Foundations of a Risk Management Program

By Mark Durivage, Quality Systems Compliance LLC

Mark Durivage, Quality Systems Compliance LLC

In the FDA Regulated Industries, the concepts of risk management and risk-based thinking are often ignored, misunderstood, and/or misapplied. Identifying and preventing risks and their associated hazards can help reduce adverse events, product recalls, and regulatory enforcement actions. Additionally, an effective risk management program can help the organization effectively deploy its resources. This article will discuss the benefits of utilizing risk management and risk-based thinking throughout the quality management system (QMS) and present a common risk management model currently used within the FDA Regulated Industries. Subsequent articles in this series will provide examples and the application of some of the most commonly used risk management tools currently used in the FDA Regulated Industries.

For the Medical Device Industry, the Food & Drug Administration’s 21 CFR 820Quality System Regulation is the primary document driving safety and effectiveness of medical devices for patients and users. The application of risk management and risk-based thinking can be applied holistically to the QMS including; production, design & development, inspection, testing, verification, validation, purchasing, nonconformances, environmental control, corrective and preventive actions (CAPAs), complaints, and internal auditing.

Before discussing risk management and risk-based thinking further, it is important to define some of the terminology associated with risk management and risk-based thinking. ANSI/AAMI/ISO14971:2007Medical devices—Application of risk management to medical devices provides the following key definitions:

• Risk: ‘combination of the probability of occurrence of harm and the severity of that harm’
• Harm: ‘a physical injury or damage to the health of people, or damage to property or the environment’
• Severity: ‘measure of the possible consequences of a hazard’
• Hazard: ‘potential source of harm’

These definitions are widely accepted and used in a variety of FDA regulated industries.

Risk management and risk-based thinking should be applied in a broader context to all processes of a quality management system. The International Conference on Harmonisation (ICH) Tripartite Guideline Quality Risk ManagementQ9 provides a useful and often used model for the risk management (refer to Figure 1: Quality risk management process model).

The model is comprised of three primary phases consisting of Risk Assessment, Risk Control, and Risk Review supported by Risk Management Tools and Risk Management Communications.

Risk Assessment Phase

The risk assessment phase begins with the identification of hazards, and an analysis and evaluation of risks associated with the identified hazards. Performing a risk assessment is like developing a project plan and should begin with a well-defined scope (process, system, etc.).Once the scope is defined, the types of information needed to address the risk become more apparent. A process flow chart is a good way help bracket and identify potential risks (refer to Figure 2:Example process flow diagram).

To identify and define the risk(s), three questions are typically used:

1. What may go wrong? (hazard)

2. What is the likelihood it will go wrong? (risk)

3. What are the potential consequences? (harm)

Risk Control Phase

The goal of the risk control phase is to reduce the identified risk(s) to an acceptable level. Risk control should be proportionate to the significance of the risk. In other words, risks determined to be higher should be given priority over risks considered to be lower. Relative risk scores and Pareto Analysis are two common methods used to prioritize risk management activities.

Risk Review Phase

The risk review phase should be an ongoing part of the risk management process. A formal mechanism to review and monitor production and post-market events should be established and implemented. Risk management activities are part of an on-going process and are living documents which require evaluation and periodic review to ensure efficacy.

During the risk review phase, new knowledge and experience gained may need to be assessed and integrated into the risk assessment and risk control phases of the risk management process. Post-market surveillance data from complaints, adverse events, and recalls can be used as part of risk review. Furthermore, internal sources of data including corrective and preventive actions, nonconformances, deviations, maintenance records, calibrations, validations, training, etc. can also provide valuable insight.

Risk Communication Phase

The risk communication phase consists of sharing of pertinent information about risk and risk management activities between the various internal and external interested parties. Formal and informal communications regarding risk may occur at any stage of the risk management process.

Risk Management Tools

There are several risk management tools that can be used to support an effective risk management program. The three most common risk management tools used in the FDA Regulated Industries are Failure Modes Effects Analysis (FMEA), Hazard Analysis Critical Control Point (HACCP), and Hazard Analysis and Risk-Based Preventive Controls(HARPC).  Each of these tools can help identify and control risks to ensure the safety and effectiveness of medical devices.

Risk Management Tool Prerequisites

Risk management tools are most effectively used in a team environment. The first and most important rule in any risk management activity is that a team always will make a better decision than an individual. One of the most commonly used tools used to generate several ideas or thoughts in a short time is known as brainstorming.

Brainstorming begins with the team agreeing on the risk topic to brainstorm, which is documented and displayed so the team can remain focused on the risk topic. Team members contribute ideas related to the risk topic, which is generally accomplished by each team member verbally providing a single idea. The idea is recorded, and the next team member verbally provides a single idea and the idea is recorded. This process continues until the team runs out of ideas.

Once brainstorming process has generated several ideas, the team may wish to organize the ideas into categories or groupings using an affinity diagram. Team members use complete an affinity diagram by using sticky notes to group ideas into logical categories or natural groupings. This helps the team organize their thoughts and gain consensus.

Process flow charts are another tool which can help the risk management team conceptualize the various tasks or steps in a process. The risks for each step or task can then be assessed and controlled.

Benefits of a Risk Management Program

A comprehensive risk management program will first and most importantly protect the recipient/patient safety, protect the donation, can provide a solid foundation for the organization’s compliance with regulatory and accreditation compliance. A risk program can also help channel the organization’s limited resources where they can provide the most impact upon the organization.

Conclusion

I want to reinforce that risk management activities should be based upon an organization's risk acceptance determination threshold, industry practice, guidance documents, and regulatory requirements.

There may be industry recognized standards that will prescribe risk management activities.  If standards are available, I suggest they be utilized as appropriate.