Why failing to update your risk matrix is a problem

It may get you warning letter from the FDA

In a recent warning letter to a manufacturer of a modular cooler-heater device (MCH), the FDA is citing an observation that the firm failed to update their risk matrix when a new risk of biofilm formation was identified through complaints. There are other issues cited in this warning letter related to risk evaluation process, design controls and the CAPA process.

In this case, there is a gap between the review of complaints and the risk management process, where we need to update new hazards, hazardous situations and harms during the post-market phase of our medical device.

Why is this a problem?

When new risks are identified during the post-market phase, it is important to review them and take timely action to prevent further harm to patients. In this case, if a new risk of biofilm formation is identified, and appropriate risk mitigation measures are not implemented, then there is an increased likelihood of infection. In fact, FDA is citing several complaints of bacterial contamination on the device and 1 case of patient infection during the review timeframe to support their observation.

A bigger issue here is whether the medical device would still be considered safe and effective by the FDA. Keep in mind that the regulatory bar for market authorization is safe and effective, which essentially means that probable benefits of the device exceed the probable risks. If the review of complaints indicates that there are new risks which are not appropriately mitigated in a timely manner, then the overall benefit-risk balance of the medical device may no longer be sufficient to support continued market authorization. Of course, a warning letter by itself does not imply that the benefit-risk is no longer acceptable. However, it is an initial step by the FDA that may lead to other, more serious enforcement actions including seizures, injunctions and criminal prosecution following such determination.

Consider these best practices

1. Establish a dedicated process for safety surveillance

In general, Complaints handling departments in the medical device industry are very busy and severely resource constrained. They have to receive complaints, record them accurately, do investigations and, most importantly, evaluate all complaints for reportability. Complaints handling is a day-to-day operation, not a surveillance operation.

An industry best practice is to establish a separate post-market surveillance process to monitor trends, detect safety signals and prioritize follow-up actions. This process is aligned closely with the complaints handling process, but it also involves other functional experts. A key success factor is availability of competent resources and clear assignment of roles and responsibilities. The output of this process can be integrated with periodic regulatory reporting such as Post-market Surveillance Reports (PMS), Periodic Safety Update Reports (PSUR) or Clinical Evaluation Reports (CER).

2. Establish a direct link between risk analysis and design controls

Design and development process is time-limited, bookmarked by a beginning and an end. Risk management process, on the other hand, is continual and remains active throughout the medical device lifecycle. In particular, the post-market phase of the lifecycle may involve subsequent actions through design changes, process changes and/or labeling changes.

A direct linkage between the outputs of risk analysis, specifically hazard analysis, and design inputs is needed. Think of this as a map of hazards, hazardous situation and harms and how they are linked to different design inputs. Note that not all design inputs may be safety-related. However, all safety-related design inputs should be clearly identified and linked to appropriate design outputs that are effectively implemented and verified/validated.

An industry best practice is to develop an efficient system of cross-referencing each risk item in a risk trace matrix with one or more design inputs/outputs in a design input trace matrix.

When new hazards, hazardous situations or harms are identified during the post-market phase, this cross-referencing allows a quick assessment to decide whether existing risk control measures are sufficient or if additional risk control measures are required.

3. Develop a risk-based approach to CAPA investigations, resource allocation and effectiveness check

Generally, the CAPA process (Corrective and Preventive Actions) is used to investigate quality/safety issues and to implement corrective/preventive actions. As a result, there is a tight linkage between the post-market surveillance process described above and the CAPA process.

It is also a general observation that the CAPA process requires a lot of resources and oversight. Yet, the CAPA process is frequently cited for significant deficiencies in audits and FDA inspections.

There is now a realization in the industry that a risk-based approach is needed to improve effectiveness. But what is a risk-based approach and how do you implement it consistently and systematically?

One way is to focus on the severity of the potential outcomes. Higher severity outcomes require more urgent attention and quick action to prevent further harm. But the other component of risk is likelihood (or rate of occurrence). There are many low severity outcomes that may suddenly increase in frequency that may also require urgent attention.

It is clearly a balancing act! One element of effectiveness of your post-market surveillance process is its ability to separate signal from noise. If your post-market surveillance process is working well, it will correctly identify only high-risk signals as inputs for the CAPA process. It will also give you a solid case to document a justification why a CAPA is not required in other cases. There is no cookie-cutter formula for this; just realize that it will require not only good analytical skills (statistics etc.) but also good decision making abilities and judgment.

4. Clearly define timeline expectations for key actions and monitor closely

In this warning letter, FDA noted that the risk matrix had not been adequately updated even after 6 months since the first complaint about biofilm was received. It was noted that the complaint procedure required a review of complaints against the risk analysis procedure, but there were no clear instruction on the frequency and scheduling of these reviews.

Is 6 months too long for appropriate follow-up? What is timely? What should be reasonably expected?

The challenge here is that timely action is expected by regulatory authorities, but there is no clarity on what is considered timely. We have to decide what makes sense in light of the type of device and scale of our operation. Even within the same organization, timeliness expectations may be different under different circumstances.

It may be useful to understand what might be considered not timely. In this warning letter, FDA is citing additional evidence that complaints of bacterial contamination on the device and even 1 case of patient infection was reported to the firm. Yet, the risk matrix had not been updated at the time of the FDA review. This observation supports the conclusion that the firm's response is not timely, since the risk of contamination (and infection) may have been actually realized in the field before suitable action was taken.

Therefore, one factor affecting timeliness may be the interval between awareness of risk and actual realization of risk. This involves understanding likelihood and some amount of judgment. Whatever approach you use, be mindful that it is not a good idea to establish a single timeliness requirement for different processes and their deliverables. Rather, a case-by-case approach may be needed.

In conclusion

This warning letter highlights the importance of an effective post-market surveillance process that facilitates risk-based decisions and timely actions. Expecting the complaints handling department to also lead surveillance activities is not realistic. Rather, a separate process is needed which aligns with complaint handling and operates on a suitable frequency. Post-market surveillance is only one part of the overall risk management process, which is expected to be integrated across other key operations such as design controls.