Risk Management for Medical Device Manufacturers: [MD and IVD]

By Joe W. Simon

As a quality professional in the medical device industry, you know all too well the importance of a risk management process-and how iterative it can be. Industry regulations and standards-like ISO 14971-help medical device manufacturers define risk management processes, but they don't make them bulletproof, that is, ensure the efficacy of their products while minimizing future liability.

This book can help you build a bulletproof, risk process. You will learn how:
Designing product and manufacturing processes controls risks
Using consistent language in a holistic, closed-loop risk management system leads to greater efficiency
Creating useable and audit-ready risk documents can support verification/validation (V/V) sampling plans
Developing labels and instructions can help end-users and patients clearly understand the pertinent risks
Creating post-market surveillance (PMS) processes is essential to determine if additional clinical/performance studies are necessary

Joe Simon holds an MBA and has been a member of ASQ since 2008. Over his nearly 30-year career, he worked with numerous companies as an employee and a consultant to build or improve complaint analysis, trending, post-market surveillance (PMS), nonconformance (NC), corrective action/preventive action (CAPA), stewardship, and risk management processes.

• Language: English
• Publisher: ASQ Quality Press
• Release date: Jan 20, 2022
• ISBN: 9781636940144

Joe W. Simon

Growing up in International Falls, Minnesota (“the icebox of the nation”), Joe started his studies at St. Olaf College but transferred to Bemidji State University where he earned his bachelor of science degree in chemistry (with honors). He later earned a master of business administration (MBA) degree through Jones International University. He has been a member of the American Society of Quality (ASQ) since 2008. Starting out as a bench chemist performing environmental and nutritional labeling testing, Joe rewrote almost every analytical method he touched and developed a few new ones. It was during this time that he learned the importance of accuracy, linearity, range, and (especially) system suitability (for example, reagent blanks, matrix blanks, duplicate samples, blank-spikes, matrix spikes, check samples, etc.) for a test method. He also performed minimum detectable limit (MDL) studies for a battery of herbicides and pesticides. This also introduced him to the concepts of good laboratory practice (GLP) and FDA requirements. He eventually transitioned into pharmaceutical quality assurance and quality control. Working for five years at a pharmaceutical company that was under the FDA’s Application Integrity Policy (AIP), he learned the importance of being transparent with your quality problems and your processes. During his time in pharma, he became familiar with AQL sampling tables and started developing quality trending and metrics. In 2005, Joe started consulting, and his first project was helping a large, multinational medical device manufacturer build process FMEAs for all its products. In the intervening years, he worked with numerous companies to build or improve their complaint analysis, trending, postmarket surveillance (PMS), nonconformance (NC), corrective action/preventive action (CAPA), stewardship, and risk management processes. With more than 25 years of experience, Joe recently retired from consulting. As a manager, he was responsible for direct management of the consulting personnel as well as ensuring the competency, quality, experience, project management, and service excellence of the engagement teams. He helped many companies by teaching them how to be more compliant and efficient. Now that he’s retired, he gets to enjoy spending more time with his family.

Book preview

Risk Management for Medical Device Manufacturers

● ● ●

Joe Simon

Quality Press Milwaukee, Wisconsin

American Society for Quality, Quality Press, Milwaukee, WI, 53203 All rights reserved. Published 2022.

© 2022 by Joe Simon

No part of this book may be reproduced in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Publisher’s Cataloging-in-Publication data

Names: Simon, Joe W., author.Title: Risk management for medical device manufacturers / Joe Simon.Description: Includes bibliographical references and index. | Milwaukee, WI: ASQ Quality Press, 2022.Identifiers: LCCN: 2021951458 | ISBN: 978-1-63694-013-7 (paperback) | 978-1-63694-014-4 (epub)Subjects: LCSH Medical instruments and apparatus industry—Risk management. | Medical instruments and apparatus—Quality control. | Medical instruments and apparatus—Safety measures. | BISAC BUSINESS & ECONOMICS / Industries / Manufacturing | BUSINESS & ECONOMICS / Industries / Healthcare | MEDICAL / Instruments & Supplies Classification: LCC R856.6 S56 2022 | DDC 610.284—dc23

ASQ advances individual, organizational, and community excellence worldwide through learning, quality improvement, and knowledge exchange.

