Risk Management, complaint handling and CAPA system

[alimary15]

Good morning,

I would like to know how to do you handle the risk management process toward the complaint handling?

When a complaint related to a specific product is received, the complaint handling team is responsible to rate the complaint assigning to it a probability and a severity.

My questions are:

1) Does the rating of the complaint needs to be done according to the risk management plan of the particular product? ( In my opinion YES!- But how do you make sure that the complaint analysts are rating the complaint in accordance to the product risk analysis ? E.g. a risk that is rated unacceptable by R&D might be rated with a lower severity or probability by the CAPAs )

2) Could you suggest best practices on how to handle complaints in regard of the collection of post-production information?

Thanks

 

[Mark Meer]

...rate the complaint assigning to it a probability and a severity.

I'm confused. What is the "probability" of a complaint that you've already received? Is it the probability of it happening again? ...in most cases this would be very difficult (if not impossible) to estimate.

As for "severity", complaint handling usually includes a determination of "reportability" (i.e. whether the complaint involves an adverse event - usually death or serious injury - that needs to be reported to regulatory authorities). This determination is pretty straight forward. ...is this what you mean by complaint "severity"?

The bottom-line however is that the probability/severity risk-management approach isn't really suited for complaint handling.

What the complaint-handling process might want to consider however, is whether there was an incident that necessitates review of risk files. In otherwords:
a) Are there new hazards, previously unidentified?
b) Does the incident call into question previous risk evaluations, or effectiveness of control measures?

If so, a risk design review should be held (which includes appropriate authorities, knowledgeable personnel), so the risk-files can be updated.

 

[Mark Meer]

2) Could you suggest best practices on how to handle complaints in regard of the collection of post-production information?

I don't know about "best practices", but I can certainly offer suggestions.

Whatever data you collect should be useful.
Ideally, the data helps to evaluate established Quality Objectives.

For us, we collect the following:

• Is it reportable? (necessary, for obvious reasons)
• Does it necessitate a return? (good to track, because returns are costly)
• Is the item under warranty?
• A general "cause" category. For example: misuse/abuse, user-error, or non-conforming product. (good for identifying negative trends and areas for improvement)
• General "resolution" categories. For example: return, servicing, replacement, support, no action taken. (good for evaluating the resources spent to resolve the complaint).

Just some suggestions. Ultimately up to you. Good luck!

 

[Bev D]

I agree with Mark - it is non-sensible to assess the probability when you get a complaint. certainly complaint handles aren't equipped to figure this out.

severity can be consistently assigned with well developed and well worded guidelines.

For example we assign a severity rating of a 3 (we use a 1-5 scale which we find reduces inconsistent assignment) if the practice lost 15 or more minutes of workflow time due to the incident.

 

[alimary15]

everyone.

I am currently looking at already existing procedures which assign probability to complaints. This is why I got confused cause I also wondered how this assignment could be done!

My question is: how do you link the complaint handling and analysis to the risk management process?

If a complaint is received, how can the risk anaylsis be updated in terms of risk assesment?

1) If I get a complaint that constitute a new risk--> then ok I just add it into the risk management file
2) If I get a complaint that is not new--> Is there a best way to assess whether an update to the Probability/Severity of the risk needs to be performed?

Also my concern is that sometimes the analysis of a complaint is done by someone who is not a 100% technical expert of the device--> thus how to ensure that from that complaint the risk is well identified?

Thanks

 

[Mark Meer]

1) If I get a complaint that constitute a new risk--> then ok I just add it into the risk management file
2) If I get a complaint that is not new--> Is there a best way to assess whether an update to the Probability/Severity of the risk needs to be performed?

Complaints don't really tie into the ISO14971 framework except, as I mentioned in post #2, the following:
1. Is there a new, previously identified hazard?
2. Does the complaint involve an incident that calls into question previous risk-evaluations or the effectiveness of control measures? For example:
- Did a control measure fail?
- Did an event deemed improbable occur?
- Did an event occur whose consequences were more severe than the worst-case considered in the risk-file?

In either case, a risk file review should be held to ensure that all appropriate expertise is present.

"Just add[ing] [a hazard] into the risk management file" involves a process, and shouldn't be treated lightly. Any new hazard must be evaluated, and risk controls prescribes if necessary. This requires expertise. Similarly, updating an evaluation or a control measure also require expertise.

Fortunately, in practice, most complaints probably won't involve reassessing the risk file.

My suggestion would be to:
1. Add an evaluation of the 2 criteria above to your complaint forms. (e.g. yes/no checkboxes)
2. Add to your procedure that if "yes" is checked for these on a complaint form, then a risk-file review is necessary (which will include appropriate expertise).