No medical device is without risk. And, in the manufacture of medical devices, risk management cannot be taken seriously enough. Failures can have far reaching impacts on the health and safety of consumers, as well as posing an existential threat to the companies producing them.
You don’t have to search far to find examples of medical device companies hit with Class I FDA recalls or voluntary recalls. In 2019, Medtronic was forced to issue a recall of more than 1,000 of its MiniMed insulin pumps due to a cybersecurity risk in which hackers could gain control of the pump’s remote control. The insulin pumps are used by people with diabetes to self-administer life-saving insulin. According to FDA, it was found that unauthorized people could access and instruct the pump to either over-deliver insulin, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar, diabetic ketoacidosis, and even death. And, in April 2021, Cordis recalled its Precise PRO Rx US Carotid System, a device used to treat patients with narrowed carotid arteries. The recall was prompted by a risk of separation in the delivery system, which could cause a stroke. There have been seven complaints about this issue, including five reported injuries. No deaths have been reported.
These examples illustrate why FDA and the International Standards Organization (ISO) exist—to provide a watchful eye over manufacturers and assist them in identifying and mitigating risks. Specifically in the case of medical devices, ISO 14971 is the international gold standard for risk management. It provides a framework designed to assist manufacturers in identifying the potential hazards associated with individual medical devices, to estimate and evaluate the associated risks, and to control these risks.
The ISO standard covers the risks of injury related to the health of patients, the operator, and other persons, as well as potential damage to property, equipment, and the environment. The standard is reviewed and periodically updated to align with changes in medical device regulations around the world.
ISO 14971 specifies the procedures for review and monitoring during design, manufacturing, and post production. And, thankfully, risk management does not end when the product ships. Compliance with ISO 14971 also requires that companies manage risk throughout the entire lifespan of the product.
Risk Assessment and Management Standards
To ensure compliance with ISO 14971, companies must demonstrate that they have an effective risk management strategy in place. This encompasses the identification, assessment, and control of processes to prevent failures. They also must be able to perform risk analysis, or assessment, to identify potential problems that may be encountered in connection with using a medical device.
Risk assessment is something that is not new to ISO 14971 but has developed over time, beginning with the European standard EN 1441 on risk analysis, released in 1994. The developers of the international standard realized that there was more to the story than simply risk analysis and immediately embarked on the development of a standard to manage the entire risk process, which became ISO 14971, Application of Risk Management to Medical Devices, first released in 2000. That standard defined what continues to be the management of the entire lifecycle of risk management for medical devices.
While ISO specifies the terminology, principles, and processes for risk management of medical devices and provides a specific framework, manufacturers can do much more to ensure they are mitigating risk by building a culture of quality. This entails making quality management an enterprise-wide initiative, one that sits at the center of all design, production, and supply-chain decisions.
Taking a Proactive Quality Management Approach to Risk Management
As the pace of innovation in medical devices continues to accelerate, and the need to get new devices to market intensifies, it becomes even more important to prioritize quality. A compliance audit tells a manufacturer whether a product is compliant with current FDA and ISO regulations, but it offers no insight into how that company can improve its processes, anticipate and mitigate supply chain disruptions, optimize storage and distribution, and navigate the intricacies of compliance. That’s where proactive quality management strategies come into play.
Taking proactive measures to mitigate risk by instituting quality initiatives can have far-reaching effects—from more-efficient resource allocation to decreased probability of a recall.
Consider the following key steps to take a quality management approach to risk:
- Identify quality champions. These are the people within your organization, such as the Quality Assurance (QA) lead, who can set quality goals, evangelize the importance of quality initiatives enterprise-wide, and educate teams on the true value of quality as well as the cost of poor quality. While quality champions can develop the strategic quality management plan, support should come from the C-suite to ensure the plan becomes a part of the culture.
- Establish automated processes. Quality management systems (QMS) can help you identify problem areas, develop corrective action plans, automate core processes, better manage document control, and smooth the audit process. Unlike manual processes, automated systems reduce human error and enable greater efficiency.
- Take a proactive approach. An effective quality management plan doesn’t just provide a strategy to fix quality issues, it also thwarts them before they can occur. Leveraging advanced predictive analytics, companies can leverage historical data to gain insights into what could occur in the future.
- Work toward continuous improvement. While it’s crucial to establish clearly defined processes, it’s equally important to use quality management data to promote flexibility and drive critical changes in your manufacturing processes to ensure optimal health, safety, and business outcomes.
In a highly regulated, increasingly global industry, where patient lives and company reputations are on the line, risk management needs to move beyond a compliance check-off item and viewed within the broader context of quality management to keep consumer safety the top priority.