Bookstores, wholesalers, schools, libraries, businesses, and organizations: Quality Press books are available at quantity discounts for bulk purchases for business, trade, or educational uses. For more information, please contact Quality Press at 800-248-1946 or books@asq.org.

To place orders or browse the selection of all Quality Press titles, visit our website at: http://www.asq.org/quality-press.

Printed in the United States of America.

26 25 24 23 22 SWY 7 6 5 4 3 2 1

Table of Contents

Cover

Simon_titlepg

Simon_cip

Simon_dedication

Simon_acknowledgments

Simon_preface

Simon_listofabbreviations

01_Simon_Sec1Ch1

02_Simon_Ch2

03_Simon_Ch3

04_Simon_Ch4

05_Simon_Ch5

06_Simon_Ch6

07_Simon_Ch7

08_Simon_Ch8

09_Simon_Sec2Ch9

10_Simon_Ch10

11_Simon_Ch11

12_Simon_Ch12

13_Simon_Ch13

14_Simon_Ch14

15_Simon_Ch15

16_Simon_Sec3Ch16

17_Simon_Ch17

18_Simon_Ch18

19_Simon_Sec4Ch19

20_Simon_Ch20

21_Simon_Ch21

22_Simon_Ch22

23_Simon_Sec5Ch23

24_Simon_Ch24

25_Simon_Ch25

26_Simon_Ch26

27_Simon_Ch27

28_Simon_Ch28

29_Simon_Ch29

30_Simon_End

Dedication

This book is dedicated to my parents, Bette and Orin Simon. Their continuous support and love made my life, education, work, and this book possible.

Acknowledgments

● ● ●

To Ravi Bhullar (a genuine Indian Guru), without whom this book would not have happened.

To Steve Stegmeier, who provided the epiphany for the mustache curve (and, as I recall, had a pretty good mustache himself).

To an old supervisor, who said validation was too complicated for me—challenge accepted and obliterated.

Preface

● ● ●

You may be asking, Why do I need to read this book? What makes this different from all the risk books, articles, and presentations I’ve been exposed to in the past? The short answer is…that there is no short answer. You’re reading this book because the ISO 14971 standard is not geared toward manufacturers. As a result, your risk documents have been collecting dust in a corner while your teams do the best they can to get product out the door and not hurt people in the process. Your systems are likely disconnected, and your people are aimlessly guessing how to design, validate, monitor, and update your products.

This book will help you fix all that. It will show you how to properly build and connect your risk documents, so you can have an efficient, effective, and compliant risk process that supports (rather than hinders) your people and your processes. The concepts in this book will help you make better products without all the guesswork and help you respond to issues faster and more effectively. As a bonus, when your people see how the work they do connects and helps improve the product (and, by extension, the lives of your users and patients), they will enjoy their jobs more and take better ownership of their work.

After finishing this book, you will understand that risk management really is simple and intuitive when done right. Yes, it’s broad in scope—but it doesn’t have to be so difficult, confusing, and convoluted. If you only take one thing from this book, I hope it’s that the occurrence rates in your risk documents need to be meaningful. They need to connect directly to your verification/validations and be the thresholds for your nonconformance (NC) and complaint processes (Chapters 3-4, 8, 12, and 16-17). If the only change you are able to make at your company is to implement the concepts in Chapters 3-4 (i.e., to capture your NC rates in your risk documents), much of the rest of the changes may happen organically.

