An example of risk analysis of class I MD

[Marco83]

Good morning,

My name is Marco, I'm not an expert in medical devices field. With the company where I work I must write a Technical dossier and a risk management following the iso 14971.
I've already read that ISO but i don't know how to set up the risk management report.
The product is already on the market as cosmetic. It has all the features to become a medical device.
I know that this product is really safe but unfortunatly the manufacturer never planned a periodic review.
I really don't know how to start with the risk analysis and management.
Does some format or MD's risk analysis example exist?

 

[Tidge]

A Risk Management Report should not be created in isolation to attempt to satisfy 14971. At the very least, the manufacturer should establish a Risk Management Plan that describes the device, the process/methodology used for risk management throughout the product's life cycle, and a statement about the current risk acceptability of the device.

If you were to generate a Risk Management Report document whose entire content could be reduced to "We know the product is really safe", this would not meet the intent of 14971. For multiple reasons, including that the manufacturer ought to have a mechanism by which customer complaints can feed into the risk profile while the device is available for use.

 

[Ronen E]

Good morning,

My name is Marco, I'm not an expert in medical devices field. With the company where I work I must write a Technical dossier and a risk management following the iso 14971.
I've already read that ISO but i don't know how to set up the risk management report.
The product is already on the market as cosmetic. It has all the features to become a medical device.
I know that this product is really safe but unfortunatly the manufacturer never planned a periodic review.
I really don't know how to start with the risk analysis and management.
Does some format or MD's risk analysis example exist?

Hi,

To me ISO 14971 is quite self-explanatory, including what a RM Report should include (the annexes are very informative and quite enlightening). BTW, an updated version (2019) is about to become available. If you feel ISO 14971 is not enough as guidance, consider also purchasing ISO 24971 - a dedicated guidance on implementing ISO 14971. The updated version is about to get published in early (January?) 2020, and I believe it's going to be useful. I wouldn't buy the 2013 version - I think it doesn't add a lot of value above and beyond ISO 14971 itself.

If you still feel that written guidance is not enough, and you (as well as anyone else in your org) lack experience in implementing ISO 14971, I strongly recommend you engage someone experienced to walk you through. Disclosure: I do this kind of work as part of my business.

Good luck!

 

[Marco83]

A Risk Management Report should not be created in isolation to attempt to satisfy 14971. At the very least, the manufacturer should establish a Risk Management Plan that describes the device, the process/methodology used for risk management throughout the product's life cycle, and a statement about the current risk acceptability of the device.

If you were to generate a Risk Management Report document whose entire content could be reduced to "We know the product is really safe", this would not meet the intent of 14971. For multiple reasons, including that the manufacturer ought to have a mechanism by which customer complaints can feed into the risk profile while the device is available for use.

Thank you for your answer.
We won't generate a Risk Management Report declaring that the product is safe. I have some problems to assign risk score. What is it based on?
About Customer complaints i was thinking to generate a SOP about the handling of complaints.

 

[Tidge]

We won't generate a Risk Management Report declaring that the product is safe. I have some problems to assign risk score. What is it based on?

Trying to avoid a specific implementation of RM, and also trying to not man-splain 14971: A 'risk score' can be based on

0) Hazards / Hazardous Situations / Use Cases
1) Harms (to Patients, Users, Environment)
2) P1 = Probability of a Hazardous Situation Occurring
3) P2 = Probability of a Hazardous Situation leading to a Harm

Once a manufacturer has established a methodology for scoring, prior to scoring individual devices the acceptability criteria for the (types of) devices should be established. These acceptability criteria (along with the troublesome 'As Low As Possible' refrain) are the metrics used to evaluate the risk profile of the device. This may seem counter-intuitive at first, but typically Class I devices have LOWER thresholds for unacceptability (HIGHER thresholds for acceptability) than Class II or class III devices.

Depending on the nature of the specific device, you may want to have an independent assessment of both the Harms (and their ratings) and the acceptability criteria for the types of products being manufactured. For many types of (especially simple) devices a thorough literature and database review may be sufficient. I'm not convinced that external auditors concern themselves too much with the actual genesis of risk acceptability ratings, as long as those ratings look familiar to them. It may be that the push to "As Low As Possible" with mandatory Risk Benefit Analysis for every line in a risk file has made the 'true origin' of the risk acceptability ratings meaningless.

