Regulatory Open Forum

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

First, take a deep breath and make sure your emotions don't get the best of you and undermine your credibility in case there is a detail that you might be overlooking.

Next, consider that, for the medical device sector, you and your SOP should assure that your risk management process complies with ISO 14971 / EN ISO 14971 [as amended; versions chosen based on the applicable jurisdiction(s); hereinafter "14971"].  Specifically, per 14971, the "manufacturer" shall establish the Risk Management File (RMF).  Neither 14971 nor its guidance ISO/TR 24971 prescribe further details about specifically who within the manufacturer is responsible for creating/maintaining the RMF other than to place the ultimate responsibility on Top Management.

Thus, operationally speaking, 14971 gives us (i.e., all stakeholders on all sides of the discussion) flexibility to decide and assign via the Risk Management Plan (RMP) which particular person, personnel, group, department, etc., shall create/maintain the RMF.  I've seen this be Regulatory, Quality, or Engineering.  14971 permits any of these, and maybe even others such as document control, though I wouldn't feel comfortable unless at least one of the first three was closely involved.

Accordingly, a few questions to ask yourself and be versed on before you push too far in the discussion:

•    What does the subject RMP state?
•    What does your SOP state?
•    What does your document/record control SOP state?
•    What does your design/development control SOP state?

All of these need to be aligned with one another and the stakeholders along with the aforesaid 14971 parameters.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 28-Mar-2024 12:06
From: Anonymous Member
Subject: Responsible Function for Risk Management File

This message was posted by a user wishing to remain anonymous

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

In addition to what Kevin said, I recommend considering Section 4.3 of ISO 14971:2019, "Persons performing risk management tasks shall be competent on the basis of education, training, skills, and experience appropriate to the tasks assigned to them. Where appropriate, these persons shall have knowledge and experience with the particular medical device (or similar medical devices) and its use, the technologies involved or the risk management techniques employed. Appropriate records shall be maintained."

Regardless of function & title, this should be considered to ensure personnel leading or applying RM are competent - and, of course, one can always seek in-depth training to address this.

I have traditionally seen RM led/primarily handled by Quality Engineering or Development Engineering as they would commonly meet the criteria described above. However, that certainly would not preclude others.

Finally, I'll draw attention to the Note in this section - that RM can be performed by several functions, "each contributing their specialist knowledge." I would personally encourage cross-functional participation in RM throughout the product's lifecycle (and would be wary about attempts to solely assign this to one specific function).

Good luck!

First, take a deep breath and make sure your emotions don't get the best of you and undermine your credibility in case there is a detail that you might be overlooking.

Next, consider that, for the medical device sector, you and your SOP should assure that your risk management process complies with ISO 14971 / EN ISO 14971 [as amended; versions chosen based on the applicable jurisdiction(s); hereinafter "14971"].  Specifically, per 14971, the "manufacturer" shall establish the Risk Management File (RMF).  Neither 14971 nor its guidance ISO/TR 24971 prescribe further details about specifically who within the manufacturer is responsible for creating/maintaining the RMF other than to place the ultimate responsibility on Top Management.

Thus, operationally speaking, 14971 gives us (i.e., all stakeholders on all sides of the discussion) flexibility to decide and assign via the Risk Management Plan (RMP) which particular person, personnel, group, department, etc., shall create/maintain the RMF.  I've seen this be Regulatory, Quality, or Engineering.  14971 permits any of these, and maybe even others such as document control, though I wouldn't feel comfortable unless at least one of the first three was closely involved.

Accordingly, a few questions to ask yourself and be versed on before you push too far in the discussion:

•    What does the subject RMP state?
•    What does your SOP state?
•    What does your document/record control SOP state?
•    What does your design/development control SOP state?

All of these need to be aligned with one another and the stakeholders along with the aforesaid 14971 parameters.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 28-Mar-2024 12:06
From: Anonymous Member
Subject: Responsible Function for Risk Management File

This message was posted by a user wishing to remain anonymous

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

First, take a deep breath and make sure your emotions don't get the best of you and undermine your credibility in case there is a detail that you might be overlooking.

Next, consider that, for the medical device sector, you and your SOP should assure that your risk management process complies with ISO 14971 / EN ISO 14971 [as amended; versions chosen based on the applicable jurisdiction(s); hereinafter "14971"].  Specifically, per 14971, the "manufacturer" shall establish the Risk Management File (RMF).  Neither 14971 nor its guidance ISO/TR 24971 prescribe further details about specifically who within the manufacturer is responsible for creating/maintaining the RMF other than to place the ultimate responsibility on Top Management.

