Blog

Archive for ISO 14971:2019 (Risk Management)

Labeling risk controls – Deviation #7 in EN ISO 14971:2012

Requirements for the Instructions for Use and labeling as labeling risk controls for medical devices in ISO 14971.

Residual Risks Labeling risk controls   Deviation #7 in EN ISO 14971:2012This article reviews the requirements for Instructions for Use and labeling as risk controls in the risk management standard for medical devices: ISO 14971. Specifically, the impact of the seventh deviation identified in the EN ISO 14971 Standard is reviewed. This is the 7th and final blog in our EN ISO 14971:2012 risk management series. If you would like additional, risk management training, we have a training webinar.

Why are labeling risk controls not effective?

Labeling, instructions, and warnings are required for medical devices. Unfortunately, the information provided by manufacturers is not effective at preventing hazardous situations and foreseeable misuse–especially if the user throws the paper leaflet in the garbage 10 seconds after the box is opened. Since the information provided to the user and patients is not effective in preventing harm, the European Commission indicated that this information (i.e. labeling risk controls) should not be attributed to risk reduction.

Labeling risk controls do not quantitatively reduce risks

The European Commission is not suggesting that your company should stop providing directions or warning users of residual risks. This deviation intends to identify incorrect risk estimation procedures. For example, if you are using Failure Mode And Effects Analysis (FMEA), (see Annex G.4 of the risk management standard) to estimate risk for a new product, you should not be listing labeling risk controls as the primary risk control. Clause 6.2 of the ISO 14971 Standard correctly identifies “information for safety” provided by the manufacturer as risk controls. Still, the effectiveness of labeling risk controls is so poor that you should not estimate that the implementation of labeling and IFUs reduces risks.

In Clause 2.15 of the ISO 14971 Standard, residual risk is defined as “risk remaining after risk control measures have been taken.” However, I prefer the following definition, which incorporates the concept of clinical evidence, design validation, and post-market surveillance:

“Residual risks are risks that remain: 1) after implementation of risk controls, 2) when products are used for new indications for use, 3) when products are used for wider user and patient populations, 4) when products are misused, and 5) when products are used for periods of time longer than the duration of pre-market clinical studies.”

The second essential requirement (ER2) states that users shall be informed of residual risks, but the conclusion that “information about residual risks cannot be a risk control” is incorrect. The most important wording in the deviation is “the information given to the users does not reduce the (residual) risk any further.” Failure to reduce risks any further is due to the lack of effectiveness of risk controls. Validation of risk control effectiveness should be performed during design validation, but validation will be limited to a small group of users and patients.

Risk management reports & post-market surveillance planning

In your risk management report, risk control options analysis should be summarized. Instead of evaluating risk acceptability before implementing risk controls, risk controls should be implemented, and any residual risks should be identified. A benefit/risk analysis must be performed for each residual risk and the overall residual risks. If the conclusion is that the benefits of the device outweigh the residual risks, then the device can be commercially released.

At the time of the final design review and commercial release, a Post-Market Surveillance (PMS) plan should be developed that includes an updated risk management plan. The updated risk management plan should specifically address how to estimate residual risks and verify the effectiveness of information provided to users and patients. Verification of risk control effectiveness should be part of the design verification and validation activities, but verification of effectiveness should also be part of ongoing PMS.

To facilitate future updates of your risk management report, you may want to organize risk controls into the following categories (in this order):

  1. Design elements (highly effective)
  2. Materials of construction (highly effective)
  3. Methods of manufacture (highly/moderately effective)
  4. Protective measures & alarms (moderately effective)
  5. Information provided to users & patients (least effective)

Each of the above risk controls will need to be addressed by your PMS plan.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (3) →

Risk Control Options for Medical Devices: Deviation #6

This blog discusses risk control options for medical devices; the 6th deviation identified in the European National version of the Risk Management Standard.%name Risk Control Options for Medical Devices: Deviation #6

Design is not the same as design and construction. This is the interpretation of the European Commission. The sixth of the seven deviations identified in the European National (EN) version of the Risk Management Standard (i.e., EN ISO 14971:2012; http://bit.ly/ISO14971-2012changes), states that “inherent safety by design” is not precise enough. Section 2 of the Essential Requirements (i.e., Annex I of the MDD) states that the first risk control option must be selection of design and construction that eliminates or reduces risk as far as possible, while the international (ISO) risk management standard (i.e., ISO 14971:2007) only states that inherent safety by design is required.

The difference between the requirements of the ISO and the EN standard are not just semantics. If you read part II of the Essential Requirements (ERs; i.e., ER 7-13), there are many examples of how the construction of devices should be considered. The following are three examples:

  • ER 7.5 – leaking from the device
  • ER 8.2 – tissues of animal origin
  • ER 9.2 -aging of materials

Therefore, in order to comply the the intent of the Directive, you must consider far more than just the design of the device.  Construction is interpreted as both the risks associated with the materials to fabricate a device and the methods of manufacture. In the proposed EU regulations, the European Commission seeks to clarify the requirements for implementation of risk controls, but the draft legislation still seems vague.