The information presented in this book assumes the reader has at least a basic understanding of risk management—specifically, familiarity with the concepts in ISO 14971, hands-on experience with risk tools (for example, fault tree analysis and failure mode and effects analysis), and knowledge of the applicable regulations that apply to their products and to risk (for example, 21 CFR 809, 21 CFR 820, and the EU Medical Device Regulation [MDR] and/or the In Vitro Diagnostic Regulation [IVDR]). Hopefully, you are open to fixing some of the issues you have been struggling with for years. (If you are new to risk management, read through the regulations and standards, and consider taking an introductory-level course prior to reading further.)

As someone experienced with risk management, you already know that there are numerous inputs and outputs for each step in the risk process. Additionally, the process is very iterative. In other words, sometimes you need to begin the process before you’re able to clearly define your criteria. For example, if you are building a risk management process for your company’s first product, you won’t have similar products from which to define a master harms list. Because of this variety of inputs/outputs and the iterative nature of the process, it’s not very linear. This made it difficult to write a book and still address all the necessary background before digging into each topic. As a result, some topics may rely on information that is presented later in the book. I have made every effort to minimize this and present the information in as linear a fashion as possible, but the reader should be aware that this is a broad and interdependent process.

The information presented here is based on my knowledge and experience gained over many years of working and consulting in various areas of risk management. The information is also based on the regulations and standards that were available at the time this text was being written. As regulations and standards are updated, the infor­mation and references presented here will undoubtedly become outdated. Therefore, it is recommended that the reader not only assess how best to implement the concepts in this text, but also assess whether any changes have occurred to the referenced regulations and standards that would alter the implementation of the concepts.

Some of the concepts presented here were developed and honed while assisting a medical device company that was dealing with thousands of lawsuits for its trans-vaginal mesh products (you may remember the lawyers’ commercials). We were asked to help the company make its risk processes and labeling bulletproof (their words)—specifically, to ensure the benefits of its products objectively outweighed the risks (so the company could defend keeping its products on the market) and to properly disclose the risks to minimize the company’s future liability. While not all of these concepts were developed during that project, it emphasized for me the importance of the risk management process and started an effort to develop more meaningful and applicable risk documents. With the advent of the EU MDR and IVDR, there has been a focus to make sure risk management processes have the necessary procedural relationships to ensure the proper data are flowing in and the proper decisions are flowing out to drive necessary changes.

If you follow the steps laid out in this book:

✔ Your risk documents will have meaningful criteria and thresholds.

✔ Your products and manufacturing processes will be designed to control risks.

✔ You will have validated and verified your risks (initial and ongoing testing).

✔ Your verification/validation (V/V) sampling plans and sample sizes will be based on risk.

✔ Your V/V sampling plans will be adjusted based on where the variation is in your process.

✔ Your test method validations will be based on risk.

✔ Your NCs and complaints will use the risk thresholds to determine when a corrective action/preventive action (CAPA) is needed.

✔ Your NC process will work for product, process, and quality system nonconformances.

✔ Your risks will be properly communicated to the users and patients through labeling, instructions for use (IFU), training, etc.

✔ You will have an efficient closed-loop risk management system.

And,

• Your post-market surveillance (PMS) process can feed into the risk management system to determine if you need additional clinical/performance studies.

• Your risk documents will be audit ready.

These bulletproof strategies have been used at large, multinational manu­facturers with hundreds of products and various departments working collaboratively. They have also been used at a small dental company with a single quality engineer tasked to do it all herself for a hand­ful of products. They have been used in medical device companies as well as in vitro diagnostic medical device companies. Because the con­cepts rely heavily on ISO 14971 and ISO 13485, which are medical device standards, they are not specifically tailored to the pharmaceutical industry (though they could be, but I’ll leave that for someone else to write).

Some of the concepts presented involve or rely heavily on statistics. While my degrees are not in statistics, I was blessed to have mathe­ma­ticians for parents. I have also worked with several statisticians, and much of my career has involved hands-on work with large piles of data, spread­sheets, trending, etc. Most of the formulas presented here reference the source; however, some were created by me or by my coworkers. All formulas should be vetted for your company before applying them to your processes and products.

