2. The disconnected Risk Management
Separation in Lifecycle:
•Risk Management in sub systems of the Quality Management System
o Design/Product Risk Management
o Risk Management with your Suppliers
o Risk Management for Manufacturing
o Post Market Risk Management
Separation in Method:
•Patient/User focus, product focus, manufacturing focus, and supplier focus
•Different severity scales (3, 5 or 10 point scales)
•Different calculation of occurrences
•Use of detectability
3. How to start with an integrated approach?
• Get Senior Management approval for an integrated Risk
Management project
• Appoint project lead and project team (team needs to be cross
functional)
• Define Risk Management Integration Strategy and get it
approved by Senior Management
• Include culture, system, goals and KPI’s into your strategy
4. Integrated RM Strategy Elements
Culture Systems Goals & KPI’s
Focus of today’s
presentation
5. It Starts with the Risk to the Patient/User
Hazard
Sequence of
Events
Hazardous
Situation
Harm
Severity of
Harm
Probability of
Occurrence of Harm RISK
Exposure
• Manage the risk
associated with
the use of a
medical device
(ISO14971)
• Understand the
risks and benefits
of a medical
device
• Manage the risk
by system, product
family or therapy
P1
P2
P1 x P2
6. Risk Chain – Responsibility and Control
Functional Outputs
(electrical current, thermal energy,
force)
Disturbances to the
Environment
(EMC, debris, packaging)
Outputs from Device
Attributes
(biocompatibility, sterility)
Hazards
Likelihood of
Occurrence
Product Design and Manufacturing Product Use
Exposure
Hazardous Situation
Company Responsibility
Company Control Patient/HCP Control
7. Controlling the Outputs
Design Controlled Manufacturing Controlled Patient/HCP Controlled
Functional
Outputs
Specified, reviewed,
verified and validated
during design
Verified or validated
processes used to confirm
every product meets product
specification.
Follow labels and approved
procedures (Instructions for
use, labels, surgical
techniques, medical
procedures)
Disturbances to
the Environment
Identified and mitigated
during design process.
Limits established in
Product Specification.
Controls established and/or
inspections to verify products
are within established limits.
Handle in prescript way
(Instructions for use, labels)
Outputs from the
Device Attributes
Identified during design
process and documented
in Product Specification
Mostly depends on validated
processes to confirm product
compliance.
Use in prescript way
(Instructions for use, labels)
Control Risk throughout the Product Lifecycle
8. Process to Output Interaction
Design Operations Quality
Device Outputs Examples
DesignInput
DesignOutput
DesignReview
DesignVerification
DesignValidation
DesignTransfer
SupplierControl
ReceivingInspection
InprocessInspection
ProcessValidation
Calibration
PreventiveMaintenance
LabelControl
ComplaintManagement
CAPA
FieldAction
ChangeManagement
NonconformingMaterial
Functional Outputs electrical current, thermal energy, force ● ● ◕ ● ● ◑ ◕ ◔ ◕ ● ◕ ◔ ◕ ◔ ◔ ◕ ● ◔
Disturbance to the Environment EMC, debris, packaging ◕ ◕ ◑ ◕ ◑ ◑ ◑ ◔ ◕ ◑ ◔ ◔ ◔ ◔ ◔ ◕ ◕ ◔
Outputs from Device Attributes biocompatability, sterility ● ● ◕ ● ● ◑ ◕ ◔ ○ ● ◑ ◔ ◔ ◔ ◔ ◕ ● ◔
Legend: Definition:
●High interaction/broad scope
Interaction means the ability of the process to create or change
hazards
◕High interaction/narrow scope
Scope means the ability of the process to impact a small or larger portion of the product
population
◑Low interaction/broad scope
◔Low interaction/narrow scope
○No Interaction
9. Risk Management in Design
• The severity of the Harm determines the severity of the Hazard
• The severity of the Hazard determines the severity for each device
output
• Each device output is specified within the operating limits of the device
• Anticipate use of the device outside the operating limits
• Device output specifications and operating limits are verified and
validated during the design process.
• The Device Master Record (DMR) documents the approved product
design for manufacturing
• A well done and maintained Risk Plan and Risk Management File (RMF)
are a great starting point for the next product generation.
10. Concepts for integration
Design Build Use
Verified and
Validated
Device Design
(DMR/RMF)
Products fully
compliant to
Device Design
Risk Objective:
• Manage applicable quality system,
sourcing, manufacturing and packaging
processes to deliver only products
which are 100% compliant to the design
specification (DMR).
Concept:
• Transpose severity of device outputs to
manufacturing and packaging process
requirements.
• “What is the risk of not meeting the
device specification?”
• Reduce likelihood of failing to meet
specification for high risk specifications.