Thus, operationally speaking, 14971 gives us (i.e., all stakeholders on all sides of the discussion) flexibility to decide and assign via the Risk Management Plan (RMP) which particular person, personnel, group, department, etc., shall create/maintain the RMF.  I've seen this be Regulatory, Quality, or Engineering.  14971 permits any of these, and maybe even others such as document control, though I wouldn't feel comfortable unless at least one of the first three was closely involved.

Accordingly, a few questions to ask yourself and be versed on before you push too far in the discussion:

•    What does the subject RMP state?
•    What does your SOP state?
•    What does your document/record control SOP state?
•    What does your design/development control SOP state?

All of these need to be aligned with one another and the stakeholders along with the aforesaid 14971 parameters.

------------------------------
Kevin Randall, ASQ CQA, RAC (Europe, U.S., Canada)
Principal Consultant
Ridgway, CO
United States
© Copyright by ComplianceAcuity, Inc. All rights reserved.

Original Message:
Sent: 28-Mar-2024 12:06
From: Anonymous Member
Subject: Responsible Function for Risk Management File

This message was posted by a user wishing to remain anonymous

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

All of these responses are good, but I am sure you are looking for more help.  I am in Quality Assurance and specifically Design Assurance.  In my career, Design Assurance is the most capable to handle the creation and maintenance of the risk management file.  One reason is divide and conquer.  Product Development owns the design history file and design assurance can own the risk management file and for that matter the usability file.  Risk and usability go hand and hand.  The teams still have to work together, but during the development process the design assurance team is also working with the post market team and clinical to identify hazards, hazardous situations, and harms.  I have seen this work well.

The second reason I recommend this is that typically Design Assurance stays with the product after launch through to obsoletion.  Product Development does not always stay with the product, especially when there is defined NPD versus Sustaining organizations.  The Design Assurance team stays connected to the post-market and clinical teams.  This has proven even more beneficial in today's EU MDR world with annual design dossier file updates and PSUR's.

This is just my opinion.  I am sure that there are others out there that have different experience.  There is no one size fits all with the ownership of risk management files.  I would say that the important thing is to have the consistency in ownership from cradle to grave and who has the continued connection with the post market team and clinical.

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

The Design Quality Assurance role is a really effective way of ensuring risk management is performed throughout the life of the medical device.  When I was in that type of role (AQE at Stryker), it was simple to hand off/ensure the risk management file was maintained after launch by the post-market teams. Unfortunately I have found that such a straight forward and intentional approach to risk management is hard to find.

All of these responses are good, but I am sure you are looking for more help.  I am in Quality Assurance and specifically Design Assurance.  In my career, Design Assurance is the most capable to handle the creation and maintenance of the risk management file.  One reason is divide and conquer.  Product Development owns the design history file and design assurance can own the risk management file and for that matter the usability file.  Risk and usability go hand and hand.  The teams still have to work together, but during the development process the design assurance team is also working with the post market team and clinical to identify hazards, hazardous situations, and harms.  I have seen this work well.

The second reason I recommend this is that typically Design Assurance stays with the product after launch through to obsoletion.  Product Development does not always stay with the product, especially when there is defined NPD versus Sustaining organizations.  The Design Assurance team stays connected to the post-market and clinical teams.  This has proven even more beneficial in today's EU MDR world with annual design dossier file updates and PSUR's.

This is just my opinion.  I am sure that there are others out there that have different experience.  There is no one size fits all with the ownership of risk management files.  I would say that the important thing is to have the consistency in ownership from cradle to grave and who has the continued connection with the post market team and clinical.

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

To support Christopher's post, I would like to emphasize that Risk Management is not a "one person show", it takes a team of knowledgeable individuals to manage the process in ways to get correct results.  The person responsible for managing the file is one who make sure it is up to date, and may not be doing the work of following up on any issues such as design changes, complaint investigation, MDR investigation etc.  ISO 13485 in Clause 8 Monitoring and Feedback requires that activities in this clause provide input to the risk management process, so that work needs to be monitored as well.

What I am trying to say, is the individual for managing the RMF is often not the one doing the work, but is providing oversight to make sure the file is updated with the results of all the activities taking place during the entire lifecycle of the device.  And yes, it may be transferred to different people during that lifecycle, but they must be capable and responsible to see that the file is up to date.  They need communications with all the associated parts of the organization to assure that they are aware of anything that may impact the RMF, and will follow up with those who are performing any activity that will impact the file.