Implementing Risk Control Options for Medical Devices

The following wording for implementation of risk control options in the new proposed second Essential Requirement is below:

“The manufacturer shall apply the following principles in the priority order listed:

a. identify known or foreseeable hazards and estimate the associated risks arising from the intended use and foreseeable misuse;

b. eliminate risks as far as possible through inherently safe design and manufacture

c. reduce as far as possible the remaining risks by taking adequate protection measures, including alarms; and

d. provide training to users and/or inform users of any residual risks.”

In this proposed wording, the word “construction” was replaced by the word “manufacture.” However, in other parts of the new proposed Essential Requirements (http://bit.ly/NewERCGap) the materials of fabrication are specifically addressed, as well. For example:

  • ER 7.1d) was added as a new requirement…”d) the choice of materials used, reflecting, where appropriate, matters such as hardness, wear and fatigue strength.”
  • ER 7.6 was added as a new requirement to address risks associated with the size and properties of particles—especially nanomaterials.

The new proposed Essential Requirements also include numerous examples of how the manufacturing processes must ensure proper safety. Essential Requirement 10 specifically references new Commission Regulation (EU) No 722/2012 (http://bit.ly/AnimalTissueReg)–specific to devices manufactured using animal tissues or cells of animal origin.

Even though the proposed regulations are more detailed with regard to application of risk management, they do not specify if it is required to implement risk control options for both materials and methods of manufacture simultaneously, or if the manufacturer may choose between the two. The phrase “taking account of the generally acknowledged state of the art” is used in the second Essential Requirement, but “state of the art” is a moving target, and the European Commission may find existing Standards to be deficient.

For reducing the risk of infection, the Commission does not require that companies implement aseptic processing, antimicrobial materials and terminal sterilization. One of the three is sufficient. This is why we have ISO Standards for sterilization validation, and we define “sterile” as a sterility assurance level of 10-6.

If the Commission maintained the language of the ISO 14971:2007 Standard, “as low as reasonably practicable,” then manufacturers could select risk control options based upon acceptability of risk. However, the EN version of the risk management standard creates significant challenges for implementation, and we are forced to evaluate the risk control measures we implement against those used by other manufacturers during the process of risk option analysis.

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (1) →

Risk Control Selection – Deviation #5 in ISO 14971

ISO 14971:2012 deviation #5 is specific to selecting risk control options and protective measures for CE Marking medical devices.

%name Risk Control Selection   Deviation #5 in ISO 14971If your company is CE Marking medical devices, you are required to satisfy the Essential Requirements for Safety and Performance as defined in the three European Directives: the MDD, the AIMD, and the IVDD. Throughout these Essential Requirements, there is a requirement to reduce risks “as far as possible” (AFAP) by implementing risk controls. At one time, the expectation was for companies to implement state of the art concerning risk controls, and “state of the art” was interpreted as the latest version of the harmonized ISO Standards. However, lawyers dominating the European Commission appear to disagree with the status quo.

Therefore, in 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised. There is no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the ISO 14971 Standard and the EU Directives. These deviations are identified and explained in Annexes ZA, ZB, and ZC. This blog is the fifth installment of Medical Device Academy’s seven-part blog series on this topic. The goal of the series is to identify solutions for meeting the Essential Requirements by suggesting changes to the current best practices of implementing a risk management process for medical device design.

Discretion as to the Risk Control Options/Measures

Essential Requirements 1 and 2 require that risk control options are implemented for all risks before determining the acceptability of residual risks. The 2nd Essential requirement also requires manufacturers to implement all risk control options—unless the risk controls do not further reduce risk.iso14971 deviation 5 Risk Control Selection   Deviation #5 in ISO 14971

Clause 6.2 of the 14971 Standard suggests that you only need to use “one or more” of the risk control options, and Clause 6.4 indicates that further risk control measures are not required if the risk is acceptable. There is an apparent contradiction between the intent of the Standard and the Directives.

If risk acceptability has no impact on whether you will implement risk controls, there is no need for performing a preliminary risk evaluation. Therefore, I have three recommendations for changes to your current risk management process:

  1. Ignore Clause 5 of the 2007/2009 version of ISO 14971
  2. Eliminate the second step of risk assessment from your flow chart for risk management (see Figure 1 from the 14971 Standard)
  3. Define risk management policies upon clinical benefits, rather than absolute risks

Instead of performing a preliminary risk evaluation (Clause 6.5), risk/benefit analysis should be moved to Clause 7, where the evaluation of overall residual risk acceptability is required. By making this change, risk controls will be implemented, regardless of risk acceptability, and the acceptability of risks will be dependent upon the risk/benefit analysis alone.

Impact of this Deviation

Implementing changes to your risk management process to address this deviation has great potential to impact the design of devices—not just the risk management documentation. Design teams will no longer be able to stop the design process with an initial design that has an “acceptable risk.” Instead, design teams will be forced to implement additional risk controls and protective measures for device designs that already have a low risk of harm for specific failure modes.

The requirement to implement additional risk controls will increase the cost of devices that may have been relatively safe without the risk controls. For example, if a device is not intended to be implanted, it is a potential foreseeable misuse. Your company may have used the instructions for use to communicate the residual risk associated with misuse of the device. However, now your company will have to implement design controls (e.g., –a selection of materials suitable for implantation) to eliminate the risks associated with misuse and protective measures (e.g., – radio-opaque thread) to help retrieve product that was implanted in an “off-label” usage.

