer knows best WHAT happens when things fail in production. To be safe and effective, both companies need to collaborate on risk analysis.

In any risk analysis, you need to estimate the severity of potential harm and the probability of occurrence of that harm. For production defects, the contract manufacturer can estimate the probability of occurrence of defects (i.e., P1 in Annex E of ISO 14971:2007), but the likelihood of occurrence of harm is less. The probability of occurrence of harm is the product of multiplying P1 and P2. The probability that occurrence will result in harm is P2, and P2 is a number that is less than 100% or 1. Your company can gather pre-market clinical data and post-market clinical data to estimate P2, but before launching your product, you can only guess at the value of P2. Your contract manufacturer, however, is not able to estimate P2 at all. It’s ok to estimate risk without P2 during the design phase because this will overestimate risks and result in more conservative decisions.

In addition to P2, your contract manufacturer is also not capable of estimating the severity of potential harm. As the designer of the medical device, you will know best how your device is used and what the likely clinical outcomes are when a device malfunctions. There may even be multiple possible clinical outcomes. The contract manufacturer knows what can go wrong during manufacturing, but you will need to define the clinical outcomes due to malfunctions.  

Why do contract manufacturers avoid doing risk analysis?

The reason contract manufacturers avoid doing risk analysis is because it’s time-consuming and tedious.

Too bad, so sad.

Balancing my checkbook is time-consuming and tedious too, but I balance my checkbook to prevent an overdraft charge. Not doing a risk analysis can be much more painful. Scrapping out a part can cost tens or hundreds of dollars. Complaints can cost thousands of dollars. Recalls can cost millions of dollars.

If I owned a contract manufacturing company, I would ensure that everyone in the company is involved in risk management. We don’t want scrap, we can’t afford mistakes that lead to complaints, and a recall could put us out of business.

How Medical Device Academy Can Help? 

Medical device academy can help both the contract manufacturer and the specification developer utilizing a contract manufacturer as a supplier! We offer training on 14971:2019 as well as procedures on risk management and supplier quality management.

Two-part Risk Management Training Webinar for ISO 14971:2019 – Part 1 of this webinar will be presented live on Tuesday, March 29 @ 9-10:30 am EDT. Part 2 of this webinar series will be presented live on Tuesday, April 5 at 9-10:30 am EDT. Purchase of this webinar series will grant the customer access to both live webinars. They will also receive the native slide decks and recording for the two webinars.

Risk Management Training for ISO 149712019 Button 1024x337 Contract Manufacturers Need Strong Risk Management Processes

sys001 supplier quality management procedure button 1024x323 Contract Manufacturers Need Strong Risk Management Processes

sys010 risk management procedure button 1024x339 Contract Manufacturers Need Strong Risk Management Processes

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (1) →

ISO 14971 3rd Edition Available for Purchase

The 3rd edition of ISO 14971, the risk management standard for medical devices was released on December 16, 2019.

Risk management process 2019 1024x773 ISO 14971 3rd Edition Available for Purchase

2019 Risk Management Process – 3rd edition

In October of 2018, I wrote a blog on the draft version of ISO 14971 3rd edition of the risk management standard for medical devices. That article explained the differences between the different versions of the ISO 14971 standard (i.e., 2000, 2007, 2009, and 2012). I also explained what changed between ISO 14971:2007 and ISO/DIS 14971:2018. The final 2019 version of ISO 14971 3rd edition is now available.

The changes proposed in the draft included subtle changes to the names of the processes and a minor adjustment to the numbering of the clauses. Many of the annexes were also moved to ISO/TR 24971 guidance–which was released in 2020. The draft did not, however, result in a change in the overall process of risk management.

All of the changes that were discussed in my 2018 review were maintained in the final 2019 version that was released, but the ISO/TR 24971 guidance was not released at the same time as the committee had hoped for.

There are not any surprises in the 3rd edition (i.e., 2019 version). Therefore, I plan to wait until the ISO/TR 24971 guidance is released and then prepare a new blog specific to the guidance. If you are interested in training on the ISO 14971:2019 standard, the training I recorded on October 19, 2019, provides an excellent overview of these changes and highlights some of the challenges that you will encounter when trying to harmonize your risk management procedure between the ISO 14971:2019 standard and Regulation (EU) 2017/745.

Below are additional risk management resources:

This is a lot of information to absorb. Therefore, I recommend purchasing the October 2019 webinar and your copy of the ISO 14971:2019 standard from AAMI. Anyone that has already purchased either the webinar or the procedure will receive an email offering them a discount on this new bundle that credits them for their previous purchase. If you have purchased both, you will receive credits for both purchases. Just think you can watch the video and read the new version of the standard while you are working out at the gym in January. Learn and burn!

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (0) →

What is a pFMEA? (i.e., process Failure Mode and Effect Analysis)

This article explains what a pFMEA is (i.e. Process Failure Modes and Effects Analysis) and how to use them as part of your risk management process.

RPN Scoring Table What is a pFMEA? (i.e., process Failure Mode and Effect Analysis)

I recently had someone ask for help understanding the Process Failure Mode and Effect Analysis (pFMEA) a little better. I can’t blame them, because I was lost the first time I tried to fill out a form for one. It can be confusing and overwhelming if you have never created one before.

First things first, what is a pFMEA

FMEA= Failure Modes and Effects Analysis

A lower-case letter will come before the FMEA, and that denotes the ‘what’, of what the failure is that is being analyzed. A pFMEA will often be examining process failures where a dFMEA might evaluate design failures. (dFMEA’s can be confusing as well, Robert Packard created training on how to document risk management activities without using one in his Death of the dFMEA Webinar)

Some systems capitalize all the letters. Some capitalize none. That is not what is important as long as it is consistent throughout your system. Everyone should be able to easily understand that whatever variation of pfmea is used; it means “process failure modes and effects analysis.” 

What does a pFMEA do?

A pFMEA will break down your manufacturing process into its individual steps and methodically examine them for potential risks or failures. For companies that utilize our Turn-Key Quality Management System, FRM-025 process Failure Modes, and Effects Analysis can be used as a template.

