Close
Home
Collections
Login
USC Login
Register
0
Selected
Invert selection
Deselect all
Deselect all
Click here to refresh results
Click here to refresh results
USC
/
Digital Library
/
University of Southern California Dissertations and Theses
/
Risk management and recalls: a survey of medical device manufacturers
(USC Thesis Other)
Risk management and recalls: a survey of medical device manufacturers
PDF
Download
Share
Open document
Flip pages
Contact Us
Contact Us
Copy asset link
Request this asset
Transcript (if available)
Content
RISK MANAGEMENT AND RECALLS:
A SURVEY OF MEDICAL DEVICE MANUFACTURERS
by
Darin Seth Oppenheimer
A Dissertation Presented to the
FACULTY OF THE USC SCHOOL OF PHARMACY
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF REGULATORY SCIENCE
May 2017
Copyright 2017 Darin Seth Oppenheimer
2
DEDICATION
I would like to dedicate this dissertation to my wonderful family. These four special ladies
sacrificed so much to support me with my endeavor. My loving wife, Christy, has
supported me tirelessly throughout my academic pursuit. My inspiring daughters, Tabitha,
Mackenzie, and Bailey, provided me with constant support and smiles to see this endeavor
to fruition.
“It is good to have an end to journey toward; but it is the journey that matters, in
the end.” ― Ursula K. Le Guin, The Left Hand of Darkness
3
ACKNOWLEDGEMENTS
This dissertation is the product of several years of study, research, and writing.
During that time, my learning was guided and influenced by many people, and I would like
to take this opportunity to express my sincerest gratitude as this would not have been
possible without them. I would like to thank my faculty advisor, mentor, and friend,
Dr. Frances Richmond, for her unwavering support, patience, and motivation through this
endeavor. Thank you for showing me true North through this journey. I would also like to
express my gratitude to the rest of my thesis committee, Dr. Michael Jamieson, Dr. Benson
Kuo, and Dr. Jerry Loeb, for their guidance and insights that helped strengthen this work.
I would like to thank the other students in the 2014 Doctoral Cohort and the staff of the
Regulatory Science program for their support, both personally and professionally.
4
TABLE OF CONTENTS
DEDICATION .................................................................................................................... 2
ACKNOWLEDGEMENTS ................................................................................................ 3
TABLE OF CONTENTS .................................................................................................... 4
LIST OF TABLES .............................................................................................................. 9
LIST OF FIGURES .......................................................................................................... 10
ABSTRACT ...................................................................................................................... 13
CHAPTER 1. OVERVIEW ...................................................................................... 14
1.1 Introduction .................................................................................................. 14
1.2 Statement of the Problem ............................................................................. 18
1.3 Purpose of the Study .................................................................................... 19
1.4 Importance of the Study ............................................................................... 20
1.5 Limitations, Delimitations, Assumptions ..................................................... 20
1.6 Organization of Thesis ................................................................................. 21
1.7 Definitions .................................................................................................... 22
CHAPTER 2. LITERATURE REVIEW .................................................................. 23
2.1 Evolution of a US Risk Culture ................................................................... 23
2.2 The Medical Device Amendments of 1976 ................................................. 26
2.3 The Safe Medical Device Act of 1990 ......................................................... 28
2.4 The Evolution of Design Control Related to Risk Management ................. 30
2.5 The FDA Recall Authority and Overview ................................................... 33
5
2.6 Risk Management for Medical Devices ....................................................... 35
2.6.1 Early Evolution of Risk Theory ...................................................... 35
2.6.2 ISO 14971 Risk Management - Application of Risk
Management to Medical Devices ................................................... 40
2.6.3 Risk Management Tools ................................................................. 43
2.6.3.1 Preliminary Hazard Analysis ............................................. 45
2.6.3.2 Failure Mode Effects Analysis (FMEA) / FMECA ........... 45
2.6.3.3 Fault Tree Analysis ............................................................ 47
2.6.3.4 Safety Assurance Cases ..................................................... 49
2.6.3.5 Hazard Analysis and Critical Control Points ..................... 50
2.6.3.6 Hazard Analysis and Critical Control Points ..................... 52
2.6.3.7 Using Multiple Tools ......................................................... 53
2.7 Integration of Risk Management Activities into Quality Activities ............ 58
2.7.1 Illustrative Failures in Risk Management ....................................... 60
2.7.1.1 Johnson & Johnson – Acuvue True Eye Contact
Lenses ................................................................................ 60
2.7.1.2 Johnson & Johnson – DePuy Orthopaedics Inc.—ASR
Hip System ........................................................................ 61
2.7.1.3 Baxter Healthcare Corporation – Colleague Infusion
Pump .................................................................................. 61
2.7.1.4 Customed Surgical Inc. Surgical kits ................................. 62
2.8 A Risk Complacent Industry ........................................................................ 62
6
2.9 Exploring Unanswered Questions ................................................................ 64
2.9.1 Research Frameworks Provided by Risk Theory ........................... 65
2.9.1.1 Guldenmund’s Holistic Approach to Risk Management ... 65
2.9.1.2 The Conceptual Model of Sullivan and Beach .................. 67
2.9.1.3 The Integrated Guldenmund / Sullivan and Beach
Model of Chan ................................................................... 71
2.10 Proposed Research ....................................................................................... 72
CHAPTER 3. METHODOLOGY ............................................................................ 74
3.1 Introduction .................................................................................................. 74
3.2 Development of the Survey Instrument: Stage II ......................................... 74
3.3 Critique of Survey Instrument by Focus Groups: Stage III ......................... 76
3.4 Administration of the Survey Instrument—Data Collection and
Analysis: Stage IV ....................................................................................... 77
CHAPTER 4. RESULTS .......................................................................................... 79
4.1 Responses of Respondents ........................................................................... 79
4.2 Profiles and Background of Respondents .................................................... 79
4.3 Functional Roles .......................................................................................... 80
4.4 Profile of Organizational Affiliations .......................................................... 82
4.5 Organizational Culture and Change ............................................................. 84
4.6 Organizational Viewpoints Related to Risk Management ........................... 91
4.7 Views on Risk Management Competency ................................................... 94
7
4.8 Organizational Competence of Risk Management Tools ............................ 99
4.9 Risk Management and Organizational Structure ....................................... 101
4.10 Risk Management and Organizational Processes ...................................... 104
4.11 Hazard and Risk Assessment Capabilities ................................................. 112
4.12 Risk Management and Memory after Negative Events ............................. 116
4.13 Communication of Risk Issues .................................................................. 119
4.14 Organizational Resource Allocation .......................................................... 122
4.15 Future Survey Participation ....................................................................... 124
4.16 Cross Tabulations ....................................................................................... 125
CHAPTER 5. DISCUSSION .................................................................................. 129
5.1 Risk Management and Medical Device Recalls ......................................... 129
5.2 Consideration of the Methodology ............................................................ 129
5.2.1 Use of Electronic Survey Methods ............................................... 129
5.2.2 Composition of the Respondent Pool ........................................... 131
5.3 The Current State of Risk Management and Recalls ................................. 134
5.3.1 Culture .......................................................................................... 134
5.3.2 Competency .................................................................................. 137
5.3.3 Process .......................................................................................... 140
5.3.4 Memory ........................................................................................ 142
5.3.5 Resources ...................................................................................... 143
5.4 Conclusions and Future Directions ............................................................ 144
8
REFERENCES ............................................................................................................... 146
APPENDIX A. FINAL VERSION OF QUALTRICS SURVEY ............................. 152
9
LIST OF TABLES
Table 1: Risk Assessment Process ................................................................................55
Table 2: Attributes of a Selection of Risk Assessment Tools .......................................56
Table 3: Research Question Categories ........................................................................75
Table 4: Focus Group Participants ................................................................................77
Table 5: “Other” Functional Roles ...............................................................................81
Table 6: Product Risk Management (n= 88) .................................................................86
Table 7: “Other” comments related to responses in Figure 20 .....................................88
Table 8: Drivers of Changes to Risk Management Systems (n= 73, 72, & 71)............90
Table 9: Organizational Viewpoints Related to Risk Management (n= 84) .................93
Table 10: “Other” Risk Management Training noted in Text Boxes .............................95
Table 11: Top Three Risk Management Tools (n=75, 73, & 71) .................................101
Table 12: “Other” Risk Management and the Development Lifecycle ........................104
Table 13: Risk Management Processes (n=82) .............................................................107
Table 14: The “Other” Frequency of Hazard and Hazardous Situation Updates
Post Product Launch ................................................................................112
Table 15: The “Other” Number of New Hazards or Hazardous Situations
Identified Post Product Release (Past 24 Months) (n=81) .......................114
Table 16: “Other” Viewpoints of New Hazards or Hazardous Situations
Identified Post Product Release (Past 24 Months) ...................................116
Table 17: “Other” Risk Management Viewpoints After Product Recalls,
Unanticipated Product Complaints, or Agency Finding ..........................117
Table 18: The “Other” Fading of Risk Awareness .......................................................118
10
LIST OF FIGURES
Figure 1: Design Control Process Waterfall View .........................................................32
Figure 2: Risk Management Process ..............................................................................39
Figure 3: Risk Estimation ...............................................................................................42
Figure 4: FMEA/FMECA ..............................................................................................46
Figure 5: Fault Tree Analysis .........................................................................................48
Figure 6: Safety Assurance Case ....................................................................................50
Figure 7: HACCP Overview ..........................................................................................51
Figure 8: HAZOP ...........................................................................................................53
Figure 9: Risk Management Tools Timeline ..................................................................58
Figure 10: Guldenmund’s Organizational Triangle .........................................................67
Figure 11: The Conceptual Model ...................................................................................68
Figure 12: The Modified Organizational Model ..............................................................72
Figure 13: Size of Organizations with which Respondents were affiliated (n=99) .........80
Figure 14: Functional Roles (n=97) .................................................................................81
Figure 15: Background Experience of Respondents (n=92 & 91) ...................................82
Figure 16: Types and Distribution of Marketed Products (n=95) ....................................83
Figure 17: Regions Where Medical Devices were Sold (n=94) .......................................83
Figure 18: Classification of Medical Devices marketed in the U. S. (n=94) ...................84
Figure 19: Product Risk Management Viewpoints (n=89 & 87) .....................................87
Figure 20: Activities related to quality related problems (n=81) .....................................88
Figure 21: Changes to the Risk Management System (Past 24-Months) (n=76) .............89
Figure 22: Organizational Support of Risk Management Training (n= 84) .....................94
11
Figure 23: Internal Risk Management Training (Annually) (n=80, 41, 22, & 19) ..........96
Figure 24: Organizational Knowledge of Standards and Regulations (n=85) .................99
Figure 25: Organizational Competence of Risk Management Tools (n=83, 82,
81, 80, 79, and 77) ...................................................................................100
Figure 26: Functions participating in Risk Management Activities (n=84)...................102
Figure 27: Risk Management Phase of the Development Lifecycle (n=83) ..................103
Figure 28: Risk Management and the Development Lifecycle (n=83) ..........................104
Figure 29: Hazard and Hazardous Situation Source Information Prior to New
Product Launch (n=81 & 80) ...................................................................109
Figure 30: Hazard and Hazardous Situation Source Information Post New
Product Launch (n=82, 81, & 80) ............................................................111
Figure 31: The Frequency of Hazard and Hazardous Situation Updates Post
Product Launch (n=82) ............................................................................112
Figure 32: The Frequency of Hazard and Hazardous Situation Updates Post
Product Launch (n=82) ............................................................................113
Figure 33: The Number of New Hazards or Hazardous Situations Identified Post
Product Release (Past 24 Months) (n=81) ...............................................114
Figure 34: Viewpoints of New Hazards or Hazardous Situations Identified Post
Product Release (Past 24- Months) (n=81) ..............................................115
Figure 35: Risk Management Viewpoints After Product Recalls, Unanticipated
Product Complaints, or Agency Finding (n=82) .....................................116
Figure 36: The Gradual Fading of Risk Awareness (n=71) ...........................................117
Figure 37: Retention of Identifiable Risks (n=81 and 80) .............................................119
12
Figure 38: Communication Mechanism of Risk Issues (n=82)......................................120
Figure 39: Communication of Risk Related Issues (n=81, 80, 79) ................................122
Figure 40: Resource Allocation (n=82) ..........................................................................123
Figure 41: Time Allocation for Risk Management Activities (n=76) ............................124
Figure 42: Preferences with Regard to Further Discussions (n=82) ..............................125
Figure 43: Cross Tabulation of Organization Size and Product Type (n=95) ...............126
Figure 44: Cross Tabulation of Organization Size and Regional Sales and
Distribution (n=94) ..................................................................................127
Figure 45: Cross Tabulation of Organization Size and Risk Management
Activities (n=84 & 83) .............................................................................128
13
ABSTRACT
Medical device manufacturers must anticipate product failures that could pose safety risks
for patients through the use of systematized risk management methods. However, product
recalls and safety problems continue to increase, so that the effectiveness of risk
management implementation is brought into question. In a 2011 survey, Chan (2012)
reported that many individuals involved with risk management had a relatively shallow
understanding of the tools and techniques that might help to improve their risk management
initiatives and were in companies that viewed risk management as a “necessary evil”. Since
that time, much has happened to increase the scrutiny on risk management, but it is not
clear whether these efforts have improved the state of risk management.
This study surveys the risk managers of U.S. medical device enterprises to identify their
views regarding current practices of risk management and its effectiveness at mitigating
quality problems and recalls. Results suggest that most organizations invest insufficient
resources to support risk management activities, and these resources are focused
predominately at early stages of product management. It further suggests that risk
management teams and participants could profit from deeper education with regard to
different types of tools and a wider appreciation of enterprise risk management approaches.
Most respondents appeared to believe that their organization had an adequate risk
management system in place, but this belief is challenged by the repeated problems seen
with industry recalls.
14
CHAPTER 1. OVERVIEW
1.1 Introduction
Unfortunately, the nature of unexpected events means that they can, and
often do, happen. [Niccolo Machiavelli, as cited in (Burns, 2015)]
There is no question that medical devices have significantly improved the quality of
countless lives. At the same time, however, those benefits often cannot be achieved without
risk, and the $350 billion medical-device industry (USD) bears much of the responsibility
for managing those risks (Kramer, Xu, & Kesselheim, 2012; Shepherd, 2011). Individual
risks that contribute to the overall risk profile of the product can originate from the inherent
risks posed by the device or from its misuse by healthcare professionals or consumers.
Together, these risks can lead to patient or caregiver injury and even death. For this reason,
medical devices have come under increased scrutiny from regulators, as they attempt to
respond legislatively to tragedies such as those associated with defective heart valves,
breast implants, and, more recently, defective hip implants (Higson, 2001; Marcus, 2015;
Stewart & Paine, 2012).
