Medical Device Risk Management Quiz

Questions and Answers

What is the primary goal of Risk Control?

To document all instances of risk

To identify all potential hazards at once

To reduce risks to specified levels (correct)

To administer medical interventions to all risks

What does the term 'Serious Injury' encompass?

Any injury requiring a doctor's visit

Injuries resulting from any type of mishap

Life-threatening injuries or those needing surgical intervention (correct)

Temporary impairments that heal without intervention

Which classification model is used for assessing the safety of software systems in medical devices?

ISO 9001 model

FDA classification model

Risk Management model

IEC 62304 classification model (correct)

What is the definition of Security in the context provided?

Protection of sensitive data from unauthorized access

What is the purpose of a Risk Management File?

To maintain records from the risk management process

What is the primary purpose of the risk management process at Compass Health?

To manage risks related to medical device development and manufacturing

Which standards does the risk management process at Compass Health comply with?

ISO 14971:2019 and IEC 62304

At which phase in the product lifecycle is risk management applied at Compass Health?

From the concept phase to the end of life of the product

What is included in the risk management documentation for Compass Health?

Risk analyses, evaluations, and control measures

Who is responsible for approving the SOP for risk management at Compass Health?

A team of approvers including the COO and engineering leads

Study Notes

Approvals

• Author: Tenzin Yangzom
• Position: Head of QA/RA
• Role: Author
• Date: 02 Jan 2024
• Approver: James Baskin
• Position: COO
• Date: 02 Jan 2024
• Approver: Kevin Kennedy
• Position: Engineering
• Date: 02 Jan 2024
• Approver: Scott Crawley
• Position: CEO
• Date: 02 Jan 2024

Revision History

• Version: 1.0
• Date: 03 Jan 2024
• Description: Initial Release

Introduction

• Document outlines risk management process at Compass Health for product development and manufacturing.
• Risk management process is part of overall medical device product development and Quality Management System.
• Process applies to all medical devices from concept to end of life, following ISO 14971 and IEC 62304.
• Includes risks from approved changes and complaint resolution.

Applicable and References Documents

• FDA QSR § 820.30 Design Controls
• ISO 13485:2016 Section 7.3. Design and Development
• ISO 14971:2019 Application of Risk Management to Medical Devices
• IEC 62304:2015 Medical Device Software – Software Life-cycle Processes
• IEC 63266:2015 Medical devices – Application of usability engineering to medical devices
• IEC 60812:2018 – Failure modes and effects analysis (FMEA and FMECA)
• TG(MD) Sch1 P1 2, Sch3 P1 Cl 1.4(5)(c)(iii)
• SOP: Product Development Process QMS-SOP-0007
• SOP: Usability Engineering Process QMS-SOP-0011
• Risk Management Plan and Report Template QMS-TMP-0054
• Usability Engineering Plan and Report Template QMS-TMP-0055
• SOP: Post-market surveillance QMS-SOP-0030

Acronyms and Definitions

• MTR: Maximum Tolerable Risk
• EEA: European Economic Area
• MDD: Directive for Medical Devices (MDD)
• SOUP: Software of Unknown Provenance
• Anomaly: Any deviation from expected (requirements, design, experiences, standards)
• Evaluation: Systematic determination of an entity meeting specified criteria
• Failure Mode and Effect Analysis (FMEA): Evaluation of potential failure modes for processes, products, and their impact on outcomes
• Harm: Physical injury, damage, or both to health or damage to property/environment

Hazard Analysis

• Determines potential areas of harm in a system using risk assessment to mitigate hazard risks.
• Ensures product design and testing eliminate or reduce patient/operator risks.
• Uses A.L.A.R.P. (As Low as Reasonably Possible) guidelines.
• Identifies potential harm sources (hazard) and hazardous situations.
• Details intended use, manufacturer responsibility, and medical device software system.
• Includes detailed documentation of problem reports, software item definitions, software products, and software safety classifications (per IEC62304).

Risk

• Defined as a combination of occurrence probability and harm severity.
• Risk analysis involves using available information to identify and estimate hazards.
• Risk control involves implementing decisions and measures to reduce or maintain risks within specified levels.
• Risk management applies management policies, procedures, and practices to risk analysis, evaluation and control.
• Risk Management File is maintained for each medical device to track risk management activities.

Risk Management Process

• Risk management process applies throughout product development to identify risks.
• Prevents later changes from introducing unforeseen risks.
• Procedures start with assigning roles (Risk Management Team)
• Team evaluates if design or process FMEA is required depending on device nature.
• Team identifies hazards, evaluates risks, and identifies mitigation strategies.
• Documentation details, including Hazard Analysis, Risk Evaluation, and mitigation details.

Process Roles

• Product Manager: Responsible for decisions, rationale, and regular audits.
• QA/RA: Relays audit results and ensures compliance with SOP.
• Risk Management Team (RMT): Comprises personnel from Engineering, Marketing, Customer Success, QA/RA, and the Product Manager. Evaluates design or process FMEAs based on device characteristics.