If you are interested in risk management training, Medical Device Academy offers a risk management training webinar.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (2) →

Benefit-Risk Analysis – Deviation #4 in ISO 14971

Review of ISO 14971 Deviation #4 specific to the requirement for benefit-risk analysis. This blog is the fourth in a seven-part series.

%name Benefit Risk Analysis   Deviation #4 in ISO 14971

This blog is the fourth installment in our seven-part series, which reviews each of the content deviations between the three device directives for Europe and international risk management standard (ISO 14971:2007). The deviations were identified in the new European National version of the Standard released in 2012. There was no change to the content of Clauses 1 through 9 in ISO 14971, but then there were seven deviations from the directives identified by the European Commission.

Discretion as to Whether a Benefit-Risk Analysis Needs to Take Place

The fourth deviation is specific to the requirement for risk-benefit analysis. Clauses 6.5 and 7 of the 14971 Standard both imply that a risk/benefit analysis is only required if risks exceed a threshold of acceptability, and Annex D.6.1 indicates that “This International Standard does not require a benefit-risk analysis for every risk.” However, essential requirements 1 and 2 require that you perform a risk/benefit analysis for each risk and overall residual risk. Essential requirement 6a also requires a risk-benefit analysis as part of the conclusion in your Clinical Evaluation Report (http://bit.ly/ER6aMEDDEV).

Your company may have created a risk management procedure, which includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks that require a benefit-risk analysis, yellow cells that are ALARP, and green cells that are acceptable. Based upon the guidance provided in ISO 14971, your company probably identified that a benefit-risk analysis is only required for a risk that falls in the red zone of the matrix where the risk is “unacceptable.”

Deviation 4 Benefit Risk Analysis   Deviation #4 in ISO 14971

Unfortunately, this approach is not compliant with the European Directives, because the Directives require that a benefit-risk analysis be performed for each risk and all residual risks—not just the risks you identify as unacceptable. The fourth deviation between the ISO 14971 Standard and the Essential Requirements of the European Directives is relatively simple to address with a change to your risk management process. To comply with EN ISO 14971:2012, the “red zone” should not be labeled as a benefit-risk analysis, because even risks in the “green zone” require benefit-risk analysis.

Impact of this Deviation

In a previous blog about deviation #2, we determined that the implementation of risk controls must reduce all risks. In this blog, we established that after the implementation of risk controls, all residual risks must be subject to a benefit-risk analysis. Your company will need to eliminate the use of a risk evaluation matrix like the one shown above. Instead of relying on a risk management policy for evaluating the acceptability of risk, your company should be performing a benefit-risk analysis to determine the acceptability of risks.

The best way to integrate benefit-risk analysis for the evaluation of the acceptability of all risks is to integrate this with the clinical evaluation process. In addition to using clinical literature, clinical study data, and post-market surveillance as inputs for your clinical evaluation, your company should also be using residual risks as inputs to the evaluation. The clinical evaluation should be used to assess the significance of these residual risks, and verify that there are not any risks identified in the clinical evaluation that were not considered in the risk analysis.

In order to document that your company has performed a benefit-risk analysis for each residual risk, you will need to reference the risk management report in the clinical evaluation and vice-versa. Both documents will need to provide traceability to each risk identified in the risk analysis, and conclusions of risk acceptability will need to be based upon the conclusions of the clinical evaluation.

Once the product is launched, you will need to update the clinical evaluation with adverse events and other post-market surveillance information. As part of updating clinical evaluations, you will need to determine the acceptability of the risk when weighed against the clinical benefits. These conclusions will then need to be updated in the risk management report—including any new or revised risks.

If you are interested in ISO 14971 training, we were conducting a risk management training webinar on October 19, 2018.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (7) →

ALARP vs As far as possible – Deviation #3

This third blog in a seven-part series reviews deviation #3, ALARP vs. “As far as possible,” with regard to risk reduction.

chart dev 3 ALARP vs As far as possible   Deviation #3In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually and recommends changes to be made to your current risk management policies and procedure.

Note: This is 2013 blog that will be updated in the near future, but the following link is for our current risk management training.

Risk reduction: “As Far As Possible” (AFAP) vs. “As Low As Reasonably Practicable” (ALARP)

The third deviation is specific to the reduction of risk. Design solutions cannot always eliminate risk. This is why medical devices use protective measures (i.e., – alarms) and inform users of residual risks (i.e., – warnings and contraindications in an Instructions For Use (IFU). However, Essential Requirement 2 requires that risks be reduced “as far as possible.” Therefore, it is not acceptable to only reduce risks with cost-effective solutions. The “ALARP” concept has a legal interpretation, which implies financial considerations. However, the European Directives will not allow financial considerations to override the Essential Requirements for the safety and performance of medical devices. If risk controls are not implemented, the justification for this must be on another basis other than financial.

There are two acceptable reasons for not implementing certain risk controls. First, risk control will not reduce additional risk. For example, if your device already has one alarm to identify a battery failure, a second alarm for the same failure will not reduce further risk. The redundant alarms are often distracting, and too many alarms will result in users ignoring them.

