Understanding the interface between clinical evaluation and risk management
Insights from a Let's Talk Risk! conversation with Alexej Agibalow
Note: this article highlights insights from a conversation with Alexej Agibalow as part of the Let’s Talk Risk! with Dr. Naveen Agarwal series on LinkedIn. Listen to the full recording of the discussion below.
Item 33 in the introduction to the EU-MDR1 emphasizes the need to align the risk management system with the clinical evaluation process so that all relevant clinical risks are adequately addressed:
The risk management system should be carefully aligned with and reflected in the clinical evaluation for the device, including the clinical risks, to be addressed as part of clinical investigations, clinical evaluation and post-market clinical follow up. The risk management and clinical evaluation processes should be inter-dependent and should be regularly updated.
The challenge is that the term “clinical risk” is not clearly defined in the EU-MDR. This has created a lot of confusion in the medical device industry about the scope of clinical risks that need to addressed through a clinical evaluation and appropriately integrated with the risk management system.
ISO 14971:20192 is the current version of the International Standard for application of risk management to medical devices. Generally speaking, industry practice of risk management is driven by an engineering approach which focuses primarily on risks arising from potential device failures. This approach, which relies heavily on using FMEAs3, misses many potential risk(s) of harm in the application environment that may arise even when the medical device is operating normally according to its design.
Risks associated with the use of a medical device in a clinical procedure are generally assessed through clinical evaluation. Clinical evaluation is a process which generates, collects and evaluates clinical data to verify safety and performance of medical devices during clinical use. In principle, the clinical evaluation process should connect and align with the risk management process to ensure that all risks associated with the intended use and foreseeable misuse are identified early in the design and development process. However, this interface is generally not well-defined in the industry. Interfaces with other processes such as usability and post-market surveillance are also not well-defined.
The result is a disconnect between various processes, which makes it difficult to continually monitor and update risks during the device lifecycle to ensure continued safety and effectiveness.
It doesn’t apply to just risk management or clinical evaluation. We have the same issue with usability. We have the same issue with post-market surveillance. People are not talking enough.
In a recent article4, Alexej explains that the interface to clinical evaluation is not just an additional requirement (of the EU-MDR), but an inherent part of the risk management process. He has proposed a conceptual model that illustrates how the scope of a clinical evaluation overlaps with the scope of medical device related risk management according to ISO 14971.
As shown above, clinical evaluation considers all potential risks inherent to the medical procedure, as well as those arising from the intended use of a medical device. Risks arising due to abnormal use5 are not included unless they are observed to occur repeatedly. Risk management, according to ISO 14971, includes only device-related risks, and those arising from reasonably foreseeable misuse. However, evaluation of the overall residual risk involves balancing all potential risks, including medical procedure related risks, against clinical benefits gained from using a medical device.
Therefore, the two processes are interconnected and should be aligned with each other throughout the device lifecycle. Industry practice, generally speaking, is to run these processes separately. It is not uncommon to see the clinical evaluation process to start when the device design has already been finalized. As noted above, risk management in the industry is generally engineering-driven with little to no clinical input in the early phase of design and development.
Engineers and clinicians both care about safety, but they look at risk differently.
It is critical to include clinical experts early, even during the concept development phase, to understand the clinical context for the device and to define user requirements in sufficient detail. Planning for the clinical evaluation, including synchronizing different activities during the post-market phase is essential.
During our conversation we also learned that ISO/TC 194 has started working on a new ISO standard6 for clinical evaluation of medical devices. A suggestion was made by a colleague to include ISO 14971 as a normative reference in this new standard.
Here are a few ideas and best practices that emerged from our discussion:
Talk more, collaborate more: risk management requires cross-functional expertise. Safety and effectiveness is a much bigger question which cannot be answered simply through engineering. ISO 14971 requires adequate planning for risk management including availability of competent personnel from different functions required to support key activities. Risk practitioners need to recognize gaps in available expertise on their team and facilitate collaboration across functions as well external resources. Risk management cannot be done in silos!
Understand interfaces, synchronize activities: although we have focused mostly on the interface between clinical evaluation and risk management, there are other parallel but connected processes such as human factors and post-market surveillance. Risk practitioners should consider a systems approach to risk management, clearly understanding different interfaces and designing working processes to align and synchronize different activities. As an example, literature search to evaluate safety and effectiveness is an ongoing part of both clinical evaluation and post-market surveillance. Information gained from literature search may also be useful for R&D.
Get involved, shape the conversation: As noted above, a new standard for clinical evaluation of medical devices is under development. Our industry is going through a massive change, both in technology and the regulatory environment. EU-MDR has renewed the focus on safety and risk management is now more important than ever. However there is a lot of confusion about how to satisfy these new requirements. There is a need for risk practitioners to engage broadly and add their voice to the conversation to help shape emerging best practices.
About Alexej Agibalow
Alexej Agibalow is a risk management expert at Escentia GmbH and manager of risk and regulatory affairs at Drager.
About Let’s Talk Risk with Dr. Naveen Agarwal
Let’s Talk Risk with Dr. Naveen Agarwal is a weekly live audio event on LinkedIn, where we talk about risk management related topics in a casual, informal way. Join us at 11:00 am EST every Friday on LinkedIn.
Disclaimer
Information and insights presented in this article are for educational purposes only. Views expressed by all speakers are their own and do not reflect those of their respective organizations.
EU-MDR: Medical Device Regulation (EU) 2017/745 of the European Parliament and of the Council published in the Official Journal on 5th May 2017.
ISO 14971:2019 - Medical devices - Application of risk management to medical devices.
FMEA: Failure modes and effects analysis is a common technique to identify potential failure modes of a medical device, their causes and effects, and to mitigate the risk of failure by identifying and implementing appropriate risk control measures. See IEC 60812:2018.
Alexej Agibalow article: Interface between clinical evaluation and risk management
Abnormal use is a subset of reasonably foreseeable misuse , which may include intentional acts of misuse, or intentionally using a medical device for a purpose outside the intended use as specified by the manufacturer.
ISO/AWI 18969: Clinical evaluation of medical devices. Under development.
Interesting article - reminded me of the sometime-disconnect between software developers and security personnel: different views of risk, security people are not always involved early enough in the product lifecycle, etc.