For this example, we will look at receiving inspection of injection-molded casing parts for a medical device. This receiving inspection includes a manual inspection of 10 randomly selected parts out of each delivery of 100 using an optical overlay.

Process Step

This area, as the section title suggests, is the process step. When looking at the process as a whole, the pFMEA will break it down into each and every step included in that process. This area is simply that individual step that is going to be examined.

The Process Step or item function depending on what your form uses for this scenario, is going to be part of the random sampling for manual inspection of the received parts using an optical overlay. Our example is going to be the backlighting element of the optical overlay display. The backlighting element will illuminate the inspected part against the template to verify that the part is within specific dimension criteria.

Potential Failure Modes

A failure mode is a way in which that process step might fail. Since it is failure modeS, it needs to be considered that there may be more than one way for the process step to fail. Do not be fooled that because this box on the form has been filled in that the pFMEA will be complete. A thorough examination of all of the possible failures should be investigated.

Our example in this process requires the backlighting element to illuminate a visual template over the parts. The light not illuminating properly is a potential failure mode of this process.

Potential Effects of Failure

the potential effects of the failure is a look into what the ramifications would be if that failure for that process step actually happened.

In our scenario, one of the potential effects of the lighting not functioning properly is that parts outside of the designated sizing acceptance criteria may be accepted rather than rejected as non-conforming parts.

S (Severity)

The next area is the first area that requires an estimated grading of the failure. That is ‘Severity’ which is abbreviated as S. There is a scale provided in the rating section of FRM-025 that outlines the numbering system that Medical Device Academy uses.

Below is a snippet of the rating scale used, this is included with the purchase of the SYS-010 Risk Management Procedure.

Severity (S)
Severity of the effect Scale Definition
Business Risk 0 No potential harm to patient or user
Superficial 2 Little potential for harm to patient or user

In this case, our example is using molded plastic pieces of the outside casing of a medical device. Pieces that are too large or too small will not fit when making the final assembly of the device. These plastic pieces do not happen to be patient contacting, and do not affect the function of the device.

The evaluation of this failure is determined to have no potential effect on patient safety or increase any potential for risk of harm, therefore the severity is assigned as a ‘business risk’ meaning that it bears no risk for the user or the patient. This makes the Severity Score 0.

Causes of Failure

This column is exactly that. What might cause this identified failure to happen? In our example might be the light bulbs in the overlay machine may slowly burn out over time with use. This burnout causes potential failure.

If the bulb is expected to only have a lifetime of 100 hours, then the more hours the bulb is used, the dimmer the light may become. A slowly dimming light decreases the sharpness of the overlay template and our parts that are supposed to have a + or – size criteria of 10% now have a fuzzy template that in reality changes the overlay to show closer to + or – 13%. Now parts that are too small or too large may be accepted.

O (Occurrence/Probability)

This grading criterion is also found in the Rating section of FRM-025. This is how often the failure is expected to occur. How often will the lighting element of our optical overlay fail to function in the appropriate manner for this cause?

Hopefully not very often. In fact, regularly scheduled maintenance and calibration of the overlay machine could prevent this from ever happening in the best-case scenario. Our evaluations determine that the probability of this happening is low. However, since we cannot be certain it will never happen the potential for this risk exists and makes the Occurrence score a 4.

Current Process Controls

What is currently being done to control this risk? Our example uses regularly scheduled maintenance and calibration to prevent bulb burnout affecting the overlay.

D (Detectability)

Our current process is based on routine maintenance and visual inspection. This means that the bulb burnout is something that is visually inspected for and visual inspections for detectability on the rating scale are graded as 8. This chart is found in the Rating Section of FRM-025.

RPN (Risk Priority Number)

This is a number that is found by multiplying the Severity, by the Probability, by the Detectability. In our example, the numbers RPN is  0X4X8=32 for an RPN of 32 which is considered LOW.

pFMEA math

Below is a short video explaining the math behind calculating the Risk Priority Number

https://www.youtube.com/watch?v=OWfyHyx-zhI&feature=youtu.be

Recommended Actions

What if anything can be done to improve this process? In our example, a recommended action may be to transfer from visual only inspections to verification of light output by the meter. This makes the Detectability of the failure measurable by meter or gage which is a detectability score of 4.

This changes the RPN now to 0X4X4=16

The pFMEA shouldn’t be a solo thing

If it can be avoided this type of analysis should be done by a multidisciplinary team. Sometimes in smaller companies, people end up having to wear more than one hat. There are many entrepreneurs that have to function as the CEO/CFO/Design Engineer/RA/QA manager.

Ideally, a team approach should be used if feasible. Have the management level staff who have ownership of the processes participating in this analysis. They should know the process more intimately than anyone else in the company and should have more insight into the possible failure modes of the processes as they have likely seen them first hand. They are also the type of employee who would know the types of recommended actions to control the risk of those failures as well.

The pFMEA should also be a living document

As new failure modes are discovered they should be added to your pFMEA. A new failure mode might be discovered through a CAPA because the process had an actual failure that was not originally analyzed. Take an instance like that as an opportunity for improvement and to update your pFMEA as part of a living breathing risk management system. Also, use this as a time to re-brainstorm potentially similar failure modes that may not have been considered previously so that they can be controlled before they happen.

If you took the time to watch the video above it is also mentioned that in some instances the very first FMEA must be based on estimates because there is no data. Managers and engineers may be forced to estimate the probability of occurrence. If that is the case the FMEA should be updated in the future to adjust the (O) score to reflect what is occurring in actuality based on real data and not the theoretical data that was used for the initial estimate.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (2) →

ISO 14971 Risk Management Updates in ISO/DIS 14971:2018

This article describes updates being made to the ISO 14971 Standard in the new draft version released for comment in July 2018.

There are two versions of ISO 14971 that are currently available. The first is the international version: ISO 14971:2007. The second is the European normative version: EN ISO 14971:2012. There is also a new draft being created by the TC210 committee for release in 2019.

