Regulatory Open Forum


Risk Management - A call to action

  • 1.  Risk Management - A call to action

    Posted 18-Apr-2020 18:22

    The Forum, on occasion, includes issues related to risk management. Often these issues suggest a lack of understanding of risk management. I also see these problems in my consulting practice. Typically, companies don't follow the standard as written. Worse, they create unnecessary complexity.

    In my opinion, the industry has the sense that "compliance requires complexity". I take the opposite view; simplicity is essential.

    In risk management, I see a lot of problems, but they generally fall into two categories: failure to follow the standard and failure to recognize that the standard is the basis for other standards.

    ISO 14971:2019 is a process standard. It is well written and describes a simple and straightforward process. The process steps follow in a logical order. Most implementations use an Excel workbook. The column headings should be the process steps in order. The rows are the individual instances; there could be many rows, but each row follows the process.

    Before developing the Hazard Analysis, identify the device and its characteristics. Write the Risk Management Plan (or plans) that cover the life cycle of the device.

    After completing the Hazard Analysis analyze the overall residual risk, review the process, and release the device to production.

    After release to production, monitor the production and post-production information.


    The major problems I see in this category are:
    Failure to recognize that the Hazard Analysis is not an FMEA or FMECA. A hazard can lead to patient or user harm. The harm can occur in either a normal or a fault condition. In contrast, an FMECA is a reliability tool that analyzes single point failures in a failure mode. An FMECA misses half the Hazard Analysis issues (harm in a normal condition) and does not follow the standard.

    Failure to identify the sequence of events. Often patient or user harm requires more than one thing to go wrong. This is the sequence of events and is a strong component of accident prevention and investigation. The key to sequence of events is the connection to risk reduction, which should address the sequence steps. In the best case, the risk reduction measure breaks the chain in the sequence.

    Confusing risk reduction with mitigation. Risk reduction addresses the severity or probability of the patient or user harm. The methods apply before the harm. Mitigation applies after the harm occurs and reduces its impact on the patient or user. Risk reduction prevents the loss of a body function. Mitigation compensates for the loss should it happen.

    Not linking the tools. For example, a risk reduction measure in the manufacturing process should be part of the PFMECA. If the PFMECA shows that a nonconforming product could escape, analyze the effect in the Hazard Analysis.

    The second problem is applications of risk management.
    There are some standards that require risk management because they deal with patient or user harm. Typically, these standards have a file to collect the associated documentation. These files could be either part of the ISO 14971:2019 Risk Management File or separate files linked to the Risk Management File and its contents.

    In each case, implement ISO 14971:2019 as a basis for the specific application. There may be specific files or specific requirements beyond ISO 14971:2019. Determine the file structure, any specific changes to the basic flow, and any specific documents required for the application.

    I've identified the following standards and other applications that require risk management.
    EU-MDR
    EU-IVDR
    FDA's guidance documents on changes to a 510(k) device
    IEC 60601-1 on medical electrical equipment
    IEC 62366-1:2015 on usability engineering
    ISO 62304 on software
    FDA's guidance documents on pre-market and post-market cyber security
    ISO 10993-1:2018 and associated family members on biocompatibility
    ISO 22442-1:2015 and associated family members on the use of animal tissue

    Call to action
    When writing about risk management, follow the standard as written. In particular, do not suggest that an FMEA or FMECA satisfies the standard.

    Understand the standard and advocate its use as written.

    Eschew complexity!



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------




  • 2.  RE: Risk Management - A call to action

    Posted 19-Apr-2020 07:55
    Dan,

    I have great respect and admiration for your direct, logical and pragmatic approach to problem solving and compliance.  You are always on point that a critical understanding of the spirit as well as the written requirements, and application of the least burdensome solution are best practice.

    One of my tenets, which I have adopted in my practice is a "modified" quote attributed to, but probably not from, Pablo Picasso. The quote is 'Learn the Rules Like A Pro So You Can Break Them Like An Artist', which I have modified to "Learn the Rules Like A Pro So You Can Use Them Like An Artist" to adapt to the reality of the legal nature of our efforts.