The second acceptable reason for not implementing a risk control is that there is a more effective risk control that cannot be simultaneously implemented. For example, there are multiple ways to anchor orthopedic implants to bone. However, there is only enough real estate to have one fixation element at each location. If a femoral knee implant is already being anchored to the femur with metal posts and bone cement, you cannot also use bone screws at the same location on the femur to anchor the implants in place.

ALARP does not reduce risk “As far as possible”

Annex D.8 in ISO 14971, recommends the ALARP concept in Clause 3.4 of the 14971 Standard. Therefore, the risk management standard is contradicting the MDD. This contradiction is the primary reason why medical device companies should discontinue the use of phthalates and latex for most medical devices. Even though these materials are inexpensive solutions to many engineering challenges presented by medical devices, these materials present risks that can be avoided by using more expensive materials that are not hazardous and do not pose allergic reactions to a large percentage of the population. The use of safer materials is considered “state-of-the-art,” and these materials should be implemented if the residual risks, after implementation of the risk control (i.e., – use of a safer material) are not equal to, or greater than, the risk of the cheaper material.

Recommendation for eliminating ALARP

Your company may have created a risk management procedure that includes a matrix for severity and probability. The matrix is probably color-coded to identify red cells as unacceptable risks, yellow cells that are ALARP, and green cells that are acceptable. To comply with EN ISO 14971:2012, the “yellow zone” should not be labeled as ALARP. A short-term solution is to simply re-label these as high, medium, and low risks. Unfortunately, renaming the categories of risk high, medium, and low will not provide guidance as to whether the residual risk is reduced “as far as possible.”

Resolution to this deviation

As companies become aware of this deviation between the 14971 Standard and the Essential Requirements of the device directives, teams that are working on risk analysis, and people that are performing a gap analysis of their procedures will need to stop using a matrix, like the example above. Instead of claiming that the residual risks are ALARP, your company will need to demonstrate that risks are reduced AFAP, by showing objective evidence that all possible risk control options were considered and implemented. Your procedure or work instruction for performing a risk control option analysis may currently state that you will apply your risk management policy to determine if additional risk controls need to be applied, or if the residual risks are ALARP.

This procedure or work instruction needs to be revised to specify that all risk control options will be implemented unless the risk controls would not reduce risks further, or the risk controls are incompatible with other risk controls. Risk control options should never be ruled out due to cost.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (3) →

Risk Acceptability – Deviation #2 in EN ISO 14971

This 7-part blog series continues with the author reviewing deviation #2, risk acceptability, in the EN ISO 14971:2012 Standard.
%name Risk Acceptability   Deviation #2 in EN ISO 14971

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually. The second deviation is specific to risk acceptability.

Discretionary power of manufacturers as to Risk Acceptability

The second deviation is specific to determining risk acceptability in the risk evaluation process. The ISO 14971 Standard indicates in Annex D4 that the acceptability of risk is not specified by the Standard and must be determined by the manufacturer. Clause 3.2 of the 14971 Standard, it states that “Top management  shall: define and document the policy for determining criteria for risk acceptability.” This risk management policy is intended to indicate a threshold for risk acceptability. In Clause 5 of the 14971 Standard, the manufacturer is instructed to evaluate whether risks are acceptable using the risk management criteria defined in the risk management policy.

Essential requirements 1 and 2 require that risks be reduced as far as possible and that all risks shall be included in a risk-benefit analysis—not just the risks that exceed a certain threshold for risk acceptability. Therefore, the requirement to establish a risk policy for the acceptability of risk directly contradicts the MDD.

Since the 2nd edition of the 14971 Standard was first issued (i.e., -2007), clients have been asking me how to establish risk acceptability criteria, for new devices, I recommend benchmarking the risks of the new device against existing devices. In other words, if the new device presents equal or lower risks than existing devices, then the risks of the new device are acceptable. For existing devices, I recommend performing a risk-benefit analysis, evaluating adverse events observed with the device against the benefits of using the device. Unfortunately, most companies choose arbitrary thresholds for risk acceptability. Instead of relying upon benchmarking or risk-benefit analysis, companies will establish a policy that all risks must be below a quantitative value. For example, if the range of possible risk scores is from 1 to 1,000, all risks of 100 or less may be acceptable.

What is acceptable?

In order to comply with the EN ISO 14971:2012 version of the risk management standard, you will need to implement risk controls for all risks, regardless of acceptability. However, you will also need to perform a risk-benefit analysis. The risk-benefit analysis should consider not only the benefits to patients and the risks of using the device, but the analysis should also consider the relative benefits of using other devices.

The clinical evaluation report and the risk management report for the device should be based upon clinical evidence of the device for the intended use—including adverse events. For new devices that are evaluated based upon a literature review of equivalent devices, Notified Bodies expect a Post-Market Clinical Follow-up (PMCF) study to be conducted to verify that the actual risk-benefit of the device is consistent with the conclusions of the clinical evaluation. To perform this analysis, a clinical expert is necessary to properly evaluate the risk-benefit ratio of the device and to create a protocol for a PMCF study.