One particular burden for manufacturers has been the requirement to anticipate product
failures that could pose safety risks for patients. Problems with intrauterine devices and
pacemakers more than 50 years ago produced laws and regulations to control the
manufacture and testing of such devices. The Medical Device Amendments of 1976
acknowledged the importance of risks related to medical devices by establishing a three-
class system for devices based on their risks to patients (Rados, 2010). The amendments
further established requirements for “Good Manufacturing Practices,” which were revised
15
in 1990 under a system that came to be called Quality Systems Regulations. These later
regulations recognized the importance of controlling device design as well as production
in order to reduce the risks associated with the inherent features of the product (Flannery,
1991; Raubicheck, 1991). Formalized risk assessment and management were required to
be implemented as part of these new regulations. Guidance on how to carry out appropriate
risk management activities came to be seen as important, and this need was met to some
extent by the development of several standards, including the International Organization
for Standardization (ISO) 9001:1994 and the proposed draft of ISO 13485 (Martínez-
Costa, Choi, Martínez, & Martínez-Lorente, 2009). These standards began to harmonize
the key concepts of quality systems and risk management that later served as a baseline for
future regulatory guidance.
Nevertheless, more recent problems with hip implants, infusion pumps and surgical mesh
serve as evidence that current risk management measures have not improved safety to the
extent that regulators and consumers have come to expect (Cohen, 2013; Moore, 2011).
Stakeholders ranging from regulators, healthcare professionals, and consumers often
express frustration with the way that hazardous products continue to cause problems. One
example of such concerns are those associated with infusion pumps, which have been
associated with hundreds of product recalls and, in some cases, have caused deaths or
serious injuries to patients (Brady, 2010; Traynor, 2010). When the Food and Drug
Administration (FDA) evaluated infusion pumps from various manufacturers in 2010, they
found defects in multiple areas including software error messages, usability problems,
defective components, battery failures, alarm failures, and errors in infusion volumes
16
(Phelps, 2011; Traynor, 2010). The FDA concluded that improvements in the verification
and validation processes associated with the design phase of these devices might have
helped in mitigating the associated adverse events (Traynor, 2010).
The problems with infusion pumps have been particularly influential in focusing attention
on the way that risks have been managed and on the tools on which these activities are
based. In 2010, the failure of companies to resolve the problematic issues became the
driving force behind the FDA’s creation of the “Infusion Pump Improvement Initiative”
(Phelps, 2011; Traynor, 2010). This initiative has placed infusion pump manufacturers
under heightened scrutiny and more rigorous requirements for risk assessment and
management. The FDA outlined a three-pronged approach, focusing on 1) establishing
additional requirements for infusion pump manufacturers, 2) proactively facilitating device
improvements, and 3) increasing user awareness.
The approach outlined by the FDA was unusually swift and comprehensive when
compared to typical FDA responses expressing dissatisfaction through letters and
enforcement actions. The agency also notified the device manufacturers that they would
issue a new guidance document that would identify new approaches to manage the total
product life cycle of infusion pumps. This guidance document, published in 2014, provided
36 pages of suggestions regarding design and risk management expectations, as well as
testing, labeling, and reporting requirements (FDA, 2014a). The FDA also reserved the
right to conduct a facility inspection prior to clearance, an oversight action normally
reserved for novel technologies and Class III high risk devices, and they requested that
17
additional risk information regarding risk mitigation methods throughout the product life
cycle be included in the 510(k) submission.
Although infusion pump manufacturers appear to be have been singled out for the
additional controls described above, the messages and suggested methodologies that were
proposed by the FDA are relevant for the manufacturers of all medical devices. The events
that led to the Infusion Pump Improvement Initiative should be a wake-up call for all
medical device manufacturers to evaluate how their risk management programs are
performing, particularly with regard to the lessons learned from experienced medical
device manufacturers. It is clear that companies manufacturing all kinds of devices are not
immune to product problems, as reflected by the number and range of recalls that have
been reported in the last decade. For example, in 2006, the FDA identified that medical
devices were responsible for 116,000 device-related injuries, 96,000 device malfunctions,
and 4,500 deaths (Johnson, 2012). Further, an analysis conducted by the FDA in 2012
reported a 97% increase in recalls from fiscal year (FY) 2003 to FY 2012 (FDA, 2012),
from 604 in FY 2003 to 1,190 in FY 2012 (Caceres, 2014). My analysis of the more recent
entries into the FDA Center for Device Evaluation and Radiological Health (CDRH) recall
database from January 1, 2010, to December 31, 2015, shows an average of approximately
2,600 recalls annually (Oppenheimer, 2015). These data suggest that the situation is not
improving over time. Trends point to a progressive year-after-year repetition of problems
related to device design, component controls, and production controls (Oppenheimer,
2015).
18
1.2 Statement of the Problem
The continuing numbers of issues identified in these retrospective analyses support the
assumption that risk management is insufficient in many companies. This assumption is
consistent with the information released in the 2014 Infusion Pumps Total Product Life
Cycle Final Guidance document; its analyses of problems, trends, and impacts further
suggest that problems are not only associated with infusion pumps but with all medical
devices across different classes and product types. The common thread of the issues
described above seems to be a continuing probem with the risk control measures used
during the life cycle of medical products. As noted FDA in their 2014 Infusion Pump
Guidance document,
The recommendations in this guidance are intended to improve the quality of
infusion pumps in order to reduce the number of recalls and adverse events
associated with their use. The FDA believes that these recommendations will help
mitigate current risk and reduce future risk associated with infusion pumps.
(FDA, 2014a)
It is apparent that the FDA is investing considerable time and effort in trying to reduce
device problems and recalls. It is also clear that regulations for manufacturers have
requirements for risk management that have been in place for several years. What is not
clear is how device manufacturers are implementing these requirements. In a 2011 survey
of risk management professionals, Chan (2012) reported that many individuals involved
with risk management had a relatively shallow understanding of many of the tools and
techniques that might help to improve their risk management initiatives. The survey also
found that risk management was viewed as a necessary evil. A significant group of
participants (16/46) even suggested that organizations do not know how to tie risk
19
management into the elements of a quality system. However, it was not clear from that
survey how companies were actually using tools and data to carry out risk management.
Furthermore, since 2011, much has happened to increase the scrutiny on risk management,
and more guidance has been given to manufacturers in an attempt to improve effective risk
management. It is not clear whether these messages have been heard and whether, for
example, medical device companies generally are using tools such as the newly
recommended “safety assurance case” methods (described in Chapter 2). Thus, we have an
incomplete understanding of the ways in which companies are dealing with risk
management and how they view it in connection with their recall history.
1.3 Purpose of the Study
The purpose of this study is to gain insight into the approaches and tools used for risk
management by medical device manufacturers who have experienced at least one recall in
the past five years. The research begins with a literature analysis to understand the
evolution of risk management systems with particular attention to the applicable standards,
regulations, and tools that are used to develop risk management systems. A survey
instrument was then created, based on a framework developed by Chan (2012), to explore
the organizational behavior and competencies that surround the use of risk management
tools and the perceived linkage of those activities to recalls. The survey was distributed to
appropriate risk management practitioners in various functional roles within the target
medical device organizations.
20
1.4 Importance of the Study
Despite the efforts to develop risk management systems to improve device safety and to
decrease product recalls, problems persist. The results of this survey will potentially shed
light on whether risk management systems are sufficiently broad and deep, particularly in
the way that manufacturers use tools and methods to manage risk. These insights are
important, because they can help companies to understand areas in which they are deficient
by allowing them to benchmark their practices compared to those of others in the sector.
The results are also useful to regulators as they try to understand what additional steps can
or should be taken to improve the effectiveness of risk management. Regulators may also
use this information to understand whether an expanded role for regulators would be
valuable in encouraging better outcomes. The information is also important for regulatory
science educators who are trying to develop effective curricula for individuals who seek
advanced training in risk management. Having knowledge regarding where gaps might
exist makes it possible to address those gaps more specifically and effectively. The current
research can open the door to future studies to understand how to transform organizational
behavior in ways that would be more effective at mitigating risk and decreasing recalls of
medical devices.
1.5 Limitations, Delimitations, Assumptions
This study focuses on risk management practices as carried out by medical device
manufacturers. The study does not include evaluations of pharmaceutical or other related
industries, so the results may not be generalizable to their practices. The respondents were
located in the US, but some worked for multinational organizations. Thus, it is unclear
21
whether the views that they present are typical for all companies worldwide or represent a
uniquely US-centric view. The recall information referenced herein derives from the
Center for Devices and Radiological Health database and does not account for other related
databases residing outside the United States.
Several factors may also limit the study. It is not feasible to identify all the individuals who
would be appropriate for such a survey. Thus, the survey will provide a sampling of
appropriate individuals and therefore has the inherent risk of capturing the views of a
skewed subpopulation compared to the population as a whole. Surveys are typically limited
by the fact that respondents are often too busy or disinterested in the topic and decline to
participate. Further, individuals in risk management companies are often difficult to reach
electronically, because they change jobs frequently, and their companies have filters to
restrict their access to certain types of email messaging. This can restrict the number of
respondents and thus the power of the results. The survey was also limited by my skills in
asking a sufficient number of key questions that would allow me to paint a comprehensive
picture of the risk management environment related to the use of risk management tools.
1.6 Organization of Thesis
The outlined research contains five (5) chapters. Chapter 1 provides an overview of the
background leading to the research question. Chapter 2 reviews the literature that traces
the history and present state of risk management in medical device companies and
examines how these illustrate the challenges and questions related to company
approaches to risk management and medical device recalls. Chapter 3 outlines the
22
methods used to evaluate the organizational behavior and methods associated with risk
management and recalls in the medical device industry. Chapter 4 analyzes the research
conducted using the issued survey instrument. Chapter 5 contains a discussion of the
research results, conclusions, and suggestions for a path forward.
1.7 Definitions
Term Definition
510(k) Premarket Notification Submission
AAMI
Association for the Advancement of
Medical Instrumentation
CDRH
Center for Device Evaluation and
Radiological Health
CEN Comité Européen de Normalisation
CGMP Current Good Manufacturing Practice
FDA Food and Drug Administration
FD&C Act Food, Drug, & Cosmetic Act
FMEA Failure Mode Effects Analysis
FMECA Failure Mode Effects Criticality Analysis
FTA Fault Tree Analysis
FY Fiscal Year
GMP Good Manufacturing Practices
HACCP Hazard Analysis and Critical Control
Point
HAZOP Hazard and Operability
IEC International Electrotechnical
Commission
IUD Intrauterine Device
ISO International Organization for
Standardization
PHA Preliminary Hazard Analysis
PMA Premarket Approval
QS Quality System
US United States
23
CHAPTER 2. LITERATURE REVIEW
2.1 Evolution of a US Risk Culture
It has been more than 75 years since US lawmakers explicitly recognized the safety
challenges posed by medical devices and included them as a distinct category of products
regulated by the Food, Drug, and Cosmetic (FD&C) Act of 1938. At that time, however,
the regulation of medical device safety was not a high priority for regulators. Instead, drug
safety dominated the agenda, driven by a tragedy in which more than 107 deaths resulted
from the ingestion of sulfanilamide elixir formulated with the toxic solvent diethylene
glycol (known today as antifreeze) (Carpenter & Sin, 2007).
The relatively simple and intuitive medical devices of the early to mid-1900s typically
posed low risks to public health. Thus, the FD&C Act imposed fewer regulatory restrictions
on medical devices for many years after they had been imposed for drugs. The Act gave
the FDA limited authority to pursue actions against marketed medical devices found to be
adulterated or misbranded (Estrin, 1990; Johnson, 2012; Young, 1989). It did not, however,
impose requirements for premarket review or safety testing. As a result, many products
existed as unregulated technologies marketed to the public with little or no oversight
(Monsein, 1997). A shift in perspective emerged in the 1950s and 60s, as reflected by the
technological advancements of medical devices. Newly introduced devices such as heart-
lung and dialysis machines were more complex and thus posed a greater risk than the
simpler and more intuitive devices of the past. These devices compelled legislators to
reconsider the regulations governing medical devices (Abdul-Majid, 2015).
24
In the 1960s, initiatives to regulate devices more stringently had begun but were derailed
when a greater crisis presented itself. This crisis developed after the sedative, Thalidomide
(Contergan®), was promoted in Europe for symptoms of morning sickness in pregnant
women. The numerous birth defects reported from 1958 to 1960 not only exposed the now
well-known teratogenicity of the drug but also drew attention to gaps in the regulations
governing drug development (Abdul-Majid, 2015). These gaps caused legislators to
reevaluate the legislative control of drug safety and efficacy in order to place tighter
controls on clinical trials and manufacturing. In 1962, President John F. Kennedy urged
Congress to amend the FD&C Act. The resulting drug efficacy amendments to the FD&C
Act (known as the Kefauver-Harris Amendments) added a number of new rules to the
control of pharmaceutical products, such as the requirement for good manufacturing
practices for drugs and for submission of investigational new drug applications before
initiating a clinical trial. However, the legislation failed to provide new rules that would
improve the oversight of medical devices. This created a difficult situation in which the
FDA was forced to define devices such as contact lenses and pregnancy test kits as “drugs”
in order to use the provisions of the amendments to review and approve the devices before
marketing and to monitor them after commercialization (IOM, 2011).
In time, the use of drug regulations for devices became progressively more problematic.
Newer, more sophisticated devices such as heart valves, pacemakers, and intrauterine
devices (IUDs) clearly posed greater risks than the simpler devices that came before them.
These potential dangers were made vividly apparent by the news media when they reported
on the serious safety issues linked to certain medical devices. The public health threats
25
posed by dangerous devices, combined with the challenges of using the “drug” pathway as
the sole regulatory tool, led the Secretary of the Department of Health, Education, and
Welfare to charge Theodore Cooper, the Director of the National Heart and Lung Institute,
to form a specialized group called the “Cooper Committee” in 1970 to review the
management of medical devices under the then-current regulatory framework (Rogers,
1996). The Committee was tasked with two key objectives: to evaluate the extent of safety
problems linked to medical devices and to recommend appropriate areas for new legislation
(IOM, 2011; Leflar, 1989). As part of its work, the Cooper Committee found that at least
10,000 injuries and 751 deaths over a 10-year span could be ascribed to problems with
various medical devices, including pacemakers and IUDs (Mesner, 1993; Rogers, 1996).
Their observations led them to advocate new regulations specific to devices, which they
recognized as having safety challenges different from those of drugs. Specifically, the
committee suggested that a new classification system be established that would match
regulatory controls to the types of risks associated with different medical devices. The FDA
followed the Committee’s suggestions by developing a new classification system in which
medical devices were categorized according to differences in risk (Rados, 2010).