Explanation of the different versions of the ISO 14971 standard

In 2000, the first edition of ISO 14971 was released as the international standard for risk management of medical devices. In 2007, the second edition of ISO 14971 was released. When new international standards are released, a European normative version is also released. The “European Norm” or EN version is intended to identify any gaps between the international standard and the requirements of the applicable European directives (i.e., the MDD, AIMD, and the IVDD). These gaps historically were included in the ZA annex at the end of the EN version. However, in 2009 this annex was split into three annexes (i.e., ZA, ZB, and ZC) to address each of the three directives separately. In reality, the 2009 annex only differed concerning the directive referenced. In 2012, a new EN version was released. This new standard included seven deviations, which were controversial. These deviations were intended to identify contradictions between the directives and the international standard, but the interpretations were not agreed with by companies or most of the Notified Bodies. Ultimately, the seven deviations were required to be addressed in the risk management files for any medical device that was CE Marked.

What changed between ISO 14971:2007 and ISO/DIS 14971:2018?

The TC210 working group assigned to update the ISO 14971 standard (JWG1) was tasked with improving guidance for the implementation of ISO 14971. Still, the committee was also tasked with making these improvements without changing the risk management process. Also, the committee was asked to move the informative annexes at the end of ISO 14971 from the standard to the guidance document ISO/TR 24971. Therefore, in July, the committee released a draft for comment and voting. Draft versions are identified with the prefix “ISO/DIS.” The ISO/DIS 14971 standard released in July has only three annexes: A) Rationale for the requirements, B) Risk management process for medical devices, and C) Fundamental risk concepts (formerly Annex E). The other seven annexes were moved to the draft of ISO/TR 24971. The reason stated for moving these Annexes to the guidance document was to make future revisions to the guidance easier to implement because it is a guidance rather than a standard. However, there were also some objectionable recommendations in the informative annexes that were the subject of deviation #3—ALARP from Annex D.8 vs. “As far as possible,” in the first indent of section 2 of Annex I in the MDD.

Although the committee was tasked to make improvements in the implementation of ISO 14971 without changing the process, the new draft has subtle changes in the process. Most of these changes can be identified quickly by reviewing the updated risk management flow chart provided in Figure 1. The updated flow chart now has two places where risks are evaluated. The first place is identical to the original Figure 1, but now the associated section is clarified to be specific to evaluating individual risks. The second place in the flow chart is new and specific to the evaluation of overall residual risks. The draft standard also states that different acceptability criteria and methods of evaluation may be used for each evaluation phase in the process. There have also been subtle changes to the names of process phases:

  • Section 7.4 is now “Benefit/Risk” analysis instead of “Risk/Benefit” analysis—although the draft flow chart does not reflect this.
  • Section 9 is now “Risk Management Review” instead of “Risk Management Report”
  • Section 10 is now “Production and post-production activities” instead of “Production and post-production information”

There is also more detail in the diagram under the phases for 1) risk analysis, 2) risk control, and 3) production and post-production activities.

Three new definitions are introduced in the draft standard: 3.2, benefit; 3.15, reasonably foreseeable misuse; and 3.28, state of the art. The section for identification of hazards, Clause 5.4, was reworded and expanded to consider the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation. The draft standard now states that your risk management plan must also include a method to evaluate the overall residual risk and the criteria for the acceptability of the overall residual risk. In the section for risk estimation, Clause 5.5, the draft standard states that if the probability of the occurrence of harm cannot be estimated, the possible consequences shall be listed for use in the risk evaluation and risk control. The risk control option analysis priorities in section 7.1 are updated to match the new MDR, Regulation (EU) 2017/745, nearly exactly. In section 9, risk management reports were changed to risk management review, and the Clause now requires determining when to conduct subsequent reviews and when to update reports. This emphasizes the requirement to continuously update risk management documentation with input from production and post-production information. This mirrors the emphasis on continually updating post-market clinical follow-up in Regulation (EU) 2017/745, Annex XIV, Part B, Section 5, and continuously updating clinical evaluations in Regulation (EU) 2017/745, Annex XIV, Part A, Section 1.

Will ISO 14971 2019 eliminate the deviations ISO 14971 Risk Management Updates in ISO/DIS 14971:2018

Will ISO 14971:2019 address the 7 Deviations in EN ISO 14971:2012?

The new MDR, Regulation (EU) 2017/745, revised and clarified the wording of the essential requirements in the MDD. The MDR attempts to explain the requirements for risk management files of CE Marked products, but the MDR remains different from the requirements of ISO 14971. Unfortunately, because the ISO/DIS 14971 was not intended to change the risk management process of ISO 14971:2007, there will continue to be “deviations” between the MDR and standard.

Some people have tried to use ISO/TR 24971, the risk management guidance, as the official interpretation of how the risk management standard. However, the guidance is also a product of the TC210 committee, and it does not meet all requirements of the MDD or the MDR.

The new draft does, however, include changes that address some of the deviations in EN ISO 14971:2012. Below, each of the seven variations is listed, and hyperlinks are provided to other articles on each deviation.

  1. Negligible Risks – The word “negligible” was only in one location in the body of the standard as a note referring to Annex D.8. In the draft, Annex D was removed and relocated to ISO/TR 24971, and the note was eliminated from Clause 3.4—now Clause 4.4 in the draft. The draft should fully resolve this deviation.
  2. Risk Acceptability – Clause 7 was renumbered to Clause 8 in the draft. Still, the title of this Clause was also changed from “Evaluation of overall residual risk acceptability” to “Evaluation of overall residual risk.” However, if you read the Clause it still refers to determining the acceptability of risks. In note 2 of Annex ZA of the draft, it states that determining acceptable risk must comply with Essential Requirements 1, 2, 5, 6, 7, 8, 9, 11, and 12 of the Directive. The draft should fully resolve this deviation.
  3. ALARP vs. “As far as possible” – The European Commission believes that the concept of “ALARP” implies economic considerations, and some companies have used economics as a reason for not implementing certain risk controls. ALARP was eliminated from the notes in the risk management plan clause and by moving Annex D.8 to ISO/TR 24971 and adding note 1 in Annex ZA. The draft should fully resolve this deviation.
  4. Benefit/Risk Analysis – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when a benefit/risk analysis must be conducted, has not been updated. The draft does not resolve this deviation. Companies that CE Mark products will need to perform a benefit/risk analysis for all residual risks and all individual risks—despite the wording of the standard.
  5. Risk Control – The contradiction in requirements between the International Standard and the MDD, as it relates to determining when risk controls must be implemented. The International Standard gives companies the option to avoid the implementation of risk controls if the risk is acceptable. At the same time, the MDD requires that risk controls be implemented for all risks unless the risk controls create additional risks that increase risks, or the risk controls do not reduce risks further. The draft does not resolve this deviation. Companies that CE Mark products will need to implement risk controls for all individual risks—despite the wording of the standard.
  6. Risk Control Options – The intent of Clause 6.2 in ISO 14971:2007 was likely to be the same as the MDD. However, the European Commission identified the missing word “construction” as being significant. Therefore, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. The draft should fully resolve this deviation.
  7. IFU Validation – Again, to prevent any misunderstandings, the TC210 committee copied the wording of Regulation (EU) 2017/745. However, the examples of information for safety (i.e., warnings, precautions, and contraindications) were not included. Hopefully, the final version of the 3rd edition will consist of these examples. Clause 8, evaluation of overall residual risk, was also reworded to state, “the manufacturer shall decide which residual risks to disclose and what information is necessary to include in the accompanying documentation to disclose those residual risks.” The draft should fully resolve this deviation.