MEDDEV 2.12/2 rev 2, Post Market Clinical Follow-up Studies, indicates that the PMCF study protocol should indicate the study endpoints and the statistical considerations. In order to do this, your company will need to establish quantitative criteria for the acceptability of the identified risks. Therefore, the current 14971 Standard needs to be modified to clarify that risk acceptability criteria should be based upon clinical data, and evaluation of risks should be conducted at a later point in the risk management process (e.g., – as part of the overall risk-benefit analysis).

Impact of Deviation #2

As your company becomes aware of the second deviation between the 14971 Standard and the Essential Requirements of the device directives, your risk management team will need to change the risk management process to clarify when risk acceptability should be evaluated, and the risk management policy should specify how acceptability should be determined.

The risk management process at your company will need to specify that the implementation of risk controls is required for all risks—regardless of acceptability. You should also consider eliminating the evaluation of risk before the implementation of risk controls. Instead, your company should base the acceptability of risk solely upon the clinical risk-benefit analysis and should involve the manufacturer’s medical officer in making this determination.

Finally, your risk management process should specify the need for PMCF studies in order to verify that actual clinical data supports the conclusion that the risk-benefit ratio is acceptable over the lifetime of the device.

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (6) →

Benefits of Incorporating Risk Management into Procedure Documents

By Guest Blogger, Brigid Glass
8971385878 db2fe2e49a q Benefits of Incorporating Risk Management into Procedure DocumentsThe author discusses the benefits of incorporating risk management into procedure documents. An example procedure for Record Control is included.

When I was first introduced to FMEA many years ago, I loved it. I loved the systematic approach and particularly appreciated using a Process FMEA to explain to those involved with a production process why certain controls had been put in place. I enthusiastically taught FMEA to our engineers. At the time, our bubbly, buoyant, outcomes-focused Training Manager said to me, “You Quality people have such a negative outlook. You’re always looking for what can go wrong!”  Well, yes, but it’s our role to prevent things from going wrong!  I’d found a tool to help me with that.

Next, there was EN 1441, a risk analysis standard that never satisfied, and always felt incomplete. ISO 14971 followed, covering the entire lifecycle of a product, with closed feedback loops.  So now, risks in product and process design were well covered, but ISO 13485 section 7.1 asks us to “establish documented requirements for risk management throughout product realization.”  Many of us would acknowledge that we could do better, even though we pass audits.  And what about the rest of the quality management system?  I know that when we document a procedure, we already apply risk management principles in our heads, but we usually don’t apply them systematically or write down the results.

The Idea

Recently, Rob Packard and I started work on a project that requires us to generate a full set of documentation for a QMS, compliant with both U.S. and EU requirements, including ISO 13485 and ISO 14971. We each had our ideas on how best to write a procedure, but this project provided us an opportunity to get some synergy going. Rob wanted to address risk management in each procedure. “Yes!” I said, thinking that there was a chance to fill that gap. But then it was my job to develop the template for the procedures and work out how to accomplish this…

My first results looked very complicated, so I took the KISS (Keep It Simple, Stupid) approach: one column for the hazards and consequences, and one for the risk control measures.

What I didn’t include:

  • I started with more complex hazard documentation (hazard ID, impact, trigger event, etc.). Still, I felt the benefits in the context of a procedure document was not balanced by the extra complexity and work required for analysis and training. It would be a hard sell to users within an organization who were not used to the risk management approach.
  • I decided not to assess risks and controls quantitatively for the same reasons as in the bullet point above.
  • Initially, I included references to implementation, but this would be difficult to maintain as other documents changed.
  • I thought about verification of the implementation of risk controls, then decided to leave that verification to reviewers.

Below is an example from a procedure for Record Control where records are completed on paper, then scanned as a pdf. My list won’t be the same as your list, but it is illustrative.

brigid chart 1 Benefits of Incorporating Risk Management into Procedure Documents

Standards and regulations are essentially a set of risk controls, so they are the first starting point when identifying hazards. The list should include direct risks to products, risks to the integrity of the QMS, and regulatory risks. For those of us who have been in this industry for a while, experience, past mistakes, questions fielded in external audits, and observations of other systems will yield further hazards and appropriate controls. Audits provide the opportunity to update and refine the list and test the control measures.

Benefits of Incorporating Risk Management into Procedure Documents

  • Impresses your ISO 13485 auditor!
  • When first writing procedure documents, starting the writing process by reviewing the external requirements, and systematically writing the risk section, sharpens the mind as to what must be included in the procedure. This is the same approach as in design controls, where we include risk mitigators that apply to product design in the design inputs. This is part of planning in the PDCA cycle.
  • Supports future decision-making, in the same way, that the risk file for a product is considered when a design is changed. The risk control section of a procedure provides the criteria against which any improvement or change can be assessed. Will it enhance the risk controls, or might it introduce a new hazard?
  • Serves as the basis for training on the procedure. Making visible the link between potential hazards and procedural controls much more convincing than saying, “Do this because the procedure says so,” or, “It’s in the procedure because the regs say so.”

This is part 1 in a series of blogs that leads up to our Roadmap to Iso 13485 Certification Courses

 

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (0) →

Negligible Risks – Deviation #1 in ISO 14971

This blog reviews the treatment of the negligible risks, which is deviation #1 within the EN ISO 14971:2012 European normative risk management standard.

