Recently, our Scilife CEO Filip invited Mika Siitonen, Medical Development Manager at Labquality and seasoned expert in medical device regulatory guidelines, to answer anything and everything you wanted to know about performing Risk Management under the new MDR/IVDR regulations in what turned out to be exceptionally insightful Ask Me Anything Webinar full of valuable information for those operating in the medical device industry.
Below, you’ll find the top 10 questions from the session and a summary of Mika’s answers.
What are the key aspects of the new MDR and IVDR regulations?
Mika explains that the regulations are much stricter than previous IVDR versions for notified bodies and manufacturers. There’s a much, much larger amount of requirements, many more than previous versions. Notably, in the new MDR and IVDR regulations, there is much more emphasis on software and on data. Many older Class 1 medical devices have been upclassified, which will have a heavy impact on medical device manufacturers. This also impacts notified bodies, as there are now many more devices that will need to be inspected. Mika stresses that the heart of these new medical device regulations is risk perspective. A risk-based approach should be used everywhere and for everything!
Which are the top 3 things where to focus when working with MDR and IVDR risk management systems?
Mika explains that for MDR compliance it’s important to utilize the harmonized standard. However, for MDR there’s none yet for risk management, although there will be soon. He adds that it’s important to include risk management in the clinical or performance evaluations too. When considering the top 3 things to focus on, Mika describes the following:
- For medical device risk analysis it’s vital to have a complete risk management team, and not just rely on one person! Individuals with clinical, manufacturing, software, security, usability, development, risk management expertise are all required.
- Secondly, documentation is important. A Risk management file is not a single file! It’s essential to have at least 3 documents: a risk analysis consists of a plan, the analyses, and the report.
- Thirdly, set up a working linking method from risk to risk. Traceability back and forth is important. If you have a design requirement in the risk analysis to reduce your risk level there should be linking to the requirement. All analysis and requirement sheets need to be linked well.
What are the main struggles implementing the MDR and IVDR regulations?
Our webinar participants shared their top 3 challenges:
- Managing the entirety of all risk management files for all products, production, processes, facilities, etc, to keep on top of everything.
- The practicality of risk management: Risk management can be really challenging in practical terms while continuing to align with MDR regulations
- Aligning with all the MDR requirements which are sometimes conflicting can be confusing, coming from different harmonized standards and MDR / IVDR related to risk management. MDR mandates override everything on the harmonized standard, which is sometimes very conflicting.
What level of complexity does a risk assessment need to have?
Mika explains that it’s not easy to find the right level of complexity of identifying risks. He highlights that if you really think about every possible risk of a product it gets way too deep and overwhelming, so it helps to have someone on board the risk management team that has experience with the risk management process itself to guide the ‘depth’ of the risk assessment. For example, hundreds of possible risks for one single product means the risk assessment is getting too thorough.
What are the steps to follow in the risk management plan? Where to start in the implementation?
Mika notes that three steps are fundamental to starting a risk management plan:
- You should have your risk-based approach for pretty much everything and you need to have your QMS processes evaluated from a risk perspective.
- Product risk analysis is most important, but business risk analysis is also beneficial to have.
- Drill down into product risk management as early and as heavily as possible to get the product to the market sooner than later, other risk analyses typically come later.
How do you make a master list of risks according to MDR and IVDR regulations?
Mika mentions that 14971 covers this very well. MDR and IVDR regulations don’t specify that you must have separate risk analyses to list your risks. So you can create a single place (master list) with all your identified risks. Make sure you’re able to filter these risks with category variables. He stresses that it’s useful to focus on the risks you can identify with your team. He also explains that a master list has downsides because some risks such as cybersecurity will be mislabeled as low impact and might therefore be missed. However, there are tools to help with this, he mentions.
How can we implement a quantitative method for determining the risk-benefit ratio and thresholds for risk acceptability?
Mika answers that you must have numerical value for risk levels, and to get a calculated risk-benefit ratio you must also evaluate numerical values for benefits, which is often difficult.
Which are the main points of risk management to be included in the clinical evaluation?
Ranking is the single most important factor, Mika states. You need to have your highest risks documented in the clinical evaluation plan or performance evaluation plan so you can focus on those risks & find them. Ranking is very important. Update risk management when your team encounters new risks too, but always concentrate on highest ranked risks.
How would you implement a risk-based approach in the cybersecurity context?
Cybersecurity is becoming ever more fundamental in risk management. Mika sums up how to implement a risk-based approach for this:
- MDR says that you can utilize the 1471 approach for cyber security. There's no reason to utilize anything else, but you don't have to utilize that because cyber security people talk a totally different language: there are threats and, they don't tend to use sequence of events. So you are free to utilize other methods for cyber security.
- No matter what your approach, you need to have one risk analysis for cyber security.
- You need to have your acceptance criteria also for cyber security risks.
- If it's on a different scale than the other risks, then you need to have the linkage to the other risk analysis- if it has clinical impact, you need to link it to the clinical analysis, etc.
To what level cybersecurity risks need to be mitigated if there are no patient or user risks?
Mika explains that there are multiple angles to consider. In general risk analysis is a tool to identify, prioritize and correct problems and issues with your product and have them proactively corrected before they occur.
He explains that you need to structure your risk management file, separate the cybersecurity risk analysis from clinical risk analysis (since they typically have different abstraction levels) but generally include it in the overall Product Risk Management report.
He also explains that MDR and IVDR state not to focus only on highest risk, but that you should reduce all risks that are already ‘acceptable’ as low as possible. A cybersecurity risk is still potentially related to product and user, he adds. It might not have clinical impact but does have some impact that might mean you can't use the device, or a safety impact.
Finally, he mentions that from a vigilance perspective, if there's a serious incident, even if it originates from cybersecurity, it counts as any other serious incident and needs to be reported to local competent authority.
We hope Mika and Scilife could clear up some of your doubts about the process of managing risks under the new MDR and IVDR regulations! Thank you for joining us and sharing your valuable expertise Mika!