    I find, as you have, that there are too many who do things because they are told to without researching and understanding the actual reasons and objectives for any before trying to achieve compliance nor trying to use logic, reason and efficiency as the best way to comply.

    Also, I have another modified quote from Yogi Berra that sums up what happens if you follow the process without a firm goal in mind. "If you don't know where you are going, you'll end up someplace else."  My revision is "If you do not know where you are going, you cannot know when you get there". I suggest that in following a process, or even developing a design, knowledge of where you are going, or what you will expect at the conclusion is the only way to know that you have achieved your goals.

    Enough for a Sunday sermon.  I fully support and applaud your call to arms.

    ------------------------------
    Lee Leichter RAC
    President
    Fort Myers FL
    United States
    ------------------------------



  • 3.  RE: Risk Management - A call to action

    Posted 19-Apr-2020 09:08

    Dan, 

    Your comments are right on target. A complete Risk Analysis requires the use of multiple tools. And I use the Risk Analysis term, because we are analyzing Risk and not Hazards. It is also the term used in ISO 14971 in all its editions. Hazard Analysis only appears in the proper name of tools such as PHA and HACCP, but not in the process identified in the standard. So Risk Analysis is the proper term. Clause 5 of the 2019 edition of ISO 14971 identifies the requirements for Risk Analysis. Clause 4.5 identifies the requirements for Risk Traceability.


    The GHTF, in SG3/N15 in 2005, identified the use of Risk Management Summary Tables, in Annex C, to consolidate all of the information collected by use of multiple tools. It is important to have this consolidated view to have all the risks listed in one place to perform Overall Residual Risk Evaluation, and to get a good picture of the product Risk Profile to decide the product is ready, from a risk management perspective, for release to users. The Summary Table also provides a Knowledge Management connection to all the information collected during the risk management process to make it available to those researching post-production information and design updates. I wrote about the Risk Traceability Summary in an AAMI publication, Horizons, in the Spring 2015 issue. You can find the GHTF document for free at the International Medical Device Regulators Forum.



    ------------------------------
    Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
    Principal Consultant
    Overland Park KS
    United States
    elb@edwinbillsconsultant.com
    ------------------------------



  • 4.  RE: Risk Management - A call to action

    Posted 19-Apr-2020 19:13
    Dan, Lee, Edwin,

    Thank you for your perspective. I think you are spot on. 

    I too see the implementation of 14971 go off the rails. This often results in the risk management becoming very burdensome and consequently the stakeholders becoming frustrated because they feel like they don't know how to contribute effectively. If the cross functional team is not engaged, the outcome will likely have gaps, which the design doesn't address. Gaps in the design unfortunately lead to surprises in the field. Ugh.

    Thankful for this forum and contributors.

    ------------------------------
    Adam Atherton
    Farragut TN
    United States
    ------------------------------



  • 5.  RE: Risk Management - A call to action

    Posted 21-Apr-2020 12:41
    Isn't it always like this?  Haven't you seen ISO 13485 go off the rails?  Lean? Six Sigma? There seems to be an underlying force at play, but I'm not in a position to identify it.  What do you think?

    ------------------------------
    Julie Omohundro, ex-RAC (US, GS), still an MBA
    Principal Consultant
    Class Three, LLC
    Mebane, North Carolina, USA
    919-544-3366 (T)
    434-964-1614 (C)
    julie@class3devices.com
    ------------------------------



  • 6.  RE: Risk Management - A call to action

    Posted 20-Apr-2020 07:41
    Hi Dan,

    Thank you for your typically thorough and structured mini-treatise.  I will admit to not always being as inclusive as both you and the standard state so you've helped me with your call and attachments.

    The reason why I'm commenting is that in your list of standards requiring risk management you left out ISO 13485:2016.  Not that you needed to be completely inclusive but especially in this Forum I would have expected that one to be there.  In the service of clarity and understanding, am I missing something?

    ------------------------------
    Rem Siekmann BSE, MBA, ASQ CBA
    Senior Principal Engineer
    Bellaire MI
    United States
    ------------------------------



  • 7.  RE: Risk Management - A call to action

    Posted 20-Apr-2020 08:12

    Unlike the other standards I listed, ISO 13485:2016 does not have any version of 14971 as a normative reference.

