Risk based approach to building a QMS in a startup
Insights from a Let's Talk Risk! conversation with Becki Hiebert
Note: this article highlights key insights gained from a conversation with Becki Hiebert as part of the Let’s Talk Risk! with Dr. Naveen Agarwal series on LinkedIn. Listen to the full recording of the discussion below.
Summary
Here are a few key points that emerged from our discussion:
Take a strategic approach to QMS
Focus on building the right mindset about Quality
Use a risk-based approach to create a flexible system
Collaboration is the key to success
Risk management is about patient safety, not compliance
Take a strategic approach to QMS
Becki recommends taking a strategic approach to building and implementing a Quality Management System (QMS) in a startup. Unlike a mature, established organization, a startup operates in a fast-paced and rapidly changing environment. That is why you have to think about both speed to support the near term goals, and scalability to support rapid growth in the future.
Clearly understanding stakeholder expectations and their business strategy is important. We have to look at not only the first product to go out of the door, but also the growth strategy over the next 3-5 years and beyond. Relatively low risk products requires fewer controls compared to higher risk products. Regulatory requirements and expectations vary across different markets in the world. We have to keep all this mind when thinking about our QMS strategy. Most importantly, our short-term and long-term strategy should align with the business strategy.
In the near term, speed to market is most important. It is good to be nimble in our approach to the QMS, but we should also not ignore the value of building a good foundation for the future. It is useful to take a project-based approach so that a QMS is implemented in time to support product launch.
A key challenge for Quality and Regulatory (QA/RA) professionals is to have a good understanding of the business strategy. Spend some time talking to key stakeholders to understand their expectations and growth plans. Then build your strategy for the QMS and seek alignment to get their full support.
Focus on building the right mindset about Quality
The main focus in a startup is on product development and market launch. It is important to keep in mind that talking about Quality and documentation requirements may be seen as a barrier to these near term goals.
In particular, the process of implementing design and development controls proves to be challenging in a startup environment. This is especially true for startups launching from an academic setting where the focus is more on discovery and not as much on keeping good records. Making a transition from very light documentation to the level required (and expected) by regulatory authorities is not easy.
It is our job to have a solid understanding of regulatory requirements and many unwritten expectations of auditors or certification bodies. But we have to present it in a way that helps the team understand the why behind these requirements, not just the what of everything that needs to be done.
We have to focus on building the right mindset about Quality; that it is not about slowing the pace of innovation, but about taking advantage of our work to reduce wasted effort and to improve the chance of success. When we build a habit of documenting our work, we can keep track of what worked and what didn’t. In this way, good documentation habits can support both innovation and regulatory compliance.
Use a risk-based approach to create a flexible system
It is useful to take a risk-based approach, not only in a stage-based implementation of QMS elements, but also in building flexibility in procedures and workflows.
As an example, not every CAPA1 involves a high risk issue. Your procedure should allow flexibility to apply the right amount of rigor to analysis, corrective and/or preventive actions, and documentation. This is the essence of a least-burdensome approach2, which is also supported by the US FDA.
However, it is easier said than done!
As QA/RA professionals, we need to get comfortable with a lighter version of QMS documentation based on risk. This can be challenging, especially when we are transitioning from a mature organization to a startup. Our past experience may have followed the maxim that if you didn’t write it down, it didn’t happen! In those situations, we are used to Quality System practices at a much higher level of maturity. But in a startup situation, a more nimble approach is needed.
We have to change our own mindset first.
Collaboration is the key to success
When Quality and Regulatory professionals take the time to talk to the product team, they develop a better understanding of common challenges and decisions made to manage risk.
In the end, we are all trying to achieve the same goal. We want to launch the best product which also meets regulatory requirements for safety and effectiveness. As QA/RA professionals, we focus on documentation to demonstrate safety and effectiveness in a convincing way to the regulators. But it is not the quantity of documentation that matters, but how it is compiled and presented to the regulatory authorities.
That is where collaboration becomes critical to success. We may have a good understanding of regulatory requirements and standards, but we don’t necessarily know the best way to answer the safety and effectiveness question. It is only when we work collaboratively with the product team that we can build a good story.
Beck shares how she became aware of the need to change her approach when she received feedback for improvement. It is important to be open minded and willing to change. Collaboration does not mean compromising on key principles, especially when it comes to patient safety. It means that we encourage and participate in robust discussions where different viewpoints are respected and heard before reaching a final decision.
Risk management is about patient safety, not compliance
In general, risk management is still seen as a check-the-box activity for the purpose of regulatory compliance. It is not yet integrated adequately with our core processes.
When we ship a medical device, we are essentially saying that it is safe to use our device. We make a judgment about safety of our medical device by balancing risks against benefits. That is why risk management is not simply an exercise in generating a report for compliance. It is about how we can convince ourselves, our customers and the public that our devices are safe to use, and that we have done our best to control all potential risks.
In the end, it is a judgment call. We need to be mindful that our judgment may not be correct. It is best to involve a cross-functional team of experts including those with direct, hands-on experience with the device in a clinical setting. This is one way of creating a system of checks and balances, where safety-related decisions are not taken in functional silos.
Another point to keep in mind that safety is not a static or absolute concept. We may be perfectly justified making a claim of safety and effectiveness at launch based on limited clinical data. But we need to continually monitor risks during the post-market phase to ensure continued safety. Our post-market surveillance process must be able to detect safety signals before they become a trend so we can take timely action. It should also provide a feedback of lessons learned for developing the next generation of products.
In this way, risk management activities span the entire lifecycle of a medical device. When building a QMS in a startup, it is important to think ahead and create a process with linkages to support these activities.
About Becki Hiebert
Becki Hiebert is currently the QA/RA lead at PulseMedica in Canada, where she is helping the development and commercialization of 3D imaging and laser targeting systems for precise retinal surgery. In her 10+ years of professional experience across both pharmaceutical and medical device industries, she has developed a hands-on expertise in regulatory requirements for current good manufacturing practices. She has served in a variety of roles in quality planning, process improvement, internal audits, quality system training and supplier/purchasing programs.
About Let’s Talk Risk! with Dr. Naveen Agarwal
Let’s Talk Risk! with Dr. Naveen Agarwal is a weekly live audio event on LinkedIn, where we talk about risk management related topics in a casual, informal way. Join us at 11:00 am EST every Friday on LinkedIn.
Disclaimer
Information and insights presented in this article are for educational purposes only. Views expressed by all speakers are their own and do not reflect those of their respective organizations.
CAPA: Corrective and Preventive Action. See 820.100 in Subpart J of FDA Quality System Regulation (21 CFR 820)
“Least burdensome” is defined by the US FDA as the the minimum amount of information necessary to adequately address a relevant regulatory question or issue through the most efficient manner at the right time. Source: The Least Burdensome Provisions.
This is a superb roadmap for companies looking to build a QMS.