BN5208

Biomedical Quality and Regulatory Systems

Risk analysis and mitigation, and

Post market obligations
Agenda: what we will learn today…

• Housekeeping stuff…
• Practice questions…
• ISO 14971 and risk management
• What is risk and hazard
• Rubric for risk and hazard
• Estimation of risk and its mitigation/management
• Why some medical devices fail (sterilization and biomaterials issues and
long term consequences)…
• Post market surveillance (PMS) and vigilance
• Proactive vs reactive strategies
• Complaint handling, reporting and CAPA
• Case studies
 Important housekeeping information
The details of the CA quiz is:
• 25MCQ administered through Luminus
• 90 min duration
• Open book (but no communication allowed, the working space should be
visible during the exam duration)
• MCQs similar to the practice questions 
• No memorization needed (focus on understanding and analysis and NOT on
memorization)

Final presentation:
• Week 12: Gps 1-8
• Week 13: Gps 9-15
• Each group will have 12 min (+/-) 1 minute allowance

I will collate all practice questions into a single document and share it so that you
may practice them prior to the exam
Something to think about…isn’t it…
 Whole process in a Nutshell

Feedback
Loop
Premarket On market Postmarket

User need
identification
Design and
attributes
Prototyping and
manufacturing
Preclinical and
clinical trials Approval Packaging and
labelling
Advertisement
and sales
Post-market
obligations
Use and disposal

Initiation of Risk Verification Validation Surveillance/vigilance

identification and planning and QMS and Recall (if necessary)

This slide provides the general overview of the various critical steps and milestones that ‘ALL’ medical devices have
to undergo to reach the market, with particular emphasis on performance and safety. To facilitate your
understanding, I have not made it too technical. The feedback loop provides the necessary information to make the
next generation of medical devices, and to make it more safe and technologically advanced.
 ISO 14971: Application of risk management
to medical devices

• ISO 14971 provides manufacturers with a framework to

manage the risks associated with the use of medical devices

• ISO 14971 specifies a process for a manufacturer to identify

the hazards associated with medical devices, to estimate and
evaluate the associated risks, to control these risks, and to
monitor the effectiveness of the controls.
 Risk Management

• Risk management is the identification, assessment, prioritization and mitigation of risks

• Coordinated and economical application of resources to minimize, monitor, and control the probability and/or
impact of unfortunate events
• How they may be controlled (don’t confuse with removal of the risk)
• Assess risk/benefit ratio of risks that could not be reduced to an acceptable level
• Concept of residual risk and risk acceptability : Minimal risk that is acceptable to patients as part and parcel of
using a particular high risk medical device
 Concept of risk and Hazard
Hazard: Busy street
Event –
The ball rolls into Exposure P1
the busy street
Hazardous situation:
Small child playing
with a ball
P1 × P2
Harm P2

Harm: child is injured

Probability of
Severity of harm × occurrence of Risk
the harm
 Harm/hazard matrix

Severity/Pro Not likely Remote Occasional Frequent

bability
low Low Low Moderate High
moderate Low Moderate Moderate High
major Low Moderate High V. high
Severe (fatal) Moderate High V. high V. high

High and V high: not acceptable ;

Moderate risk: risk analysis and mitigation plan
Low risk: acceptable and approved
Risk analysis and management
Risk Analysis
• Intended use and identification of characteristics
related to the safety of the medical device
• Identification of hazards
• Estimation of the risk for each hazardous situation

Risk Evaluation

Risk control
• Risk control option analysis
• Implementation of risk control measures
• Residual risk evaluation
• Risk / benefit analysis
• Risk arising from risk control measures
• Completeness of risk control

Evaluation of overall residual risk acceptability

Risk management report

Production and post-production information

 Robust Practices for Risk Mitigation

Risk Mitigation

Proactive safety surveillance and Robust risk identification, Stringent post marketing
identifying new safety signals/ evaluation, characterization Adverse effect vigilance (PMV)
potential adverse-events and management reporting (AE)

Integrated approach
Inefficient documentation Noncompliant

Patient safety Reputation Litigation

Effective practices fundamental to risk management strategies

 Medical device failure (biomaterials and
sterilization issues)
• Failure can occur in many forms (Ethical and legal ramifications
…Class action lawsuit…Sulzer Inc.)
– Fracture
– Wear and tear over many years
– Infection
– Corrosion
– Immune response
– Sterilization compromised
– Inappropriate biomaterials
Post-market Surveillance (PMS)
and Vigilance
 Post-market surveillance (PMS) and vigilance
system