%name Negligible Risks   Deviation #1 in ISO 14971

In 2012, the European National (EN) version of the Medical Device Risk Management Standard was revised, but there was no change to the content of Clauses 1 through 9. Instead, the European Commission identified seven content deviations between the 14971 Standard and the requirements of three device directives for Europe. This seven-part blog series reviews each of these changes individually.

Treatment of Negligible Risks in ISO 14971

The first deviation is specific to the treatment of negligible risks. In Annex D8.2, the ISO 14971 Standard indicates that the manufacturer may discard negligible risks. However, Essential Requirements in the three device directives require that “All risks, regardless of their dimension, need to be reduced as much as possible and need to be balanced, together with all other risks, against the benefit of the device.”

Common Misinterpretations

One of the most common mistakes is to confuse the concepts of hazard, harm, and risk. Each of these terms is defined in the ISO 14971 Standard in section 2, but the common mistake is to think that the European Commission is saying that 100% of the hazards you identify need to be reduced as much as possible.

The intent is to require manufacturers to reduce risks, rather than hazards. The first step of the risk analysis process involves identifying hazards. Still, some of these hazards may never result in harm, due to risk controls that are inherent to the design your company has chosen. Also, the severity of harm that a hazard may present could be so low that it may present no risk to the user or patient.

The best practice in risk management is to identify as many hazards as possible at the beginning of the risk analysis process. Still, then these hazards must be sorted into those hazards that will be analyzed for risk. One of the common phrases used in training is: “It is better to estimate the risk of 10% of 1,000 hazards than it is to estimate 50% of 100 hazards.”

If you follow the logic behind the phrase above, your team will need to estimate risk for 100 hazards, rather than 50 hazards. Your risk analysis team will also need to document the rationale behind the categorization of hazards.

Categorizing Hazards

If a hazard is associated with adverse events in the Manufacturer and User Facility Device Experience (MAUDE) database for your device or a similar device, then you need to ensure that the risk associated with that hazard is assessed and there are adequate risk controls. This is also true for any hazard associated with a customer complaint that your company anticipates. Any hazard that presents a high potential severity of harm should also be included in your risk analysis. However, if a hazard is entirely eliminated by the design of your device, then you do not need to include it in the risk analysis.

I recommend writing a hazard identification report that includes all the hazards that were identified. This report should also categorize the hazard. You only need two categories: 1) hazards to be analyzed for risk, and 2) hazards that do not require risk analysis. You need a rationale for each risk that you do not perform risk analysis for, and you need traceability to risk controls and the risk-benefit analysis for each hazard that you do analyze.

Example of a Rationale for Not Analyzing the Risk of a Hazard

About eight years ago, the United States Food and Drug Administration (USFDA) issued an alert cautioning physicians to avoid the use of hemostatic agents near the spinal column, due to the potential hazard of paralysis caused by the swelling of a hemostatic agent as it absorbs the blood. My employer, Z-Medica, quickly received many customer inquiries asking about the safety of QuikClot near the spinal column. I was able to quickly respond that there were zero risks of QuikClot causing paralysis because that particular hemostatic agent did not swell. Instead of absorption, the product adsorbed blood and did not change in size or shape during the adsorption process.

Impact of Deviation #1 about “Negligible Risk”

As companies become aware of this deviation between the 14971 Standard and the Essential Requirements of the device directives, I believe teams that are working on risk analysis and people that are performing a gap analysis of their procedures will need to be more careful about which hazards are identified in their risk management reports. The burden of showing traceability from hazards to risk controls and risk-benefit analysis is substantial. Therefore, it is important to be systematic about how hazards are identified and to provide a clear justification for any hazards that are not included in the risk analysis.

The common phrase that has been used in risk management training classes should be reconsidered in light of feedback from the European Commission. Maybe a better phrase would be: “It is better to estimate the risk of 10% of 200 hazards than it is to estimate 50% of 20 hazards. However, it is important to provide a clear justification for any hazards that are not included in the risk analysis.”

If you are interested in ISO 14971 training, we are conducting a risk management training webinar on October 19, 2018.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (4) →

Auditing ISO 14971 – 4 Steps to Assess Compliance

This article describes four key steps for auditing ISO 14971, and suggested auditing questions are included.

Let’s say that you went ahead and purchased ISO 14971:2012, read Annex ZA, and identified a couple of gaps in your procedure. After you revised your Risk Management procedure to be compliant with the revised Standard, then what are you supposed to do?

Most QA Managers struggle over whether they should purchase ISO 14971:2012. I wrote a couple of blog postings about this matter, but my point was not to debate this question but to ensure companies are aware that they need to be compliant with the MDD and the ISO 14971 Standard. The “changes” from 2009 to the 2012 version are simply the European Commission reminding manufacturers that there are seven aspects of the ISO 14791 Standard that do not meet the requirements of the MDD. Therefore, if your company has already verified that your risk management process is compliant with the MDD–then you have nothing to change. However, if your risk management process is only compliant with ISO 14971:2009, then you need to revise your processes and procedures to address these seven aspects. 

4 Steps in Auditing ISO 14971

Once you have made revisions to your risk management process, how do you perform auditing of ISO 14971?