However, the FDA was still limited in the controls that they could impose without being
accused of regulatory overreach. Thus, the simple measures put in place by the FDA did
little to control the escalating number of device failures and adverse events in the 1970s
(IOM, 2011). Congress felt the pressure of public indignation over the increasingly
publicized pacemaker failures and injuries resulting from the Dalkon Shield IUD. These
reports heightened public perception that the laws were inadequate and drove Congress to
26
recognize the need for change (Leflar, 1989). As they revisited the regulatory approaches,
politicians commended the FDA for trying to develop better regulations but recognized the
importance of addressing the situation authoritatively, through new legislation (Johnson,
2012; Merrill, 1994; Rados, 2010).
2.2 The Medical Device Amendments of 1976
In 1976, Congress amended the FD&C Act to increase the legislative oversight of medical
devices, including diagnostic products. This set of amendments, known as the “Medical
Device Amendments,” is perhaps the most influential piece of legislation in the medical
device sector introduced to date (Abdul-Majid, 2015). The legislation granted the FDA the
authority to implement a comprehensive regulatory framework for medical devices. This
framework was based on a three-tier risk classification in which products considered to be
low-risk devices were placed in Class I, moderate-risk devices were placed in Class II, and
high-risk devices were placed in Class III. These tiered categories had different sets of
rules, whose rigor and depth escalated according to their progressively higher risks. The
amendment required a device manufacturer to notify the FDA of its intent to market a
medical device. For Class II devices, this notification was to be provided at least 90 days
in advance through a premarket notification submission 510(k); for Class III devices, it
was to be provided through a Premarket Approval (PMA) application. The newly
established review period allowed the FDA to evaluate whether the device was reasonably
safe and effective or substantially equivalent for the purposes for which it was being
promoted and intended before its placement on the market.
27
The development of the Medical Device Amendments was met with some level of hostility
from the industry. The emerging bills were unpopular with both the manufacturers of
marketed products and the developers of new products; each group expressed concerns
about disproportionate advantages that might accrue to the other (IOM, 2011). The
manufacturers of marketed products wanted to be excused, or “grandfathered,” from
proposed requirements to submit marketing applications for their already marketed
devices. Companies with products in the developmental pipeline felt that they would be
treated unfairly if they were required to submit an extensive marketing application when
the grandfathered products were exempt. Thus, for Class II products requiring premarket
notification, a unique approach was adopted in which products on the market were
grandfathered, and products similar to those already on the market could claim “substantial
equivalence” to a predicate marketed product. This approach (also called the 510k
regulatory pathway after the relevant clause of the legislation) required a relatively short
application that would reduce the amount of work that both the company and the FDA
reviewer would need to do (see (DeMarco, 2011) for a detailed review). Devices lacking
the ability to claim substantial equivalence to an already marketed device would be placed
in the Class III category, where they would be subject to a higher level of scrutiny, as they
had not yet been “market-tested” (IOM, 2011; Jyothi, Venkatesh, & Pramod Kumar, 2013;
Rogers, 1996).
The Medical Device Amendments of 1976 were a valuable starting-point for introducing
the need for risk assessment and management for medical device companies. They helped
28
to establish the importance of risk as a central concept in assessing the marketability of a
product. However, risk was evaluated in a prescriptive way. Regulators assigned risk based
on the performance of devices already placed on the market rather than on systematic
assessments of the risks from an engineering and scientific viewpoint (IOM, 2011; Rogers,
1996). The amendments therefore did not establish ways to deal effectively with the unique
risks associated with different types of products that were assigned to the same risk class.
2.3 The Safe Medical Device Act of 1990
The device-specific regulatory framework established in 1976 was a key step in improving
device safety, but the legislation and associated regulations were far from perfect. Further,
the underresourced agency was heavily criticized throughout the ensuing 15 years for
failing to sufficiently execute on its expanded roles and responsibilities under the new law.
Its position was not helped by certain highly publicized device failures (IOM, 2011).
Concerned about these issues, Congress responded by conducting several investigational
hearings that pointed out vulnerabilities in the 1976 amendments. One such vulnerability
raised throughout the Congressional hearings was the relatively weak oversight exercised
after the premarket clearance or approval of a device. Congress felt that additional controls
and monitoring were needed in the post-market phase (IOM, 2011). Another concern was
the lack of a clear definition regarding substantial equivalence, which was the cornerstone
of the regulatory framework established in 1976 (Johnson, 2012).
29
The Safe Medical Devices Act of 1990 attempted to satisfy at least two goals relevant to
this dissertation. First, it sought to address concerns about the way in which device safety
had been assessed and reviewed by the FDA. On the premarket side, it required
manufacturers of Class II devices to carry out better performance testing using animal,
clinical, or bench data to ensure device safety and to provide proof of substantial
equivalence to a currently marketed predicate device (Alder, 1993; Silver, 1994). The
legislation also enacted the addition of “special controls” to specific devices that appeared
to need more oversight than was provided by the general controls that the 1976
amendments created. In these instances, “special controls” varied according to what
regulators felt would be appropriate for the device and its risks and could also include
additional labeling requirements or the development of patient registries to support the
safety and effectiveness of the device (Johnson, 2012; Raubicheck, 1991; Samuel, 1991).
On the post-market side, manufacturers of life sustaining/supporting and implantable
devices were required to develop tracking systems to capture comprehensive information
on product distribution so that problem products could be identified in the event of a public
health risk. Further, additional controls were introduced to respond to criticisms that the
FDA had not monitored adverse events effectively (Alder, 1993). Medical device reporting
requirements for device-related deaths, injuries, and life-threatening illnesses were
expanded to apply to entities such as healthcare facilities rather than just to manufacturers
(which had already been required to report these events) (Harty-Golder, 2002). Facilities
using a medical device now had to report such injuries to both the FDA and manufacturer
within 10 days and to submit semi-annual reports of device-related deaths to the FDA
30
(Silver, 1994). The Act also required all distributors of medical devices to report adverse
reactions and deaths each year to the manufacturer and the FDA (Silver, 1994).
2.4 The Evolution of Design Control Related to Risk Management
When laws and regulations are enacted, it is important to recognize that the regulations
may not always solve the problem that spurred their enactment in the first place. Although
regulations during this period required good manufacturing practices similar to those
controlling the manufacture of drugs, such rules typically came into effect after device
approval. They did not extend to the control of the product design. However, it was in the
design phase where many of the safety problems originated. In two of the most significant
medical device problems, the Dalkon Shield IUD and the Bjork-Shiley heart valve cases,
it seemed clear that quality practices to manage device design in the 1980s were inadequate.
In the case of the Dalkon Shield, design issues originated in the multifilament string that
formed the tail of the device. This string deteriorated with time after implantation and also
served as a wick for bacteria to enter the uterus and cause infections (Mumford & Kessel,
1992; Sivin, 1993). In the case of the Bjork-Shiley heart valve, problems appeared when
its design was changed in order to reduce issues of thrombosis and damage to red blood
cells attributed to the bulky disc-and-strut valve structure of the previous iteration
(Blackstone, 2005). The component revision was intended to improve the strut design to
reduce damage to blood cells passing through the valve. However, the design of the struts
and welds did not take into account the propensity of those mechanical elements to fatigue
and fracture over time. Valve breakage caused the sudden catastrophic deaths of 386
31
individuals and the near-death of many others between 1979 and 1986 (Fielder, 1995;
Harrison et al., 2013).
Systematic approaches to risk evaluation for problems such as those described above were
not addressed well by the principles of the Good Manufacturing Practices (CGMP) under
section 520(f) of the Act or its enabling regulations under Part 820 (FDA, 2014b).
However, between 1983 and 1988, 44% of all recalls were attributed to device design rather
than manufacturing problems (IOM, 2011). To address this limitation, the FDA, in 1997,
revised their regulations to add what eventually came to be known as “design controls”
(FDA, 2014b), which were described in subpart 820.30 of the Code of Federal Regulations,
Title 21. This section required all manufacturers of Class II and Class III devices as well
as certain Class I medical devices to establish procedures ensuring that designs were
“controlled.” This control meant that a standardized set of procedures had to be
implemented to assure that design requirements related to the device’s intended use (called
“inputs” in the language of the regulation) were documented and reviewed early in the
design process (FDA, 2014b). Those design inputs then served as a framework for the
specification of the product that ultimately became an implementation or prototype,
described in a “design output” document or set of documents, to describe all the design
features in the device needed to assure its safe and efficacious function ("Code of Federal
Regulations," 2015). Systematic testing activities were required to verify that all “input”
requirements would be satisfied by the final “output.” Design validation, including
software validation, was also required to assure that the product performed as expected in
real-use environments and was to be carried out on the initial production units ("Code of
32
Federal Regulations," 2015). At each design stage, formal design reviews had to be
conducted by an individual or team without design responsibility ("Code of Federal
Regulations," 2015). Finally, all manufacturers had to maintain this documentation in a
design history file, showing how the design was being developed according to its approved
plan. In 1997, the FDA published a “Guidance for Industry: Design Control Guidance for
Medical Device Manufacturers” to expand on its expectations regarding design controls.
The steps of design control were illustrated in a graphic, shown in Figure 1 below, which
depicts design control as a waterfall-type process that could be restarted whenever design
needs changed (FDA, 1997).
Figure 1: Design Control Process Waterfall View
from (FDA, 1997)
The implementation of quality system regulations and design controls substantially
changed the way that the FDA approached product life cycle management. The agency
stated its belief that “design controls increase the likelihood the design transferred to
33
production will translate into a device that is appropriate for its intended use” ("Code of
Federal Regulations," 2015). The new “quality system regulations” also made it clear that
risk considerations must be a part of design activities. Specifically, §820.30(g) required
that risk evaluation be carried out as part of the validation process before the product was
marketed. This section of the regulation has subsequently become the cornerstone for the
regulatory oversight of risk management.
Design validation shall ensure that devices conform to defined user needs
and intended uses and shall include testing of production units under actual
or simulated use conditions. Design validation shall include software
validation and risk analysis, where appropriate. The results of the design
validation, including identification of the design, method(s), the date, and
the individual(s) performing the validation, shall be documented in the
DHF (21CFR820.30g)
2.5 The FDA Recall Authority and Overview
The requirements to control product quality through good manufacturing practices and
design were necessary measures to assure a safe medical device. However, no system, no
matter how well-designed, can be reasonably expected to yield a perfect product 100% of
the time. Device defects and other problems are still likely to reach the consumer at least
occasionally. Before 1990, manufacturers had the discretion to recall problem products
voluntarily, motivated either by their sensitivities regarding product safety or performance
or by indirect pressure exerted by the FDA when unacceptable health hazards were
associated with a device. The Safe Medical Device Act of 1990 strengthened the FDA’s
authority to initiate a recall in situations where the product seriously injured the patient or
violated the law (Caceres, 2014). In the subsequent 25 years since the law was enacted, the
FDA has only rarely used its mandatory recall authority, but its ability to do so provides a
34
less cumbersome process to obtain the cooperation of manufacturers when a recall becomes
necessary.
The FDA assigns a three-tier classification to recalls based on its assessment of the health
hazard posed by the problem product. Class I recalls are the most serious; they include
those in which the recalled product has a reasonable possibility to cause a severe adverse
health consequence or death. Class II recalls are those in which a product may cause a
temporary or medically reversible adverse health consequence or where the probability of
a severe adverse health consequence is remote. Class III recalls involve situations in which
the use of or exposure to the device is not likely to cause any adverse health consequences
(Caceres, 2014). The classification of an individual recall by the agency relies on the
assessment of several factors, including not only its potential consequences but also the
particulars of the situation and the scope of distribution of the product.
The recall of a product is not a rare occurrence. The imposition of quality systems and
design controls was supposed to reduce the incidence of problems warranting a recall.
However, my retrospective analysis of the recall database held by the Center for Device
Evaluation and Radiological Health (CDRH) from January 1, 2010, to December 31, 2015,
showed an average of approximately 2,600 recalls annually (Oppenheimer, 2015).
Moreover, the same types of problems device design, component controls, and production
controls were seen to be the greatest sources of product failure year after year
(Oppenheimer, 2015). The data clearly indicate that current approaches to design and
manufacturing are not working as well as anticipated, and more attention is required to
35
manage risks for such products. Thus, over the last two decades, attention has focused on
implementing strategies for risk management that can predict where products are most
likely to fail.
2.6 Risk Management for Medical Devices
2.6.1 Early Evolution of Risk Theory
The success of regulations promulgated in the 1990s depended on the evaluation and
mitigation of risk, a direction that was relatively new to medical device manufacturers.
However, the methods that were available to help device manufacturers with such analyses
were not new. The roots of European risk-management theory can be recognized as early
as the Renaissance period, when Chevalier de Méré established the theory of probability
by challenging fellow mathematician Blaise Pascal to develop a way to predict gambling
success with the help of fellow mathematician Pierre de Fermat, Pascal was able to develop
a system to assist gamblers based on theoretical principles of probability. This system
evolved into an approach easily leveraged as a basis for modern risk management
(Bernstein, 1996).
The 18
th
century was a fertile period of scientific thinking. This time of scientific
progression produced a number of intellectuals who helped to develop the theoretical base
for risk assessment. In 1703, Jakob Bernoulli developed the law of large numbers and the
principles underlying statistical inference. In 1730, Abraham de Moivre formalized the
principles underlying normal distribution and standard deviation that became important to
36
quantify risk (Bernstein, 1996). His book, The Doctrine of Chances, extended probability
theory. Eight years later, his nephew, Daniel Bernoulli, furthered the theory by defining a
concept known as “expected utility.” He proposed that “the utility resulting from any small
increase in wealth will be inversely proportional to the quality of goods previously
possessed” (Bernstein, 1996). This area of thought led to a better understanding of risk
aversion and was foundational to modern approaches of portfolio management (Bernstein,
1996). In the 1750s, Thomas Bayes developed Bayes’ Theorem, a fundamental addition
for the practitioner’s quantitative toolbox that used previous information regarding
probability patterns to mathematically project the likelihood of similar future events. These
discoveries are the basic underpinnings on which most statistical enhancements were later
based (Bernstein, 1996).
