How to improve current risk management processes, ensure companies retain corrective expectations for the use of RMF, and create a robust process that links PMS data to product risk assessments.

IMAGE COURTESY OF MD+DI

Risk management is defined as the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk, according to Kimberly Trautman, managing director at Trautman International Services, in her session at the current Boston MEDevice conference.

For medical device manufacturers, risk management failures can result in FDA or other regulatory agency ire, including warning letters and device recalls. In her session, Incorporating PMS Risk Assessment into an Integrated Quality and Regulatory System for Medical Products, she highlighted how to incorporate improvements to current risk management processes, the importance of ensuring companies retain corrective expectations for the use of risk management files (RMF), and creating a robust process that links post-market surveillance (PMS) data to product risk assessments.

So where should companies consider risk?

According to Trautman, risk should be considered throughout the total product life cycle — during design, manufacturing, and post-market use. As part of the design and development change control process, risk management is comprised of how change like those to existing designs or processes can affect risk, field performance, and design input as well as how input on supplier management processes effects the rest of the connected risk assessment.

Many risk management assessments are required to be conducted by companies, including specific ISO standards, like ISO 13485, section 7.1; ISO 14971, section 4.1; and ISO 13485.

However, according to Trautman, some companies continue to do the bare minimum required, despite an increase in FDA warning letters and notified body nonconformances connected to deficiencies in product development and design.

In what she calls the risk management stages of development, these companies are considered stage one, conducting a separate analysis after the design and development process to be included in regulatory submission with limited further use. This analysis is usually prepared and owned by a specialized team.

Stage two companies integrate risk management into the development process, with outputs used to support a few other QMS processes. Additionally, with this stage, a broader team is involved in developing and using the data.

Stage three companies, which Trautman recommended as the best stage to incorporate, is considered a fully integrated process that melds into the QMS. Its outputs then guide decisions across the QMS system where all relevant teams provide info to, and make use of, risk information.

What to do with all the data

A complete risk management file contains records and other documents created during risk management activities for a medical device throughout its life cycle — from initial conception to final decommissioning and disposal. The file should include a risk management plan, risk assessments, risk management reports, and production and post-production records.

“It is not necessary that the risk management file physically contains all the required records and related documents,” Trautman wrote in the session slides. “The records and related documents can be part of files required by other systems such as the manufacturer’s quality management system.”

Post-production surveillance

While risk assessment should begin during the design and development process, it should also be maintained throughout the life of the device, including post-production. The continual integration of post-production information into the risk assessment ensures the effective and ongoing management of risk.

Manufacturers are required to implement and maintain a PMS system to routinely monitor the clinical performance and safety of a device as part of its QMS.

The data gathered by the PMS, she said, should be used to: