|
1
|
- 33rd Annual Meeting - AMDM
- April 21, 2006
- Bill McLain
- Keystone Regulatory Services, LLC
|
|
2
|
- Introduction to ISO 14971:2000 and Risk Management Concepts
- Overview of ISO 14971:2000
- Integrating Risk Management and the Quality Management System
- Including ISO 14971:2000 in Your Internal Audit Process
- Upcoming Changes to ISO 14971:2000
- Some Examples of Deliverables
|
|
3
|
- Risk Analysis
- October 1997 - EN 1441 published
- October 1998 - ISO 14971-1 published
- Risk Management
- July 1996 - EN 60601-1-4 published
- October 2000 – ISO14971 published
- July 2002 - EN ISO 14971 becomes harmonized
- July 2003 – ISO 14971/A1 Annex H published
- April 2004 – EN 1441 no longer has presumption of conformity
- 2006 – ISO 14971:200X revisions
|
|
4
|
- International Acceptance
- US
- Consensus standard for use in submissions and QMS.
- Europe
- For the essential requirements of MDD, AIMD, and IVDD, the device is
presumed to conform with requirements for mitigating and reducing
risks if the RM process conforms to ISO14971:2000, a harmonized
standard.
- Other countries recognizing ISO 14971:2000
|
|
5
|
|
|
6
|
- The System
- Management Responsibilities
|
|
7
|
- RM is applicable to all stages of the life cycle of the device
- Applies a systematic approach to the process.
- Use of all medical devices entails some degree of risk.
- The process “lives”. It’s not
once and done.
|
|
8
|
- hazard – potential source of harm
- harm – physical injury or damage to the health of people, or damage to
the property or the environment.
- objective evidence – information which can be proven true, based on
facts obtained through observation, measurement, test or other means
- risk – combination of the probability of occurrence of harm and the
severity of that harm
|
|
9
|
- risk control – process through which decisions are reached and
protective measures are implemented for reducing risks to, or
maintaining risks, within specified levels
- risk evaluation – judgment, on the basis of risk analysis, of whether a
risk which is acceptable has been achieved in a given context based on
the current values of society.
- safety – freedom from unacceptable risk
- severity – measure of the possible consequences of a hazard.
|
|
10
|
- Define the policy for determining acceptable risk, taking Standards and
Regulations into account
- Ensure the provision of adequate resources
- Ensure the assignment of trained, qualified personnel (must maintain
records showing person has appropriate qualifications)
- Review results of risk management at defined intervals to ensure
suitability and effectiveness
|
|
11
|
- Scope of the plan, describing the device and life cycle phases for which
plan is applicable
- A verification plan
- Allocation of responsibilities
- Requirements for reviewing risk management activities
- Criteria for risk acceptability
|
|
12
|
|
|
13
|
- Analysis of intended use using Annex A as a basis
- Description of the device/accessory analyzed
- Identification of person who conducted the risk assessment
- Date of the analysis
|
|
14
|
- Description of the intended use AND any reasonably foreseeable misuse
- Listing of qualitative and quantitative characteristics that could
affect safety
- Excellent self-analysis questions can be found in Annex A of the
Directive
|
|
15
|
- You need to compile a list of foreseeable hazards that could lead to a
hazardous situation
- List must be maintained in risk management file
|
|
16
|
- After identifying hazard, risk in normal and fault conditions must be
estimated
- If you can’t estimate risk, possible consequences should be prepared and
include in file
- Methods of risk estimation and other techniques found in Annexes E and F
|
|
17
|
|
|
18
|
- Must evaluate every hazard and determine whether estimated risk is so
low that risk reduction is not required
- Standard does not specify acceptable risk levels
- Compare to medical devices already in use
- Risk can be accepted if benefits outweigh risks
|
|
19
|
- After evaluating hazards, you need to ask:
- Is risk so low that there is no need to consider it?
- Is the risk outweighed by the benefit?