Most of the early work that provided a methodological substrate for risk management took
place in Europe when the US was still a colony. The practice of risk management in
America appeared to become significant for business much later, after World War II. It
appeared first to be applied in the insurance business, where it became critical for
determinations of rates. However, its value was soon recognized in different types of
industries, ranging from those centered on high-risk activities such as aviation and nuclear
power production to those concerned with financial transactions, such as investment
banking (Dionne, 2013; Flouris & Yilmaz, 2011; Moss, 2012; Perkins, 2014). As more
applications for risk management developed, the use of the term appeared to become
blurred. Initially, it was used to denote activities undertaken to limit the odds of accidental
loss or damage but gradually came to be seen as a more holistic process of analyzing and
37
then mitigating a greater variety of risks through different types of interventions
(Crockford, 1982).
In 1981, Kaplan and Garrick initiated a method to define risk more broadly. The method,
later known as the Kaplan Garrick Quantitative Definition of Risk, utilized three
components, reflected by posing three questions: What could happen? How likely is the
given event to take place? If the event does occur, what are the consequences? In their
work, Kaplan and Garrick emphasized certain essential features of risk, including its
multiple sources with different relative probabilities and severities and its acceptability
based on the cumulative risks associated with those variables. While they acknowledged
that Bayesian approaches were useful for risk quantitation, they advanced the view that
risk could not be given a single number that would capture risk comprehensively
(Johansen, 2010; Kaplan & Garrick, 1981).
In the second half of the 20
th
century, the focus on the usefulness of risk management for
the improvement of manufacturing intensified. Genichi Taguchi developed one well-
known set of methodologies, the Taguchi method, to reduce production losses. Taguchi
theorized that manufacturing problems and inefficiencies were responsible for scrap and
increased production costs and could be quantified when products did not meet their target
performance. In his view, excursions from expected performance were unlikely to be
eliminated, but losses would be reduced if the risks were well-controlled (Badiru, 2013).
This concept of performance and quality metrics as part of risk management is a subject of
much discussion of current regulators today (Gadotti Martins, Pinheiro de Lima, & Gouvea
38
da Costa, 2015). A number of other models and theories were also developed that are
beyond the scope of this discussion but that have provided a rich body of literature from
which lessons could be learned (Badiru, 2013; Basu, Bose, & Ghosh, 2014).
It is not surprising the medical device models of risk management drew heavily from the
risk management principles of other business sectors in their attempts to respond to the
Safe Medical Devices Act of 1990. However, still missing were clear instructions for the
medical device industry about the right way to implement risk assessment and risk
management logistically for their particular types of operations. Thus, in the latter part of
the 1990s, regulators, industry trade associations, and standards-setting bodies expended
much effort to decide how best to systematize approaches to risk management for medical
device applications.
An initial step in helping medical device companies to understand risk management was
provided in 1997 by the publication of standard EN 1441, titled “Medical Devices: Risk
Analysis,” by Comité Européen de Normalisation (CEN). The document attempted to
define methods by which companies could identify and assess hazards associated with a
medical device. The standard introduced a number of important concepts to the general
medical device audience. For example, it identified that the evaluation of risk required
attention to two elements: the probability that harm could occur and the severity of the
consequences (Lander, 2007). However, its scope was limited to only early stages of risk
management—specifically, risk identification, analysis, and estimation—and failed to
provide sufficient guidance to go further and intervene to control the risks. Thus, EN 1441
was superseded in 2000 by the seminal standard ISO 14971: Application of Risk
39
Management to Medical Devices, developed by the International Organization for
Standardization (ISO). Its implementation framework is shown in Figure 2.
Figure 2: Risk Management Process
Reproduced from (ISO, 2007)
40
2.6.2 ISO 14971 Risk Management - Application of Risk Management to Medical
Devices
As explained in ISO 14971, risk management is a series of activities directed at reducing
the potential for harm caused by hazardous situations. It has four main activities: Risk
Analysis, Risk Evaluation, Risk Control, and Monitoring. Risk Analysis refers to the
identification of potential hazards associated with medical device use and misuse. For each,
the risk of harm is estimated based on best estimates of the frequency and severity with
which that particular hazard will occur (Daniel & Kimmelman, 2008; ISO, 2007). Risk
Evaluation, the second activity, requires that the estimated likelihood of harm be judged
against the amount of acceptable risk that a company is willing to bear; the company’s
view of its risk tolerance should be predetermined during the planning phases of risk
management (Daniel & Kimmelman, 2008). Risk Control describes strategies and control
measures to reduce or remove the risks (Daniel & Kimmelman, 2008). The control strategy
calls out ways to monitor pre- and post-production activities that will be carried out
throughout the life cycle of the device. The information obtained in the Monitoring stage
is used to check the validity of the assumptions made about the seriousness of the risk and
the effectiveness of implemented controls (Daniel & Kimmelman, 2008).
To follow the staging framed by ISO 14971, risk management activities conducted by
company personnel must be aligned with the sequencing of the risk management exercise.
The risk management process begins by assigning responsibilities for various activities to
specific individuals who must be knowledgeable and competent in risk management. The
team then develops a documented risk management plan for the medical device (Perez,
41
2012). At this point, some of the tools that will be used for the risk management exercise
are identified. During the identification phase described above, the risk management team
decides on the intended use of the device and any characteristics that might pose safety
concerns. When the known and theoretical hazards are identified, the estimation phase then
requires that staff, consultants, or other relevant stakeholders estimate the risk of each
hazard, typically by assigning each risk to an appropriate box on a risk matrix, as shown in
Figure 3. Knowledgeable individuals with different backgrounds are needed to be able to
predict the severity and frequency of the risk at the design stage when relatively little
quantitative data may be available on the ultimate performance of the device (Niamh,
2015). They will also use certain identified and task-specific tools to organize and
investigate data to support risk assignments. During the evaluation phase, the team consults
with senior management to ensure that the current level of risk is acceptable or whether a
reduction in risk is necessary (Perez, 2012). If the team decides that risk reduction is
warranted, it must identify appropriate risk control measures. Once the risk interventions
have been implemented, residual risks must be considered and documented. If the risk
cannot be reduced to an acceptable level, the team must decide if the medical benefits
outweigh any residual risks A product whose medical benefits do not outweigh its residual
risk is usually deemed to be unacceptable and is not distributed (Perez, 2012).
42
Figure 3: Risk Estimation
Risk Matrix Reproduced from (Bartoo, 2003).
The risk management process does not end with the initial risk assessment and control
cycle. The medical device is monitored throughout the production and post-production
processes, and the risk management team determines if the risks should be reassessed at
any point (Perez, 2012). A reevaluation of risk may be warranted if the design or
43
manufacture of the device is changed or if unexpected problems are identified after the
product has been commercialized. The team, often configured as a “change control board,”
would then consider the way in which the change could impact the safety and performance
of the product. This return to the initial risk management cycle helps to prevent problems
from arising in other aspects of design and manufacture because of poorly considered
change reviews (Perez, 2012).
Risk management is essential in the medical device industry, because it provides greater
predictive capability regarding device outcomes. By using a formal risk management
framework and appropriate tools, companies are led to analyze product failures and to
develop improvements in a thoughtful and systematic way. Further, it can encourage the
manufacturer to consider not only how the device will be used but also how it could be
misused (Rudolph, 2003). This may lead the team to identify new hazards and drive the
manufacturer to explore ways to prevent these hazards from occurring
2.6.3 Risk Management Tools
The risk management framework has been critical in establishing a common methodology
and vocabulary. However, in any risk management exercise, “the devil is in the details.”
The effectiveness of the exercise will depend on the abilities of the responsible individuals
to conduct the risk analysis using a range of risk management tools, some of which are
detailed in Annex G.6 of ISO 14971 and reviewed briefly in Table 1 (ISO, 2007). Because
different tools are useful for various types of analysis, many have suggested that an
44
effective risk management program should be built on a combination of tools with
complementary capabilities. Notably, the FDA has advocated for the use of multiple tools
to create a full picture of risks. For example, Kim Trautman, former Associate Director for
International Affairs at the Center for Devices and Radiological Health, has been quoted
as saying,
Are FMEA or FMECA… good tools? Yes. They are very good tools that
can be utilized. Are they in and of themselves a risk management system?
Absolutely not. I can’t tell you how many manufacturers I have seen that
have tried to present their risk management system by simply presenting a
FMEA—that is not a risk management system. Do not make the mistake of
presenting FMEAs as your whole risk management system. (Trautman,
2012)
If the tools are not tailored to the situation, the use of a single or inappropriate tool may
give a false sense of security that a risk has been investigated or controlled adequately.
Without a thorough analysis, one or more potential hazards may not be identified and
managed at the design stage and then may result in an expensive recall or field corrective
action (ISO, 2009). The most commonly used risk management tools in the medical device
industry include Preliminary Hazard Analysis (PHA), Failure Mode Effects Analysis
(FMEA), Fault Tree Analysis (FTA), Assurance Cases, Hazard Analysis & Critical Control
Point (HACCP), and Hazard and Operability (HAZOP). These are detailed below in
section 2.2.3. However, several other tools can also be useful, and some of these will be
identified as well. The reader is referred to IEC/ISO 31010 for a more detailed review of
many of these tools (ISO, 2009).
45
2.6.3.1 Preliminary Hazard Analysis
Preliminary Hazard Analysis (PHA) is a semi-quantitative analysis tool frequently used in
early stages of the risk management cycle. Because relatively little specific information
may be available to quantify certain risks at the initial stages of design, a well-constructed
PHA relies on the expertise of the team members and the availability of prior information
of hazards or failures in similar systems to presage the probability of future situations that
may cause (FDA, 2006). Like many such tools, the analysis is directed at four main
aspects—the likelihood that particular risk event will occur, the extent of the injury that
would be associated with that event, the relative risk of the event on others, and the
prevention or mitigation strategies that might be taken. Medical device organizations
typically use PHA in conjunction with a variety of other risk management tools that are
more suited to later stages in the product design and production to ensure all potential risks
are adequately mitigated (Dumbrique, 2010). The PHA shares some characteristics with
the Failure Modes Effects Analysis tool, described below.
2.6.3.2 Failure Mode Effects Analysis (FMEA) / FMECA
The Failure Mode Effects Analysis (FMEA) is perhaps the most common tool employed
by medical device companies to analyze risk. It is a bottom-up, matrix-driven procedure
used to measure and prioritize individual risks so that the risks can be isolated and
considered systematically (Morrow, 2012). The methodology relies on a relatively
standardized procedure to assess the severity of the consequences of a failure mode, the
likelihood of occurrence of the failure mode, and the potential causes of the failure mode
that can be detected and eliminated from the design as shown in Figure 4 (Liu, Shuai,
Wang, & Li, 2012). If it were to be used alone, it would have to make the assumptions that
46
all the ways in which the medical device would fail (failure modes) could be identified and
that the effects of the failure on the operation of the device can be estimated (effects
analysis). Although FMEA does not involve testing in actual operating conditions, it
provides a systematic framework that points to needed testing when insufficient
information is available to understand the risks fully. Medical device manufacturers may
utilize a slightly modified version of the FMEA methodology to include criticality. This
additional element can be assessed qualitatively, semi-quantitatively, or quantitatively as
part of what is called the Failure Modes, Effects and Criticality tool (FMECA) (ISO, 2009).
Figure 4: FMEA/FMECA
Reproduced from the http://www.six-sigma-material.com/FMEA.html
47
2.6.3.3 Fault Tree Analysis
Frequently described as a “systems engineering” tool, the top-down Fault Tree Analysis
approach can use either a quantitative or a qualitative approach to model the
interrelationships between parts of the system that could cause the system to fail or perform
poorly. Its primary goal is to identify all combinations of events that can cause a system
failure (Santiago, Faure, & Papadopoulos, 2006). The use of FTA fundamentally requires
that problems anticipated with the device or system (i.e., patient injury, loss of power) be
organized in a top-down fashion to identify all the possible ways that the fault could have
occurred given the context and operating environment of the device or system (Haimes,
2009). To do this, it depicts the failure modes of successively lower subassemblies or
processes using a logic diagram, such as that shown in Figure 5. The method is not
structured to provide remedies for the identified risks but is very useful to guide root cause
analysis and appropriate mitigation.
48
Figure 5: Fault Tree Analysis
Reproduced from (ISO, 2009)
FTA can help a team to identify possible flaws in the design of medical devices early in
the development process. In such cases, the FTA exercise may have to be conducted
theoretically by assessing potential faults in a device or system before it is placed in
operation (Flaus, 2013; Fries, 2013). However, at early stages, limited data may exist to
guide the direction of the analysis. It can also be used for more mature products, when
quantitative analysis can be performed based on the previous history of components and
process reliability data (Flaus, 2013). The approach also considers interactions among
components and between the device and the human operator as possible sources of device
failure.
49
2.6.3.4 Safety Assurance Cases
The safety “assurance case” method is also a top-down approach to risk management for
medical devices that is often used in conjunction with other approaches such as FTA or
FMEA. It is designed to show whether the evidence concerning hazard identification and
risk control can logically support the claim that the medical device is reasonably safe for
its intended purpose and in its specified environment. The assurance case begins by making
a high-level claim: for example, my cochlear implant is reasonably safe. It then cascades
into a hierarchical tree in which the various branches represent sub-claims: for example,
the speech processor is reasonably safe; the implanted electrode is reasonably safe. The
subordinate material to each sub-claim contains objective evidence that the sub-claim is
valid and ultimately that the high-level claim of safety is valid (Ray, 2012). Much like the
methods described above, it typically requires the identification of multiple, often
interacting, hazards associated with production and use of the device. It must present
arguments concerning the effectiveness of controls to reduce the risk of occurrence of the
adverse event and the evidence to support the determination that the control will be
effective. The presentation of material in the safety assurance case involves three steps: 1)
making a claim, 2) making an argument as to why the claim is valid, and 3) providing
evidence to support the claim (Figure 6). To support the claims with evidence, the team
often will rely on complementary hazard analysis techniques such as FTA or FMEA
(Arney, Venkatasubramanian, Sokolsky, & Lee, 2011), which can become part of the
argument. The goal of this systematic delineation of claims and evidence is to explain how
risks have been controlled (Ray, 2012).
50
Figure 6: Safety Assurance Case
Reproduced from (Ray, 2012)
2.6.3.5 Hazard Analysis and Critical Control Points
Hazard Analysis and Critical Control Points (HACCP) is a methodology to assure product
safety in the manufacturing stage, by analyzing the chemical, biological, and physical
hazards at all stages of production, from the acquisition of raw materials through to the
distribution of the finished product (Baird, Hodges, & Denyer, 2003). It begins with a
systematic study of the product and its manufacturing environment to identify risks at
various stages of the manufacturing process that can compromise safety or effectiveness of
the product. It has a particular focus on “critical control points,” where some form of
control step can be introduced and monitored (Figure 7) (Mortimore & Wallace, 2013).
51
These interventions link to ongoing assessments designed to assure that the hazard has been
managed effectively; if not, controls must change to protect the safety of the final product.