Recommendations for your Risk Management Process?

The most important consideration when establishing a risk management process for medical devices is whether you plan to CE Mark products. If you intend to CE Mark products, then you should write a procedure that is compliant with the current requirements of the MDD and future requirements of Regulation (EU) 2017/745. Therefore, the seven deviations should be addressed. Also, you need to maintain compliance with the current version of the standard.

I recommend creating a process based upon the newly updated process diagram in the latest draft. The process should begin with a risk management plan. For your plan, you may want to create a template and maintain it as a controlled document. It could also be part of your design and development plan template, but the plan should include each of the following risk management activities:

  1. Hazard identification
  2. Risk estimation
  3. Risk evaluation
  4. Risk control option analysis
  5. Risk control verification of effectiveness
  6. Benefit/Risk analysis
  7. Evaluation of overall residual risk
  8. Risk management review
  9. Production and post-production activities

Your procedure should also be integrated with other processes, such as 1) design control, 2) post-marketing surveillance, and 3) clinical evaluation. Your procedure must indicate the priority for the implementation of risk control options. The best strategy for ensuring risk control priorities are compliant is to copy the wording of the new EU Regulations verbatim. Your process should include performing benefit/risk analysis. You should also define your process for risk management review. Your review process should specify when subsequent reviews will be done, and when your risk management report will be updated. Finally, you should identify a post-market surveillance plan for each device or device family, and use that post-market surveillance data as feedback in the risk management process.

The one element that appears to be weakly addressed in the body of the standard is the requirement for traceability of each hazard to the other aspects of the risk management process. Although traceability is mentioned in Clause 3.5 of the 2nd edition, and Clause 4.5 of the draft 3rd edition of ISO 14971, that is the only place is mentioned in the body of the standard. Traceability is mentioned several more times in Annex A, but the focus seems to be on the risk management file. Companies need more guidance on how to achieve this traceability. The appropriate place for this guidance is probably in ISO/TR 24971. Still, in order to maintain this documentation, a software database will likely be critical to maintaining traceability as changes are made during design iterations and after commercialization. This type of software tool is also needed to expedite the review of risk management documentation during a complaint investigation.

Which Risk Analysis Tool should you use?

In Annex G of ISO 14971:2007 and the EN 2012 version, there are five different risk analysis tools described. The word “described” is emphasized because informative annexes are not “recommended.” The committee that created the 2nd edition of ISO 14971 wanted to provide several suggestions for possible risk analysis tools to consider. However, each tool has strengths and weaknesses. Additionally, the widespread use of the failure-mode-and-effects analysis (FMEA) tool in the automotive and aerospace industries has spread to the medical device industry, and companies seem to believe that regulators prefer the FMEA tool. This is not true. Companies should be trained in all of these tools, and training should consist of more than just reading Annex G, and the tools should be used where they are most beneficial. My recommendations are below:

  1. Preliminary Hazard Analysis (PHA) – This process is critical during the development of design inputs. It is also the most underutilized analysis tool. I have not seen a single example of this tool written in a procedure by any medical device company. I believe this process should be continuously updated as part of training new design team members and should be both product and project-specific.
  2. Fault-tree Analysis (FTA) – This process is a top-down approach to risk analysis. It is heavily utilized by transportation engineers when intersections are designed, and accidents are investigated. This tool depicts risk analysis pictorial as a tree of fault modes representing each possible root cause for failure. At each level of the tree, fault mode combinations are described with logical operators (i.e., AND, OR). The information displays the frequency of each fault mode quantitatively. Therefore, when you are investigating a complaint, the tree can be used to help identify possible fault modes that may have been the root cause of device failure. You may also be interested in the standard specific to Fault tree analysis (FTA): IEC 61025:2006.
  3. Failure Mode and Effects Analysis (FMEA) – This process is a bottom-up approach to risk analysis. The automotive and aerospace industries heavily utilize it. This tool systematically lists all failure modes in groups organized by component. Risks are estimated based upon the severity of effect, probability of occurrence, and detectability. Over time, the FMEA process split into three tools: 1) process FMEA (pFMEA), 2) design FMEA (dFMEA), and 3) use FMEA (uFMEA). The first is ideal for analyzing and reducing risks associated with the manufacturing of devices. In particular, the detectability factor can be linked closely with process validation. The second evolved from the realization that the detection of a risk after the device is in the user’s hands does not reduce risk. A risk reduction only occurs if detectability is proactive. Therefore, this was stated in Annex G.4, and companies began to eliminate detectability and continued to use FMEA as their primary tool. Due to the widespread familiarity with the FMEA tool, usability FMEAs became popular for documenting risks associated with the use of a device. Unfortunately, the only real advantages of a dFMEA and uFMEA are familiarity with the tool. You may also be interested in the standard specific to FMEA: IEC 60812:2018.
  4. Hazard and Operability Study (HAZOP) – In addition to the risks of using devices, there are also risks associated with the production of devices. Processes related to coating, cleaning, and sterilization are all processes that typically involve hazardous chemicals. The chemical and pharmaceutical industries use HAZAP as a tool to analyze these process risks and prevent injuries. You may also be interested in the standard specific to HAZOP: IEC 61882:2016.
  5. Hazard Analysis and Critical Control Point (HACCP) – This process is primarily used by the food industry to prevent the spread of contaminated food supplies. Even though medical device manufacturers do not typically use it, it should be considered as a tool for managing the supply chain for devices. This model is useful when manufacturing is outsourced, or secondary processing is conducted at second and third-party suppliers. Since many FDA inspectors started in the food industry as inspectors, this is also a method that is supported by the FDA as a risk control process for outsourced processes.