    One could have a fully compliant implementation of ISO 13485:2016 without even opening ISO 14971:2007 or ISO 14971:2019.



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------



  • 8.  RE: Risk Management - A call to action

    Posted 20-Apr-2020 09:38
    Dear Dan,
    ISO 13485:2016 has references to ISO 14971 - even in the concept in Chapter 0.2 - this is one of the main changes of ISO 13485. Risk is defined according to the definition of ISO 14971. You find this in 3.17 and 3.18, as well as 7.1, meaning the whole life cycle of a medical device has to undergo risk management according to 14971.
    Best regards
    Margit

    ------------------------------
    Margit Widmann MD
    Director Regulatory
    Günsberg
    Switzerland
    ------------------------------



  • 9.  RE: Risk Management - A call to action

    Posted 20-Apr-2020 10:51
    It is not a normative reference.

    While it might be an interesting recommendation, it is not a requirement.

    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------



  • 10.  RE: Risk Management - A call to action

    Posted 21-Apr-2020 08:07
    Hello Margit

    Dan is right.  When I search ISO 13485:2016, while risk is mentioned throughout, the references to ISO 14971 are through definitions and references only.  It does not mandate ISO 14971, only that risk be assessed.  Often, it is mentioning risk of process, where ISO 31000, Risk Management - Guidelines, is frequently used for process/business risks.  Unfortunately it is a mishmash, which has now confused everyone.

    I did take and pass an Exemplar certified ISO 13485:2016 / QSR / Management Systems 4-day lead auditor course last spring (2019).  The instructor was adamant in saying ISO 14971 is one way to assess risk, but not required.

    Thoughts folks?  I am having clients look at multiple risk standards:  ISO 14971:2019, ISO 31000, IEC 80002-1, AAMI TIR 57:2016, etc.  I know there are more out there for cyber - NIST, etc. (can't cite them all off the top of my head).  But that is the confusion.  Risk approaches can vary depending on what you are trying to assess.

    ------------------------------
    Ginger Cantor, MBA, RAC
    Founder/Principal Consultant
    Centaur Consulting LLC
    River Falls, Wisconsin 54022 USA
    715-307-1850
    centaurconsultingllc@gmail.com
    ------------------------------



  • 11.  RE: Risk Management - A call to action

    Posted 20-Apr-2020 09:46

    This is a great discussion with many good points. In gaining a further understanding of ISO 14971, I find there are many who have not read the Rationale, Annex A in ISO 14971:2019. This section discusses the reasoning behind each of the requirements, which Lee identifies as one reason for these overly complex risk management systems that are forced on companies without understanding the requirements.

    Dan identifies that ISO 13485 does not have a normative requirement for ISO 14971. It was a big discussion between the two standards committees back when the 2003 edition of ISO 13485 was under development. BUT, 13485 does require that the outputs of risk management are a design input in 7.3.3 (c) and does identify the definitions of "risk" (3.17) and "risk management" (3.18) as being from ISO 14971. There is also a reference to ISO 14971:2007 in the Bibliography (which no one reads). Risk is used as a term more than 20 times in the standard (I counted once but forgot the exact number). So in reality the two standards are linked. And in ISO 14971:2019 Clause 1 Scope it states that "Risk management can be an integral part of a quality management system".

    In another discussion, Ginger thought that the standard is too complicated for small companies and startups to implement. My thoughts are that these companies are not adopting something appropriate for the size of company and the particular product. As Lee is mentioning, there is not a "one size fits all" and way too many consultants and auditors are trying to apply a "one size fits all" solution which is not appropriate and comes from a lack of deep understanding of risk management and ISO 14971. It is also a sign of incorrect implementation when you find the use of only FMEA (or FMECA) as the risk analysis.

    As a member of the standards committee, since 2000, that wrote ISO 14971, we have been trying to provide the information to properly implement the standard in the guidance document ISO TR 24971:2020, now 100 pages of help for those implementing risk management in their companies. Unfortunately we have been frustrated that it was not released in parallel with ISO 14971:2019. This was due to several small communications problems that compounded and led to a 12-week revote of the EN version that, according to the rules linking the two, delays the ISO version. 

