The 2015 MD&M West conference featured a roundtable of risk management experts on the challenges manufacturers face in implementing the ISO 14971 standard on the application of risk management to medical devices. The experts presented a series of practical case studies, providing attendees with solutions for overcoming the obstacles associated with complying with this standard. Roundtable participants included David Vogel, founder and president, of Intertech Engineering Associates; Orlando Guillory, director of quality engineering at Edwards Lifesciences; Walt Murray, director of quality and compliance services at Mastercontrol; and Seyed Khorashahi, director, software engineering at Covidien.
In the following Q&A, Murray offers his thoughts on how to master ISO 14971.
MDDI: How do you propose establishing and maintaining a more robust risk management program?
Murray: As a product risk model, ISO 14971 is a standard that was firmly embedded into the medical device quality management system standard. To make this standard more robust means to incorporate the components of this risk standard into the ISO 9001 quality management system. This year marks a unique milestone in quality management because ISO 9001, the final updated version of which is expected in the fourth quarter of 2015, has basically abolished all of the static components of the system and adopted a risk-based approach for all system elements. This approach diverges from the way the system was developed and used in the past.
As a risk management approach, the ISO 14971 risk management system requires that there be a top-down orientation to acceptability, assessment, analysis, and reporting. If the elements in the risk management standard were included in the ISO 9001 quality management standard, day-to-day operations would become much more effective, especially from a strategic planning perspective.
Murray will be speaking during two sessions at the MD&M East Conference, June 14-16, in New York City. Register now to hear him discuss design control risks and a risk assessment plan for mobile health.
MDDI: Beyond failure mode and effects analysis (FMEA), what are the most effective risk assessment methods?
Murray: There are many different risk assessment methods out there. Over and above the FMEA approach, one of the methods that I find to be most effective is Hazard Analysis and Critical Control Points (HACCP) planning. I add the word 'planning' because when you're looking at critical control points in an operation, the idea is to perform a formal assessment of the most critical components of a process related to producing a product and then determine how that process presents risks. A method for determining these risks is what I call the 6-M orientation of risk analysis, one of whose tools is FMEA.
You can marry HACCP and FMEA because the HACCP component for creating a critical control point is typically a risk control orientation. Thus, control measures would be the output of HACCP relative to the input of failures modes associated with these critical control points. As such, HAACP and FMEA would marry very well because the former is a formal method for exposing and analyzing failure modes while the latter analyzes, considers, and implements control measures as control points within the process as a cause-and-effect relationship.
MDDI: Please go into the change to amendment 2 in ISO 14971. How does this change affect the use of risk control?
Murray: Amendment 2 is designed to make the system more effective by increasingly evaluating the use of the risk assessment matrix at a higher level of opportunity within top management. The amendment offers a quantitative orientation for looking at relative risks relating to hazards and then having management do a more formal assessment of how these hazards are prioritized. In the past, this approach was not formally practiced. From a risk management planning standpoint, medical device manufacturers always looked at the total benefits associated with the intended use of a product, upsized and downsized in relation to the hazards. Now, management must seek to understand and prioritize risks based on a more formal analysis of their impact, severity, and probability in relation to one another.
Bob Michaels is senior technical editor at UBM Canon
[Editor's note: This piece was updated and repromoted in April 2016]