Integrated Risk ManagementHow to connect Risk Management throughout the Quality Management System

The disconnected Risk ManagementSeparation in Lifecycle:

•Risk Management in sub systems of the Quality Management System o Design/Product Risk Managemento Risk Management with your Supplierso Risk Management for Manufacturingo Post Market Risk Management

Separation in Method:•Patient/User focus, product focus, manufacturing focus, and supplier focus•Different severity scales (3, 5 or 10 point scales)•Different calculation of occurrences•Use of detectability

How to start with an integrated approach?• Get Senior Management approval for an integrated Risk

Management project• Appoint project lead and project team (team needs to

be cross functional)• Define Risk Management Integration Strategy and get

it approved by Senior Management• Include culture, system, goals and KPI’s into your

strategy

Integrated RM Strategy Elements

Culture Systems Goals & KPI’s

Focus of today’s presentation

It Starts with the Risk to the Patient/User

Hazard

Sequence of Events

Hazardous

Situation

Harm

Severity of Harm

Probability of Occurrence of

Harm RISK

Exposure

• Manage the risk associated with the use of a medical device (ISO14971)

• Understand the risks and benefits of a medical device

• Manage the risk by system, product family or therapy

P1

P2

P1 x P2

Risk Chain – Responsibility and Control

Functional Outputs (electrical current, thermal

energy, force)

Disturbances to the Environment

(EMC, debris, packaging)

Outputs from Device Attributes

(biocompatibility, sterility)

Hazards

Likelihood of Occurrence

Product Design and Manufacturing Product Use

Exposure

Hazardous Situation

Company Responsibility

Company Control Patient/HCP Control

Controlling the OutputsDesign Controlled Manufacturing

ControlledPatient/HCP Controlled

Functional Outputs

Specified, reviewed, verified and validated during design

Verified or validated processes used to confirm every product meets product specification.

Follow labels and approved procedures (Instructions for use, labels, surgical techniques, medical procedures)

Disturbances to the Environment

Identified and mitigated during design process. Limits established in Product Specification.

Controls established and/or inspections to verify products are within established limits.

Handle in prescript way (Instructions for use, labels)

Outputs from the Device Attributes

Identified during design process and documented in Product Specification

Mostly depends on validated processes to confirm product compliance.

Use in prescript way (Instructions for use, labels) Control Risk throughout the Product Lifecycle

Process to Output InteractionDesign Operations Quality

Device Outputs Examples

Design

Input

Design

Output

Design

Review

Design

Verification

Design

Validation

Design

Transfer

Supplier

Control

Receiving Inspectio

n

In process Inspectio

n

Process

Validation

Calibratio

n

Preventiv

e Maintenance

Label

Control

Complain

t Managemen

tCAP

A

Field Action

Change

Managemen

t

Nonconforming Material

Functional Outputs electrical current, thermal energy, force ● ● ◕ ● ●◑ ◕ ◔ ◕ ● ◕ ◔ ◕ ◔ ◔ ◕ ● ◔Disturbance to the Environment EMC, debris, packaging ◕ ◕◑ ◕◑◑◑ ◔ ◕◑ ◔ ◔ ◔ ◔ ◔ ◕ ◕ ◔Outputs from Device Attributes biocompatability, sterility ● ● ◕ ● ●◑ ◕ ◔ ○ ●◑ ◔ ◔ ◔ ◔ ◕ ● ◔

Legend: Definition:

●High interaction/broad scope Interaction means the ability of the process to create or change hazards

◕High interaction/narrow scope Scope means the ability of the process to impact a small or larger portion of the product population

◑Low interaction/broad scope

◔Low interaction/narrow scope

○No Interaction

Risk Management in Design• The severity of the Harm determines the severity of the Hazard• The severity of the Hazard determines the severity for each

device output • Each device output is specified within the operating limits of

the device• Anticipate use of the device outside the operating limits• Device output specifications and operating limits are verified

and validated during the design process.• The Device Master Record (DMR) documents the approved

product design for manufacturing• A well done and maintained Risk Plan and Risk Management

File (RMF) are a great starting point for the next product generation.

Concepts for integrationDesign Build Use

Verified and Validated Device Design

(DMR/RMF)

Products fully

compliant to Device Design

Risk Objective:• Manage applicable quality system,

sourcing, manufacturing and packaging processes to deliver only products which are 100% compliant to the design specification (DMR).

Concept:• Transpose severity of device

outputs to manufacturing and packaging process requirements.

• “What is the risk of not meeting the device specification?”

• Reduce likelihood of failing to meet specification for high risk specifications.

Delivery from Design Team: Expectation from Patient/User, Health Care Provider and Regulators:

Supply Chain Risk

Part

Part

Part

Part QualificationAdjust qualification requirements based on Risk Level e.g. PPAP

Supplier QualificationAdjust qualification requirements based on Risk Level e.g. supplier audits

SupplierIncoming Inspection

IQCAdjust inspection requirements and sampling plans

Manufacturing

Final Inspection

Final InspectionAdjust inspection requirements and sampling plans

Manufacturing

Risk Level Determination

Part number

Part Description

Device Classification

Part Risk

Supplier Risk

245765 Microcontroller256741 Test connector

• Determine a methodology for Risk Level assessment which works for your company and meets requirements

• Keep it easy to execute and integrated with available data sources

Bill of Material

Risk Inputs

Risk Level InputsDevice Classification

FDA Classification

1 Class I devices2 Class II devices3 Class III devices

Part Risk Description

1 Contributes to non critical device output

2 Contributes indirectly to critical device output

3 Contributes directly to critical device output

Supplier Risk Description

1 Well established manufacturing process, existing facility

2 n/a3 New manufacturing process, new

manufacturing facility, new inspection and test requirements

• Select appropriate rankings for your Risk Inputs

• Preferably these rankings are already available (e.g. through other processes)