About Customer complaints i was thinking to generate a SOP about the handling of complaints.

If so, the Risk Management Plan would reference the SOP, and the mechanism by which complaints can feed into corrective actions.

 

[Marco83]

Thank you very much.
I'm sorry if still I insist on the topic.
I know that an maybe auditor wants to see some tables, some calculations as R=PxG etc.
If i don't know anything about my product I cannot give a "number" assigne a "value" to calculate my risk. In my opinion (I'm not expert) it's better to establish a risk managment based on a simple HACCP (that is permitted by 14971) at least for the first year on the market as MD, than I'll have a something real and concrete to change and upgrade my risk managment.

 

[Tidge]

If you are trying to comply with 14971 you need to have a methodology described in an approved Risk Management Plan, and then you need to apply the methodology. Ideally, you have some documented assessment that the risks are acceptable prior to marketing the medical device.

Quite frankly: if this device has been on the market 'as a cosmetic' and the manufacturer can't calculate risks associated with the device's use as a medical device until after at least a year on the market, it sounds like the sort of medical device that is not acceptable for use. A quick search of the FDA warning letter database for 'adulterated' or 'misbranded' devices show plenty of examples of manufacturers who might have avoided those troubles by implementing a 14971-compliant process. I think there was at least one example in the past few years of a cosmetic contact lens manufacturer that ran afoul of FDA in part because the manufacturer was very lax in the area of risk management.

(perhaps) less inflammatory: Can anyone attest that they've been successful defending a risk management file that is based only on HACCP?

 

[Ronen E]

Quite frankly: if this device has been on the market 'as a cosmetic' and the manufacturer can't calculate risks associated with the device's use as a medical device until after at least a year on the market, it sounds like the sort of medical device that is not acceptable for use.

(My emphasis)

I respectfully disagree. ISO 14971:2007 doesn't require calculating anything. It requires assessment and evaluation.

The fact that a product has been on the market as a cosmetic is not necessarily relevant. Cosmetics are not necessarily subject to the same level of scrutiny as medical devices or pharmaceuticals, and therefore lesser postmarket data collection is not necessarily an indication of lack of manufacturer diligence or potential product adulteration. Cosmetic contact lenses are quite an extreme example in that it's almost a borderline device. A cosmetic could be something like a moisturising cream sold OTC in a supermarket - such a product could be the subject of postmarket data collection, analysis and quantitative update of the risk evaluation, but if that didn't happen I still wouldn't conclude malpractice (or even negligence) on the manufacturer's part.

 

[Watchcat]

I'm not an expert in medical devices field. With the company where I work I must write a Technical dossier and a risk management following the iso 14971.

What are you an expert in? Manufacturing? Engineering? Product development? Compliance? Marketing?

 

[Marco83]

If you are trying to comply with 14971 you need to have a methodology described in an approved Risk Management Plan, and then you need to apply the methodology. Ideally, you have some documented assessment that the risks are acceptable prior to marketing the medical device.

Quite frankly: if this device has been on the market 'as a cosmetic' and the manufacturer can't calculate risks associated with the device's use as a medical device until after at least a year on the market, it sounds like the sort of medical device that is not acceptable for use. A quick search of the FDA warning letter database for 'adulterated' or 'misbranded' devices show plenty of examples of manufacturers who might have avoided those troubles by implementing a 14971-compliant process. I think there was at least one example in the past few years of a cosmetic contact lens manufacturer that ran afoul of FDA in part because the manufacturer was very lax in the area of risk management.

(perhaps) less inflammatory: Can anyone attest that they've been successful defending a risk management file that is based only on HACCP?

Good morning.
I read on the ISO that approaches as HACCP are premitted by the ISO. I don't know if someone attested in the past a successfully risk management based only on HACCP, I just know that the manufacturer has never write a risks management plan, so I have nothing to work on it.