How to document your risks?

For simple devices, risk management documentation is a burdensome task. For complex devices, a spreadsheet could include hundreds of lines or more than even one thousand individual lines. Also, the requirement for traceability requires additional columns in a table. Therefore, it becomes nearly impossible for you to include all the required information on a page that is 11 inches wide. If you expand your page to 17 inches wide, the size of your font will need to be very small. If you make a change, your spreadsheet can be challenging to update quickly. You could purchase a 43” widescreen TV for your monitor, or you can use dual monitors for your display, but changes remain challenging to implement without a mistake.

You need to stop relying upon spreadsheets. Use a database, and don’t use Microsoft Access. Purchase a database that is designed to document design controls and risk management traceability. If your company has software expertise, develop your software tool to do this. You should also design standardized templates for exporting your reports. By doing this, it will only take minutes to create an updated report when you make design changes. If you describe the risk management activities as notes in your software, the description of these activities can also be automatically converted into summary pages for each report summarizing that risk management activity. You can even prompt the user to answer questions in the software to populate a templated document. For example, you can prompt users to input subsequent updates of your risk management reviews, and that can be automatically converted into a summary paragraph. This reporting capability is especially helpful when responding to FDA review questions asking for cybersecurity risks.

Additional Training Resources for ISO 14971

The risk management training webinar has been completely rewritten for the second time (i.e. the first time was on October 19, 2018). The newest version will be a two-part webinar series. Part one of two will focus on Clauses 1 through 7.1 of the ISO 14971:2019 standard. Part two of two will focus on Clauses 7.2 through 10. We selected Clause 7.2 to begin the second part of this webinar series, because it marks the beginning of the verification of the risk controls your company has implemented (i.e. – Post “Design Freeze”). Part 1 will be hosted live on March 29, 2022 @ 9-10:30 am EDT, and Part 2 will be hosted live on April 5, 2022 @ 9-10:30 am EDT. Both sessions will be recorded if you are unable to participate in the live sessions.

SYS-010, Medical Device Academy’s Risk Management Procedure, is compliant with EN ISO 14971:2019. The procedure includes templates for documentation of design risk management and process risk management. The procedure is also compliant with ISO/TR 24971:2020 and Regulation (EU) 2017/745. Both the two-part risk management training webinar, and the risk management procedure, are included in Medical Device Academy’s turnkey quality system

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (10) →

Risk Management Requirements – 510k vs DHF

This article compares the risk management requirements for a 510k submission with the risk management requirements for your design history file (DHF).

Design Controls and Risk Management Risk Management Requirements   510k vs DHF

Risk Management Requirements and Design Control Requirements

Last week I presented a free webinar on how to combine risk management with design controls when planning to submit a 510k. Many questions were asking what the design control and risk management requirements are for a 510k.

What are the Design Control Requirements in a 510k?

There is no specific part of the regulations stating what the 510k design control requirements are. However, some aspects of the DHF are required as 510k design control documentation, but not necessarily in the exact form as maintained in the DHF. For example, Design Inputs and Design Outputs are presented as applicable recognized standards and design specifications, while others will remain precisely the same (i.e., verification and validation test reports).

What are the Risk Management Requirements in a 510k?

For 510k submissions, the only risk management requirements are the inclusion of risk documentation for devices containing software of at least moderate level risk. There are some exceptions to this as well, though, based on a few special control guidance documents—especially when the submission type is an abbreviated 510k. This is article identifies which of the DHF and RMF elements are 510k design control requirements and 510k risk management requirements.

510k Design Control Requirements

Design Controls are identified in 21 CFR 820.30. Every manufacturer of any class II or class III devices and certain Class I devices (class I devices with software, tracheobronchial suction catheters, surgeon gloves, protective restraints, radionuclide applicators, radionuclide teletherapy devices) need to control design per this regulation. The requirement for a Design History File is item j) and states:

“Each manufacturer shall establish and maintain a DHF for each type of device. The DHF shall contain or reference the records necessary to demonstrate that the design was developed following the approved design plan and the requirements of this part.”

The “requirements of this part” refer to the other bullets in 21 CFR 820.30 which can be summarized as:

a) Establish and maintain procedures to control the design of a device.

b) Design and Development Planning – Each manufacturer shall establish a plan that describes the design and development activities, and defines responsibilities for implementation.

c) Design Inputs – Manufacturers need to ensure design requirements relating to a device are appropriate and address the intended use of the device.

d) Design Outputs – Design outputs need to be documented in terms that allow an adequate evaluation of conformance to design input requirements. Design outputs that are essential for the proper functioning of the device should be identified.

e) Design Review – Formal documented reviews of design results should be planned and conducted at appropriate stages of device development.

f) Design Verification – Design verification confirms that the design output meets the design input requirements.

g) Design Validation – Design validation shall be performed under defined operating conditions on initial production units or their equivalents. It shall ensure that devices conform to defined user needs and meet the intended use of the device.

h) Design Transfer – Design transfer documentation shall ensure that the device design is correctly translated into production specifications.

i) Design Changes – changes should be identified, documented, validated/verified, reviewed, and approved before their implementation.

The Design History File is intended to be a repository of the records required to demonstrate compliance with your design plan and design control procedures. While companies are required to create and maintain this documentation according to the FDA regulation, not all of the documentation will be reviewed as part of the 510k. The following table compares the elements that comprise a DHF with the 510k design control requirements.

