Marc Miller11.17.08
Outrage...Over Risk Acceptance Criteria?
Marc Miller
This year’s annual conference of the Regulatory Affairs Professionals Society (RAPS) featured a standing-room-only presentation on the application of ISO 14971:2007 (risk management), led by Dr. Jeff Schakenraad of KEMA, a global Notified Body headquartered in the Netherlands. If packed attendance is any indication, this is a topic of intense interest on the part of the device industry’s regulatory profession. Material in the formal presentations, as well as answers to post-presentation questions from the audience, made one point crystal clear: Under the new revision of ISO 14971, manufacturers are responsible for setting risk acceptance criteria when assessing the risk/benefit relationship for their specific devices. Not only that, they also are responsible for setting appropriate risk acceptance criteria for the components, processes and services that go into their devices. This is especially true in the case of outsourced suppliers whose products or services may affect the ability of the device to conform to essential requirements.
On the surface, risk acceptance does not seem to be a subject to stir great passions. However, we need look no further than recent headlines to know that risk acceptance lies at the heart of issues such as melamine-tainted infant milk and the financial industry’s self-inflicted turmoil. The mortgage industry’s acceptance of risk in the form of low-doc, no-doc and subprime housing loans, the securities industry’s acceptance of the risk represented by the bundling of these loans into vast mortgage-backed debt obligations, along with their further acceptance of the risk represented by exotic, leveraged derivatives based on these same securities, has led to a meltdown of historic proportions.
Learning From Current Events
Speaking to National Public Radio, Sen. Christopher Dodd (D-CT), chairman of the Banking, Housing and Urban Affairs Committee, pointed to the US mortgage market as the ultimate source of the crisis that has claimed the independent existence of industry stalwarts such as Merrill Lynch, Lehman Brothers and AIG. He also pointed to a lack of sufficient oversight, prompted by the current administration’s disdain for regulation, as a primary contributor to an environment where lax business practices could flourish. Jamie Dimon, CEO of JP Morgan Chase, voiced a similar opinion in a recent private dinner with industry executives in New York.
Regardless of your particular political affiliation, we can all agree that effective regulation and regulatory input is necessary to ensure appropriate risk management. In the immediate aftermath of regulators’ massive market interventions—the purchase of AIG and a 1980s savings-and-loan-style bailout plan—the stock market surged more than 700 points. In the following days, the only pauses to the market’s steady decline have been preceded by regulatory intervention. This is proof positive that regulation is essential to risk management and the orderly function of commerce.
In the medical device industry, effective regulation is essential to protect patient safety. Again, at this year’s RAPS annual conference, Dr. Jos Kraus of the Dutch Healthcare Inspectorate summed up the regulator’s perspective: “Unfortunately, people don’t do what you expect, but only do what you inspect.” This in response to a question about a 2007 study that demonstrated a 50% failure rate in the risk management function of Class III labeling—and a 2008 follow-up that showed little improvement. Based on the disappointing results, Dr. Kraus indicated that appropriate action from the Dutch Competent Authority soon would be forthcoming.
Increased scrutiny by external regulators—especially in the area of risk management—is one point of commonality between devices and financial services. This is due to a common cause: occasional permissiveness in the effective application of risk management by internal regulatory professionals. For instance, outsourcing in the medtech industry enjoys a 15% compound annual growth rate.
Looked at another way, the US market for outsourcing is projected to double from 20% of medical equipment production (2005) to 40% (2010). A rapid increase in demand often leads (at least temporarily) to a reduction in quality—particularly if supply is lightly controlled. This is the effect that we noted in July’s column, “Beware Foreign Entanglements,” which has provided us with public health scares such as adulterated heparin. It prompted Harvey Rudolph, co-author of ISO 14971 and 25-year FDA veteran, to note:
Until recently, outsourcing has often been pursued by companies in a less-than-thought-through manner. Now, supplier control issues are getting special attention in ISO 13485 registration audits, and all regulators are expressing newfound concerns about supplier risk management—not just FDA.
Now, like the financial services markets, additional regulation is coming to medical devices. The FDA Globalization Act of 2008 proposes a “corps of inspectors dedicated to inspections of foreign food, drug, device and cosmetics facilities and establishments.” Proposed penalties include “…$100,000 per violation. Each day during which a violation continues shall be considered a separate violation.”
Establishing Risk Acceptance Criteria
At the heart of the nation’s financial fiasco and resulting regulation—just as with inspection of overseas medical device suppliers—is the issue of risk acceptance criteria. What is an acceptable level of risk associated with a mortgage repayment? Can this risk be mitigated in the absence of basic due diligence (eg, no-doc, low-doc loans) and under the pressure of predatory lending practices? What is an acceptable level of risk associated with medical device suppliers who provide a critical component or service? Can this risk be mitigated in the absence of effective audits or by making “lowest bid” the sole criteria for supplier selection?
Questions such as these are why issues of risk acceptance criteria often take on an ethical tenor. Especially in the medical device industry, acceptance criteria are what drive decisions with direct consequences for patients. Sometimes, the ethical nature of these choices is obscured by misguided business practices or poor decision-making by unqualified resources. A recent email from the manufacturer of a Class III woman’s health device to the supplier of a critical service reads:
After reviewing the three quotes I obtained, I've chosen to move forward with a company whose pricing came in the lowest...
Follow-up conversations revealed no risk acceptance criteria in place, neither was regulatory input sought or required for the supplier selection. In fact, the manufacturer had designated an unqualified resource for a decision with real risk management implications for patient safety and business operations.This is the way risk creeps into systems and organizations—small failures of regulatory oversight and lapses in rigor that create a growing exposure to hazard, which, in turn, produce risk. When the inevitable harm emerges, it is met with outrage: How could the manufacturer sacrifice patient safety in the interest of cost savings? But, generally speaking (with a few notable exceptions), manufacturers do not actively decide to endanger patients. Rather, patient harm comes about through a lack of conscious decision-making about risk acceptance criteria. In the absence of clear-cut criteria, individuals make decisions based on other values: cost, turnaround and personal relationships.
The keynote speaker for the 2008 RAPS annual conference was Dr. Atul Gawande, author of the book Better: A Surgeon’s Notes on Performance and a leader in the development of the World Health Organization’s just-published surgical checklist. Dr. Gawande is a strong proponent for simple, effective solutions to complex problems. His checklist approach to surgical safety is credited with reducing the risk of catheter-induced bloodstream infection by 67%, which roughly translates to 1,800 lives and $200 million dollars saved every year.
Manufacturers can take a similar approach to managing their supplier risk. A simple checklist can help determine a supplier’s importance and ensure that supplier decisions with risk-management impact receive the appropriate regulatory consideration. Most importantly, regulatory affairs professionals must take an active role in establishing and enforcing supplier risk acceptance criteria. Failure to establish appropriate risk acceptance criteria for critical inputs is definitely a failure of both regulatory oversight and senior management—and it is one that places both patient and manufacturer in jeopardy.