Staff competence and involvement
Many employees are not fully versed and competent on risk management. I use the word “competent” because it’s one of the expectations of the new ISO 13485 (published earlier in 2016)—it’s now a requirement not just for training but also for competence. It has been our experience that staff has had little or no formal training in risk management, and now the expectation is even higher. The question then becomes, how does one validate that staff members are in fact competent to perform the risk management activities that they are responsible for?
Related to the competence question, if you’re retrospectively looking at your devices and what information can be compiled to generate a risk management file, the first problem you’re likely to encounter is the fact that the original team that generated the information is no longer at the company. In most of the remediation cases I’ve seen for legacy devices, a company has purchased another company, and the people who originally generated the information are long gone. You’re looking for a needle in a haystack of documentation. There’s no one around to even ask who might have been involved. Further, it is virtually impossible that the processes the original team followed and the training they received was compliant with the new requirements, simply because the requirements didn’t exist at the time.
On the point of staff involvement during risk management and risk assessment, it’s important to identify the applicable disciplines that should be involved to get a true picture of the risks that may be involved. Best-in-class companies have true subject matter experts who can readily identify the risks related to their area of subject matter expertise. One example is clinical input: frequently I see files where a clinician and/or actual user was not engaged in identifying or reviewing the risks that may be associated with a device – that information is simply missing, resulting in a “blind spot” in the risk assessment.
In situations where regulatory mandates having a broad, sweeping scope are introduced, such as the new IVD regulation, project management and planning are critical to overcome the triple constraint of cost, time and resources. A great deal of work must be accomplished to generate the necessary information, and many normally separate functions must be brought together to achieve the goals. Who has the resources and what’s in it for them? It is no surprise that the politics and agendas of those involved must be considered and balanced to result in the best possible outcome.
It’s critical to understand if all stakeholders are on the same page. One common thing I see when I start working with clients to remediate their files is that everyone has their own perception based on what they’ve done before. Establishing expectations, defining a clear project plan and getting agreement from people is critical. Once this is established, communicate, communicate, communicate, until the project is complete. Also, it’s not a bad idea to debrief at the end for lessons learned.