DHF Element 510k Design Control Requirements
Design Plan Not Required
User Needs Not Required
Design Inputs

Cover Sheet (Section 1) and

Declaration of Conformity (Section 9)

Some design inputs will appear in the form of standards in FDA Form 3514 (Cover Sheet) and the Declaration of Conformity FDA Form 3654 (Standards Data Report)

Design Outputs

Device Description (Section 11)

The Device Description lists the specifications of the device, and your Design Outputs document will help populate the Device Description. This can include drawings, pictures, or written specifications that describe your device.

Labeling

Proposed Labeling (Section 13)

The labeling is usually considered part of the Design Outputs within the DHF and is included specifically in the labeling section of the 510(k) submission. This includes both the Instructions for Use and any Package Labeling.

Verification and Validation Protocols

Not Required

You do not have to include the protocols, but the reviewer may ask to see them if they have any questions when reviewing the reports.

Verification and Validation Reports

Sterilization (Section 14)

Biocompatibility (Section 15)

Software (Section 16)

Electrical Safety and EMC (Section 17)

Bench Performance Testing (Section 18)

Animal Performance Testing (Section 19)

Clinical Performance Testing (Section 20)

Of course, not all of these sections will be applicable to every device. Still, you should include all relevant validation test reports within your submission in the appropriate part of the 510k. Typically, each of these sections will have a cover sheet that outlines the reports that are included within the section, and then you can just include the report from the DHF in its entirety behind the cover sheet in that section.

Process Validation Only required for sterilization validation typically, but there are exceptions for novel materials and coatings
Work Instructions Not Required for 510k
Design Review Meeting Minutes Not Required for 510k
Design Trace Matrix Only required for software
Risk Management File Sometimes – See Risk Management File Table Below
Post-Market Surveillance Plan Not Required, but a few exceptions for high-risk devices
Clinical Data Summary Required only if used to demonstrate safety and efficacy
Regulatory Approval It Will result from 510k Clearance, so nothing to be included in 510k submission.

510k Risk Management Requirements

Regarding the FDA regulations for risk management, there is a requirement under the Design Validation section of 21 CFR 820.30 that states:

“Design validation shall include software validation and risk analysis, where appropriate.”

For FDA compliance and CE Marking, both recognize ISO 14971 as the standard for risk management. FDA recognizes ISO 14971:2007 whereas EN ISO 14971:2012 is the European National version for CE Marking. Rob Packard wrote an article describing the contents of the risk management file as well as the specific differences in the requirements between the FDA and CE Marking with regard to ISO 14971.

For your 510k submission, the FDA only requires risk management documentation to be included if the product contains software, and the risk is at least a level of “moderate concern”. There are some other cases when risk management is required by special controls guidance documents, but even when it is required, you only have to submit your risk analysis. The table below describes the risk management requirements in greater detail.

RMF Element 510k Risk Management Requirement
Risk Management Plan Not Required
Hazard Identification

510ks with Software Only (Section 16)

Hazard Identification is only required for devices that have a software component. It is not required for most other devices.

Risk Assessment

510(k)s with Software (Section 16)

Certain Special Controls Guidance

The Risk Assessment is only required to be included in your device contains software, or if a special controls guidance document specifically requires a risk assessment. It is not required for other 510ks.

Risk Control Option Analysis Software and Certain Special Controls Guidance
Risk Control Verification and Validation

Sterilization (Section 14)

Biocompatibility (Section 15)

Software (Section 16)

Electrical Safety and EMC (Section 17)

Bench Performance Testing (Section 18)

Animal Performance Testing (Section 19)

Clinical Performance Testing (Section 20)

This will not be any additional or special documentation specific to Risk Management and was already included in the DHF breakdown above. Still, the verification and validation also relate to risk management in ensuring that the risks have been adequately mitigated.

Risk-Benefit Analysis

Not Required for 510(k)

Risk-Benefit analyses are only required for De Novo applications, Humanitarian Device Exemptions, and PMAs.

Informing Users and Patients of Risks

Labeling (Section 13)

Part of the risk management will appear in the Labeling section of the 510k as warnings, contraindications, and precautions within the Instructions for Use and Package Labeling.

Risk Management Report Not Required

Special Controls Guidance Documents with Risk Management Requirements

Your first step in preparing your 510k submission is to search the FDA Guidance Document Database to determine if there is an applicable guidance document for your device. You can read another blog we wrote to explain Special Controls Guidance documents, and how to determine if one applies to your device. The following list provides examples of Class II Special Controls Guidance documents that require risk analysis to be included within the 510k:

When there are 510k risk management requirements, the special controls guidance document will typically state, “We recommend that the summary report contain:

An identification of the Risk Analysis method(s) used to assess the risk profile in general as well as the specific device’s design and the results of this analysis. (Refer to Section 6 for the risks to health generally associated with the use of this device that FDA has identified.)

Discussion of the device characteristics that address the risks identified in this class II special controls guidance document, as well as any additional risks identified in your risk analysis.”

The special controls guidance will also identify risks to health that have been identified for products of that type, which you should be sure to include in your risk analysis as appropriate.

More Information on Design Control and Risk Management Requirements

Hopefully, you are now able to determine which elements of your DHF are 510k design control requirements and which elements of your RMF are 510k risk management requirements. If you would like more information about how to implement design controls and risk management within your product development process, please consider registering for one of our training webinars:

If you need any further information or specific assistance with your 510k submission, please feel free to send me an email at mary@fdaecopy.com or schedule a call with our principal consultant, Rob Packard. He can answer any of your medical device regulatory questions.


Click here to schedule a 15 minute call 300x62 Risk Management Requirements   510k vs DHF

Posted in: 510(k), Design Control, ISO 14971:2019 (Risk Management)

Leave a Comment (0) →

Checking adverse event history for your device and competitors

The article explains checking adverse event data for medical devices as part of design and development, risk management, and post-market surveillance.

TPLC Database Checking adverse event history for your device and competitors

When should you be checking adverse event history?

There are three times when you should be checking adverse event history:

  1. when you are planning a new or improved medical device, and you want to know how current devices on the market malfunction (design and development planning),
  2. when you are identifying hazards associated with a medical device as part of your risk management process, and
  3. when you are gathering post-market surveillance data about your device and competitor devices.

Where should you be checking adverse event history?