Figure 7: HACCP Overview
Reproduced from (Mortimore & Wallace, 2013)
52
2.6.3.6 Hazard Analysis and Critical Control Points
The Hazard and Operability (HAZOP) method is another approach, which was first
developed for the chemicals industry, by which industry and company experts determine
how well production and servicing processes assure that a product adheres to its original
design. Historically, the method was applied to processes used in the manufacture or
service of medical products but now is often extended to ancillary activities involving
suppliers, equipment, and facilities related to the products (Pokrop, 2013). Through a series
of brainstorming activities and a subsequently structured approach, analysts characterize a
process and then ask questions about each part of that process to uncover how it can cause
the product to deviate from its original design intent (Hurford, 2012). The further analysis
explores whether corrective actions to change the process could have unintended negative
consequences for the safety and efficiency of operations and seen in Figure 8. If needed,
actions are proposed and taken to fix any unwanted deviations (Hurford, 2012). Situations
may exist where a change in one component does not lead to an immediate effect but rather
an effect that occurs far downstream of that process.
53
Figure 8: HAZOP
Reproduced from (Crawley & Tyler, 2015)
2.6.3.7 Using Multiple Tools
Each of the several tools identified above is more or less suited for particular parts of a
comprehensive risk management program (see the summary of tools in Tables 1 and 2).
54
Some tools are best suited for early development, whereas others are best used after
products have been manufactured and data on outcomes from those processes are available,
as shown in Figure 9. This array of tools can provide the manufacturer with considerable
flexibility to focus on aspects of the product deemed riskiest. For some products, this may
be in areas such as software development and validation known from previous experience
to present design challenges (Lindholm, Notander, & Höst, 2013). For others, it may be on
the challenges of a particular manufacturing or distributional step such as damage in
shipping. However, regardless of their roles, all risk management activities will become
part of the more comprehensive quality systems of the company.
55
Table 1: Risk Assessment Process
Reproduced and modified from (ISO, 2009)
Tools and
Techniques
Risk Identification Risk Analysis Risk Evaluation
Consequence Probability Level of Risk
Failure Mode
Effect Analysis
(FMEA)
Strongly
Applicable
Strongly
Applicable
Strongly
Applicable
Strongly
Applicable
Strongly
Applicable
Hazard and
Operability
Studies
(HAZOP)
Strongly
Applicable
Strongly
Applicable
Applicable Applicable Applicable
Hazard
Analysis and
Critical
Control Points
(HACCP)
Strongly
Applicable
Strongly
Applicable
Not
Applicable
Not
Applicable
Strongly
Applicable
Primary
Hazard
Analysis (PHA)
Strongly
Applicable
Not
Applicable
Not
Applicable
Not
Applicable
Not Applicable
Fault Tree
Analysis (FTA)
Applicable Not
Applicable
Strongly
Applicable
Applicable Applicable
Safety
Assurance
Cases
Strongly
Applicable
Strongly
Applicable
Strongly
Applicable
Strongly
Applicable
Strongly
Applicable
56
Table 2: Attributes of a Selection of Risk Assessment Tools
Reproduced and modified from (ISO, 2009)
Types of
Risk
Management
Techniques
Description Relevance of Influencing Factors Can
Provide
Quantitativ
e Output
Resources
and
Capability
Nature and
Degree of
Uncertainty
Complexity
FMEA and
FMECA
FMEA (Failure Mode and Effect Analysis) is a technique
which identifies failure modes and mechanisms, and their
effects. There are several types of FMEA Design (or
product) FMEA which is used for components and
products. System FMEA which is used for the systems.
Process FMEA which is used for manufacturing and
assembly processes. Service FMEA and Software FMEA.
FMEA may be followed by a criticality analysis which
defines the significance of each failure mode, qualitatively,
semi-qualitatively, or quantitatively (FMECA). The
criticality analysis may be based on the probability that the
failure mode will result in system failure, or the level of risk
associated with the failure mode, or a risk priority number.
Medium Medium Medium Yes
HAZOP
Hazard and
Operability
Studies
A general process of risk identification to define possible
deviations from the expected or intended performance. It
uses a guideword-based system. The criticalities of the
deviations are assessed.
Medium High High No
HACCP
Hazard
Analysis and
Critical
A systematic, proactive and preventive system for assuring
product quality, reliability, and safety of processes by
measuring and monitoring specific characteristics which
are required to be within defined limits.
Medium Medium Medium No
57
Table 2: Attributes of a Selection of Risk Assessment Tools
Reproduced and modified from (ISO, 2009)
Types of
Risk
Management
Techniques
Description Relevance of Influencing Factors Can
Provide
Quantitativ
e Output
Resources
and
Capability
Nature and
Degree of
Uncertainty
Complexity
Control
Points
Preliminary
Hazards
Analysis
(PHA)
Preliminary Hazards Analysis (PHA)
Low High Medium No
Fault Tree
Analysis
(FTA)
A technique which starts with the undesired event (top
event) and determines all the ways in which it could occur.
These are displayed graphically in a logical tree diagram.
Once the fault tree has been developed, consideration
should be given to ways of reducing or eliminating potential
causes/sources.
High High Medium Yes
Safety
Assurance
Cases
The safety “assurance case” method is also a top-down
approach to risk management for medical devices that is
often prepared after using other approaches such as FTA or
FMEA. The approach helps to determine if the evidence
concerning hazard identification and risk control can
logically support the claim that the medical device is
reasonably safe for use for the intended purpose in the
specified environment.
High High High Yes
58
Figure 9: Risk Management Tools Timeline
2.7 Integration of Risk Management Activities into Quality Activities
Risk management is only one part of an overall system aimed at assisting manufacturers in
producing high-quality products. Thus, it must be integrated into the company’s overall
quality system. The FDA’s expectations for achieving this goal are outlined in codified
regulations and applicable standards, most importantly its Quality Systems Regulations (21
CFR 820). The provisions described in 21 CFR 820 and those employed by other
constituencies, such as ISO 13485 in Europe, were developed to help medical device
manufacturers create and implement a management system to comply with regulatory
requirements and to decrease risk throughout the life cycle of a medical device (Masters &
Lupo, 2009; Ward, 2007). Other countries have developed their own regulations for quality
59
systems more recently. These are often organized and worded differently but still appear
to embrace at least the basic tenets of ISO 14971 Risk Management—Application of Risk
Management to Medical Devices, described above (Bartoo, 2003; Lincoln, 2012;
Schmuland, 2005).
Regardless of its legislative basis, all quality management systems assume that
manufacturers cannot test the quality of every device that is produced and, therefore, must
reduce the risk of a defect by assuring the quality of the design and processes by which the
devices are made (Fries, 2013). Thus, the regulations adopt an umbrella approach that
provides a procedural framework for manufacturers to follow rather than specific
requirements for the production of devices. Their value derives from their systematic
inclusivity. For example, the US QMS (̕21CFR 820.1) covers all processes used in the
“…design, manufacture, packaging, labeling, storage, installation, and servicing of devices
intended for human use.” Its high-level view gives a manufacturer considerable flexibility
to determine the specific nature of the quality system and its subordinate risk management
strategy in a way that meets the manufacturer’s particular needs.
At the same time, however, the absence of prescriptive rules may provide too much latitude
for some manufacturers. In the FDA’s QMS, the crucial nature of risk management as a
core activity is not stated but is rather implied. In fact, only in one subpart of the regulation
concerning validation activities related to design controls (21CFR 820.30 [g]) are the words
risk management used: “Design validation shall include software validation and risk
analysis, where appropriate.” It is left to the guidance document on Design Controls to
60
flesh out this message. Even then, however, the extent of the discussion of risk management
is relatively modest, perhaps because the guidance was released in 1997 before risk
management had become such central concept for the medical device sector. Inexperienced
companies thus may not know whether they have achieved an adequate level of
performance with regard to their risk management activities. The relatively hands-off
approach of the FDA may be in part responsible for the failure of companies to design risk
management systems that are capable of managing the risks of their products and thus
prevent the significant numbers of recalls that have plagued the industry. Throughout the
past decade, several notable device failures have served as instructive case studies that can
illustrate some of the major reasons for recalls. A few of these are described briefly below
as examples of the kinds of problems that seem to indicate a failure of risk management in
some way.
2.7.1 Illustrative Failures in Risk Management
2.7.1.1 Johnson & Johnson – Acuvue True Eye Contact Lenses
In 2010, Johnson & Johnson recalled approximately half a million contact lenses after
receiving complaints from customers who experienced ocular irritation and pain with their
use. Subsequent investigation concluded that the lenses had “higher-than-expected levels
of a type of acid used in the manufacturing process that was not fully removed in the rinsing
process,” according to Johnson & Johnson Spokesmen Gary Esterow (as cited in (Berkrot
& Pierson, 2010; Stewart & Paine, 2012).
61
2.7.1.2 Johnson & Johnson – DePuy Orthopaedics Inc.—ASR Hip System
Johnson & Johnson’s DePuy Orthopaedics unit issued a recall for the ASR XL Acetabular
System and DePuy ASR Hip Resurfacing System in 2010 after patients reported pain and
tissue damage in the months subsequent to their implants. Of about 93,000 patients with
one of the two recalled implants, more than 10% required corrective surgery within five
years of their first procedures (Cohen, 2013; Racine, 2013). During the surgery, metal
“debris” was found at the implantation site. It was ascribed to mechanical wear and erosion
between the ball and cup of the implant. Metal micro shavings were also suggested to enter
the blood and could ultimately be deposited in other organs (Marcus, 2015; Stewart &
Paine, 2012).
2.7.1.3 Baxter Healthcare Corporation – Colleague Infusion Pump
In 2006, Baxter Healthcare signed a consent decree of permanent injunction resulting from
their continued problems with the Colleague Volumetric Infusion Pump. The FDA had
been working with Baxter since 1999 to ensure that Baxter corrected numerous device
flaws, such as battery swelling, inadvertent powering shutdown, service data errors, and
other issues that resulted in 42 more specific recalls. The FDA then instructed Baxter to
stop manufacturing and distributing the devices within the United States until
manufacturing deficiencies were corrected and the devices were made compliant with the
FDA’s current good manufacturing practice (CGMP) and Quality System (QS)
requirements. The recall affected approximately 260,000 infusion pumps and was
estimated to cost USD $400–600 million. In 2010, the FDA urged Baxter to destroy all
62
pumps after correction and remediation efforts had failed (Greb, 2006; Japsen, 2010;
Schaeffer, 2012)
2.7.1.4 Customed Surgical Inc. Surgical kits
Customed has had the dubious honor of having the largest number of recalls ever initiated
by a medical device company. In one day, the company posted 233 Class I recalls.
Customed confirmed that those devices were recalled because of concerns that convenience
surgical packs might not be sterile as a result of manufacturing and storage conditions
(Gaffney, 2014).
2.8 A Risk Complacent Industry
As medical device manufacturers develop new products to expand their portfolios,
companies often ask the question of their development teams, “Have we identified all the
risks?” While the tempting answer is “yes,” previous experience suggests otherwise. Even
when good teams try enthusiastically to identify and mitigate risks, unpredictable design
or production problems or unpredicted ways of using the products may result in product
failures or adverse events. Thus, new risks should be anticipated as a device proceeds
through its life cycle. As pointed out in Dubrique’s text, Implementation of Risk
Management in the Medical Device Industry, medical device manufacturers will need to
employ several different risk management tools throughout the product life cycle to ensure
that their risk management programs are operating successfully (Dumbrique, 2010).
63
Not all manufacturers, however, appear to embrace risk management as an opportunity to
improve products and systems rather than to satisfy a checklist. For example, the recent
survey of medical device companies by Chan (2012) identified that many manufacturers
viewed risk management primarily as a requirement to be satisfied in order to prevent
charges of regulatory non-compliance. As one survey respondent noted in that survey, risk
management “is often thought of as a file you go to, not an activity.” Chan also concluded
that manufacturers often focused their activities on design stages rather than on later post-
market stages of the product life cycle (Chan, 2012). Even when problems occur, the initial
attention to risk management in the wake of a disaster can fade gradually over time
(Polidoro, 2016). Additionally, the research conducted by Chan and Dumbrique suggests
that medical device organizations are not applying the concepts and tools of risk
management fully or appropriately (Chan, 2012; Dumbrique, 2010). In the work of Chan,
some respondents in that survey were found to be relatively naïve about the different types
of tools that might be used for risk management. It is therefore unclear whether the groups
to which they belong are using minimal risk management approaches, perhaps by using
only a single risk management tool (Jones & Taylor, 2015).
The challenges of risk management are particularly vexing in certain subsectors of medical
device manufacture. As mentioned, one device type that has been particularly challenging
has been infusion pumps. In section 2.7.1.3, a single issue with infusion pumps was
described, but more generally, drug infusion pumps from different manufacturers have
been plagued by multiple recalls for issues such as software defects, reliability failures, and
usability issues that have contributed to serious injuries and even fatalities in patients.
64
Clearly, important causes of some frequently reported infusion pump problems are related
to elements of design: software error messages, human factors, defective components,
battery failure, alarm failure, over-infusion, and under infusion (FDA, 2014a; Phelps,
2011). The agency hypothesized that the incidence of these issues could be reduced through
appropriate design evaluation and risk mitigation (Traynor, 2010).
In response, the FDA created a new precedent in its approach to risk management oversight
by creating the Infusion Pump Initiative in 2010 (FDA, 2014a). It added controls including
a pre-approval inspection and the use of specified risk tools such as Safety Assurance
Cases. This initiative appears to mark a change in direction for the FDA, in that it began to
consider a more prescriptive approach to the use of risk tools. This message may presage
a more assertive regulatory approach to risk mitigation for all manufacturers of medical
devices. The events that led to the infusion pump initiative and the FDA’s response to it
may serve as a warning to companies that a reevaluation of their risk management
programs may be in order.
2.9 Exploring Unanswered Questions
From the literature review, above, it seems clear that current approaches to risk
management methods are insufficient to prevent many recalls that, in principle, did not
have to happen. However, relatively little is known about the way that companies are using
the risk management tools available to them to carry out their activities. What is evident
from the work of Chan (2012) is that many individuals in risk management roles have one
65
or two favorite risk management tools but seem unfamiliar with most other tools that might
also offer advantages. These limitations seemed to be recognized by at least some of the
risk management professionals who were surveyed in Chan’s study. As Chan points out,
“The most commonly selected challenge (32/74, 43%) was the availability of tools and
techniques to meet their needs.”