    Any company using a consultant or other expertise, including internal, should determine they are qualified to provide the recommendations on risk management. For consultants this is part of supplier evaluation and selection under ISO 13485:2016 Clause 7.4.1 Purchasing process. For internal personnel, the requirements under 6.1 Resources and 6.2 Human Resources apply.



    ------------------------------
    Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
    Principal Consultant
    Overland Park KS
    United States
    elb@edwinbillsconsultant.com
    ------------------------------



  • 12.  RE: Risk Management - A call to action

    This message was posted by a user wishing to remain anonymous
    Posted 20-Apr-2020 16:20

    Thanks all for the discussion. I just watched Edwin Bills' Greenlight Guru webinar yesterday and have started digging into the 14971:2019 standard (based on his commentary on certain sections), though I am using the FDIS version.


  • 13.  RE: Risk Management - A call to action

    This message was posted by a user wishing to remain anonymous
    Posted 22-Apr-2020 08:37

    Hi Dan,

    Thank you so much for initiating this thread. This is super helpful information. I have some questions:
    1) Who should be the process owner to implement the correct risk management procedures? (In most organizations everyone feels it's RA's prime responsibility.)
    2) If an organisation has multiple business portfolios like Instruments/med devices and IVD Kits where each portfolio has different standards, how does one separate these templates from each other?
    2a) Do they need to have different risk assessment templates based on their respective standards?
    2b) Is there a way to scope out the standards for both the categories separately and use one template?
    Or what would be the ideal and best way forward?
    Managing risk assessments for a wide range of product portfolios is always a challenge. Do you have recommended best practices?

    Thanks a lot !



  • 14.  RE: Risk Management - A call to action

    Posted 23-Apr-2020 09:22

    I've included the questions and put my response after each one.

    1) Who should be the process owner to implement the correct risk management procedures? (In most organizations everyone feels it's RA's prime responsibility.)
    This is a difficult question because it depends on the company's organization structure and the allocation of responsibilities. I think that RA is responsible to understand the regulatory requirements in various markets, make submissions, etc. I think that QA is responsible for ensuring the product is correct, meets regulatory requirements, etc.

    My background is QA and I would have QA own the medical device risk management process.

    2) If an organization has multiple business portfolios like Instruments/med devices and IVD Kits where each portfolio has different standards, how does one separate these templates from each other?
    ISO 14971:2019 is a process standard, so is independent of the product. I like to have (at least) three templates: one for the risk management plan, one for the hazard analysis, and one for the risk management report. When completed, the information will differ by product; the template helps ensure the required information is present.

    There are standards for which ISO 14971, in some version, is a normative reference. This means that the standard has ISO 14971 as a basis, but has some specific requirements. ISO 10993-1:2018 is an example. In that case, I would have templates for the plan, hazard analysis, and report recognizing that they inherit the 14971 information and add additional information.

    2a) Do they need to have different risk assessment templates based on their respective standards?
    They may, depending on the standard. Usability engineering has the concept of a Hazard-Related Use Scenario. The sequence of events will include at least one use-error. It is generally not possible to estimate the frequency of occurrence of a use-error, so the acceptability criteria use severity only. The risk matrix collapses to a risk vector. It would be reasonable to have a more specialized template in this case.

    2b) Is there a way to scope out the standards for both the categories separately and use one template?
    I'm not clear about "both the categories separately". What are the categories?

    Managing risk assessments for a wide range of product portfolios is always a challenge. Do you have recommended best practices?
    The challenge is common across many processes. For example, FDA QSR 820.30 has a design process with process steps. Typically, a company will have a set of templates for the design process elements. Design changes, for example, invoke specific process steps. However, a design change for one product does not, usually, impact other products.

    Use the techniques that break these requirements into processes, develop templates for the various process elements and steps, and complete the templates for the various products.



    ------------------------------
    Dan O'Leary CQA, CQE
    Swanzey NH
    United States
    ------------------------------