▪ Prior to placing the product on the market, the manufacturer will put in
place, as part of its quality management system, a process to assess the
continued conformity of the device to the Essential Principles of Safety
and Performance through the post-marketing phase. This process will
include complaint handling, post-market vigilance reporting and
corrective & preventive actions. It is a system for gaining and reviewing
experience in the post marketing phase.
▪ Conformity assessment and PMS is complementary to each other by
allowing safety, performance, and public confidence of the product
 Proactive vs. Reactive strategies

Proactive surviellance Reactive surveillance

Expert uses groups/focus groups Customer complaints
Customer surveys User feedback
Post-market clinical trials Devoted phone# and email ID to
Medical Affairs immediate redressal
Device tracking/implant registries List of FAQ’s
Central database of FAQ’s Regulatory agencies
Active ongoing communication with
stakeholders

• PMS could be ‘proactive’ – endeavours meant to anticipate and curtail events before they occur;
there are many types such as user surveys, manufacturer-sponsored studies, feedback forms etc.
In ‘proactive’ PMS activities, information is actively sought to gain insight and data into the real-
world performance of the device.

• PMS could be ‘reactive’ – responding after an event; of which there are many types ranging from
complaints to those involving serious injury or in an extreme case where a serious injury or death
has occurred. May involve feedback forms on adverse events and ‘hotline’ phone to connect to the
company and medical affairs
 Miscellaneous useful information
• Member economies need to have a regulatory mechanism for continual oversight
of the safety and performance of medical devices

• While pre-market review and registration pays attention to the design of the device
to assure its quality, safety and performance, it is only at the post-market level that
there can be oversight on the actual use of devices.

• Medical devices will inevitably be subject to various operating conditions upon

placement in the market, and no amount of rigor in the pre-marketing clinical
evaluation and review process can fully identify all possible device failures or
incidents arising from device misuse or failure.

• Such problems may arise from batch manufacturing error, unfamiliarity of the end-
user with the technology, or use of the device out of its intended scope of clinical
indications.

• It is through actual use that unforeseen problems related to safety and

performance can be detected.
 Roles of stakeholders

Regulatory • Oversee post-market activity

Authority

• Shoulder responsibility to most of the post-market

Manufacturer activity

• Report adverse event to regulatory authority or

User manufacturer

Regulatory authorities: maintain oversight on post-market activities including reviewing adverse event reports and
monitoring investigation and field safety corrective actions from local device dealers

Device dealers: shoulder responsibility for most of the obligations in the post-market framework. Key surveillance
activities to include in the QMS are maintenance of distribution records, complaint handling, reporting of adverse
events and carrying out corrective actions and preventive actions, including field safety corrective actions
(FSCA)/recall

Patients and users: should report adverse events either directly to the regulatory authority, or to the local device
dealers, or to both depending on national practices. If the user informs the regulatory body directly about an event,
the regulatory body should ensure that the pertinent manufacturer is informed without delay of such a notification.
Complaint handling for ISO-13485
Explanation of the procedure:
The organization is mandated, according to ISO 13485:2016, to implement a complaint-handling procedure that addresses the
following:
1.Applicable Regulatory Requirements: The organization shall document procedures for timely complaint handling in accordance
with applicable regulatory requirements
2.Receiving & Recording Information: A complaint communicated by oral, written, or electronic means. The procedure should
address how all received complaints are routed within the organization, recorded, and saved in a complaint log or Complaint
Management System
3.Complaint Evaluation: The information is evaluated to determine whether it is valid or not. If the complaint is declared to be non-
valid due to substantial reasoning (for example, the defect resulted from mishandling of the device, misinterpretation of a particular
issue as a defect, etc.), the customer is notified and no further proceedings are made.
4.Report to Regulatory Authorities: Serious complaints about medical devices are those which have an adverse impact on a patients’
health, surgical operation, etc have to be reported to regulatory authorities. The authority can stop sales of this product for the
period of investigation and resolution. In some cases, a particular device should have to be recalled from the market. The complaint
has to be resolved and closed by the regulatory authority.
5.Complaint Investigation: This is the most important part of complaint management, as it helps to identify the root cause. It is only
through the identification of the root cause that subsequent actions can be identified.
6.Handling of Complaint about Related Product: The complaint management procedure should also address the handling of
customer-related products that are returned to the vendor or supplier organization.
7.Correction and Corrective Action: After analyzing the root cause, the vendor must correct damages to resolve the complaint. A
correction can be accomplished by rework, or sometimes it is done by offering a replacement. Corrective action includes actions to
address the root cause. Records for corrections and corrective actions must be maintained.
8.Third-Party Involvement: Sometimes the complaint is a result of a third-party’s services in the manufacturing or delivery of a
medical device – for example, shipping services or external forging vendor of the medical device. The complaint-handling procedure
should address the mode of communication with external providers.
9.Review of Servicing Records: Servicing records are details of activities taken under scheduled or breakdown maintenance. If
records identify any servicing issue as a complaint, then the whole complaint management process has to be initiated.
10.Complaints & Product Quality Risk Management: ISO 13485:2016 has a requirement to assess the risk of product failure and its
inability to meet quality requirements. Complaints must also play a part in increasing the risk of failure. Complaints should be used as
an input to the product’s quality risk management cycle.