In this study, we wish to drill down to understand in more detail how risk management is
being applied through the use of multiple tools and at varying stages of the product life
cycle. It would seem to be instructive to begin where Chan left off, in order to understand
in more detail how risk management is conducted using the tools that are available. A
survey directed at the professionals who implement risk management would be a relatively
direct way to gather such information. However, it is important to structure that survey in
a systematic way. To guide this exploration, appropriate frameworks were therefore sought
that could help to assure a balanced, comprehensive approach to the questions of interest.
Relatively few specific frameworks have addressed risk management systematically to
date, but those that do offer promise are outlined below. From these frameworks, most of
which have emerged over the last decade, a model is chosen that will be used to facilitate
a systematic approach suitable to the goals of the present research.
2.9.1 Research Frameworks Provided by Risk Theory
2.9.1.1 Guldenmund’s Holistic Approach to Risk Management
Perhaps one of the earliest approaches to looking at risk management in a systematic way
was that published by Guldenmund to describe essential elements in a “safety culture.”
66
Guldenmund suggested that organizations use three approaches—the academic approach,
the analytical approach, and the pragmatic, evidence-based approach—that in some ways
represent past, present, and future views, respectively, regarding how to establish a safety
culture in the organization (Guldenmund, 2010). Guldenmund then extended these
approaches by suggesting a comprehensive framework, called an “Organizational
Triangle,” to illustrate the essential elements of a safety culture.
Guldenmund’s Organizational Triangle is based on the view that behaviors are produced
by the combined factors of structure, culture, and process. Structure influences behavior
when it dictates whether individual employees are able, or not able, to take action or make
decisions as shown in Figure 10 (Guldenmund, 2010). Culture influences behavior when
it determines the norms and rules established within the organization. Processes influence
behavior when they determine patterns of individual, group, and organizational actions.
When examining a particular behavior, Guldenmund suggested that all these factors
operate simultaneously. Thus, their influences over outcomes could not be decomposed
(Guldenmund, 2010).
Guldenmund’s focus on an organization’s safety culture underscores an important but
perhaps underappreciated role of culture, which is its ability to reduce uncertainty.
Guldenmund states that “An important function of culture is related to the reduction of
uncertainty, which, consequently, leads to more continuity because less time is spent on
mutual adjustments within a group” (Guldenmund, 2010). Guldenmund goes on to argue
that culture leads to patterns of adaptation and habituation that can produce more aligned,
more effective teams. Thus, one might question whether the element of culture in the
67
triangle is more of a foundational component on which the other elements are based and
thus suggests a hierarchy amongst the three elements. In contrast, some authors advocate
for a reciprocal view of culture and structure in which structure dictates culture (Campbell
& Göritz, 2013).
Figure 10: Guldenmund’s Organizational Triangle
Reproduced from (Guldenmund, 2010)
2.9.1.2 The Conceptual Model of Sullivan and Beach
A model that focuses more specifically on risk management is that of Sullivan and Beach
(Sullivan & Beach, 2009). This model derives from an analysis of High-Reliability
Organizations (HROs), such as aerospace or nuclear plant organizations that must treat risk
management as an integral component of operations. In fact, Sullivan and Beach argue that
risk is such an important part of transactions in HROs that risk reduction is often
emphasized over profit in those companies. Their conceptual model of operational
reliability describes effective outcomes to be a product of competing forces. Two factors
relating to the nature of risk and expectations around its control are balanced by two factors
that together affect the capability to control the risks, as shown in Figure 11 (Sullivan &
68
Beach, 2009). Sullivan and Beach argue that if capability (dictated by resources and
competency) is kept in balance with risk (dictated by expectations and risk factors), an
effective program of risk management will result.
Figure 11: The Conceptual Model
Reproduced from (Sullivan & Beach, 2009)
The conceptual model developed by Sullivan and Beach (Sullivan & Beach, 2009)
emphasizes different facets of risk management than those proposed by Guldenmund. In
part the differences may exist because Sullivan and Beach had a more specific focus on
risk management rather than on safety culture more generally. Additionally, their
observations originate from a particular subsector of industry where risk management is a
critical activity. Nevertheless, Sullivan and Beach seem to suggest that their model could
provide a useful conceptual framework for studying risk management operations in a range
69
of risk-sensitive companies. At the same time, they note that the model may be less useful
for companies such as non-profit or service enterprises where risk is not such a major focus.
Sulllivan and Beach have two elements that define risk. The first is the nature of the risks
themselves; these include not only real risks but also imagined and unknown risks. The
size and nature of these risks will affect how strongly the system will be focused on their
control. Sullivan and Beach emphasize safety risks, but there is no reason why risks could
not be considered more broadly to include enterprise risks of all kinds, as suggested by
Robbins, Connors, Sheehan, and Vaughan (Robbins, Connors, Sheehan, & Vaughan,
2005). In such a broader approach, Robbins and colleagues contend that risk factors must
be addressed not only in the individual departments but also cumulatively across the entire
organization. Although Robbins and colleagues argue that it may not be possible to identify
all risk factors, particular areas that should be usefully studied are operations, financing,
and culture (Robbins et al., 2005).
The second element relates to the expectations of stakeholders with regard to the level of
threat posed by the risks. For organizations, whose products must be reliable, stakeholders
can have very little risk tolerance, and product failures can create anxiety and distrust. For
many of the external stakeholders, expectations may be focused on outcomes such as the
complete prevention of risks (e.g., no nuclear meltdowns) or the appropriate control of
more minor risks so that they are held at an acceptable level. However, for employees,
expectations with respect to risk acceptability may relate not only to outcomes but also to
the internal processes and environment in which those outcomes are produced. Problems
with these internal factors can also create conflict and mistrust. By defining and articulating
70
expectations, barriers to communication can be avoided, and conflict can be reduced
(Atkinson, 2010).
On the other side of the balance are factors that define the capability of the organization.
A key element is the adequacy of resources. As stated by Sullivan and Beach (2009),
“…carrying higher operational costs than conventional organizations appear to be the price
that must be paid for exceptional system reliability.”. Competence factors, including skills,
knowledge and experience, also represent a key element. Sullivan and Beach acknowledge
that these attributes can be difficult to evaluate because they fluctuate with time and staff
turnover. They posit that “Organizations headed for failure cannot be turned around by
throwing money at the problem… how…competencies are nurtured and deployed within
an organization will impact on the effectiveness of the system.”
An extensive body of literature related to the importance of capabilities is available to
expand on the concerns of Sullivan and Beach (2009) with regard to competence. For
example, Krzakiewicz and Cyfert (2015) argue that different types of capabilities exist.
These can include, for example, operational capabilities that permit an organization to
modify its processes to meet changing demands or dynamic capabilities of individuals that
allow the group to respond flexibly when the external environment changes (Krzakiewicz
& Cyfert, 2015).
71
2.9.1.3 The Integrated Guldenmund / Sullivan and Beach Model of Chan
Each model described above brings some fundamental elements that affect risk
management culture and performance. Perhaps most aligned to the goals of this research is
that of Sullivan and Beach, because a focus on the use of tools will necessarily focus on
capabilities including resources and competencies. However, each model by itself may fail
to capture all the key elements, as suggested by Chan when he related the root causes of
several risk failures that he studied to the elements of both models. To capture all the
elements he felt were important, Chan meshed these two models and added a final element,
Memory, as shown in Figure 12 (Chan, 2012). His effort to highlight memory as an
important and perhaps underappreciated element stemmed from analyses suggesting that
the “lessons learned” from a crisis must be incorporated into the fabric of risk management
thinking so that serious or common problems will not be repeated. This approach may serve
as a strong foundation for the types of studies undertaken here, where the way that risk
management systems are organized can be evaluated in terms of some of these elements.
72
Figure 12: The Modified Organizational Model
Reproduced from (Chan, 2012)
2.10 Proposed Research
It seems clear from the literature review above that much remains to do if recall rates are
to decrease. Furthermore, it seems apparent that risk management is a key part of this effort.
However, it is difficult to understand how risk management methods can be improved
unless there is a good basic understanding of the areas in which practices might be
insufficient. One area that seems to be evident from the survey by Chan was the need for
better training with respect to tools so that risk management approaches may be more
systematic and multifaceted. However, even in those cases where tools are used effectively
at the design phase, it is further unclear whether this attention to risk management is
73
effectively continued throughout the product life cycle. It is my belief that many medical
device recalls are preventable as recalls are typically associated with post market issues
where risk management becomes anemic. This research has therefore explored the ways in
which tool usage and other risk management methodologies are currently being employed
and whether industry feels that it could do better. It repeats the use of a framework proposed
by Chan to evaluate areas of risk management in which attitudes and approaches may vary.
From this work, it explores whether experienced individuals working in risk management
believe that their risk management systems are effective and if they could be improved in
order to reduce or prevent recalls in their organizations.
74
CHAPTER 3. METHODOLOGY
3.1 Introduction
The study has four stages. Stage I is a literature review and analysis, presented in Chapter
2, that examined the evolution and current thinking of risk management and recalls in the
medical device industry. Stage II focused on the development of the survey instrument that
was used to answer the research questions. Stage III utilized a focus group methodology to
assess the validity and clarity of the survey instrument. Stage IV involved the dissemination
of the survey instrument to identified participants from representative organizations and
the analysis of the collected results.
3.2 Development of the Survey Instrument: Stage II
The purpose of the survey instrument was to explore the manner in which risk management
tools were used and integrated into risk management processes in order to reduce problems
such as product recalls. Using the framework of Chan (2012), some preliminary questions
were chosen to match those of the earlier survey to assess whether changes in trends could
be detected from the previous five-year review of the industry. The remaining section of
the survey focused more specifically on the methods and views of participants with regard
to specifics of their risk management programs. Some areas of focus included the degree
of training offered to the individuals within an organization, the gaps that individuals feel
should be filled, the resources available to support training, their familiarity and use of
different tools, and the presence or absence of a culture to support that use.
75
The survey was developed using a web-based survey application tool, Qualtrics
(www.Qualtrics.com), which is a respected provider of enterprise survey solutions. It was
composed of approximately 36 questions, divided into three groups: (A) demographic
information about the participant and organization, (B) approaches that shape a medical
device company’s behavior towards risk management practices, and (C) approaches that
enable a medical device company’s capability with respect to risk management
implementation and execution and in particular its selection and use of specific tools.
Question formats varied to include scales measuring agreement or preference, multiple
choice selections, preference ranking, and open-ended questions where respondents
provided text responses. The responses to the questionnaire are analyzed in the outlined
research categories as identified in Table 3.
Table 3: Research Question Categories
Research Category Question Number
Survey Objective Question 1
Background Questions 2, 3, 4, 5, 6, and 7
Organizational Culture Questions 8, 9, 10, 11, 12, and 13
Competency Questions 14,15, 16, 17, and 18
Process Questions 19, 20, 21, 22, 23 ,24, and 25
Memory Questions 26, 27, 28, 29, 30, 31, and 32
Resources Questions 33, 34, and 35
Additional Survey Participation Questions 36 and 37
76
3.3 Critique of Survey Instrument by Focus Groups: Stage III
Before the survey was administered, the questions were reviewed both by a pair of faculty
members on my supervisory committee and by a 9-person focus group composed of
industry professionals working for medical device manufacturers, academics and respected
subject matter experts in different risk management capacities as shown in Table 4. The
major objective of the focus group was to critique the quality and relevance of the information
that might be expected from the use of the survey instrument. Prior to its meeting on August 31,
2016 from 1-2:30 EST, the survey was circulated so that participants had time to consider
the questions. The focus group was held at the University of Southern California, but a
videoconference link was arranged for those who had scheduling conflicts or geographic
constraints. During the meeting, the participants discussed each question in a collaborative
manner to assess the intention, phraseology, subjectivity, and specificity of the question.
The final version of the survey is shown in Appendix A.
77
Table 4: Focus Group Participants
Name Title Institution
Gerald Loeb Professor and Director, Medical
Device Development
Laboratory
University of Southern
California
Frances Richmond Professor and Director, USC
International Center for
Regulatory Science
University of Southern
California
Michael Jamieson Assistant Professor, USC
International Center for
Regulatory Science
University of Southern
California
Suraj Ramachandran Regulatory Affairs Manager Baxter Healthcare
Aimee Greco USC Doctoral Student Shire
John Hartigan USC Doctoral Student Illumina
Keith Morel VP Regulatory Compliance Qserve Group
Richard DeRisio VP Medical Health Services TUV SUD
Curtis Truesdale USC Doctoral Student Independent Consultant
3.4 Administration of the Survey Instrument—Data Collection and Analysis:
Stage IV
Stage IV had several key activities. First it was necessary to identify organizations
representing small, medium and large medical device manufacturers who have been subject
to a medical device recall since 2010. Key individuals in the organization who are part of
risk management were contacted and invited personally to participate in the survey either
by telephone or email letter. The invitation described the purpose of the research and
stressed that their responses would be held anonymously. After the respondent answered
in the affirmative, he or she was added to the panel of individuals to whom the survey was
disseminated through the web-based interface supported by Qualtrics
(www.qualtrics.com). Follow-up email reminders from Qualtrics were generated
78
automatically on October, 10, 12, 14, 16, 18, 20, 22, 24, and 26
th
to survey participants
who had not yet completed the survey.
The collected data was analyzed using various statistical methods to identify patterns,
trends and correlations between the research questions and the demographic information
describing the participant’s organization and skill set. The data was then displayed in a
tabular or graphical format.
79
CHAPTER 4. RESULTS
4.1 Responses of Respondents
Invitations to participate in the survey were sent in mid-August, 2016, to an initial cohort
of 224 potential participants who appeared to meet established inclusion criteria. Of this
group, 50% (112/224) responded with expressions of interest. To this initial group were
added 7 individuals known to the investigator or to the initial respondents. Thus, 119
Qualtrics survey links were disseminated between 5-30 October 2016, from which 101
responses, equating to an 85% response rate, were obtained. Approximately 82/101 surveys
were started and 80 were completed. An additional 21 survey links were sent to referrals
by individual participants totaling the 101 participants.
4.2 Profiles and Background of Respondents
The majority (56%, 55/99) of individuals who responded to an initial question regarding
the size of their employer worked at large companies with over 1,001 employees. Of the
remaining 44% (44 /99), 27% (27/99) described their company as small, ranging from 1-
200 employees, and 17% (17/99) as medium-sized, from 201-1,000 employees as shown
in Figure 13.
80
Figure 13: Size of Organizations with which Respondents were affiliated (n=99)
4.3 Functional Roles
When respondents were asked to specify their functional role in the organization, most self-
identified with Regulatory Affairs (40% 39/97), followed by Quality (29%, 28/97),
Consulting (9%, 9/97), and Development, R&D, or Engineering (8%, 8/97). A smaller
number of respondents were affiliated with Medical or Clinical Affairs (2%, 2/97), Product
Safety or Surveillance (2%, 2/97), or General Management (2%, 2/97) as shown in Figure
14. A few (7%, 7/97) described their functional role as “other”, and specified roles in
Operations, Auditor-Assessor, Quality Engineering, Quality and Regulatory, Quality
Engineering, or IT Quality and Compliance (Table 5).
