In all the years that I have worked in the medical device and pharmaceutical industries, I have noticed first hand that risk management is a close second to design controls when it comes to upsetting the cultural pattern of a successful medical device company. Risk management may be based upon “good science and engineering” principles but, when facilitated properly, risk management will question and impose upon those very core competencies and standards that made your company what it is. The most varied imposition to the cultural threads of any company (large or small) is the fact that decision-making is no longer qualitatively-based but, in fact, based upon quantitative conclusions and decision-making that is dependent upon measurement rather than varying degrees of savvy. It not only sends a shock wave to the reactive, fire-fighting cultures, but also to companies that depend upon large groups of human beings to “make it happen” rather than depending upon process controls. You may have heard that “people (and companies) that don’t like change…don’t like to change.” Installing risk management into your company will force the “change” issue to the brink and sometimes beyond what your present Quality Management System (QMS) can endure to still be successful.
Risks are Part of our Everyday Living
Generally speaking, we live with risk taking and risk aversion every day. Making correct decisions can be a risky business, and the goal is to enable these decisions toward a successful outcome by minimizing the uncertainties that are naturally presented to all of us. Operating an automobile presents risks whether we travel every day or just use the car to go to the grocery store now and then. We minimize the risks associated with driving our cars by making sure we are well trained to err on the side of caution, by making sure our tires have the correct air pressure, the brakes have enough pad, the headlights work and so on. When you think about it, we prepare ourselves for risk by doing all of the things we are supposed to do to minimize the uncertainties associated with failure without compromising safety and effectiveness.
The same types of uncertainties associated with automobiles can be correlated to the development and intended uses of medical devices. The concepts of risk management are particularly important in relation to medical devices because of the variety of stakeholders, including medical practitioners, the organizations providing healthcare, governments, industry, patients and members of the public. All stakeholders need to understand that the use of a medical device entails some degree of risk. The acceptability of a risk to a stakeholder is influenced by the components listed above and by the stakeholder’s perception of the risk.
Each stakeholder’s perception of the risk can vary greatly depending upon their cultural background, the socio-economic and educational background of the society concerned, the actual and perceived state of health of the patient and many other factors. The way a risk is perceived also takes into account, for example, whether exposure to the hazard seems to be involuntary, avoidable, from a man-made source, due to negligence, arising from a poorly understood cause or directed at a vulnerable group within society.
ISO 14971 specifies a process through which the manufacturer of a medical device can identify hazards associated with a medical device, estimate and evaluate the risks associated with these hazards, control these risks and monitor the effectiveness of that control.
The fundamental requirement for enabling a risk management process at a medical device manufacturer is to essentially establish, document and maintain procedures to minimize uncertainties throughout the life of the medical device and the processes that support that “womb-to-tomb” cycle of activity. Risk management is not just associated with the medical device itself but, in fact, affects key processes, such as purchasing controls, corrective and preventive action, manufacturing, complaint handling, non-conforming products, servicing, post-market quality data, etc. The basic foundation of risk management is built upon identifying hazards associated with a medical device and the processes that support this device, estimating and evaluating the associated risks, controlling these risks, and then monitoring the effectiveness of the controls. This process should include the following elements:
- risk analysis
- risk evaluation
- risk control
- production and post-production information