Risk Level CalculationRisk Level Calculation:

Risk Level = Product Classification x Part Risk + Supplier RiskScore Risk Level

1-5 Low6-8 Medium

9-12 High

Part number

Part Description

Device Classification

Part Risk

Supplier Risk

Risk Level

245765 Microcontroller 2 2 1 5256741 Test connector 2 3 3 9

• Align the Risk Level calculation and scoring with the risk acceptability levels of your company and keep them consistent

• Verify your calculation method of Risk Levels before use

Example:

Risk Level based executionPart number

Part Description

Device Classification

Part Risk

Supplier Risk

Risk Level

Supplier Qualification

Part Qualification

245765 Microcontroller 2 2 1 5 Self Assessment 5 Sections256741 Test connector 2 3 3 9 On-site system

and process audit

16 Sections

Risk Level

Supplier Qualification Part Qualification

Low Supplier Self-assessment (supplier questionnaire)

COC, HSF, Component Specification, Packaging Specification, Labeling and Traceability

Medium Supplier on-site quality system audit

COC, HSF, Component Specification, Packaging Specification, Labeling and Traceability, FA Submission Warrant, FAI Report

High Supplier on-site quality system and process audit

COC, HSF, Component Specification, Packaging Specification, Labeling and Traceability, FA Submission Warrant, FAI Report, Process Capability Evaluation, Inspection Method, GR&R, Process Control Plan, Process Flow, IQ,OQ,PQ, Material Certification, Drawing Review, FMEA

Process Risk

Test System ValidationAdjust validation requirements based on Risk Level

CalibrationAdjust calibration intervals

Process ValidationAdjust OQ an PQ requirements based on Risk Level

Process Validation

Computer Software Validation

Calibration

Test System Validation

(MSR)

Computer Software ValidationAdjust validation requirements based on Risk Level

Process Capability/Gage R&R

Process Capability Measurement System Capability

Risk Level Best Good Best GoodHigh Cpk > 2 Cpk > 1.67 Cg > 2 Cg > 1.67Medium Cpk > 1.67 Cpk > 1.33 Cg > 1.67 Cg > 1.33Low Cpk > 1.33 Cg > 1.33

• Setting your validation up for success

• Concentrating resources where they are needed most

• Avoiding compliance gaps in supporting processes

True product variance

Measured product varianceMeasurement System Capability

Measurement System impact

Process Validation – Acceptance Sampling

Risk Level Confidence Level

Reliability Level

Attribute Data Sample

Size, c=0Variable Data Sample Size

***Poisson Data Sample

SizeHigh 95% 99% 299 *20 20

Medium 95% 95% 59 *20 20Low 95% 90% 29 *20 20

• Samples for process validation are often a challenge (e.g. small patches, cost, time to build)

• Put the focus and effort where the highest risk is

Reference: Crossley, Mark (2000) the Desk Reference of Statistical Quality Methods. 1st Ed., ASQ Quality Press.

 

Where C is the confidence level, R is the reliability, and n is the sample size. For 95% confidence level, C = 0.95Ref: Crossley 2000

Notes: * minimum sample size to assess process normality. ** should be used for microbiological evaluations of devices

Quality System Risk

KPI and TrendingEstablish critical limits and alerts based on Risk Level

Customer ComplaintsAdjust escalation requirements based on Complaint Code (Risk Level)

Nonconforming Material

Customer Complaint

sCAPAAdjust CAPA due dates based on Risk Level

KPI and Trending

CAPA HHE

Nonconforming MaterialAdjust escalation requirements based on Exception Type

Health Hazard EvaluationAdjust due dates based on Risk Level

CAPA – Feeder Information• Structure information in feeder processes so

they can be mapped easily to risk levels• Examples: defect coding, complaint coding, trending alerts

based on indicators• Allow for an adjustment of the risk level in the

CAPA system (with justification)• Advantages of having the risk level connected

with the source information:• Easier for an operator to assign a defect code rather than

assessing the impact to patient/user• Provides more consistent assignment of risk levels• Allows early phases of CAPA to be executed faster• For certain codes it allows to initiate a CAPA directly

Issue Investigation / CAPA Request

CAPA

Audi

ts

Cust

omer

Com

plai

nts

Nonc

onfo

rmin

g M

ater

ial

Man

agem

ent R

evie

w

Othe

r pro

cess

es

CAPA – Advantages of Risk LevelsHow can you use the Risk Level information in CAPA:

Thoroughness

• Establish different time lines for each CAPA phase based on Risk Level

• Create spare capacity to support fast timelines for high risk CAPA’s

Speed

Effectiveness

• Different requirements for tools used in root cause analyses

• Minimum requirements for cross functional team• Use different confidence levels and reliability levels based

on the identified risk (similar to validation acceptance sampling)

Conclusion• A fully integrated Risk Management System ALWAYS needs to

start with the risk to the patient/user• Managing risk by System, Product Family or Therapy can help

to make your risk management more effective and efficient• Well structured device outputs can help to align the risk

management between design and manufacturing• Establish one Risk Level assessment method and use it

consistently across the company• Connect all applicable sub systems to the Risk Levels• Differentiate on how you execute your processes based on

Risk Level to achieve higher compliance, effectiveness and efficiency.

Own it!Seek Solutions!Make it happen!

Thank You!

Manfred Walderwww.linkedin.com/in/manfredwalder