We want to do it "right", but we are stuck!
When it comes to risk management, we seem to be stuck in compliance.
It all started with a simple question I posed to my colleagues on LinkedIn in a recent poll:
Would you still do risk management for your medical device if it was not expected (or required) by regulatory authorities?
The response was an overwhelming YES!
Now, this is by no means a scientific poll. But as reflected in the comment below, it is a common-sense view held by a majority of my colleagues.
Yes, it’s good business sense. Not incorporating risk management can lead to exorbitant costs (and the obvious, patient safety issues) for a company in corrections and removals, not to mention the lawsuits if and when a device fails.
So, why do we all have this feeling that risk management is generally viewed as a paperwork exercise in the medical device industry, mainly to comply with regulatory requirements?
I explored this topic further in a recent live session, where we tried to imagine a different world: one where we did not have a compliance focus, but instead did risk management for the right reasons.
Here are 5 key points that emerged from our discussion.
1. Doing it right makes business sense
Everyone in our industry intuitively understands that risk management is important. It is the right thing to do for our patients and other stakeholders. We must develop, launch and consistently produce safe and high-quality medical devices.
"It's good business sense", as noted by one of our colleagues in the comment above.
2. We have a strong desire to be patient-focused
Everyone who works in the medical industry is highly passionate about our patients. We work very hard to build products that save lives. In my 10+ years in the industry, I have seen a very high level of commitment across the board. Many of us work long hours, even on nights and weekends. We give up personal family time to show up and do whatever it takes to keep serving our patients and other stakeholders.
However, there is also a feeling that most of our work related to risk management activities is driven by compliance.
So the question is not whether we should do risk management. The question is more about how to do it with a focus on the patient, and not on compliance.
3. We are stuck in a system focused on compliance
In practice, risk management in the industry feels more like an exercise in documentation for the purpose of regulatory compliance. It feels highly burdensome, especially because we are required to maintain and update our risk management files throughout the lifecycle of each product. Countless hours are spent keeping up with changing risk levels and updating our documents. We often feel stuck!
This feeling of regulatory burden is even more prevalent today in light of the EU-MDR/IVDR [1].
However, a lot has to do with our own confusion. There seems to be an impression that regulations require risk management to be done in a certain way. Regulations tell us the what, not the how. Did you know that compliance with ISO 14971:2019 [2], the International Standard for risk management of medical devices, is not mandatory? It is certainly a good idea, because ISO 14971:2019 is the state of the art in risk management, but you don't have to do it. Further, you don't have to comply with any of the guidance in the annexes or in ISO/TR 24971:2020 [3]. You can do it any way you want as long as you can satisfy the requirements in clauses 1-10 of ISO 14971.
Part of the reason for confusion and inefficient, burdensome practices in the industry is the way Notified Bodies conduct their assessments. We can detect a sense of frustration in this comment from an industry colleague:
Yes, and we could already start to change if Notified Bodies and other agencies weren't "gatekeeping" risk management by demanding FMEA (not mandatory for medical devices), arguing about wordings, etc. I wonder if their expertise is based on too narrow training to allow critical thinking? Or is the narrow tolerance due to liability?
In short, the problem is not the requirements, or the regulations, but the way we have implemented them in our system. This is where we need to take a deeper look and challenge the status quo.
However, we all feel stuck in the current system. We often find ourselves running against the clock, trying to fix gaps and vulnerabilities purely from a compliance viewpoint.
What if we took a "clean sheet of paper" approach? Ed Bills talked about this in another live session with us, where we discussed the history and evolution of ISO 14971. But first, we need to be honest and acknowledge the current state.
4. Automation can help but only if the process is right
During our live session, one of our colleagues suggested that we could use automation to help alleviate the documentation burden and improve efficiency.
This is a good idea. However, the underlying process needs to be robust.
There are still many points of confusion which lead to many mistakes and inconsistencies in our risk analysis process. We have to first identify and fix these issues before we deploy automation. Otherwise we will suffer from GIGO (garbage-in-garbage-out!), which will make the situation even worse.
Bottom line, before you rush to implement the latest high-tech automation solution - and there are many such solutions out there - you need to take a careful look at the underlying logic and structure of your risk management process.
5. Safety can be an explicit business goal
What would you say if I told you that a leading automotive manufacturer is aiming for zero fatal accidents in 2030?
And they have declared it publicly in their 2021 integrated report [4].
Yes, this is bold. Yes, this must be intimidating to their rank and file. Yes, this must be achieved under the heavy burden of industry regulations.
But is it inspiring? You bet it is.
Would you buy this manufacturer's model as a first car for your teenage child who just got their driver's license? Very likely.
Why would they want to declare it so boldly? Because they know their customers care.
Therefore, it is certainly possible to make safety not only a part of your vision statement, but also an explicit business goal. It is good for business and it will inspire your entire organization.
As another colleague commented:
When properly implemented, consideration of risk is less burdensome and inherent to the culture of the organization.
Ask any CEO of a medical device company and they are sure to emphasize that patient safety is number one for them. I believe it to be so. However, we don't see an explicitly stated business goal around safety performance in our industry.
What if we did? Wouldn't it inspire us to do things differently?
Maybe then we could get unstuck! I invite you to share your thoughts.
[4] Subaru: Integrated Annual Report 2021
This article is right on - it's possible to do strategic risk management, but too many fall back on surface-level compliance. When it comes down to making more money or reducing more risk, most companies choose making more money - that's why we need regulation, but the implementation doesn't have to be a weighed-down anchor; it can be a lightweight sail.