https://advisera.com/13485academy/blog/2017/03/21/how-to-comply-with-iso-134852016-requirements-for-handling-complaints/
 Classification of complaint
● Incident-driven
⮚ An incident that caused serious harm or death and occurred due to malfunction of the
medical device will require immediate attention of the complaint handling unit.

● Review-driven
⮚ When reviewing internal or external data, if a pattern of repeated failures or flaws at
inhouse acceptance activities area or from external for example that leads /qualifies
as a complaint.

Essentially, postmarket issues can be placed into one of two buckets. The first type is an “incident-driven” issue. For
instance, let’s say you receive a report from a hospital that an electrical malfunction has occurred. The failure could
have led to serious harm or death of the patient. This is an incident-driven issue that requires immediate action.

The second type of issue that arises is one driven by a review of data. For example, while reviewing service records
you may notice a trend in repeated failures of the software under certain conditions, which qualifies as a complaint.
That’s certainly a reliability problem and falls within the ISO 13485 and FDA definitions of complaints.
 Medical device complaint procedure

Step 1: Step 2: Step 3: Complaint

Intake complaint Investigate Close Management

Initial triage LEVEL I Closure occurs in Risk management

Valid? Initial investigation conjunction with
Potentially investigation (Step 2),
provided that Vigilance reporting
reportable? LEVEL II
Investigate to applicable parallel
probable cause processes are Immediate field action
completed
LEVEL III Corrective and
Investigate to preventive action
root cause (CAPA)

All complaints are feedback, but not all feedback is a complaint.

Step 1: Evaluate whether the complaint is valid or potentially reportable
The evaluation is performed to determine whether the information is truly a complaint or not and...whether
the complaint needs to be investigated or not. If the evaluation decision is not to investigate, the
justification must be recorded.

STEP 2 Investigate
In many cases, an initial investigation is conducted to determine that no further research is necessary. On
the other end of the spectrum are incidents where harm was done to a patient or user. These need to be
investigated all the way through to get at the root cause of the issue.

LEVEL 3: Investigate to root cause

You need to define the problem and then investigate its root cause. You will also need to determine
whether a recall is needed or if some other corrective/containment action is warranted.

How and when to close complaints

After investigation has been conducted and appropriate actions taken, it’s time to close the complaint.
If you ended your investigation after Level I and II, you need to document in your complaint files that
further investigation was not required and why. Include all data and reports, as well as a summary
statement for the complaint file.
if the complaint proceeds to Level III and you end up preparing While you are investigating and closing
complaints, you may also be updating your risk management files, preparing a vigilance report, and/or – in
extreme circumstances – taking immediate action to mitigate further harm.
 Corrective and preventive action (CAPA)

Relates to non-conforming products (deviate from the

usual functionality)

Establish procedures for investigation pertaining to:

• Identification (defective, non conforming specimens)
• Documentation (maintain complaints file)
• Evaluation (investigation of the reason)
• Segregation (isolate the defective specimen)
• Disposition (Destroy such specimen)
 Requirements for regulatory reporting

● Generally, Manufacturer needs to file a report with a medical device

Regulatory Body when:
⮚ A death or serious injury of health has occurred.
⮚ A serious public health threat has emerged.
⮚ A sustained negative trend (trending is documented and observed) has developed.
⮚ A recall or field safety corrective action (FSCA) has been issued.