Risk Management File

• Compass Health establishes and maintains a Risk Management File for each medical device considered.
• File provides traceability for each hazard to risk analysis, evaluation, risk control measures, assessment of risk, and risk management.

Identifying Potential Hazards

• Potential hazards identified by considering characteristics of medical product, users and environment.
• All components potentially contributing to hazardous situations are identified.
• Lists of potential hazards in normal and fault conditions are reviewed.
• Hazard level determines detail needed in hazard analysis.

Initiating Causes/Outcomes

• Each medical device potentially carries multiple hazards, each with multiple causes.
• Outcomes for each cause must be determined and documented.
• Consider legal/regulatory compliance implications of each outcome.
• Documentation should explicitly detail software systems causes and outcomes.

Estimating Risks

• For each potential hazard, risk estimation involves analyzing initiating events (or circumstances), sequences of events, mitigations, frequency of possible harmful consequences (deleterious consequences).
• Estimate the risk by analyzing its components (e.g., severity) separately.

Severity

• Risk severity categories (e.g., Category IV - Critical, Category III - Major) provide classification and define possible consequences (e.g., death, injury).
• Categorization details potential consequences of harm (e.g., death, serious injury) for each category.
• Risk probability (e.g., frequent, probable) defines likelihood of hazard occurrence during use.

Assign Risk

• For each hazard, combined severity and probability determine risk level.
• Documentation details procedure to determine numerical risk evaluation.
• Specific information-based criteria used for assigning risk (e.g., device usage frequency, user population).
• Assessment uses feedback, complaints, clinical evaluation, and corrective/preventive actions.

Risk Classifications

• Risk classification (e.g., High, Medium, Low) defines the severity and probability of harm.
• The criteria categorize risks by level and define associated actions.

Process FMEA

• Process FMEA used to analyze a process operation's effect on a product or process to identify activities/processes with a potential for failure.
• Early failure identification allows for implementation of preventive measures to mitigate failure risks.
• Methods use risk management team input (e.g., workflow, environment, work instructions, complaints, and previous capabilities).

FMEA Ratings

• Process and design FMEAs use defined rating systems to document Occurrence, Severity, and Detectability.
• The RMT (risk management team) uses these ratings to calculate a risk priority number (RPN).

Maximum Tolerable Risk

• Maximum Tolerable Risk (MTR) defined as a hazard/failure mode with a Low or Negligible risk level.
• Specific MTR risk levels applied as default but the plan might define other values for individual products.

Risk/Impact Evaluation Criteria

• Risk/impact evaluation uses criteria to assess risk in Business, Product, and Regulatory categories.
• Categories assess events, significant impacts to business processes, product compliance and functional safety, regulatory requirements.

Determine if Risks are Reducible

• If Risk level(s) exceed MTR, then risk elimination or reduction to MTR level (Low or Negligible) is required.
• This involves defining the mitigating/corrective/preventive actions needed.

Risk Reduction and Control

• Elimination or reduction of hazard using inherent design, protective measures, or preventive actions.
• Risk control methods encompass design and manufacturing, protective measures, training & instructions.
• Risk evaluation assesses and documents any residual risks.

Verify and Validate Risk Control and Mitigation

• Verification of implemented risk mitigation, control measures, and appropriateness determined.
• Recording of verification and validation results required.

Determine if New Hazards Have Been Introduced

• Review of mitigation controls performed to ensure changes haven't introduced new hazards or causes.
• New risk analysis, evaluation, and control activities performed if new hazards found (or causes).

Determine if Medical Product Safety is Adequate

• Adequacy of medical product safety determined if residual risk from all hazards below MTR level.
• Documentation details if safety is considered adequate.

Ongoing Activities

• Risk analysis reassessed with new information or data, changes in service/usage, or if initial risk assessment assumptions no longer valid.
• Post-market surveillance and monitoring of medical product use to capture and evaluate outcomes required.

Post-Market Surveillance

• Post-market surveillance is used to gather information and communicate with regulatory bodies or conformity assessment bodies.
• Surveillance information updates benefit/risk assessments, updating labels & instructions as needed.
• Surveillance documented and presented during product development presentations.

Quality Records

• Documentation of Hazard Analysis, Risk Management Plans/Reports, and Usability Engineering Plans/Reports is mandatory.

Risk Management Team Acknowledgement Form

• Form for listing risks management team members' responsibilities and acknowledgments.

###Appendix A - IEC 62304 Safety Classification Scheme

• Defines safety classification (A, B, or C) for software systems in medical devices and based on possible harm to patients, users, others.
• Different criteria for A, B, and C categories.

Description

This quiz covers the essential elements of the risk management process for medical device development and manufacturing as outlined in the document. It includes insights into applicable standards like ISO 14971 and IEC 62304, ensuring a comprehensive understanding of quality management in healthcare. Test your knowledge on risk management practices from concept to end of life.