Remediation: Risk Priorities

By Maria Fontanazza

Part III of the series on remediation looks at how companies can tie risk priorities into the remediation process.

Mark Leimbeck, UL
Mark Leimbeck,
Program Manager,Medical Regulatory Advisory Services, UL, LLC

In our final Q&A series on remediation, Mark Leimbeck, program manager, solutions at UL, LLC, talks about the role of controls, business risks, process maturity and post-production monitoring in the process.

MedTech Intelligence: What are some of the risk priorities that must be tied into the remediation process?

Mark Leimbeck:


A fundamental question to ask is whether risk controls or mitigations are truly risk based. It’s important to make sure that employees understand the relationship of the given control to the basic safety or essential performance of the device. Some elements of the device might be there primarily for marketing purposes (i.e., bells and whistles) versus elements that are critical to the clinical function of the device. Those aspects or features of a device that are there only for convenience or appearance need not have the same level of control as an aspect or feature that, should it not perform as intended, result in patient harm. This again relates back to the concept of essential performance. We must understand what aspects or features are needed to ensure effectiveness of the device and patient safety, and then implement (risk) controls to ensure that those specific performance aspects or features are preserved in all conditions of use and foreseeable misuse.

Did you miss Part II? Remediation: Considerations During the ProcessA caution on business risks

Risk is a term that has recently become widespread in the standards community, and certainly, there are many types of risk. However, the different risks being considered and addressed by various stakeholders can create regulatory problems if it is not carefully managed and applied. Specifically, a number of manufacturers have not only ISO 13485 registration, but have also received certification to ISO 9001. Explicitly stated in ISO 9001 is that an organization:

“…shall determine… issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) …

NOTE…Understanding the external context can be facilitated by considering issues arising from … competitive, market, … and economic environments …”

That is a perfectly reasonable requirement, but it creates a conflict with the regulatory requirements of the European Union. The EU regulations place a strong emphasis on ensuring that financial concerns do not enter into the equation when making risk judgments. Therefore if you’re dual certified to ISO 9001 and ISO 13485, it’s critically important that you understand what is stated in your documentation, and whether there is a clear line of delineation between financial risk and safety risk.

Attend: Practical Risk Management | in person (Washington, D.C.) or via webcast) | November 8-9, 2017 | Learn moreProcess maturity

Within the system, related to maturity of an organization, do people actually connect the dots?  When thinking about your current design outputs, how do they relate to your design inputs? Is there a one-to-one?  And, are those design inputs traceable to user needs—the basic safety and essential performance—because that’s the key. In addition, ensure you have full traceability and show the linkage. That’s a clear risk priority.

Post-production monitoring

The other thing that most organizations could probably do a better job of is post-production monitoring. I expect an increasing emphasis on this in the future – after all, there’s a reason the Unique Device Identifier (UDI) is being implemented. So the question I would be asking is, “How robust is my process?”  Post-production monitoring is not just a job, and it’s not just looking at customer complaints. A person can be directly and severely harmed by a device. Post-production monitoring is a key element and needs to have a strong emphasis. As one of my friends at the FDA likes to quip:

“How can you have Risk Management without post-production monitoring?”

Indeed. The last time I checked, management without a feedback loop is not management. I expect that the next round of revision for ISO 14971 would be well served by including more guidance in the area of post-production monitoring.

Related Articles

  • MedAccred Logo

    The purpose of the Best Practices in Supply Chain Resiliency and Quality Working Group is to improve medical device quality and supply chain resiliency by expanding MedAccred adoption through the tiers in the supply chain, identifying best practices to supplement…

  • RQM plus logo

    Jordi labs and its team of Ph.D. analytical chemists developed a proprietary, multi-detector approach to ensure that all extractables are accurately characterized to comply with global materials testing regulatory requirements.

  • MedTech Regulatory Intelligence Summit

    Registration is now open for the MedTech Regulatory Intelligence Summit in Washington, DC, May 16-17. Join us as we take a closer look at strategies and best practices in developing an effective and sustainable regulatory strategy for today’s global market.

  • MedTech Regulatory Intelligence Summit

    On May 16-17, device developers, regulatory affairs and regulatory intelligence professionals will come together in Washington, DC, for two days of education, discussion and networking to share strategies and best practices on navigating current and on the horizon regulatory requirements.

About The Author

Maria Fontanazza, MedTech Intelligence