- Is the overall balance of all risks and benefits acceptable?
|
|
20
|
|
|
21
|
- There are two types of failure:
- Random failure
- Systematic failure
- Statistical probability can often be assigned to random failures
|
|
22
|
|
|
23
|
- Need to identify risk control measures that are appropriate for reducing
risk to an acceptable level. Must be evaluated in order of priority:
- Inherent safety by design
- Protective measures in the device or manufacturing process
- Information for safety
- Must be maintained in risk management file
|
|
24
|
- Manufacturer needs to implement risk control measures
- Proof of implementation of measures and verification of effectiveness
must be kept on file
- Residual risk must be evaluated
- Gather data and conduct a risk/benefit analysis
|
|
25
|
|
|
26
|
- Results of the risk management process must be contained in risk
management report which needs to contain:
- Traceability for each hazard in the risk analysis
- The risk evaluation
- Implementation and verification of risk control measures
- Assessment that residual risk is acceptable
|
|
27
|
- Need to maintain a systematic procedure to review information in
post-production phase and evaluate:
- Previously unrecognized hazards
- Whether the estimate risk from a hazard is no longer acceptable
- If the original assessment is otherwise invalidated
|
|
28
|
- General Clauses
- Clause 1. Scope of Standard
- Clause 2. Terms and definitions
- Clause 3. General requirements
for risk management
|
|
29
|
- Requirements Clauses
- Clause 4. Risk Analysis (Steps
1, 2 and 3 of flow chart)
- Clause 5. Risk evaluation (Step
4)
- Clause 6. Risk control (Steps 5
to 10)
- Clause 7. Overall residual risk
evaluation (Step 11)
- Clause 8. Risk management report
(Step 12)
- Clause 9. Post-production
information (Step 13)
|
|
30
|
- The Annexes
- Annex A (informative) Questions that can be used to identify medical
device characteristics that could impact on safety
- Annex B (informative) Guidance on risk analysis for in vitro diagnostic
medical devices
- Annex C (informative) Guidance on risk analysis procedure for
toxicological hazards
- Annex D (informative) Examples of possible hazards and contributing
factors associated with medical devices
|
|
31
|
- The Annexes (cont’d)
- Annex E (informative) Risk concepts applied to medical devices
- Annex F (informative) Information on risk analysis techniques
- Annex G (informative) Other standards that contain information related
to the elements of risk management described in this International
Standard
- Bibliography
|
|
32
|
|
|
33
|
- Provide insights how ISO 14971 integrates with the modern QMS.
- Directly (Clause 7 in ISO 13485:2003)
- Indirectly (Remaining Clauses)
|
|
34
|
|
|
35
|
- Key Processes
- Processes vital to operation of company – Core Process.
- Processes supporting Core Process
- Processes covered by key standards.
- Vary by organization
|
|
36
|
- Key Processes
- Examples
- New Product Development
- Customer Service
- Marketing?
- Purchasing
- Inspection
- Packaging, Sterilization, Final Release
- Shipping and Installation
- Risk Management
|
|
37
|
- Requirements for Risk Management In ISO 13485 (Clause 7)
- Clause 7.1
- The organization shall establish documented requirements for risk
management throughout product realization. Records arising from risk
management shall be maintained (see 4.2.4 and Note 3).
- NOTE 3 See ISO 14971 for guidance related to risk management.
|
|
38
|
- Requirements for Risk Management In ISO 13485 (Clause 7)
- Clause 7.3.2 Design and development inputs
- Inputs relating to product requirements shall be determined and
records maintained (see 4.2.4). These inputs shall include
- e) output(s) of risk management (see 7.1).
|
|
39
|
- Management Responsibilities
- incorporate RM into organization.
- planning including risk planning.
- resources and establishing responsibilities and authorities
- review of the QMS and the RM system.
|
|
40
|
- Outsourcing
- Many items outside manufacturer’s direct control. (sterilization,
tooling, test, design, manufacturing)
- RM can be applied to outsourced operations to determine levels of
control
|
|
41
|
- Planning
- Both the QMS and the RMS span the entire lifecycle of the medical
device.
