Medical Device Risk Management explained through 1980's pop culture
Jason Ian Partin
Magician, and Medical Device Consultant for Quality Assurance, Regulatory Compliance, and R&D
I have three skills in this world: medical device development, teaching, and 1980's pop culture. I combined all three for this article, which I began while recovering from surgery that used products for which I had consulted. I've continuously improved it to be a practical guide for anyone wanting to apply risk management to medical device development, not only to comply with the global healthcare regulations but to create safer, innovative products.
Background
Government regulations require that a company selling medical devices must reduce risk to patients in a process of continuous improvement. Risk is defined as the severity of harm and how likely it is to happen. Companies should assign numbers to the level of severity and to the probability of occurrence. Those numbers should be based on both their products and current best-practices of competitors, and should be updated in a process of continuous improvement.
As simple as this sounds, many companies don't do it effectively. 44% of medical device recalls could have been prevented by design controls that included risk reduction. Today, up to 250,000 people die each year from accidental deaths in the American healthcare system. Healthcare is equally risky internationally; for example, almost 400,000 people recently received toxic implants from a French company.
We can help society by understanding and applying regulations meant to improve patient safety.
The big picture
The space shuttle Challenger exploded in 1986 because of an o-ring gasket that failed because it was designed for warmer weather than the cold launch day. The engineers knew this but there wasn't an effective risk management plan in place.
The root cause of the explosion was a lack of procedures to ensure communication between engineers, suppliers, and the launch team. I wrote an article re-analyzing the Space Shuttle Challenger explosion as if we could have applied the 2007 international standard for Risk Management in the year 1986. A condensed version is:
- Have a diverse team plan acceptable risk levels, how to monitor assumptions, and how to improve the plan; have all departments refer to this p
- Document hazardous situations and the sequence of events that could cause them.
- Estimate risk levels.
- Apply risk controls.
- Monitor assumptions and continuously improve the plan.
The article gives tools and some mathematical ways to represent risk, but no amount of analysis will reduce risk if we don't start with team-driven discussions. NASA had the world's best mathematicians analyzing incomplete information. To improve risk management, encourage a culture of open and transparent communication.
Risk analysis
Hazardous situations lead to harm. In the case of the space shuttle, the hazardous situation was caused by a sequence of events, starting with an o-ring designed for 40 degrees and ending with a January launch date when the weather was below 40 degrees. The harm that resulted from that hazardous situation was the explosion and death of seven people.
Risk quantifies the severity of that harm and the probability of it occurring. Pre-determined levels of acceptable risk allow teams to focus on reducing the likelihood of harm until risk is at an acceptable level. Most companies document acceptable and unacceptable risk levels in tabular format. Once the probability of harm is determined they can work towards reducing the likelihood of it occurring.
To help employees prioritize work, teams calculate risk, which is the severity of harm times the likelihood of it happening, using standardized methods that help people understand the importance of their work. One of the most popular methods is called "Failure Mode and Effects Analysis." Though the FMEA is a popular tool, it doesn't do a good job of letting everyone see the big picture. One of my favorite tools is called a cause-and-effect diagram, a fishbone diagram, or an Ishikawa diagram after the Japanese inventor of this technique.
A cause-and-effect diagram allows all departments to see how their work contributes to risks or rewards. It's a visual representation of all processes, allowing employees to see how all processes are linked.
An FMEA starts with the question, "What harm happens if this part fails?" and the fishbone diagram starts with the question, "How could this harm happen?" In other words, one starts with the product and leads to harm; the other starts with harm and leads to the product. Theoretically, both meet in the same place. The international standard for risk management, ISO 14971, doesn't specify which tools to use but requires that both approaches are documented. In other words, it requires providing both the hazardous situations and the risk estimate for each contribution to those situations.
Regardless of which method you use in analysis, the intention is to reduce risk using risk control.
Risk control
Anyone who has assembled store-bought furniture knows we rarely read instructions, which is why ISO 14971 prioritizes risk control built into the design of a product or as safeguards against harm. These priorities can be visualized using an analogy provided by Oriel STAT-A-MATRIX, a company that provides corporate training workshops:
An exposed fan would likely cause harm, even with written warnings. Plastic safeguards would be less likely to cause harm, but if for some reason the safeguards fell off then someone could still cut themselves. But, a safe design won't cut someone.
Unfortunately, that level of risk control isn't always possible with medical devices. For example, a needle must pierce your skin to do its job, so we can't eliminate the point. But we can add safeguards that cover the needle after use to prevent accidental sticks. The benefit of needles outweighs the remaining risk of a sharp point.
We can't completely reduce the risk, but we can prioritize risk controls until the benefits outweigh the risks. The European Union Medical Device Requirements and the European version of risk management, EN ISO 14971, require a risk/benefit analysis at the end of risk control. The risk/benefit is based on current best practices and must continuously update and improve to reduce risk as far as possible.
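The risk analysis and risk control steps above can be sketched as a small risk register. This is an added example, not part of the original article or of ISO 14971: the 1-5 scales, the acceptability table, the reduction estimates and all names are constructed assumptions, and the control ordering follows the fan analogy (design, then safeguard, then written information).

```python
from dataclasses import dataclass, field

# Constructed acceptability table: row = severity 1..5, column = probability 1..5.
# A = acceptable, R = reduce further and justify with risk/benefit, U = unacceptable.
TABLE = ["AAAAR", "AAARR", "AARRU", "ARRUU", "RRUUU"]
# Order in which controls are considered, following the fan analogy.
PRIORITY = {"design": 0, "safeguard": 1, "information": 2}

@dataclass
class Control:
    kind: str            # "design", "safeguard" or "information"
    description: str
    prob_reduction: int  # probability levels removed (constructed estimate)

@dataclass
class Hazard:
    situation: str
    severity: int        # 1 (negligible) .. 5 (catastrophic)
    probability: int     # 1 (improbable) .. 5 (frequent)
    controls: list = field(default_factory=list)

def rating(severity, probability):
    return TABLE[severity - 1][probability - 1]

def assess(hazard):
    """Rate a hazard before and after its controls and list follow-up actions."""
    prob, trace = hazard.probability, []
    for c in sorted(hazard.controls, key=lambda c: PRIORITY[c.kind]):
        prob = max(1, prob - c.prob_reduction)
        trace.append((c.kind, prob))
    residual, actions = rating(hazard.severity, prob), []
    if hazard.controls and all(c.kind == "information" for c in hazard.controls):
        actions.append("warnings only: look for a design or safeguard control")
    if residual == "R":
        actions.append("document risk/benefit analysis")
    elif residual == "U":
        actions.append("add controls or redesign")
    return {"initial": rating(hazard.severity, hazard.probability),
            "residual": residual, "score": hazard.severity * prob,
            "trace": trace, "actions": actions}

def sample_register():
    """Constructed sample hazards based on the article's needle and fan examples."""
    return [
        Hazard("used needle exposed after injection", 4, 4,
               [Control("safeguard", "cover that locks over the needle", 2)]),
        Hazard("exposed fan blade", 3, 4,
               [Control("information", "written warning label", 1)]),
        Hazard("fan redesigned without exposed blades", 3, 4,
               [Control("design", "no exposed blades", 3)]),
    ]

if __name__ == "__main__":
    for h in sample_register():
        print(h.situation, assess(h))
```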
As Far As Possible
In 1987 Chuck D, frontman of the hip-hop group Public Enemy, asked: "How low can you go?"
In 2017 Europe responded: "As Far As Possible."
The European Union Medical Device Regulations went into effect in 2017, and by 2020 will require devices to reduce risk As Far As Possible. AFAP is probably the most confusing part of European risk management. Some clarity comes from the 2014 European Notified Body consensus paper on EN ISO 14971:2012, where they say they've clarified the concept in a way that's "clear, easy to understand, and unambiguous."
I wrote an article 'based' around Public Enemy's opening lyric, "Bass! How low can you go?" to explain the AFAP concept and give practical ways to implement it, and an article explaining the psychology of why the concept's not clear, easy to understand, and unambiguous.
We're biased towards our previous policies and not receptive to conflicting concepts such as As Far As Possible that are not simply new forms but represent ambiguous concepts. For example, reducing risk as far as possible means that your technology must be "state of the art," which is another ambiguous concept.
State of the art doesn't always mean the latest technology; it means designing our product to be as safe or safer than the "generally accepted state of the art." For example, state of the art for car safety includes seatbelts, anti-lock brakes, and child safety seat attachments, but there's not enough historical evidence for self-driving cars to be the generally accepted state of the art. This may change as more automobile manufacturers develop self-driving cars and we learn the risk/benefit of this technology, which means that "state of the art" is a continuously evolving concept rather than a clear definition. I use David Hasselhoff's 1982 self-driving car to demonstrate how to make state of the art medical devices.
Document everything
Regardless of which risk analysis tools and tables you use, maintain a risk management file for each product so that auditing organizations can see evidence of continuous improvement. The file should include a documented plan, hazard analysis, risk analysis, risk control methods, verification activities, and evidence of post-market surveillance linked to plan updates.
My advice for reducing unnecessary paperwork is to make your plan the same document as the risk file, which is also the final risk report. In other words, I recommend that the plan starts with the end in mind, listing all required documents (acceptable risk level documents, risk analysis documents including all FMEA's or Fishbone diagrams, verification and validation testing documents, a risk/benefit analysis document, etc.). The plan then becomes the final report and is continuously updated as products evolve to remain state of the art.
To be effective, a risk management plan should be at the highest level in a company, above differences between departments, so that everyone can make risk-based decisions towards patient safety.
Risk-based decisions
The o-ring on the space shuttle Challenger was part of NASA's supply chain, which is an example of why risk management regulations require companies to make decisions using shared information. To illustrate how to make risk-based decisions I wrote an article using another event from 1986, the film "Crocodile Dundee." In the film, an Australian crocodile hunter visiting New York City made a risk-based decision when someone tried to rob him with a knife.
That article builds upon Crocodile Dundee's decision to illustrate risk-based decisions in processes that are linked through the process approach to quality control.
The process approach
All regulations and standards require the process-approach, which ensures that departments are linked through processes of continuous improvement. This isn't always implemented correctly because many people do not fully understand the process approach. To help, I wrote an article on what is and what is not a process using pop culture references from the 80's and 90's. As a hint, the flow chart shown is not a process, though it's funny if you "get" the 80's and 90's.
Audits
Government audits will check your documentation for evidence of risk-based decisions in a process of continuous improvement. To pass any audit, see my article where your guide to the FDA, Van Halen's David Lee Roth, explains how to use Brown M&M's to check compliance with regulations. My favorite part of this article is that it's based on actual Van Halen contracts, David Lee Roth's autobiography, and an interview with David. I cross-reference the concept with FDA warning letters and give the secret to passing any audit.
Regulations, Requirements, & Standards
Regulations are required, standards are strongly suggested and it's often easier to apply standards than to justify not using them.
Medical device manufacturing is regulated in the United States by 21 CFR 820, and internationally by ISO 13485:2016. Both require risk analysis, but neither describes how, so we use methods from the International Standards Organization, ISO, which describes Risk Management in ISO 14971:2007. Additionally, the European Union added requirements in a supplemental standard, EN ISO 14971:2012, which was further explained in the 2014 European Notified Body consensus paper on EN ISO 14971:2012.
EN ISO 14971:2012 satisfies global risk requirements and allows an abbreviated regulatory process in the United States.
The European Union Medical Device Regulations, EU-MDR, will replace the Medical Device Directives and require companies to focus on continuously improving risk management. I summarize MDR changes in an article, "MDR: the medical device regulation formerly known as MDD."
Medical device companies must pass country-specific audits for each country in which they sell their product. An exception is the Medical Device Single Audit Program, MDSAP, which is currently accepted by five countries, including the United States. The official diagram illustrating MDSAP concepts shows that Risk Management is the highest priority and should oversee Purchasing and supply chains for all departments.
More than a regulation
When used properly risk management leads to safer products, more revenue, and improved business practices.
Healthier society
Hospital workers were often exposed to used needles, increasing their risk of diseases such as HIV and Hepatitis C. The first company to innovate a way to reduce this risk quickly dominated the market, and other companies scrambled to create their own designs. Now, patients all over the world benefit from multiple forms of risk reduction, ranging from different needle designs to user-friendly disposal containers.
More revenue
In the past, a patient with a heart attack had to wait for trained paramedics to arrive with a cardiac defibrillator. Paramedics were trained to ensure a patient had a heart attack, as opposed to an illness with similar effects, because using a defibrillator on someone without a heart attack could harm them. Companies innovated defibrillators that reduced this risk by detecting a patient's condition before allowing defibrillation, which allowed public defibrillators all over the world.
Improved business
We don't always need new products, sometimes we need to continuously improve our quality control methods. The Sulzer orthopedic company recalled one of their hip implants because a manufacturing change introduced risks into their product. Their quality system did not have modern risk management methods, resulting in thousands of patients with failed hips, secondary surgeries, and permanent damage to their livelihood. A billion dollars went towards lawsuits. This is a case where an ounce of prevention would have been worth a pound of cure; innovative companies must ensure they are continuously improving quality, production, and communication based on current best-practices.
Learn more
The high number of deaths from healthcare mistakes shows that lack of understanding and applying risk management is more harmful to patients than unethical people. As Ferris Bueller said in the 1986 film Ferris Bueller's Day Off:
"Problems don't come from bad intentions, problems come from apathy or ignorance."
That quote is actually an aphorism, an old saying that's often rephrased and mistakenly attributed to someone, which is an example of how there are nuances in definitions; therefore, we should ensure we use ISO's interpretation of a word, not our own. Also, it's not an aphorism, and it's not from Ferris Bueller. I made it up and created the image to demonstrate that we should research facts and develop our own understanding before trusting unofficial sources of information.
All regulations are available for free online, and most international standards are a negligible cost compared to using free articles that summarize information in witty and memorable ways.
"The cure for ignorance is to either seek knowledge or hire Jason Partin and follow him blindly." - Benjamin Franklin
Use these definitions to search regulations and standards:
- Harm - injury to people, or damage to property or the environment
- Hazard - something that can cause harm
- Hazardous Situation - a situation in which a hazard could cause harm
- Hazard Analysis - a process for identifying hazards and hazardous situations
- Risk - the severity of harm and the likelihood it will happen
- Risk Analysis - a process for estimating risks from hazard analysis
- Risk Control - actions taken to minimize risk
- Risk Management - a company's official, systematic process for reducing risk
- Risk Management Plan - a plan before risk activities, required by law and standards
- Risk Management File - a document tracing the location of all risk documents
- Risk Management Report - a report summarizing all risk management activities and how risk will be continuously reduced
As I mentioned, I recommend reducing paperwork by combining the risk management plan, file, and report into one document. That document would be continuously updated as products evolve to remain state of the art, and all departments use it to make risk-based decisions.
Get assistance
These consulting & training companies can help your team understand and apply regulatory requirements.
- Oriel STAT-A-MATRIX (I consult with Oriel)
- Maetrics
- LNE G-Med
- MDI Consultants
- Green Light
- Me (Jason :-)
Parting thoughts
Risky Business was a 1983 film that spring-boarded Tom Cruise into fame after he danced in his underwear, just like how my career began. (Just kidding.) In the film, a teenage Tom took risks, resulting in harm to his father's car and home. Like most movies in the 80's, their problems were solved with money and friends.
Healthcare is Risky Business that affects people's lives and well-being; harm can rarely be fixed with money. Patients who received harmful hip-replacements would give up their insurance settlements in order to walk normally again, to play soccer with their children, or to enjoy aging without pain. Any heart-attack patient saved by a public defibrillator would be grateful for risk-reduction, and hospital workers all over the world are safer each day thanks to reduced risk of needle-sticks.
Our work is important. Government regulations are trying to provide safe, effective healthcare for what we predict will be 10 billion people by 2050. To do this will require all of us collaborating. Help society by learning more about risk management regulations and practicing leading from within an organization.
Take a break from making the world safer to have fun watching Tom Cruise dance in Risky Business, a risk that paid off.
THANK YOU
I consult on continuous improvement and socially-responsible, purpose-driven work.
I'm also continuously improving, especially in my choice of haircuts since this 1986 photo from my high school homecoming dance.
Please share if you think others could benefit.
See more articles at JasonPartin.com
Medtech Consultant, Mentor: Covid19; Innovation; IP Expert; Biomaterials,3D Surgical Printing, Drug Delivery, Tissue Engineering, Nanotech
(6 years ago) Also, see my post Failure Analysis: What to do when implants fail and how to proactively mitigate failure. https://www.dhirubhai.net/pulse/failure-analysis-what-do-when-implants-fail-how-mitigate-mike-helmus