In our final Q&A series on remediation, Mark Leimbeck, program manager, solutions at UL, LLC, talks about the role of controls, business risks, process maturity and post-production monitoring in the process.
MedTech Intelligence: What are some of the risk priorities that must be tied into the remediation process?
A fundamental question to ask is whether risk controls or mitigations are truly risk based. It’s important to make sure that employees understand the relationship of the given control to the basic safety or essential performance of the device. Some elements of the device might be there primarily for marketing purposes (i.e., bells and whistles) versus elements that are critical to the clinical function of the device. Those aspects or features of a device that are there only for convenience or appearance need not have the same level of control as an aspect or feature that, should it not perform as intended, result in patient harm. This again relates back to the concept of essential performance. We must understand what aspects or features are needed to ensure effectiveness of the device and patient safety, and then implement (risk) controls to ensure that those specific performance aspects or features are preserved in all conditions of use and foreseeable misuse.
Did you miss Part II? Remediation: Considerations During the ProcessA caution on business risks
Risk is a term that has recently become widespread in the standards community, and certainly, there are many types of risk. However, the different risks being considered and addressed by various stakeholders can create regulatory problems if it is not carefully managed and applied. Specifically, a number of manufacturers have not only ISO 13485 registration, but have also received certification to ISO 9001. Explicitly stated in ISO 9001 is that an organization:
“…shall determine… issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) …
NOTE…Understanding the external context can be facilitated by considering issues arising from … competitive, market, … and economic environments …”
That is a perfectly reasonable requirement, but it creates a conflict with the regulatory requirements of the European Union. The EU regulations place a strong emphasis on ensuring that financial concerns do not enter into the equation when making risk judgments. Therefore if you’re dual certified to ISO 9001 and ISO 13485, it’s critically important that you understand what is stated in your documentation, and whether there is a clear line of delineation between financial risk and safety risk.
Within the system, related to maturity of an organization, do people actually connect the dots? When thinking about your current design outputs, how do they relate to your design inputs? Is there a one-to-one? And, are those design inputs traceable to user needs—the basic safety and essential performance—because that’s the key. In addition, ensure you have full traceability and show the linkage. That’s a clear risk priority.
The other thing that most organizations could probably do a better job of is post-production monitoring. I expect an increasing emphasis on this in the future – after all, there’s a reason the Unique Device Identifier (UDI) is being implemented. So the question I would be asking is, “How robust is my process?” Post-production monitoring is not just a job, and it’s not just looking at customer complaints. A person can be directly and severely harmed by a device. Post-production monitoring is a key element and needs to have a strong emphasis. As one of my friends at the FDA likes to quip:
“How can you have Risk Management without post-production monitoring?”
Indeed. The last time I checked, management without a feedback loop is not management. I expect that the next round of revision for ISO 14971 would be well served by including more guidance in the area of post-production monitoring.