Step 1: Planning your auditing ISO 14971

This will be an internal audit, and since you (the QA Manager) are the process owner for the risk management process, you personally cannot audit this process. You need to assign someone that has the technical skill to perform the audit, but this person cannot be the process owner (you) or a direct report to the process owner (the rest of the QA department). Fortunately, the Director of Engineering is also trained as an internal auditor at your company. She is trained on ISO 14971:2009, but she did not receive risk management training to the most current version. To address this gap, she must read the updated Standard to understand what’s new.

novcover preview 211x300 Auditing ISO 14971   4 Steps to Assess Compliance

Clause 3.2 of ISO 14971 requires that top management review the Risk Management Process for Effectiveness.

She has participated in risk management activities, but each product development engineer participates in risk management activities for their own design projects. Therefore, she has several projects she can sample risk management records from without auditing her own work. You have communicated that you need this audit finished sometime in December because you want any CAPAs resulting from the audit to be finalized before the next Management Review at the end of January. The timing of the Management Review is important because the risk management procedure requires that top management assess the effectiveness of the risk management process during Management Review meetings.

There are no previous audit findings to close from the last audit of the risk management process. Still, the Director of Engineering has seven specific items to emphasize from the 2012 revision of the Standard, and a revised procedure for risk management. Therefore, she will prepare for the audit by identifying some new interview questions to specifically address these changes–as well as some more general, open-ended questions.

Specific questions related to Annex ZA when auditing ISO 14971

1. How does the risk analysis evaluate the acceptability of risks in the lowest category? (This is a leading question, but it is specifically designed to determine if negligible risks are discarded).

2. Please provide a few examples of how risks in the lowest category were reduced. (In sections 1 and 2 of the Annex, I require all risks to be reduced as far as possible, and for all risks to be evaluated for acceptability. The wording of this question also allows auditors flexibility in their sampling).

3.  How did the design team determine when they had implemented sufficient risk controls to minimize risks? (Many companies use a color-coded matrix as a quasi-objective method for determining when risks are adequately reduced. This process is often referred to as the ALARP concept. Annex ZA specifically prohibits using economic considerations as part of this determination).

4. How did you conduct a risk-benefit analysis? (The Standard allows for performing a risk-benefit analysis when overall residual risks exceed the acceptability criteria as outlined in the risk management plan. However, the MDD requires an overall risk-benefit analysis in Section 1 of Annex I. Section 6 also requires that a risk-benefit analysis be performed for each individual risk).

5. How were risk control options selected? (Section 2 of the MDD implies that the manufacturer shall review All the control options and pick the most appropriate ones. Therefore, the auditor should specifically look for evidence that the team systematically reviewed all possible control options to reduce risks–rather than stopping as soon as the risks were reduced to an acceptable level).

6. What were your team’s priorities for the implementation of risk control options? (It’s possible that the previous question will be sufficient to gather evidence that risk controls were implemented with the required prioritization, as specified in the MDD. However, this question would be used as a follow-up question if it is not clear that the team prioritized the risk control options in accordance with Section 2 of Annex I).

7. How was the effect of labeling and warnings in the instructions for use incorporated into the estimation of residual risks? (Almost every company remembers to include residual risks in their IFU as a warning or caution statement. However, Section 2 of Annex I does not allow for including this information given to the users as a method of reducing risks. Therefore, in a Design FMEA, you would not list labeling and IFUs in your column for current risk controls when you determine the risk. This should be identified as an action to be taken–with no impact on the score for residual risk).

%name Auditing ISO 14971   4 Steps to Assess ComplianceThe above questions are not examples of using the process approach, but each question is phrased in an open-ended manner to maximize the objective evidence gathered during the interview process. If you are doing a process audit, it’s still acceptable to include questions that use the element approach.

Generic questions when auditing ISO 14971

1. When was the ISO 14971:2012 version of the Standard added to the controlled list of external Standards?

2. Please provide examples of where you have updated the Essential Requirements Checklist (a Technical File document) to reference the newest revision of ISO 14971:2012, and please show at least one example of how the risk management report was updated to reflect this revision.

3. How did you verify training effectiveness for the design team specific to the updated risk management procedure before conducting a risk analysis?

%name Auditing ISO 14971   4 Steps to Assess ComplianceThese generic questions do not require reading the ISO 14971:2012 Standard. Instead, each question forces the auditee to demonstrate their knowledge of the revised Standard by answering open-ended interview questions. Each of these questions is also designed to test linkages with other support processes. This is an example of how to use the process approach.

Step 2: Auditing ISO 14971

The next step is to conduct your audit of ISO 14971. During the auditing of ISO 14971, the Director of Engineering will gather objective evidence of both conformity and nonconformity for the risk management process. The generic interview questions that were developed allow her to evaluate the effectiveness of linkages between the risk management process and other processes, such as:

1) Document control

2) Creating technical documentation for regulatory submissions

3) The training process

Specific questions verify that each of the seven elements identified in Annex ZA of ISO 14971:2012 is adequately addressed in the revised procedure. When the audit is completed, the auditor will have a closing meeting with the process owner (you) and the auditee(s), so that everyone is clear about what the findings were, and if there were any nonconformities. This is the time to clarify what needs to be done to prevent each nonconformity from recurring.