- Several opportunities to integrate RM requirements into the QMS – the
daily functioning of the business.
|
|
42
|
- Design and Development
- An area of strong ties to the RM process
|
|
43
|
- Design and Development Planning
- Risk Management planning
- Determine risk acceptability criteria by management
|
|
44
|
- Design and Development Input
- Identify hazards and harms
- Estimate risks
- Evaluate risks
- Determine requirements for risk control measures.
|
|
45
|
- Design and Development Output
- Design risk controls
- device design
- process design
|
|
46
|
- Design and Development Verification
- Determine if individual residual risk is acceptable
- Have new safety requirements been identified?
- Design and Development Validation
- Are overall residual risks acceptable?
- Have new safety requirements been identified?
|
|
47
|
- Traceability
- Risk data can be used to determine which components require
traceability
|
|
48
|
- Purchasing Controls and Acceptance Activities
- Supplier selection, evaluation and re-evaluation criteria should be
tied to risks and hazards associated with purchased products and
services.
- Acceptance criteria (and specifications) for purchased products and
services should be identified risks and risk control measures.
|
|
49
|
- Production and Process Controls
- Another area of strong ties to RM process
|
|
50
|
- Production and Process Controls
- Manufacturing processes source of identified hazards.
- equipment, processes, environment, personnel, etc.
|
|
51
|
- Production and Process Controls
- Must identify
- what can go wrong at each step of the process
- the impact of failure of the medical device
- the likelihood of the failure
- controls to detect and prevent failure or causes
- Process validation and revalidation may be tied to RM activities.
|
|
52
|
- Production and Process Controls
- Process validation and revalidation may be tied to RM activities.
|
|
53
|
- Servicing
- Repair and maintenance activities
- RM activities should provide input into preventive maintenance,
servicing, etc.
|
|
54
|
- Corrective and Preventive Action
- CA/PA is a cornerstone of the QMS.
- Repository for events and issues.
- Regular review and comparison.
|
|
55
|
- See Attachment 3 for a larger view.
|
|
56
|
|
|
57
|
- Build a case for inclusion of ISO 14971 in the internal auditing
process.
- Provide suggestions for advanced audit checklist items.
|
|
58
|
|
|
59
|
- Self Evaluation Integral in Achieving Excellence
- World-class operations actively seek out best practices.
- World-class operations aren’t afraid to “peek under the hood” and
self-analyze.
- Auditing the RM process enables this to occur.
|
|
60
|
- Auditing is an Integral Part of Continual Improvement
- “Plan / do / check / act” cycle.
- Auditing is a primary tool for checking the system.
|
|
61
|
- Build Management Awareness
- Many Sr. Managers will read audit reports – increasing awareness.
- Including comments or nonconformities on the standard (depending on
scope) will enable management to monitor the status of system and
provide inputs to management review.
|
|
62
|
- Regulator Buy-In / Expectations
- Europe
- Presumed Conformity to Essential Requirements for AIMD, MDD and IVDD.
- Many NB’s do not accept technical files for review unless ISO
14971-compliant RM Report is included.
- US
|
|
63
|
|
|
64
|
- Assumptions
- Goal is to provide suggestions which will indicate if a system is
working, broken or a figment of management’s imagination.
|
|
65
|
- The Purpose of Auditing
- Meet compliance requirements
- Independent Assessment
|
|
66
|
- Training Auditors
- Auditors need at least a basic understanding of the standard and
requirements of the standard.
- Management Review
- Risk Evaluation / Risk Reduction / Residual Risk Reduction vs. Overall
Residual Risk
|
|
67
|
- Audit Scope / Audit Report
- Ensure ISO 14971 is specifically listed in the scope of the audit, or
at least…
- Discuss with management how it will be included
- N/C’s written?
- Comments only?
|
|
68
|
- Create a Basic Checklist
- Go through standard elements and generate basic checklist…
|
|
69
|
- Advanced Checklist Items
- “Between the Lines” Items
- Interrelation of Systems
- Selected QMS elements – not all will be discussed.
|
|
70
|
- Advanced Checklist Items
- 3.2 Risk management process
- Cover entire scope of product lifecycle?
- All devices covered?
- Process sensitive to devices of different risk?
- RM an integral part of operations or “extra”?
- Does RM process tie in to QMS? – CA/PA, Design controls, Control of production and service
provision?
|
|
71
|
- Advanced Checklist Items
- 3.3 Risk management responsibilities
- Management involved at all?