● If your labeling is sufficient, reporting is not required when:

⮚ A small likelihood of death or serious injury.
⮚ The incident was caused by patient/user error.
⮚ The service life or shelf life of the device was exceeded.
⮚ The side effects were predictable and disclosed.
⮚ A device problem was discovered by the user prior to use.
⮚ The device shutoff or fault mechanism worked as designed.
 Medical device reporting requirements
(example only)
Mandatory device reporting requirements (FDA)

Reporter What to report To whom Reporting timelines

Manufacturer Reports of deaths, serious injuries, and FDA
Within 30 days from the date
malfunctions
of awareness

Manufacturer i) Specific type of events as requested by FDA FDA

Within 5 days from the date
ii) Event that requires remedial action to
of awareness
prevent an unreasonable risk of substantial
harm to the public health
Importer Reports of deaths, serious injuries FDA and
Within 30 days from the date
manufacturer
of awareness

Importer Reports of malfunctions FDA and Within 30 days from the date
manufacturer of awareness

• Typically (e.g., when public health is not threatened) FDA requires medical device reporting within 30 days of
becoming aware of an issue, and that’s consistent with the EU Directives. There are exceptions that may require
manufacturer to report a serious incident in 5 days.

• When incidents happen, manufacturer needs to be prepared to investigate them quickly. That’s important
because manufacturer obviously want to ensure that no further harm is done to patients or users, but also
because Regulatory Authorities mandate a speedy response.
Quick Reference on Medical Device Reporting
Timelines

* European requirements are for the Medical Device Regulation (2017/745).

** Japan has specific reporting timelines for incidents involving device malfunctions, breakages, and fault that could lead to serious events.
*** Only required if you also sell the same device in this market. Types of reportable events vary by country.
 Global Model
What is a medical device Definitions

What is needed to ensure

Safety and performance Essential principles of safety and efficacy

How to meet the Essential

Principles
Use of established standards

What is needed to ensure Clinical Evidence

Clinical evaluations (as appropriate) Requirements
safety and efficacy

Labelling and instructions for use

What level of Conformity

Assessment is appropriate
Risk based classifications

Supporting Documentation Technical file

Regulatory Assessment Conformity assessment

•Quality System Registered/approved

•Design Control Process
•Full Technical Evidence
Market entry

Audit procedures and Post Market Vigilance and Reporting

protocols Procedures
 Case study I
Product
X Ray Tomography

Product description
A computed tomography is a diagnostic Xray system to produce cross sectional images of the body by
computer reconstruction of x ray transmission data from the same axial plane taken at different angles. This
generis type of device may include signal analysis and display equipments etc.

Event description
During patient scan, the technologist heard a noise and entered room to remove patient. Upon entering
room parts burst out of gantry. The technologist immediately hit power cut-off and removed patient who
was unharmed

Discussion
• Has an event happened?
• Is a clinical incident associated with the device?
• Did the event lead to any of the following outcome
1. A serious threat to public health?
2. Death of patient, user or other person;
3. Serious deterioration in state of health, user or other person
4. No death or serious injury occurred but the event might lead to death or serious
injury of a patient, user or other person if the event reoccurs
 Case study II

Product
Femoral implant

Product description
Multiple component metallic bone fixation appliances an accessories

Event description
• Patient experiences a snap in his hip, followed immediately by pain
• Presented to emergency room, implanted hardware in hip discovered broken on xray
• Surgically removed 3 days later and replaced with total hip prosthesis

Discussion
• Has an event happened?
• Is a clinical event associated with the device?
• Did the event lead to any of the following outcome
1. a serious threat to public health?
2. Death of patient, user or other person;
3. Serious deterioration in state of health, user or other person
4. No death or serious injury occurred but the event might lead to death or serious
injury of a patient, user or other person if the event reoccurs
Glossary of terms for reference
References:
RAPS.org
GC-MDRA program
FDA.gov
 Lets learn together on the following Medical device
controversies

• Group 10: Lifepak defibrillator by striker

• Group 12: GE Healthcare’s Giraffe and Panda i-Res
Infant Warmers

10-12 minutes per group followed by QnA/discussion

Owing to some prior engagements Gp 11 will present the following week

Objective: To encourage individual and peer-to-peer learning which is typically followed in an industrial setting where small groups working
together come up a potential suggestion/brainstorm
Suggestions for expected deliverables/
domains that may be covered

In your presentation you can discuss on issues like;

1. The background of this scandal
2. How and why it happened
3. What effect the scandal/controversy had on medical device regulations?
Can such occurrences be prevented in the future?
4. What role did the regulatory authority play in the controversy? Were there
any shortcomings on their part?
5. How was ethics compromised in your opinion?
6. Any other relevant/interesting findings from your research on the topic…