Most countries have some kind of database for gathering adverse event data for medical devices, but most of these databases are not open to the public. The most common question I am asked is, “How do you access the Eudamed database?” for reporting of adverse events in Europe. Unfortunately, you can’t access Eudamed. The Eudamed database is only available to competent authorities at this time. The primary publicly accessible database for adverse event reporting is the US FDA MAUDE database. The MAUDE database is also integrated with other FDA databases for 510k submissions and recalls. This combined database is called the Total Product Life Cycle database.

Are there other public databases for checking adverse event history?

Yes. The Therapeutic Good Administration (TGA) in Australia makes adverse event data publicly available. The TGA also has a national registry for implanted orthopedic devices that publishes an annual report. Other countries also have public registries.

When will checking adverse event data for Europe be possible?

The Eudamed database for Europe was created in 1999 by the German organization DIMDI. In 2000 the responsibility for the database was taken over by the European Commission. The latest update is that manufacturers will be responsible for updating the Eudamed database in the future as part of the new European Regulations. This requirement will be implemented during the next years. The database will also become accessible to the public.

When you collect post-market surveillance data, which data should you collect?

Searching for post-market surveillance data should be performed on a risk-based frequency. If you have a brand new device, a high-risk device, or a device that is implanted, post-market surveillance data should be reviewed frequently–either monthly or quarterly. The new European guidance document for clinical evaluation reports (MEDDEV 2.7/1 rev 4) requires that clinical evaluation reports be updated at least annually for these devices. It is also important that you collect post-market surveillance data for both your device and competitor products. Therefore, you should be reviewing all the publicly available adverse event databases. You should also be reviewing your complaint data, and you should be searching for journal articles that may include adverse event data–possibly associated with a clinical study.

Available Resources

If you want to learn more about post-market surveillance data collection, please visit our webinar page. There is also a procedure for Post-Market Surveillance (SYS-019).

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (0) →

Risk Management Traceability for CE Marking Technical Files

How to use risk management traceability for CE Marking to cross-reference hazards, risks, and risk controls throughout your technical file.

Screenshot 2015 11 05 at 7.29.21 AM Risk Management Traceability for CE Marking Technical Files

This approach will more efficiently integrate risk management tools into your Design History File (DHF), post-market surveillance documentation, and clinical evaluation reports (CERs). The table above provides a simple template for the nomenclature of risk management elements that you need to cross-reference and provides risk management traceability throughout your technical documentation.

The table does not include a cross-reference code for verification and validation reports because there could and typically are multiple risk controls that are validated and verified for each risk. Many times they are applied across multiple product lines. Therefore, it is more efficient to simply reference the controlled document number for the verification report that is applicable to that risk control.

The basic concept of traceability

The concept of risk traceability is more than being able to identify the verification and validation study that was performed to verify the effectiveness of risk controls in your FMEA because it is in the same row of your table. The best practice is to number your hazards, risks, and risk controls so that you can cross-reference more easily throughout all your technical documentation [i.e., design requirements matrix, risk management file, clinical evaluation report, post-market surveillance plan/reports, and post-market clinical follow-up (PMCF) report].

Design Requirements Traceability Matrix (DRTM)

The design requirements traceability matrix (DRTM) is a combination of two documents that have been used for the past two decades by medical device manufacturers: 1) the design requirements matrix or IOVV (i.e., inputs, outputs, verification, and validation), and 2) the risk traceability matrix. The second document is less commonly used, but an example of one is provided in Figure 3 of the GHTF risk management guidance document SG3 N15R8.

The risk management summary table that is presented in Figure 3 of the guidance also provides cross-references to specific tests, and each test has an identification number for traceability. This approach is also used frequently in risk control plans–an excellent tool for production process controls and planning product realization before process validation.

Risk management traceability to post-market surveillance

I recommend that companies create a post-market surveillance plan for devices or device families during the design transfer process. This is NOT the post-market surveillance procedure. Your procedure should indicate the process you use for post-market surveillance. Still, your plan should be process-specific and identify specific risks that you intend to gather post-production data for. The post-market surveillance plan should provide traceability back to each risk in your risk management file (e.g., R1, R2, R3). You should include a post-market clinical follow-up (PMCF) protocol and report that also cross-reference to these risks and associated risk controls–or provide a justification for not conducting a PMCF study. In 2016, the new European Medical Device Regulations (EMDR) will require that both the protocol and the report be included in your post-market surveillance plan as a required section (see Annex II of the proposed regulations) of the technical file or design dossier. Finally, I recommend that you revise and update your risk management plan for post-production data collection at the time of design transfer. When you make this revision, I recommend moving the risk management plan from the design plan to your post-market surveillance plan as an integral part of the plan (i.e., one of the primary sections of the plan).

Risk Management Traceability for Your Clinical Evaluation Report (CER) 

In your clinical evaluation report (CER), if you simply said that “the clinical data reviewed addresses all of the residual risks identified in the risk management summary report,” you are not specific enough. Your clinical evaluation report (CER) should explain how the clinical study data you reviewed addresses each of the risks that you identified in your risk analysis. Personally, I like to have subsections in the discussion section of the clinical evaluation report (CER) for each of the risks identified in the risk management file. I also do this when I write my post-market surveillance plan. When I do this, I include a cross-reference to the applicable hazard in my design requirements matrix, risk analysis, and hazard identification summary report (e.g., “HZ1”, “HZ1” and “HZ3”).

Traceability to warnings & precautions

ISO 14971:2007 indicates that disclosing residual risks to users of your device is risk control. In Annex ZA, deviation 7 of EN ISO 14971:2012, indicates that you cannot claim to reduce the risks of your product by disclosing these residual risks–even though these are considered risk controls. You should still validate the effectiveness of the instructions for use, technique guide, and training through simulated use studies before product release. However, you cannot claim a quantitative risk reduction in your risk analysis as per deviation 7. Of course, there can be a reduction in overall risks when you train users, but you can’t claim it, and the prevalence of “use errors” demonstrates the limited effectiveness of IFUs and training.

Additional risk management references

I have published 14 previous blogs, specifically on the topic of risk management over the past couple of years. Please click here if you are looking for risk management training. You can expect many more blogs on this topic during the next six months because I will be presenting four presentations in Brussels at an international medical device conference scheduled for June 13-17, 2016.