Delivery from Design Team:
Expectation from Patient/User,
Health Care Provider and
Regulators:
11. Supply Chain Risk
Part
Part
Part
Part Qualification
Adjust qualification
requirements based on
Risk Level e.g. PPAP
Supplier
Qualification
Adjust qualification
requirements based on
Risk Level e.g. supplier
audits
Supplier
Incoming
Inspection
IQC
Adjust inspection
requirements and
sampling plans
Manufacturing
Final
Inspection
Final Inspection
Adjust inspection
requirements and
sampling plans
Manufacturing
12. Risk Level Determination
Part
number
Part
Description
Device
Classification
Part Risk Supplier
Risk
245765 Microcontroller
256741 Test connector
• Determine a methodology
for Risk Level assessment
which works for your
company and meets
requirements
• Keep it easy to execute and
integrated with available
data sources
Bill of Material
Risk Inputs
13. Risk Level Inputs
Device
Classification
FDA Classification
1 Class I devices
2 Class II devices
3 Class III devices
Part Risk Description
1 Contributes to non critical device
output
2 Contributes indirectly to critical
device output
3 Contributes directly to critical device
output
Supplier Risk Description
1 Well established manufacturing process,
existing facility
2 n/a
3 New manufacturing process, new
manufacturing facility, new inspection and test
requirements
• Select appropriate rankings for your
Risk Inputs
• Preferably these rankings are already
available (e.g. through other processes)
14. Risk Level Calculation
Risk Level Calculation:
Risk Level = Product Classification x
Part Risk + Supplier Risk
Score Risk Level
1-5 Low
6-8 Medium
9-12 High
Part number Part Description Device
Classification
Part Risk Supplier
Risk
Risk Level
245765 Microcontroller 2 2 1 5
256741 Test connector 2 3 3 9
• Align the Risk Level calculation
and scoring with the risk
acceptability levels of your
company and keep them
consistent
• Verify your calculation method
of Risk Levels before use
Example:
15. Risk Level based execution
Part
number
Part Description Device
Classification
Part
Risk
Supplier
Risk
Risk
Level
Supplier
Qualification
Part
Qualification
245765 Microcontroller 2 2 1 5 Self Assessment 5 Sections
256741 Test connector 2 3 3 9 On-site system
and process audit
16 Sections
Risk
Level
Supplier Qualification Part Qualification
Low Supplier Self-assessment
(supplier questionnaire)
COC, HSF, Component Specification, Packaging Specification, Labeling and
Traceability
Medium Supplier on-site quality system
audit
COC, HSF, Component Specification, Packaging Specification, Labeling and
Traceability, FA Submission Warrant, FAI Report
High Supplier on-site quality system
and process audit
COC, HSF, Component Specification, Packaging Specification, Labeling and
Traceability, FA Submission Warrant, FAI Report, Process Capability
Evaluation, Inspection Method, GR&R, Process Control Plan, Process Flow,
IQ,OQ,PQ, Material Certification, Drawing Review, FMEA
16. Process Risk
Test System Validation
Adjust validation
requirements based on
Risk Level
Calibration
Adjust calibration intervals
Process Validation
Adjust OQ an PQ
requirements based
on Risk Level
Process
Validation
Computer
Software
Validation
Calibration
Test System
Validation
(MSR)
Computer Software
Validation
Adjust validation
requirements based on Risk
Level
17. Process Capability/Gage R&R
Process Capability Measurement System Capability
Risk Level Best Good Best Good
High Cpk > 2 Cpk > 1.67 Cg > 2 Cg > 1.67
Medium Cpk > 1.67 Cpk > 1.33 Cg > 1.67 Cg > 1.33
Low Cpk > 1.33 Cg > 1.33
• Setting your validation up
for success
• Concentrating resources
where they are needed
most
• Avoiding compliance gaps
in supporting processes True product variance
Measurement
System
Capability
Measurement System impact
18. Process Validation – Acceptance Sampling
Risk Level
Confidence
Level
Reliability Level
Attribute Data
Sample Size,
c=0
Variable Data
Sample Size
***Poisson Data
Sample Size
High 95% 99% 299 *20 20
Medium 95% 95% 59 *20 20
Low 95% 90% 29 *20 20
• Samples for process validation are often a
challenge (e.g. small patches, cost, time to
build)
• Put the focus and effort where the highest
risk is
Reference: Crossley, Mark (2000) the Desk
Reference of Statistical Quality Methods. 1st Ed.,
ASQ Quality Press.
Where C is the confidence level, R is
the reliability, and n is the sample size.
For 95% confidence level, C = 0.95
Ref: Crossley 2000
Notes: * minimum sample size to assess process normality.
** should be used for microbiological evaluations of devices
19. Quality System Risk
KPI and Trending
Establish critical limits and
alerts based on Risk Level
Customer Complaints
Adjust escalation
requirements based on
Complaint Code (Risk
Level)
Nonconforming
Material
Customer
Complaints CAPA
Adjust CAPA due
dates based on Risk
Level
KPI and
Trending
CAPA HHE
Nonconforming
Material
Adjust escalation
requirements based on
Exception Type
Health Hazard
Evaluation
Adjust due dates
based on Risk Level
20. CAPA – Feeder Information
• Structure information in feeder processes so they can
be mapped easily to risk levels
• Examples: defect coding, complaint coding, trending alerts based on
indicators
• Allow for an adjustment of the risk level in the CAPA
system (with justification)
• Advantages of having the risk level connected with the
source information:
• Easier for an operator to assign a defect code rather than assessing
the impact to patient/user
• Provides more consistent assignment of risk levels
• Allows early phases of CAPA to be executed faster
• For certain codes it allows to initiate a CAPA directly
Issue Investigation /
CAPA Request
CAPA
Audits
CustomerComplaints
NonconformingMaterial
ManagementReview
Otherprocesses
21. CAPA – Advantages of Risk Levels
How can you use the Risk Level information in CAPA:
Thoroughness
• Establish different time lines for each CAPA phase based on Risk Level
• Create spare capacity to support fast timelines for high risk CAPA’s
Speed
Effectiveness
• Different requirements for tools used in root cause analyses
• Minimum requirements for cross functional team
• Use different confidence levels and reliability levels based on the
identified risk (similar to validation acceptance sampling)
22. Conclusion
• A fully integrated Risk Management System ALWAYS needs to start
with the risk to the patient/user
• Managing risk by System, Product Family or Therapy can help to make
your risk management more effective and efficient
• Well structured device outputs can help to align the risk management
between design and manufacturing
• Establish one Risk Level assessment method and use it consistently
across the company
• Connect all applicable sub systems to the Risk Levels
• Differentiate on how you execute your processes based on Risk Level
to achieve higher compliance, effectiveness and efficiency.