List of Abbreviations

● ● ●

5W2H Who, What, When, Where, Why, How, and How Much

8D Eight Disciplines Problem-Solving Process

AAMI Association for the Advancement of Medical Instrumentation

AFAP As Far as Possible

ALARP As Low as Reasonably Practicable

ANOVA Analysis of Variance

ANSI American National Standards Institute

AQL Acceptance Quality Limit

ASQ American Society for Quality

BOM Bill of Materials

BS British Standard

CAPA Corrective Action/Preventive Action or Corrective and Preventive Action

CEN European Committee for Standardization

CENELEC European Committee for Electrotechnical Standardization

CEP/PEP Clinical Evaluation Plan/Performance Evaluation Plan

CER/PER Clinical Evaluation Report/Performance Evaluation Report

CFR Code of Federal Regulations

CGMP Current Good Manufacturing Practice

CNC Computer Numerical Control

Cpk Process Capability Index

CPSP Clinical Performance Study Plan

CPSR Clinical Performance Study Report

CQE Certified Quality Engineer

CS Common Specification

CTQ Critical to Quality

dFMEA See FMEA.

DFU Directions for Use

DMR Device Master Record

DOE Design of Experiments

DV&V Design Verification and Validation

EC European Commission

EMA European Medicines Agency

EN European Standard (from Europäische Norm)

ERC Essential Requirements Checklist

ETSI European Telecommunications Standards Institute

EU IVDR European Union In Vitro Diagnostic Medical Device Regulation 2017/746

EU MDR European Union Medical Device Regulation 2017/745

Eudamed European database on medical devices

FDA Food and Drug Administration

FD&C Act Federal Food, Drug, and Cosmetic Act

FMEA Failure Mode and Effects Analysis (aka FMECA, Failure Mode and Criticality Effects Analysis); may include use, design, and process variations

FTA Fault Tree Analysis

GR&R Gage Repeatability and Reproducibility

GSPR General Safety and Performance Requirements (checklist)

ICH International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use

ICS International Classification for Standards

IEC International Electrotechnical Commission

IFU Instructions for Use

IQ Installation Qualification

IOQ Installation and Operational Qualification

ISO International Organization for Standardization

ISO/FDIS International Organization for Standardization/Final Draft International Standard

ISO/TR International Organization for Standardization/Technical Report

IT Information Technology

IUS Intended Use Statement

IVD In Vitro Medical Device

IVDR See EU IVDR.

LOD Limit of Detection (aka Detection Limit or MDL)

LOQ Limit of Quantitation

LTPD Lot Tolerance Percent Defective

MAUDE Manufacturer and User Facility Device Experience

MD Medical Device

MDL Method Detection Limit or Minimum Detection Limit (aka LOD)

MDR See EU MDR.

MDR/MDV Medical Device Reporting/Medical Device Vigilance

NB Notified Body

NC Nonconformance

NCEA Nonconformance Effect Analysis (may include use, design, and process variations)

NCi Initial Probability of Occurrence of the Nonconformance

NCr Residual Probability of Occurrence of the Nonconformance

NCR Nonconformance Report

NIST National Institute of Standards and Technology

OC Operating Characteristic

OOS Out of Specification

OQ Operational Qualification

ORA Office of Regulatory Affairs

OSHA Occupational Safety and Health Administration

OUS Outside of the United States

P (including (Initial and residual) Probability of occurrence of the

Pi and Pr) harm

Px (including Probability of occurrence of one of the events leading

P0, P1, P2, PE, PF) to harm

PDP Product Development Process

PEP See CEP/PEP.

pFMEA See FMEA.

PMS Post-Market Surveillance

Ppk Process Performance Index

PPM Part Per Million

PPQ Process Performance Qualification

PQ Process Qualification

P/T Ratio of the precision