81
Figure 14: Functional Roles (n=97)
Table 5: “Other” Functional Roles
When asked more specifically about their amount of work experience, respondents (41%,
40/97) most commonly reported that they had been employed in the medical products
industry for 11-20 years. The second most common duration of service was identified as
more than 20 years (31%, 30/97). Relatively few respondents served only 6-10 years (14%,
14/97), or less than 5 years (13%, 13/97). Employment was not typically confined to a
single company. Most respondents had worked in their current organization for less than
5 years (67%, 62/92), or 6-10 years (21%, 19/92). Long service of 11-20 years (8%, 7/92),
or more than 20 years (4% 4/92) was atypical.
Survey respondents varied more evenly in the number of years of experience in their
current organizational roles, with 29% (27/92) in that role for less than 5 years, 28% (26/92)
82
for 6-10 years and 32% (29/92) for 11-20 years. Only a few (11%, 10/92) had been
employed for more than 20 years in their current functional role. Most respondents
possessed either 6-10 years (27%, 25/91) or 11-20 years (29%, 26/91) of risk management
experience. About a quarter, however, had less than 5 years (25%, 23/91), and only about
10% (9/91) had more than 20 years. Nine percent (8/91) of respondents had no risk
management responsibilities in their profiles as shown in Figure 15.
Figure 15: Background Experience of Respondents (n=92 & 91)
4.4 Profile of Organizational Affiliations
Survey respondents were asked to describe the types of products marketed by their
organization. The majority were employed by organizations that market medical devices
(91%, 86/95). Some respondents worked for companies that marketed combination
products, (32%, 30/95), pharmaceuticals (20%, 19/95), or biotechnology products (13%,
12/95). The least commonly marketed products were biologics (12%, 11/95) as shown in
Figure 16. The number of responses exceeded the number of respondents suggesting that
some respondents worked for companies that marketed more than one type of product line.
83
Figure 16: Types and Distribution of Marketed Products (n=95)
Survey respondents were also asked to identify the different regions of the world in which
their medical products were sold. Of those survey respondents in medical device
companies, the most commonly targeted regions were the United States and Canada (96%,
90/94) and Europe (83%, 78/94). Other regions in which medical devices were sold
included the Asia Pacific Region (71%, 67/94), Latin America (64%, 60/94), and the
Middle East (57%, 54/94). Of the regions represented in the survey, the least common
region in which medical devices were sold was Africa (52%, 49/94) as shown in Figure
17.
Figure 17: Regions Where Medical Devices were Sold (n=94)
84
Survey respondents were asked to indicate the class(es) of medical device sold by their
organization in the United States. Of those respondents, whose companies sell devices,
most marketed one or more Class II medical devices (88%, 83/94). Other classes of devices
sold within the United States included Class I devices (57%, 54/94) and Class III devices
(49%, 46/94) (Figure 18). The number of responses greatly exceeded the number of
participants suggesting that many companies had more than one Class of product in their
catalogues. Approximately (4%, 4/94) participants did not work with medical devices or
combination products. These individuals were considered to violate the inclusion criteria
and were directed to the end of the survey where they were thanked for their participation.
Figure 18: Classification of Medical Devices marketed in the U. S. (n=94)
4.5 Organizational Culture and Change
To explore the views and practices of respondents that might reflect the current cultures at
their organizations, a number of questions were asked whose answers are summarized in
Figures 19-21 and Tables 6-8. One observation noted was that certain questions seemed
to generate a lower number of participant responses.
85
First, respondents were asked to indicate their level of agreement with six statements
describing possible views of their organization with respect to product risk management
using a four-point scale as shown in Table 6. More respondents strongly or somewhat
agreed (15%, 13/88; 35%, 31/88 respectively) with the statement, “My organization
regards risk management activities as a burdensome task”, than respondents who strongly
or somewhat disagreed (20%, 18/88; 23%, 20/88 respectively), and 7% neither agreed or
disagreed (6/88). Most respondents also agreed (strongly: 19%, 17/88; somewhat: 38%,
33/88) with the statement that “My organization’s current approach to risk management is
adequate”, whereas a smaller number strongly or somewhat disagreed (9% 8/88; 28%
25/88 respectively), and 6% neither agreed or disagreed (5/88). Most respondents agreed
(strongly: 84%, 75/89; somewhat: 9%, 8/89) that risk management activities add value to
the organization, with very few respondents who strongly or somewhat disagreed (1% 1/89;
3% 3/89 respectively), or neither agreed or disagreed (2%, 2/89). The majority of
respondents also agreed (strongly: 22%, 19/88; somewhat: 27%, 24/88) that risk
management activities are embedded in their organization’s goals and objectives, but a
significant minority of respondents strongly or somewhat disagreed (19% 17/88; 19%
17/88 respectively); 11% neither agreed or disagreed (10/88), and 1% (1/88) declined to
answer. Two additional statements addressed the state of the organization’s preparedness
to carry out risk management. Most respondents agreed (strongly: 20%, 18/88; somewhat:
41%, 36/88) that their organization has enough tools to perform effective risk management.
Of the remaining respondents, (3%, 3/88) neither agreed nor disagreed with this statement
and about a third strongly or somewhat disagreed (26%, 23/88; 9%, 8/88 respectively).
Most also agreed (strongly: 15%, 13/89; somewhat: 19%, 17/89) that their organization
86
provides adequate risk management training in order to understand the strengths and
weaknesses of various risk tools. However, at least one-third strongly disagreed (26%,
23/66) or disagreed 26% (23/66) with this statement. Of the other respondents 15% (13/89)
neither agreed nor disagreed with this statement (Table 6).
Table 6: Product Risk Management (n= 88)
87
Survey respondents were asked to rate their level of agreement with three statements
pertaining to their views on product risk management using a five-point scale ranging from
strongly agree to strongly disagree. The majority of respondents strongly (90%, 80/89) or
somewhat agreed (8%, 7/89) with the statement, “I support and promote risk management”.
Only (2%, 2/89) neither agreed nor disagreed and no respondent disagreed. However,
responses to the statement, “I tolerate risk management as a regulatory requirement”, were
split. About 38% strongly (28%, 24/87) or somewhat agreed (9%, 8/87) whereas a similar
number strongly (29%, 25/87) or somewhat disagreed (11%, 10/87). A notable percentage
of respondents neither agreed nor disagreed (21%, 18/87) or were unable to comment (2%,
2/87) on this statement. A third statement, “I do not consider risk management beneficial”
evoked disagreement amongst almost all respondents (strongly: 93%, 81/87; somewhat:
6%, 5/87) with only one expressing that he or she neither agreed, as shown in Figure 19.
.
Figure 19: Product Risk Management Viewpoints (n=89 & 87)
Survey respondents were asked to identify the types of activities related to product and
quality problems with which their organization had to deal during the last 24 months. The
88
most common activities included responses to audit observations (69%, 56/81), voluntary
or mandated product recalls (64%, 52/81) or field corrections (57%, 46/81), and actions to
hold products or stop shipments (56%, 45/81). Other activities were related to the
unanticipated patient events (33%, 27/81), warning letters (32%, 26/81), or consent decrees
(4%, 3/81) as shown in Figure 20. A number of survey respondents indicated that their
organizations participated in activities not specified in the options that were provided or
declined to comment (9%, 7/81) (Table 7).
Figure 20: Activities related to quality related problems (n=81)
Table 7: “Other” comments related to responses in Figure 20
89
Survey respondents were asked to indicate whether their risk management systems had
undergone changes during the past 24 months. The majority of respondents (83%, 63/76)
indicated that their company did undergo such changes (Figure 21).
Figure 21: Changes to the Risk Management System (Past 24-Months) (n=76)
The reasons driving those changes were explored by offering a range of possible
explanations, with which respondents were asked to rate their level of agreement on a five-
point scale. Most respondents strongly (38%, 27/72) or somewhat (47%, 34/72) agreed that
changes were driven by new regulations and standards. A few neither agreed nor disagreed
(7%, 5/72) or disagreed (strongly: 3%, 2/72; somewhat: 1%, 1/72) and 4% (3/72) declined
to comment. Most also agreed (strongly: 40%, 29/72; somewhat: 38%, 27/72) that changes
were driven by the identification of risk management system deficiencies. A smaller
majority agreed (strongly:18%, 13/72; somewhat: 41%, 29/71) that changes were driven
by agency or health authority feedback, but a notable percentage neither agreed nor
disagreed (18%, 13/71) or disagreed (somewhat 10%, 7/71; strongly: 8%, 6/71) with this
statement. A few (4%, 3/71) declined to comment.
Agreement with the remaining three statements was not as strong as that to the preceding
three statements. When asked to rank their level of agreement with the statement that
changes were driven by activities such as recalls, unanticipated patient events, stop
shipments, or product holds, an approximately similar percentage of respondents either
agreed (strongly: 18%, 13/72; somewhat: 26%, 19/72) or disagreed (strongly: 21%, 15/72;
90
somewhat: 15%, 11/72). Seventeen percent of the respondents (12/72) neither agreed nor
disagreed and 3% (2/72) declined to comment. When asked to rate level of agreement that
changes were driven by organizational initiatives, about half agreed (strongly: 16%, 12/73;
somewhat: 34%, 25/73) whereas about one-third disagreed (strongly: 27%, 20/73;
somewhat: 5%, 4/73). Fourteen percent (10/73) neither agreed nor disagreed, and 3%
(2/73) declined to comment. Interestingly, the statement, “changes were driven by new
management”, drew an unusually high proportion of neutral responses (24%, 17/72).
Further the remaining respondents were split in their answers. About 40% of respondents
disagreed (strongly: 31%, 22/72; somewhat: 10%, 7/72) compared to about 32% who
agreed (strongly: 8%, 6/72; somewhat: 24%, 17/72) as shown in Table 8.
Table 8: Drivers of Changes to Risk Management Systems (n= 73, 72, & 71)
91
4.6 Organizational Viewpoints Related to Risk Management
Survey respondents were asked about their views on the preparedness and effectiveness of
risk management approaches in their organizations, by presenting them with a series of
statements that might or might not be appropriate descriptors with which they could express
agreement using a five-point scale. The statement, “my organization would benefit from
using more updated standards and risk management tools” elicited the strongest agreement
from most respondents (strongly agreed: 37%, 31/84; somewhat agreed: 36%, 30/84). Only
a small minority disagreed (strongly: 4%, 3/84; somewhat: 4%, 3/84) and 17% (14/84)
neither disagreed nor agreed. Four percent (3/84) of respondents could not comment. The
statement, “my organization relies on obsolete approaches to risk management instead of
modern standards or guidance” elicited a more mixed response. About 40% of respondents
disagreed (strongly: 15%, 13/84; somewhat, 24%, 20/84) whereas about 33% agreed
(strongly agreed: 10%, 8/84; somewhat: 23%, 19/84). However, almost one-quarter of
respondents (24%, 20/84) neither agreed nor disagreed and 5% (4/84) could not comment.
The statement, “the utilization of risk management tools is a strength of my organization”,
provoked disagreement in nearly 50% of respondents (strongly:19%, 16/83; somewhat:
27%, 22/83) but agreement in only about 35 % (strongly: 16%, 13/83; somewhat: 19%,
16/83). About 17% (14/83) of respondents had a neutral view and 2% (2/83) could not
comment.
Two statements pertained to the effects of risk management activities on product recalls or
complaints. The majority agreed (strongly: 30%, 25/83; somewhat: 35%, 29/83) and only
4% disagreed (somewhat: 3/83) with the statement, “risk management activities have
reduced product recalls”. Nearly one-quarter (24%, 20/83) neither agreed nor disagreed
92
and 7% (6/83) could not comment. Similarly, most agreed (strongly: 30%, 25/84;
somewhat: 44%, 37/84) and only a few disagreed (2%, 2/84) that “risk management
activities have reduced unanticipated product complaints, and 15% (13/84) remained
neutral. Eight percent (7/84) could not comment.
The final two statements addressed the effects of business imperatives and approaches to
hazardous situations. When asked to rate the level of agreement with the statement, “my
organization’s project time lines impact its ability to identify or mitigate hazardous
situations”, most respondents agreed (strongly: 31%, 26/84; somewhat: 30%, 25/84), while
a smaller percentage disagreed (strongly: 11%, 9/84; somewhat: 17%, 14/84), remained
neutral (10%, 8/84), or 2% (2/84) could not comment. With the statement, “my
organization uses risk management tools appropriately to identify hazardous situations”,
more also agreed (strongly: 17% 14/84: somewhat: 36%, 30/84) or) than disagreed
(strongly: 5%, 4/84: somewhat: 27%, 23/84), remained neutral (13%, 11/84) or could not
comment (2%, 2/84) as shown in Table 9.
93
Table 9: Organizational Viewpoints Related to Risk Management (n= 84)
94
4.7 Views on Risk Management Competency
Survey respondents were asked to indicate the types of risk management training that
would be supported financially each year by those responsible for risk management
activities. The types of activities most often supported were Read and Understand
Procedure-Based Training (82%, 69/84), Internal Classroom Training Courses (56%,
47/84), Conferences or Seminars (42%, 35/84), and External Training Courses (40%,
34/84). Other activities including Certifications (29%, 24/84), Graduate Courses (13%,
11/84) and Undergraduate Courses (7%, 6/84) were supported much less frequently
(Figure 22). “Other” support was identified in text box options were travel to company
sites to perform intensive training or refresher sessions for new staff or support to teach
risk management at local graduate programs (Table 10).
Figure 22: Organizational Support of Risk Management Training (n= 84)
95
Table 10: “Other” Risk Management Training noted in Text Boxes
Survey respondents were asked to identify the number of hours of risk management
training provided annually in the classroom, with and without testing, and through reading
assignments with and without testing. A range of classroom exposure was identified with
more hours untested than tested. Without testing, respondents received 0 – 8 hours (30%,
24/80), 9-16 hours (32%, 13/41), 17-24 hours (23%, 5/22), or more than 24 hours (21%,
4/19) of classroom training. With testing, respondents received 0 – 8 hours (13%, 10/80),
9-16 hours (27%, 11/41), 17-24 hours (23%, 5/22), or more than 24 hours (16%, 3/19). A
somewhat smaller difference was apparent when comparing the number of hours of reading
assignments with and without testing. Without testing, respondents received 0 – 8 hours
(36%, 29/80), 9-16 hours (24%, 10/80), 17-24 hours (18% ,4/22), or more than 24 hours
(32%, 6/19); With testing, respondents received 0 – 8 hours (21%, 17/80), 9-16 hours (17%,
7/80), 17-24 hours (18%, 4/22), or more than 24 hours (32%, 6/19) as shown in Figure 23.