Step 3: Writing the Report & Taking Corrective Action(s)

This is no different from any other audit. Still, it is critical to have the report completed soon enough so that CAPAs can be initiated (not necessarily completed) before the Management Review.

Step 4: Verifying Effectiveness of Corrective Action(s)

Many people struggle with verifying the effectiveness of corrective actions–regardless of the process. My advice is to identify a process metric to measure effectiveness. Then the effectiveness check is objective. For example, monitoring the frequency of updates to the list of external standards can help verify that the process for monitoring when Standards are updated is effective. Likewise, the frequency of updates to the Essential Requirements Checklist and the risk management records referenced in the Essential Requirements Checklist indicates if the risk management process is being maintained. Finally, monitoring the lag between the time procedures are updated and when the associated training records are updated quickly identifies if there is a systemic problem with training or if a training gap is just an example of a single lapse.

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (6) →

Do you need to purchase the latest EN ISO 14971 version?

It is not necessary to purchase the EN ISO 14971 version because you should already be compliant and amendments are sold separately.

Discussion about a risk management standard 1024x664 Do you need to purchase the latest EN ISO 14971 version?

If the above conversation sounds familiar, hopefully, this blog will help.

Note: This is a 2012 blog that will be updated and/or consolidated soon, but here’s a link for risk management training.

Question 1: What is the current version of EN ISO 14971?

Answer 1: EN 14971 was revised to 2012 on July 6, 2012. The previous 2009 version was withdrawn. The ISO version is not changing–just the EN version.

Question 2: What’s new in 2012?

Answer 2: Only the three Annexes related to harmonization with the three directives (MDD, AIMDD, and IVDD) were updated. The content of the Standard itself has not changed.

Question 3: Do I need to buy EN ISO 14971… which really hasn’t changed since 2007?

Answer 3:  No…unless you still have the 2000 version. (just my personal opinion … not anyone else necessarily agrees)

Why you don’t need to buy the  EN ISO 14971 version…

Historically, Annex ZA was the annex at the back of a Standard that would explain how it is harmonized with the European Directives. However, in 2009, Annex ZA was separated into ZA, ZB, and ZC. Each of these Annexes explained how the current version of ISO 14971  (then ISO 14971:2007) differs from each of the three directives. In addition, there was a correction to Figure 1 (i.e., – arrow in the wrong location). Neville Clarke provided a good summary of these minor changes that occurred in 2009. The European Commission was concerned with some of the differences between the 2009 Standard and the Directives. Therefore, the Standard has been updated to clarify these differences.

There are seven technical deviations from the Standard that are required for compliance with the European Directives. Marcelo Antunes is an expert on Standards, and he accurately describes these deviations as “weird” in a discussion thread on Elsmar Cove’s Forum. The deviation that seems to have caught the most attention is the requirement to reduce ALL risk to “as low as possible” (ALAP) rather than to a level that to “as low as reasonably practicable” (ALARP concept). The “ALAP” acronym was a joke, but it wouldn’t be the first time that something like this stuck (i.e., – SWAG).

An alternative approach to verifying compliance with EN ISO 14971

If you sleep with a label maker under your pillow, you should buy the new BS EN 14971:2012 version,  so you can ensure that you are staying in compliance with each of these seven deviations and that you have considered the implications fully in your procedure for Risk Management. However, if you are a practical person that prefers not to upset the entire development team, I recommend a different approach.

1. Download a copy of the relevant Directive from the Europa Website

2. Using Adobe, search the entire Directive for the word “risk”:

AIMDD = 24 times

MDD = 55 times

IVDD = 34 times

3. Systematically review where the word “risk” is used to determine if you need to make adjustments for your CE Marked products. If you already have a CE Mark, there should be no changes required to your risk management documents. Your procedures might need clarification to observe the requirements of the Directive when there is a difference between the Standard and the Directive.

Last Question: What is your Notified Body auditor going to do?

Final Answer: I’m not sure, because every auditor is a little different in their approach. However, as an instructor, I would teach an auditor to ask open-ended questions, such as: “How did you determine if there is an impact upon your procedures and design documentation with regard to the updated Standard?” (i.e., – impact analysis). If the company provides an impact analysis and explains why the existing risk documentation and procedure should not change, I believe this meets the requirements for “equivalency with the State of the Art.”

Honestly, I haven’t seen one single company that was 100% in compliance with the “letter” of the Directives or the Standard. Sometimes, rational thought must overcome political compromises and irrational behaviors.

On the other hand, it’s always possible that these seven deviations, and the information on corrective action, will fundamentally change the way your company approaches risk management (I just dare you to bring it up in your next management review).

If you would like a second opinion, the Document Center’s Standard Forum says, “As you can see, this material is essential to conformance with the EN requirements and will make the purchase of the EN edition (BS EN ISO 14971 is the official English language edition) mandatory for medical device manufacturers certifying to the standard for sales in Europe.” FYI…Document Center’s Standard Forum sells Standards. You can buy this one from them for $324.

 

Posted in: ISO 14971:2019 (Risk Management)

Leave a Comment (11) →
Page 2 of 3 123