All of these individuals need to be competent in the areas of work according to both ISO 14971 and ISO 13485.  This is not a simple part-time task but will require a significant part of the individuals time, so choose accordingly.

The Design Quality Assurance role is a really effective way of ensuring risk management is performed throughout the life of the medical device.  When I was in that type of role (AQE at Stryker), it was simple to hand off/ensure the risk management file was maintained after launch by the post-market teams. Unfortunately I have found that such a straight forward and intentional approach to risk management is hard to find.

All of these responses are good, but I am sure you are looking for more help.  I am in Quality Assurance and specifically Design Assurance.  In my career, Design Assurance is the most capable to handle the creation and maintenance of the risk management file.  One reason is divide and conquer.  Product Development owns the design history file and design assurance can own the risk management file and for that matter the usability file.  Risk and usability go hand and hand.  The teams still have to work together, but during the development process the design assurance team is also working with the post market team and clinical to identify hazards, hazardous situations, and harms.  I have seen this work well.

The second reason I recommend this is that typically Design Assurance stays with the product after launch through to obsoletion.  Product Development does not always stay with the product, especially when there is defined NPD versus Sustaining organizations.  The Design Assurance team stays connected to the post-market and clinical teams.  This has proven even more beneficial in today's EU MDR world with annual design dossier file updates and PSUR's.

This is just my opinion.  I am sure that there are others out there that have different experience.  There is no one size fits all with the ownership of risk management files.  I would say that the important thing is to have the consistency in ownership from cradle to grave and who has the continued connection with the post market team and clinical.

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

All of these responses are good, but I am sure you are looking for more help.  I am in Quality Assurance and specifically Design Assurance.  In my career, Design Assurance is the most capable to handle the creation and maintenance of the risk management file.  One reason is divide and conquer.  Product Development owns the design history file and design assurance can own the risk management file and for that matter the usability file.  Risk and usability go hand and hand.  The teams still have to work together, but during the development process the design assurance team is also working with the post market team and clinical to identify hazards, hazardous situations, and harms.  I have seen this work well.

The second reason I recommend this is that typically Design Assurance stays with the product after launch through to obsoletion.  Product Development does not always stay with the product, especially when there is defined NPD versus Sustaining organizations.  The Design Assurance team stays connected to the post-market and clinical teams.  This has proven even more beneficial in today's EU MDR world with annual design dossier file updates and PSUR's.

This is just my opinion.  I am sure that there are others out there that have different experience.  There is no one size fits all with the ownership of risk management files.  I would say that the important thing is to have the consistency in ownership from cradle to grave and who has the continued connection with the post market team and clinical.

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

As others have said, it may depend on individuals at least as much as department titles. At one company, we had assigned it to Quality Engineering, and it was not working well at all. Eventually I realized that none of those with the "Quality Engineer" title was actually an engineer, and the technical stuff was way over their heads. That's not to say that someone who majored in Business can't have excellent risk management skills, but you can't just assume it. At another company, when we wanted to transfer responsibility from Development to Sustaining Engineering, I was careful to check if the Sustaining "engineers" actually had any engineering background, or if the department title was assigned to techs and admins.

Which is to say, in some companies, RA might happen to be a good fit. As well as the technical skills, though, make sure the assigned owner is properly staffed to do the work. Risk management isn't a minor extra task - it takes time.

All of these responses are good, but I am sure you are looking for more help.  I am in Quality Assurance and specifically Design Assurance.  In my career, Design Assurance is the most capable to handle the creation and maintenance of the risk management file.  One reason is divide and conquer.  Product Development owns the design history file and design assurance can own the risk management file and for that matter the usability file.  Risk and usability go hand and hand.  The teams still have to work together, but during the development process the design assurance team is also working with the post market team and clinical to identify hazards, hazardous situations, and harms.  I have seen this work well.

The second reason I recommend this is that typically Design Assurance stays with the product after launch through to obsoletion.  Product Development does not always stay with the product, especially when there is defined NPD versus Sustaining organizations.  The Design Assurance team stays connected to the post-market and clinical teams.  This has proven even more beneficial in today's EU MDR world with annual design dossier file updates and PSUR's.

This is just my opinion.  I am sure that there are others out there that have different experience.  There is no one size fits all with the ownership of risk management files.  I would say that the important thing is to have the consistency in ownership from cradle to grave and who has the continued connection with the post market team and clinical.

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?

In all the years that I have been in Regulatory Affairs, creating risk management files has always been the responsibility of QA.  I am receiving for the first time in my 19 years in regulatory, pushback that this is a regulatory function. Could someone please let me know your experience in this area?