Risk Management
Applying Risk Management Principles to Your Quality System
By Dan Riordan
While all manufacturers must perform risk management activities, they are most critical for medical device companies. Malfunctioning medical equipment poses high risks for consumers, and even small flaws can have tremendous impact on the OEM—including fines, product recalls and permanent damage to the company’s reputation. While every function in a company should have its own policies regarding risk management, it is particularly important for the quality department. The risks associated with devices have obvious ties to product quality, and quality managers must work to minimize them at every stage of the design, production and post-production processes.
While regulatory bodies acknowledge the importance of managing risk, it can be challenging to interpret best practices from the language of their standards. FDA 21 CFR Part 820 only mentions risk in the context of design validation. ISO 13485, the medical device quality standard, recognizes that risk management should be performed throughout the product lifecycle but offers no specific guidance about best practices. ISO 14971, the risk management standard for medical device manufacturers, offers details on how to perform hazard analysis and risk mitigation. Because there are two separate standards for quality management and risk management, it may seem logical to perform these functions separately. However, risk assessment and mitigation should be a part of every quality activity throughout the entire product lifecycle, from design to manufacturing and post-delivery quality control.
In following a few guiding principles to integrating quality and risk, manufacturers can strengthen their quality management function while minimizing the impact of harm to users of their products.
Build Risk Management Into Devices
Even in the earliest stages of product development, it is vital to perform risk management activities. Before they begin design and development, manufacturers must identify the hazards their devices may pose. Quality team members should gather information about potential hazards from a number of sources, such as historical data, laws, codes and standards, informed hypotheses, industry research and customer feedback. When armed with a thorough, realistic understanding of the risk landscape, manufacturers can design safer devices.
While careful quality planning makes it possible to eliminate certain risks, there are inherent risks in any manufacturing environment. It is the responsibility of manufacturers to analyze the severity and likelihood of each potential risk, determine an acceptable level of risk, and develop programs to control them. Failure mode effects analysis (FMEA) is a popular method for managing product-related risk. This technique helps manufacturers identify potential sources of failure and measure the consequences of defects. It also enables manufacturers to prioritize all potential failures when deciding on actions to help them reduce risk.
The FMEA method is necessary not only for products, but also for manufacturing processes. Manufacturers should devise control plans for any potential process failures, such as poorly trained employees and malfunctioning equipment. These plans should include steps for minimizing the likelihood of these failures (requiring mandatory training sessions, scheduling regular calibrations) and steps for mitigating the impact should such failures occur.
Quality managers also must plan for risks in the post-production phase. They should ask themselves the following questions: What is the likelihood that this label would be misinterpreted by a doctor in a high-pressure situation? Is the product packaged to minimize damage during shipping? What hazards may occur when a patient misuses my product? When device manufacturers account for every possibility, they minimize the risk of liability.
It is imperative that manufacturers document all their risk management activities during the advanced product quality planning stage. This helps them demonstrate their processes to regulatory bodies and serves as a reference later in the product cycle. An electronic document control system is best for storing and organizing vast amounts of product-related data, because it enables constant revision of documentation with no confusion about which version is current. Systems with search capabilities enable easy search-and-retrieval of information. And companies that have built-in processes for communicating changes to management for review and approval expedite efficient quality planning.
Continually Perform Risk Activities
While quality planning is the critical first step, it is vital that manufacturers continue to practice risk management long after the design and development phases. Consistent attention to risks during the manufacturing process is the best way to improve product safety and minimize the impact of hazards.
The quality department should establish written procedures for continual risk assessment and control. Management should impress the importance of controlling risk on its employees—on a continual basis—and reward those who demonstrate commitment to the company’s risk policies.
Risk management is particularly challenging to device makers who outsource all or part of their production. It is difficult to regulate suppliers, but since the OEM will face the consequences of its outsourcing partner’s quality problems, it must insist on rigorous risk management standards. While some OEMs might insist that suppliers adhere to the same risk management policies they require, others might audit a supplier to ensure its unique practices meet the OEM’s standards. To determine which method is best, OEMs should evaluate the risk potential of outsourced products and parts as well as the level of trust they have for their suppliers, based on past performance and company reputation.
Continuous inspection and testing is the best way to control risks, both for original equipment and outsourced goods. Manufacturers and suppliers should perform regular calibrations to prevent failure of manufacturing equipment. They also must regularly inspect finished goods and collect and trend data to identify any larger product problems that may not immediately be evident. These processes should be detailed in the control plan, and results always should be documented.
Re-evaluate Processes Based on Real-World Criteria
Once a product is released on the market, quality managers must keep apprised of defects and failures to strengthen their risk management processes. Customer complaints, customer surveys, non-conformances, medical device reports and product recalls all are sources of information about product hazards. Quality managers must assess whether post-market problems exceed the level of acceptable risk they determined during the quality planning stages. If so, they then must pinpoint the issue’s cause, using methods such as fault tree analysis (FTA), which offers a top-down way to identify part failure as a cause of functional failure. Companies that keep scrupulously detailed information about their quality planning, manufacturing processes and customers should be able to identify the source of problems. From there, quality managers must assess whether the actions they took were sufficient to mitigate the problem.
If the risk controls proved inadequate, or if problems arise that are outside the scope of previously identified risks, companies should adapt their processes to account for these findings. Management may balk at the costs and efforts of changing product design or manufacturing processes. But failing to correct inherent problems in the system can have major effects down the line. Companies that show willingness to learn from their mistakes win favor with auditors and customers.
* * *
Because of the inherent risks involved in manufacturing medical devices, companies must define rigorous processes for identifying, evaluating and controlling risks. By building risk management into their quality processes, companies avoid government censure and improve customer relations.
