Emily Ysaguirre, VERSE Solutions, 07.26.17
“People generally prefer present benefits over future benefits, and prefer future harms over present harms, so time-preference may need to be captured when risks and benefits occur at different times,” stated an Association for the Advancement of Medical Instrumentation (AAMI) Whitepaper: “Risk Principles and Medical Devices: A Postmarket Perspective, 2015.”
Instant gratification is more appealing to human nature; it’s normal to want $20 now as opposed to getting that same $20 later. And when given the choice, most people would push negative experiences off for as long as possible. This isn’t always possible in everyday life, but it can be in the world of quality by integrating risk management into quality systems.
ISO 14971 as the International Risk Management Standard
ISO 14971:2007 (still in effect today) is the international risk management standard. In 2012, the European Union (EU) identified seven differences in the interpretation of ISO 14971:2007, which are called the content deviations and are contained within Annex Z of EN ISO 14971:2012.
To meet the applicable Medical Device Directive, medical device manufacturers must conform to both ISO 14971:2007 and EN ISO 14971:2012. To conform, updates to existing documentation may be necessary based on new guidance provided to the industry through a consensus paper for interpretation and application of ISO 14971:2012 version 1.1. This guidance was immediately created and required compliance with no grace period when initially stated. The “as low as possible” (ALAP) risk ranking method was introduced, replacing the “as low as reasonably possible” (ALARP) risk ranking method using high, medium, and low as a label in the Risk Matrix table, to include and assess all risks.
Prevailing Concerns of FDA and Notified Bodies: Post-Market Safety and Risk Management
According to a recent VERSE webinar entitled “ISO 14971 Risk Management: Industry Procedures and Best Practices,” low-frequency, high-risk is a concern for the U.S. Food and Drug Administration because companies have an enormous reliance on multiplying serial fractions to get a low frequency number to reduce risk. This is surprising because low-frequency, low-risk events are not tolerated in vulnerable populations. (This is a matter of what will come now vs. what will come later.) The 2012 standard raised the topic of systematic trends vs. frequency, like the events compromising the now instead of the later.
But there is somewhat of a disconnect. The webinar also stated that the “Industry and CDRH are not aligned,” and discussed the risk principles in correlation to the risk factors. ISO 14971:2012 examines the misunderstandings within the 2007 edition, along with harmonization of the standard with a risk management directive.
The ISO 14971:2007 regulation is currently under review, and based on the recently approved EU Medical Device Directives, so is EN ISO 14971:2012. There is discourse about producing a single harmonized Risk standard to replace the two that exist.
What’s the Disconnect?
Medical device manufacturers cannot eliminate risk through design solutions alone; they must use protective measures as well. As stated by the Medical Device Academy, there are only two acceptable reasons for not implementing risk controls. The first is that the risk control will not actually reduce additional risk, for example, something like “using redundant alarms to identify battery failure because it will eventually be ignored.” The second reason may be that there is a more effective risk control that cannot simultaneously be implemented, for example, “having only enough real estate to have one fixation element at each location,” meaning that if someone needs a knee implant, it is not going to hold if there is an implant already anchored to their femur with metal posts.
The primary reason medical device companies must use safe materials augmented with risk controls that determine residual risks is that controls can become redundant and end up being completely bypassed.
Properly Integrating Risk Management into Quality Software
Risk tools are built to enable users to create risk templates and configure them into any process. Risk Matrices help to automatically calculate risk, incorporate a decision tree, and add risk filtering. Risk tools provide multiple levels of risk ranking, the ability to filter out adverse events by their risk, and use any number of models.
A Risk Management flow, like anything else, is a process. This process takes potential hazards and assigns a weight to them. From there, it allows for a method of control.
“ISO 14971 for Medical Device Companies” is an effort to create a method to identify hazards, estimate and evaluate risks, and develop, implement, and monitor the effects of risk control measures.
If users can see where systemic issues live, they can make the necessary adjustments to mitigate the chance of occurrence and return. Having the tools will dramatically reduce risk in the long run in all areas. With proper risk management, users can identify trends in risk and take the initiative to put an end to future “surprises” and inopportune events.
Creating an Internal Risk Management Process with a Risk Matrix
The Risk Matrix is a simple-to-read method of quantifying risk levels. The Risk Matrix categorizes data and places it in respective chart levels. It shows whether an event is minor, negligible, marginal, critical, or catastrophic.
From there, it determines if the threat is frequent, probable, occasional, remote, or improbable. Companies are able to then determine and answer which categories the event will strike on a scale of one to five. Since there are many methods to understand risk, the Risk Matrix is unique because it helps determine the likelihood and criticality of the occurrence source.
Prioritizing Actions with Risk Assessments
Effective prioritization is key to getting things done, especially in terms of safety and quality. Risk can be an especially useful metric to determine and prioritize actions. A Risk Matrix uses methods to get the most out of processes. It determines the potential impacts of an event on the organization with quantitative risk tools in numerical form. This provides a measurable quality of what is acceptable, undesirable, or unacceptable. High-risk items can also be handled before those not as concerning in the long run. With the ability to filter corrective actions by risk, prioritizing the workload with safety measures is ideal.
Risk Matrices also allow for verification. By recalculating the risk after its corrective action process, users can see if the actions taken were effective in reducing or eliminating the risk.
The Risk Matrix Alone Is No Longer Enough
In order to achieve an ALAP rating and stay in compliance, companies must have visibility into compliance risks. Seeing where they reside and having a leg up on them is all well and good, but it is also important to have a method for gap analysis.
This can be done by:
- Compiling all legislative and regulatory requirements that apply to the company in one place
- Linking requirements to existing controls
- Identifying which requirements have no controls, or where controls are not sufficient to prevent noncompliance (gaps)
- Calculating the risk associated with each compliance gap to determine which needs to be addressed first
Build Risk Templates: Creating and building templates to configure risk parameters allows users to incorporate risk tools into any process within the system, for example, creating risk-based decision tree questions.
Report on Risks: Leveraging the risk templates to understand and build a history of risk events allows users to generate reports on various forms throughout the entire business and stay connected. This creates a macro-level view across all processes.
Tack Actions on Risks: From risk forms, users can automatically and consistently launch predefined corrective action measures, action items, or sub-activities. Each record will inherit the risk information and link to the original assessment record.
Design controls with risk analysis help throughout each stage of production to keep all products within their respective limits of ISO 14971:2012.
Planning QMS with Risk in Mind
Incorporating “risk-based thinking” into processes requires an understanding of materials, components, interactions, individual supplier performance, and corrective action tools. Risk Management and Risk Assessment are designed as means to measure and make decisions affecting compliance, and ensure the product continues to meet its intended purpose.
Measuring risks and taking actions enables a built-in history of risk and allows organizations to know where their risks are at a high level, where they can then determine how to meet their standards, and keep them within acceptable limits.
The entire risk process should be documented, controlled, and built with work instructions and roles. When it is standardized—especially with newly introduced elements—activities can be conducted that will better meet standards. Because “acceptable risk” is not a blanket term, it is important to identify each and every hazard associated with both a specific device and company as a whole. This entails good practices and technologically advanced solutions like the Risk Matrix, Risk control methods, and gap analysis. These risk practices should be applied to all products as well as mature, legacy products on an established schedule, ensuring that new risk knowledge is applied as part of a continuous improvement process.
Emily Ysaguirre is a writer for VERSE Solutions, a cloud-based compliance management software solution that helps automate the processes surrounding quality, compliance, and environmental health and safety. Learn more about VERSE by visiting www.versesolutions.com or blog.versesolutions.com