That’s fake news. Real news COSTS. Please turn off your ad blocker for our web site.
Our PROMISE: Our ads will never cover up content.
Jon Speer
Published: Monday, February 13, 2017 - 12:01 If you’re in the business of developing medical devices, then risk and risk management become terms synonymous with your daily operations. Your overall task is to bring a device to market that not only provides a needed function to a patient, but is also proven to be safe to use—maybe even used by someone who is near and dear to you. Risk management can be a daunting and often confusing subject. Even the most experienced businesses trip over it from time to time, so it always pays to keep your knowledge up to date. We looked into some key challenges that have been common in risk management lately, because it’s always good to know where the challenges lay, and what to do about it. Here is what we’ve found: If one thing is certain in the world of medical device development, it’s that change is our constant companion. ISO 13485:2016—“Medical devices—Quality management systems—Requirements for regulatory purposes” was published in the first quarter of 2016 and contains amendments for how companies are to ensure that their quality management systems (QMS) incorporate a risk-based approach. The challenge here is that almost every company that is operating with an ISO 13485 QMS in place will have to take action to update procedures and processes to account for risk-based approaches. For some companies, this could involve major changes within their operations. While the adoption period for 2016 is technically three years from its publication (or 2019), registrars are already working with companies to transition to the new version. The bottom line? Knowing what is changing and making plans to comply early will save your company hassle down the line and possible issues with noncompliance. Medical device manufacturers: Get conversant with ISO 13845:2016 now. Tips for ISO 13485:2016 Here are a few tips for ensuring you’re equipped with the right information: First of all, ISO 14971—“Medical devices—Application of risk management to medical devices” is a standard for applying risk management to medical devices. Although this standard has been established for many years, many companies seem to struggle with consistent application and get flagged for compliance issues. All product-related risk management procedures and practices must be in alignment with ISO 14971, so it’s worth knowing about specific areas that continue to be an issue. This is the standard across the board, no matter which country you’re developing in. Common challenges Regulatory agencies (such as the FDA) as well as registrars and notified bodies are becoming more sophisticated with their knowledge, understanding, and expectations regarding the application of ISO 14971, regardless of the version in use. We go over the “plain English” of it here, and include a handy infographic. You can also find webinars and risk management guides in our resources. In our experience, many companies are neglecting to capture risks associated with manufacturing processes. ISO 14971 does specify that the risks associated with manufacturing processes are to be included as part of a product’s risk management file. The actual practice of doing so is very inconsistent within the industry. It’s important to remember that risk management is a full lifecycle activity for medical device development. Risk documents need to be transferred between each stage (such as from product development to production), and a management plan needs to be in place for the manufacturing process. You can check out our guide to ISO 14971 compliance here. Do you sell medical devices into the European Union market? If so, this is for you in particular. There has been some confusion about ISO 14971:2007 vs. EN ISO 14971:2012, and which is applicable to whom. If you sell into the EU, then the EN version is for you. The normative requirements of these two standards are the same. The EN version introduced a few new “Z” annexes. The Z annexes specify the need to document risk/benefit analysis for every single risk item, regardless of how significant. The Z annexes also require risk controls be identified for every single risk item, regardless of how significant. The 2007 version specifies risk/benefit analysis and risk controls for higher-risk items. Many companies are still not clear if and/or when EN ISO 14971:2012 applies to them. Additionally, many companies do not consistently align with the Z annexes. Tips for understanding the ISO 14971 version of compliance We’re seeing some key challenges appear for risk management in medical device manufacturing, but with a bit of planning, these can be overcome. Be aware of the changes being implemented with ISO 13485:2016 and plan to be on top of them early. Know the common challenges with ISO 14971 compliance, and be prepared to mitigate those in your own processes. Risk management is a full lifecycle activity for medical device development; be systematic and review often. It is also helpful for device makers to use a QMS and risk management software to simplify their compliance to both the updated ISO 13485:2016 and ISO 14971. Quality Digest does not charge readers for its content. We believe that industry news is important for you to do your job, and Quality Digest supports businesses of all types. However, someone has to pay for this content. And that’s where advertising comes in. Most people consider ads a nuisance, but they do serve a useful function besides allowing media companies to stay afloat. They keep you aware of new products and services relevant to your industry. All ads in Quality Digest apply directly to products and services that most of our readers need. You won’t see automobile or health supplement ads. So please consider turning off your ad blocker for our site. Thanks, Jon Speer is the founder and vice president of quality assurance and regulatory affairs at Greenlight Guru, a software company that produces the only medical device quality management software solution. Device makers in more than 50 countries use Greenlight Guru to get safer products to market faster. Speer has served more than 20 years in the medical device industry and helped dozens of devices get to market. As a thought leader and speaker, he regularly contributes to numerous industry publications. He is also the host of Global Medical Device Podcast. Key Challenges for Risk Management in Medical Device Development
A proactive approach in a high-risk sector
1. Keeping up with changes to ISO 13485
Assuming your company is one that would like to be ahead of the game, now is the time to be conducting a gap analysis to determine the impact of the changes in ISO 13485:2016 and establish quality plans to implement any updates as soon as possible.
• The full text of ISO 13485:2016 is available now for purchase. You will find appendices to compare changes vs. the 2003 version of the standard.
• Our website greenlight.guru has put together some webinars to help inform you about specific changes in ISO 13485:2016. You can find them here.
• Changes are wide-ranging but focus mainly on risk management. For example, there is now a specific requirement for documenting the maintenance of equipment that is used in production, as well as controlling the work environment, and monitoring and measurement. See a Slideshare presentation we put together for more information.
• Seek assistance from an accredited registrar to help with your transition.2. Consistent application of ISO 14971
Here are some of the common challenges we’re seeing:
• Overuse or over-reliance on FMEA (failure mode and effects analysis) as a tool. While FMEA is a very good tool for assessing single-fault failure modes and reliability, using only FMEA as a means to identify, assess, and evaluate risks has shortcomings.
• Specifically, FMEA only assesses failure modes, and single-fault failures at that. ISO 14971 is very clear that a company needs to evaluate hazardous situations. This means considering foreseeable sequence of events. This also means considering non-failure mode situations. We wrote a detailed post on why FMEA is not ISO 14971 for risk management here.
• Risk management is often not continued throughout the entire product lifecycle. Companies do a decent job of risk management during the product development process (aside from the above noted overuse of FMEA). However, once a device is transferred from development into production, risk management documentation is often neglected and not kept up to date. ISO 14971 is clear that risk management is a total product lifecycle process, including production and post-production.3. Risks associated with manufacturing processes
4. Confusion over applicable ISO 14971 version
• If you’re manufacturing devices for the EU market, then EN ISO 14971:2012 is for you.
• Pay attention to the “Z” annexes in particular; these are where the EN ISO 14971 standard does and does not meet the requirements of the European Directives.
• The Annex Zs describe these differences as “content deviations” for each directive. You must assess and take care of the gaps between the standard and the directives.Final thoughts
Our PROMISE: Quality Digest only displays static ads that never overlay or cover up content. They never get in your way. They are there for you to read, or not.
Quality Digest Discuss
About The Author
Jon Speer
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.