Procedures & templates for risk management

If you are looking for a risk management procedure (SOP), SYS-010 meets the requirements of ISO 14971:2019 and Regulation (EU) 2017/745 for CE Marking.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (2) →

Risk Management File Compliance for 510k and CE Marking

This article compares risk management file FDA requirements for CE Marking and 510k submission requirements.

Risk Management File Risk Management File Compliance for 510k and CE Marking

The FDA only requires documentation of risk management in a 510k submission if the product contains software, and the risk is at least a “moderate concern.” Even then, the 510k only requires the submission of a design risk analysis rather than your complete risk management file. Knee implants do not require submission of risk analysis, even though manufacturers are required to perform risk analysis in accordance with ISO 14971, because knee implants do not contain software. Therefore, it is not uncommon for a product that is already 510k cleared to receive audit nonconformities related to the risk management documentation during a technical file review by a Notified Body.

The FDA recognizes ISO 14971:2007 as the standard for risk management of medical devices. CE Marking also requires compliance with ISO 14971, but specifically the European national version of the standard (i.e., EN ISO 14971:2012). The most common technical file deficiencies related to risk management during a CE Marking application include the following:

  1. compliance with ISO 14971:2007 instead of EN ISO 14971:2012
  2. reduction of risks as low as reasonably practicable (ALARP) instead of reducing risks as far as possible (AFAP)
  3. reducing risks by notifying users and patients of residual risks in the IFU
  4. only addressing unacceptable risks with risk controls instead of all risks–including negligible risks

Each of these deficiencies is also explained in Annex ZA, ZB, and ZC of EN ISO 14971:2012.

7 Deviations you must address in your risk management file

Notified Body auditors are supposed to be reviewing your risk management process and sampling your risk management file(s) to verify that you conform with the requirements for a risk management file as defined in EN ISO 14971:2012 and the applicable European directive. Most manufacturers with CE Certificates have updated their procedures for compliance with the European National version, but the updates are not always complete or done correctly. Therefore, auditors need to be systematic in their review for compliance. I recommend creating a three-column table in your audit notes for each of the seven deviations. The first column would state the requirement from the applicable annex of EN ISO 14971:2012. The second column is used to document wherein the risk management procedure, and each of the seven requirements is addressed. Suppose you can’t find it quickly during your review–as the person you are auditing to find it for you. The third column is used to document which risk management file you sampled, and wherein the risk management file, the auditor was able to find compliance with one of the deviations. Risk management training of the cross-functional risk management team should also be sampled by the auditor. If the auditor can’t find an example of compliance in the procedure or the risk management file, then there is a minor nonconformity that needs to be corrected and recurrence needs to be prevented.

Note: Remember that auditing is about verifying compliance–not scouring 100% of the records for nonconformity.

Procedure review

The first step in responding to correcting deficiencies in your risk management process is to update your procedure. The following basic elements need to be included in the procedure:

  • risk management plan
  • hazard identification
  • risk analysis
  • risk control option analysis
  • verification of risk control effectiveness
  • risk/benefit analysis
  • risk management report

Many of the procedures I review focus on the risk analysis process, and the most common tool for risk analysis is a failure mode and effects analysis. This is an excellent tool for process risk analysis, but it is only one of many possible tools, and it is not ideally suited for design risk analysis. In addition, your procedure is not adequate as a risk management plan. You need risk management plans that are product-specific or specific to a product family. Your risk management plan must also change and adapt as products progress from the design and development process to post-market surveillance. Finally, many of the procedures only require a benefit/risk analysis to be performed when risks are not acceptable, while the European MDD requires that all CE Marked products include a benefit/risk analysis for each risk identified in the risk analysis and the overall risk of the product or product family.

Risk management plans

Risk management is required throughout product realization, but the activities are quite different during the pre-market and post-market phases. Therefore, I recommend including a risk management plan as part of the design and development plan to address pre-market needs for risk management. Once a product development project reaches the design transfer phase, then a post-market risk management plan needs to be written. I incorporate this plan into the post-market surveillance plan for the product or product family. This approach ensures that the risk analysis will be linked directly with post-market surveillance after the product is released.

Hazard identification

Many companies do create a specific document that identifies all the hazards associated with a product. This is an important step that should occur early in the design and development process before design inputs are finalized. During the development process, these hazards may need to be updated as materials and production processes are developed. Some companies may choose to identify hazards at a different time or in a different way. Still, the proposed European Medical Device Regulations (EMDR) require that the dangers are recognized as one of the essential requirements. The ISO 14971:2007 standard suggests that design teams should identify as many hazards as possible, estimate the risks, and then implement risk controls for any unacceptable risks. The EN ISO 14971:2012 standard requires that risk controls be implemented for hazards–regardless of acceptability. For this reason, I recommend companies restrict their identification of hazards to the most likely product malfunctions and hazards of high severity. This list should include any hazards already identified in the FDA’s MAUDE database.

Benefit/risk analysis & risk traceability matrix

To perform a benefit/risk analysis, you have to know the likelihood of potential hazards resulting in harm and the clinical benefits of a product. Unfortunately, reduced costs cannot be used to justify the acceptability of a device. Benefit/risk analysis must be performed for each risk and the overall residual risks. Therefore, it is important to identify the clinical benefits that outweigh each of the risks. I recommend using a risk traceability matrix in order to document each benefit/risk analysis. This can be a separate risk management document, or it can be incorporated into a design requirements matrix. It is also important to identify any warnings, precautions, or contraindications that should be documented in the information provided to patients and users when risks cannot be eliminated. This may be the last column of your risk traceability matrix.

Risk management report

The risk management report should be a summary technical document (i.e., STED). The STED should reference the procedure that was used and indicate all the risk management activities that were performed specifically to the product or product family defined in the scope of the risk management report. The dates of activities, changes made, and cross-references to any controlled documents should be included in the risk management report. I recommend maintaining the risk management report as a controlled document and revising the document to reference additional risk management activities when they occur. The bulk of details should be contained in the referenced risk management documents within the report.

Procedures and templates for your risk management file

We also have a procedure (SOP) for risk management (SYS-010).

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (4) →
Page 1 of 3 123