General knowledge of what’s going on?
- Management review of RM session?
Included with QMS MR?
- Conflicts of Interest Avoided?
- RM Included in visible organization structure?
|
|
72
|
- Advanced Checklist Items
- 3.4 Qualification of personnel
- Auditors trained?
- Evidence of management awareness?
|
|
73
|
- Advanced Checklist Items
- 3.5 Risk management plan
- RM planning coincident with design control documentation or an
afterthought?
- RM plans vary according to device risk?
- RM plan apply to all stages of device lifecycle?
|
|
74
|
- Advanced Checklist Items
- 3.6 Risk management file
- RM documents revised as often as DHF documents or at least
coincidental with design reviews?
- “Good Documentation Practices” utilized?
- Good traceability between hazards and mitigations?
|
|
75
|
- Advanced Checklist Items
- 4.2 Intended use/intended purpose and identification of characteristics
related to the safety of the medical device.
- Agreement among submissions, labeling, DHF, DMR, RM File?
|
|
76
|
- Advanced Checklist Items
- 4.3 Identification of known of foreseeable hazards
- Process for identifying foreseeable hazards?
- Routine misuse taken into account?
- Device use with typical accessories considered?
|
|
77
|
- Advanced Checklist Items
- 4.4 Estimation of the risk(s) for each hazard
- Follow the RM plan?
- Variety of data or benchmark sources been used? Literature, expert input,
verification and validation data form DHF, production?
|
|
78
|
- Advanced Checklist Items
- 5 Risk evaluation
- According to plan?
- Are technical standards included in risk evaluation?
|
|
79
|
- Advanced Checklist Items
- 6.2 Option analysis
- Have a variety of mitigation options been utilized (i.e. not all
labeling mitigations)?
|
|
80
|
- Advanced Checklist Items
- 6.3 Implementation of risk control measure(s)
- Are ALL risk control measures verified for effectiveness?
- 6.4 Residual risk evaluation
- Have ALL risks been mitigated to acceptable levels?
|
|
81
|
- Advanced Checklist Items
- 6.5 Risk/benefit analysis
- Decisions made by market pressures?
- Legitimate sources being used for clinical rationale?
|
|
82
|
- Advanced Checklist Items
- 6.7 Completeness of risk evaluation
- Have key QMS processes been reviewed for suitability in inclusion in
RM process?
- Has the manufacturing process been thoroughly reviewed and included in
RM process?
- Does RM extend to servicing, repair and installation?
|
|
83
|
- Advanced Checklist Items
- 7 Overall risk evaluation
- Does anything go? Is there a
limit? Is this qualitative or quantitative?
- Was it planned in advance?
|
|
84
|
- Advanced Checklist Items
- 8 Risk management report
- Good organization, good traceability, good pointers to required
documents?
- Updated regularly or at least with design reviews?
- Is it defined as a quality record with appropriate record retention
requirements?
|
|
85
|
- Advanced Checklist Items
- 9 Post-production information
- Is this section of standard implemented at all?
- Is this a once and done evaluation or recurring?
- Mentioned in RM plan?
- Defined methods for data analysis?
|
|
86
|
- Firms pursuing operational excellence will include RM in the internal
auditing process.
- Successful auditors will look for more than fundamental compliance.
|
|
87
|
- Note: Not representative of a
complete RM program.
|
|
88
|
- Risk Chart with Legend
- Risk Management Summary Table
|
|
89
|
- Good communication tool.
- Will probably be part of RM plan.
- Will probably be part of RM Report – shows traceability from risk to
verification.
|
|
90
|
|
|
91
|
|
|
92
|
- Good communication tool.
- Usually directly output from an FMEA.
- Part of the RM Report
|
|
93
|
|
|
94
|
- Another RM Summary Table Example
(Additions would be required to meet RM report requirements)
|
|
95
|
|
|
96
|
|
|
97
|
|
|
98
|
- Questions or Follow-up…
- Bill McLain
- Principal Consultant
- Keystone Regulatory Services, LLC
- 717-656-9656
- bill.mclain@keystoneregulatory.com
- www.keystoneregulatory.com
|
