Regulatory Framework Comparison Series: Risk Management

One of the more hazardous areas of compliance is risk management, not because it’s unfamiliar, but because the consequences of a risk management failure can be catastrophic for a device development program. In this third installment in a series, we’ll examine the approaches to risk management by the regulatory entities in Canada, the European Union (EU), the U.K. and the U.S.

The most prominent standard for risk management is the 2019 edition of ISO 14971, which has no exact parallel in the U.S. because the FDA’s Part 820 does not have a section specifically dedicated to risk management. The good news is that, other than the FDA, all these regulatory regions have adopted this third edition of 14971 as the primary risk management framework, although there are some complications in the EU’s use of the standard.

Much of the FDA’s thinking about risk is embodied in guidances, such as the agency’s two guidances for cybersecurity. The FDA formally recognized the 2019 version of ISO 14971 in December 2019, although the agency had previously recognized the previous edition. The FDA intends to continue to accept compliance with the second edition through Dec. 25, 2022, but will require demonstrations of conformity with the third edition of the ISO standard after that date.

The existing regulation for the U.K.’s Medicines and Healthcare Products Regulatory Agency (MHRA) has very little to say about risk management, although the agency stated in 2020 that compliance with ISO 14971 was acceptable. The draft regulation by MHRA is quite vague on risk management, so it seems reasonable to assume that the ISO standard will continue to be recognized in the U.K. going forward. Any unique approach by Health Canada to risk management seems largely predicated on postmarket risk management for devices with safety signals, although the agency has included 14971 among its list of recognized standards. Consequently, we’ll assume that 14971 not only applies in both the U.K. and Canada, but is the primary risk management modus for the purposes of the total product life cycle (TPLC).

FDA, ISO 14971 Encode Same Stages of Risk Management

As seen in this slide deck from June 2021, the FDA separates the risk management process into several stages across the TPLC. ISO 14971 uses these same stages, which are:

  • Risk analysis
  • Risk evaluation
  • Risk control
  • Evaluation of overall residual risk
  • Risk management review; and
  • Production and post-production activities.

The FDA sees risk analysis as addressing both intended use and reasonably foreseen misuse, and suggests the manufacturer identify the hazards of device use/misuse and any “hazardous situations” therein. Risk control includes both residual risk evaluation and benefit-risk analysis, but the FDA approach also suggests that the risks arising from risk control measures also be considered.

Interestingly, Section 7.5 of the ISO standard also cites the need to manage risks stemming from the implementation of risk control measures. Any new risks that arise in this context would be fed back into the risk management evaluation for that device such that the understanding of the overall risk-benefit framework is appropriately modified.

The approach in the EU is a somewhat modified version of ISO 14971, designated EN ISO 14971:2019+A11:2021. The amendment was undertaken to coordinate the requirements of 14971 across the Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), so it does not constitute a substantive alteration of the ISO standard. We would remind the reader that 14971 states that for risk management purposes, the product life cycle runs from initial conception to decommissioning and disposal.

As is the case with the FDA, 14971 calls for risk management to account for reasonably foreseeable misuse, which is defined as the result of “readily predictable human behavior.” That term is defined as behavior that would be undertaken by both lay and professional users and covers both intentional and unintentional uses (the FDA rarely, if ever, cites the need to evaluate risk for lay users outside the 2016 guidance on human factors engineering).

However, 14971 is more granular than anything arising from the FDA about matters such as risk management plans. This is still the case with regard to the FDA’s proposed adoption by reference of a limited set of clauses from ISO 13485 into a new quality management regulatory framework. In that proposal, the FDA highlights its expectations that risk management will be woven in from the earliest stages of device development, but otherwise has little to say other than to refer to the general risk management features of 13485.

One of the potential hazards of relying solely on the ISO standard for products marketed in the EU is that Annex I of the Medical Device Regulation offers several different definitions of risk, depending on the context. With regard to radiation-emitting devices, Annex I of the MDR states that risks should be reduced as far as possible, but Chapter 1 states generally that risks should be reduced as far as possible without affecting the benefit-risk ratio. The problem of definitions is not eased by the fact that there are more than 240 mentions of risk in the MDR, which makes risk management perhaps one of the most complex elements of compliance for devices intended for the European market.

Design Controls a Key Aspect of Risk Management

For the most part, the FDA’s expectations regarding risk management are presumed to have been handled in the design phase, as depicted in this 2015 presentation for small businesses. In that presentation, the agency defined risk management and risk analysis as “the systematic application of management policies, procedures, practices, insight/judgment, and experience to the identification, analysis/evaluation, monitoring, and subsequent control/mitigation of risk.” Beyond that, there is little detail other than a statement that risk management and analysis are integrated into the design control process, and are central requirements. This presentation also makes note of ISO 14971.

Similarly, ISO 14971 states that risk control is part of the design and development process, and that verification of the effectiveness of risk control can be affirmed during design and development validation and/or verification. There is also a discussion of residual risk, but residual risk, as is the case with so much of the FDA’s approach to risk management, is more commonly found in guidance documents than in the regulation itself. One example of this is the 2015 FDA guidance for benefit-risk determinations for investigational devices. In that document, the agency offers little in the way of prescriptiveness other than to state that residual risk must be weighed against the anticipated benefits of the device.

As our clients are well aware, risk management is one of the more resource-consuming aspects of compliance in virtually all regulatory jurisdictions, but when properly woven into the device development process from the start, risk management is a tremendous asset throughout the TPLC. Conversely, a poorly thought-out approach to risk management is a hazard to patients and to the manufacturer, which puts patient welfare and its own viability at risk when risk management is given short shrift.
