Tuesday, June 6, 2017

Risk vs. Risk

RISK  VS. RISK

"Risk-based ...", a source of confusion to the medical products industries.

Some say this should be a generalized approach throughout a company. This is partially correct.  If a company is primarily addressing ISO 9001, then they are focused on ISO 31000, Risk Management, which addresses all manner of business risk.    
   
However, if we are dealing with medical products, the U.S. FDA wants to see “risk” tied specifically to to patient (and user) risk. The recently revised ISO 14971:2019 requires the patient risk be considered in all applicable company's QMS systems.  

I have always recommended that companies tie such key medical product risk-based decisions to a Product Risk Document -  ISO 14971 Risk Management File / Review, or ICH Q9 file;
     -  Cite specific line items, e.g., from a FMECA;
     -  Include “Normal” as well as “Failure / Fault” in Hazard List / FMECAs.

“Risk” in FDA-regulated industries usually means patient risk, not business, IT, legal, etc., risks, though some are obviously tied together.  If you are marketing medical products both in the U.S. and EU / overseas, then your documentation will have to clearly address both types of risk, product / patient, and business.


ISO 14971 patient risk / safety vs. ISO 31000 business risk / financial risk / schedule risk / compliance risk / “safety”, et al.

Understanding such patient “risk” will determine how far to proceed on test cases, failure investigations / root cause analysis, degree of documentation, etc., needed to resolve a medical product risk issue.

Additional references:


"Pharmaceutical cGMPs for the 21st Century - A Risk-Based Approach", September 2004: 


"FDA has identified a risk-based orientation as one of the driving principles of the CGMP initiative.  The progress outlined below reflects FDA's commitment to the adoption of risk management principles that will enhance the Agency's inspection and enforcement program, which is focused on protecting the public health."  (bottom paragraph, page 3; emphasis added).

 - https://www.fda.gov/media/77391/download


John E. Lincoln        jel@jelincoln.com
Updated 05/23/2022; 06/20/2022

ISO 14971:2019 in its Introduction defines risk as 1) Patient risk; 2) User (clinician ...) risk; and/or 3) Use environment risk. - JEL 02/06/2023  

ISO 14971 is risk management for devices (and the device's QMS); ICH Q9 is risk management for drugs. Recently, the FDA has also used "risk" in the context of security risk, especially related to cybersecurity issues, but even here the emphasis is on patient safety. - JEL 09/06/2023 
... and CGMP compliance risk, which also emphasizes people risk. - JEL 10/20/2024 

No comments:

Post a Comment