During our last discussion on remediation, Mark Leimbeck, program manager, solutions at UL, LLC, reviewed the documentation challenges that device companies encounter. Part two of this series details some of the fundamental considerations during remediation.
MedTech Intelligence: What key points should device companies consider during remediation?
If your company needs to generate information for legacy devices, you need to understand if your risk management process is fully operational today, and answer (and resolve) some tough questions. Most organizations typically have compliance, but is that enough? Is there some development needed on the basic process itself? For example, do you have an organization that functions in siloes? Are all parties that influence the safety and effectiveness of devices brought to market actually talking to each other, or do they work within their own area? They might satisfy “check the box” requirements, but are they really supporting the cross-functional activities needed in a mature risk management process? Does everyone actually share information and does it flow throughout the organization? Are we mature enough to be proactive organizationally?
As you start to look at your risk management and quality management system processes, how well integrated are they, and how well does the information flow from one to the other? When you’re considering remediation, this is a good time to up the ante and ensure you’re prepared for now and the future.
This is one of the new requirements in ISO 13485:2016. For some organizations, full traceability from user needs to design input requirements to design output requirements has yet to be fully established. The concept of essential performance, introduced in the 3rd Edition of IEC 60601-1, is not well understood. Yet this is a foundational element of the risk management process, linking risks directly to the (effective performance of) clinical functions of a device. It’s critical to ensure controls are effective and can be traced from the initial element of essential performance for the device, to design input requirements, and to design output requirements, such as supplier controls (e.g., Are you auditing first-tier suppliers only? Should you think about second or third-tier suppliers? Who in the supply chain can influence the critical aspect of the part/component and how is it being controlled?). Understanding what is critical to device safety and effectiveness, and having clear line-of-sight from that critical element to the associated risks and controls is paramount in ensuring safety and effectiveness.
Both the software standard (IEC 62304) and the usability standard (IEC 62366) provide some guidance on expectations for dealing with legacy devices and remediation. More important than remediation is how your processes are established to effectively mitigate that risk. Are your processes set up and organized to analyze field data? If so, that’s going to help you understand whether you have a good handle on the information that’s necessary to preserve basic safety and essential performance.
The final article in this three-part series will discuss risk priorities that companies must tie into the remediation process.