96
Figure 23: Internal Risk Management Training (Annually) (n=80, 41, 22, & 19)
Survey respondents were asked to rate the level of knowledge of nine different standards
and regulations within their organization using a five-point scale ranging from extremely
knowledgeable to not knowledgeable at all. These standards included four IEC standards,
three EN ISO standards, and two additional regulations. Knowledge of the IEC standards,
varied considerably across respondents but was generally quite low. Knowledge pertaining
to IEC 31010 Risk Management Risk Assessment Techniques was ranked at or above
“moderately knowledgeable” by only 40% of respondents [extremely knowledgeable (6%,
5/83), very knowledgeable (10%, 8/83), moderately knowledgeable (24%, 20/83)] The
remainder considered their organizations to be slightly knowledgeable (17%, 14/83) or not
knowledgeable at all (34%, 28/83), and about 10% could not comment (10%, 8/83)]. A
higher level of knowledge was associated with IEC 62366: Application of Usability
97
Engineering to Medical Devices, where about two- thirds of respondents ranked their
organization as at least moderately knowledgeable [extremely knowledgeable (13%,
11/85), very knowledgeable (25%, 21/85), moderately knowledgeable (28%, 24/85),
slightly knowledgeable (12% 10/85), not knowledgeable at all (16% 14/85), cannot
comment (6%,5/85)]. About half of the respondents ranked their organization’s level of
knowledge pertaining to IEC 8002-1 Guidance on the Applications of ISO 14971 to
Medical Device Software at or above “moderately knowledgeable” [extremely
knowledgeable (10%, 8/83), very knowledgeable (18%, 15/83), moderately knowledgeable
(23%, 19/83), slightly knowledgeable (16%, 13/83), not knowledgeable at all (29%, 24/83),
cannot answer (5%, 4/83)]. Respondents ranked their organization’s level of knowledge
pertaining to IEC 8001 Application of Risk Management for IT Networks Incorporating
Medical Devices as extremely knowledgeable (4%, 3/84), very knowledgeable (10%,
8/84), moderately knowledgeable (20%, 17/84), slightly knowledgeable (23%, 19/84), not
knowledgeable at all (36%, 30/84), and 8% (7/84) could not comment.
The majority of respondents rated their organization as knowledgeable about the three
quality and risk management standards that were introduced. Most respondents ranked
their organization’s level of knowledge pertaining to EN ISO 13485 Quality Management
System for Medical Devices at or above the very knowledgeable level [extremely
knowledgeable (41%, 35/85), very knowledgeable (29%, 25/85)]. The others ranked their
organizations as moderately knowledgeable (19%, 16/85), slightly knowledgeable (9%,
8/85) or not knowledgeable at all (1%, 1/85), and 1% (1/85) could not comment. A narrow
majority of the respondents ranked their organization’s level of knowledge pertaining to
EN ISO 14971 Application of Risk Management to Medical Devices as extremely (27%,
98
23/85) or very knowledgeable (31%, 26/85). Most of the others felt it to be moderately
knowledgeable (25% 21/85), but about 15% ranked it as slightly knowledgeable (13%
11/85) or not knowledgeable at all (4% 3/85), and 1% (1/85) could not comment.
Respondents ranked their organization’s level of knowledge pertaining to EN ISO 31000
Risk Management Principles and Guidelines as extremely knowledgeable (5% 4/84), very
knowledgeable (11% 9/84), moderately knowledgeable (25% 21/84), slightly
knowledgeable (15% 13/84), not knowledgeable at all (35% 29/84), and 10% (8/84) could
not comment.
Respondents also rated their organizations as highly knowledgeable about the remaining
two standard and regulations. For 21 CFR 820 Quality System Regulations, 70% ranked
the organization at or above highly knowledgeable [extremely knowledgeable (35%,
30/85), very knowledgeable (35%, 30/85)] with the others ranking at moderately
knowledgeable (19%, 16/85), slightly knowledgeable (8%, 7/85) or not knowledgeable at
all (1%, 1/85); 1% (1/85) could not comment. Respondents ranked their organization’s
level of knowledge pertaining to the European Medical Device Directive (MDD) as
extremely knowledgeable (32%, 27/85), very knowledgeable (26%, 22/85), moderately
knowledgeable (31%, 26/85), slightly knowledgeable (5%, 4/85), not knowledgeable at all
(6%, 5/85), and 1% of respondents could not comment as shown in Figure 24.
99
Figure 24: Organizational Knowledge of Standards and Regulations (n=85)
4.8 Organizational Competence of Risk Management Tools
Survey respondents were asked to rate their organization’s level of competence with 16
different risk management tools using a five-point scale ranging from extremely effective
to ineffective. A majority of respondents ranked their organization’s competence with the
following tools as either extremely effective or very effective (indicated in parentheses,
respectively): Failure Mode and Effects Analysis (20%, 17/83) and (39%, 32/83); Fish
Bone Analysis (16%, 13/82) and (33%, 27/82); Pareto Analysis (17%, 14/81) and (23%,
24/81); and the 5 Why S Technique (23%, 19/81) and (28%, 23/81). Respondents most
commonly ranked their organization’s competence with the following tools as relatively
ineffective (in parentheses, respectively): Hazard and Operability Study (HAZOP) (37%,
30/81); Markov Analysis (56%, 44/79); Monte Carlo Analysis (52%, 43/80); Wei Bull
Analysis (53%, 42/80); Bayesian Analysis (47%, 37/79); and Delphi Technique (47%,
36/77). Competence with two relatively well-promoted and applicable techniques were
also ranked often as ineffective: Safety Assurance Cases (35%, 28/81), Hazard Analysis
100
and Critical Control Points (HACCP) (35%, 28/81). Respondents most commonly rated
the following tools with respect to competence as moderately effective: Preliminary Hazard
Analysis (32%, 26/82); Functional Analysis (31%, 25/80); and Fault Tree Analysis (32%,
26/82) as shown in Figure 25.
Figure 25: Organizational Competence of Risk Management Tools (n=83, 82, 81,
80, 79, and 77)
Survey respondents were asked to rank their use of seventeen different risk management
tools by choosing three options ranked as Primary, Secondary and Tertiary. A majority of
respondents ranked their organization’s primary risk management tool as Failure Mode and
Effects Analysis (69%, 52/75). The most popular secondary risk management tool was the
5 Why(s) Technique (18%, 13/73), and the tertiary tool was Preliminary Hazard Analysis
101
(18%, 13/71). Several respondents indicated that their organizations do not use a secondary
(8%, 6/73), or a tertiary risk management tool (14%, 10/71) as shown in Table 11.
Table 11: Top Three Risk Management Tools (n=75, 73, & 71)
Choice Primary
Tool
Secondary
Tool
Tertiary
Tool
Total
Tool
Failure Mode Effects Analysis (FMEA) 52 9 5 66
Assurance Cases 1 3 2 6
Hazard and Operability Study (HAZOP) 0 0 1 1
Hazard Analysis and Critical Control Points
(HACCP)
1 6 3 10
Preliminary Hazard Analysis 5 8 13 26
Functional Analysis 3 6 7 16
Markov Analysis 0 0 0 0
Monte Carlo Analysis 0 1 1 2
Wei Bull Analysis 0 0 1 1
Bayesian Analysis 0 0 0 0
Delphi Technique 0 0 0 0
Fault Tree Analysis (FTA) 3 6 7 16
Fish Bone Analysis 2 6 7 15
Pareto Analysis 2 5 2 9
5 Why (Technique) 3 13 12 28
No Secondary Tool Used 1 6 0 7
No Tertiary Tool Used 2 4 10 16
4.9 Risk Management and Organizational Structure
Respondents were asked three questions related to the way that risk management activities
fit into their organizational structures and processes. First, they were asked to indicate
which of the five functional groups within their organizations participated in risk
management activities and which had ownership of those activities. The majority of
respondents indicated that the Development/R&D/Engineering (93%, 78/84), Quality
102
(88%, 74/84), Regulatory (74%, 62/84), and Medical/Clinical (61%, 51/84) groups
participated in risk management activities. The much larger number of responses than
respondents suggested that risk management teams were cross-functional in most
organizations. However, only 42% (35/84) of respondents indicated that the Product
Surveillance group participated in these activities.
The majority of respondents indicated that the Quality (69%, 58/84) and
Development/R&D/Engineering (56%, 47/84) groups had ownership of risk management
activities. Ownership was given to a lesser degree to the Regulatory (23%, 19/84),
Medical/Clinical (14%, 12/84), and Product Surveillance (10%, 8/84) groups as shown in
Figure 26.
Figure 26: Functions participating in Risk Management Activities (n=84)
Respondents were asked to indicate the stage at which risk management occurs during
the development life cycle in their organization. Most indicated that it began during the
Development phase (72%, 60/83), while others indicated that it began during
Feasibility/Early Research (18%, 15/83), Design Transfer (7%, 6/83), or Post-Market
Release (2%, 2/83). These results differed from answers given when respondents were
103
asked when they felt that risk management activities should actually start. The majority
indicated that such activities should start during the Feasibility phase (76%, 63/83) or the
Development phase (24%, 24/83) as shown in Figure 27.
Figure 27: Risk Management Phase of the Development Lifecycle (n=83)
Respondents were asked to indicate how often hazards or hazardous situations are
evaluated and incorporated into revised risk assessments during the different stages in the
life of the product. Most respondents indicated that hazards or hazardous situations are
evaluated and incorporated throughout the entire lifecycle as issues arise (43%, 36/83) or
at defined phases (31%, 26/83). Fewer respondents indicated that hazards and hazardous
situations are evaluated and incorporated into risk assessments during Post-Market only
104
(8%, 7/83), and at timed intervals (11%, 9/83) as shown in Figure 28. Several respondents
indicated “other” time points (6%, 5/83) as shown in Table 12.
Figure 28: Risk Management and the Development Lifecycle (n=83)
Table 12: “Other” Risk Management and the Development Lifecycle
4.10 Risk Management and Organizational Processes
Respondents were asked to indicate their level of agreement with eight statements
pertaining to their organization’s risk management system using a seven-point scale
ranging from strongly agree to strongly disagree, with a second option of identifying if the
105
policy or process was not present. When asked if their organization has policies and criteria
for risk acceptance, most agreed at some level (strongly:29%, 24/82; agreed: 33%, 27/82;
somewhat: 21%, 17/82). Only a few neither agreed nor disagreed (4%, 3/82) or disagreed
at some level (disagreed: 5%, 4/82, somewhat: disagreed: 5%, 4/82). Several identified that
such polices were not present (4%, 3/82).
When asked if their organization analyzes intended use, the majority also agreed (strongly:
28%, 23/82, agreed: 34%, 28/82, somewhat:17%, 14/82). Again, only a few neither agreed
nor disagreed (5%, 4/82) or somewhat disagreed (4%, 3/82), but several identified that such
analyses were not done (12%, 10/82). When respondents were asked if their organization
analyzes risk/benefit, most agreed (strongly: 26%, 21/82, agreed: 28%, 23/82, somewhat:
34%, 28/82). The other respondents neither agreed nor disagreed (7%, 6/82), disagreed
(disagreed:1%, 1/82; somewhat: 1%, 1/82),) or identified that it was not done (2%, 2/82).
When asked if their organization analyzes intended use, most agreed (strongly: 28%, 23/82;
agreed: 34%, 28/82; somewhat: 17%, 14/82), and a few neither agreed nor disagreed (5%,
4/82), somewhat disagreed (4%, 3/82), or found this not to be present (12%, 10/82). When
respondents were asked if their organization links results of initial risk assessments to
CAPA(s), most agreed (strongly:20%, 16/82; agreed: 24%, 20/82; somewhat: 18%, 15/82),
and a minority neither agreed nor disagreed (11%, 9/82), disagreed (disagreed: 1%, 5/82,
somewhat: 6%, 5/82) or reported that it was not done (20%, 16/82). When asked if their
organization has formal activities to manage the risks associated with design transfer, most
agreed (strongly: 20%, 16/82, agreed: 33%, 27/82, or somewhat: 18%, 15/82), whereas a
minority neither agreed nor disagreed (7%, 6/82), disagreed (disagreed: 5%, 4/82:
somewhat: 7%, 6/82),) or identified that these were not present (15%, 12/82). When asked,
106
their organization manages the risk of outsourcing suppliers, a smaller majority agreed
(strongly: 11%, 9/82, agreed: 30%, 25/82, somewhat: 27%, 22/82) whereas other
respondents neither agreed nor disagreed (7%, 6/82), disagreed (disagreed: 5%, 4/82;
somewhat: 7%, 6/82) or reported that it was not done (12%, 10/82).
When asked if their organization use risk the results of risk assessments for verification
and validation activities, most agreed (strongly: 24%, 20/82: agreed: 26%, 21/82:
somewhat: 26%, 21/82). The remaining respondents neither agreed nor disagreed (13%,
11/82), disagreed (disagreed: 1%, 1/82: somewhat:4%, 3/82) or reported that this was not
done (6%, 5/82). Finally, when asked if their organization has a formal process to accept
or reject risk, most also agreed (strongly: 27%, 22/82; agreed: 26%, 21/82; somewhat: 15%,
12/82). The remaining respondents neither agreed nor disagreed (13%, 11/82), disagreed
(disagreed: (2%, 2/82; somewhat: 4%, 3/82) or reported it not to be done (13%, 11/82), as
shown in Table 13.
107
Table 13: Risk Management Processes (n=82)
108
Respondents were asked to indicate how effectively their organization uses different
sources of information to identify hazards or hazardous situations prior to new product
launches based on five different tools using a five-point scale ranging from extremely
effective to not effective at all with a sixth choice of “not applicable”. With respect to the
use of engineering or product analysis testing, the majority reported at least a moderate
degree of effectiveness [extremely effective (17%, 14/81), very effective (36%, 29/81),
moderately effective (33%, 27/81)]. The other respondents identified that the use was
slightly effective (11%, 9/81) or not effective at all (1%, 1/81), and one (1%,1/81) found
this to be not applicable. With respect to the use of competitive product information and/or
testing, the majority found reported at least a moderate degree of effectiveness [extremely
effective (9%, 7/80), very effective (24%, 19/80), moderately effective (30%, 24/80)]. The
other respondents identified that the use was slightly effective (15%, 12/80), not effective
at all (11%, 9/80), or not applicable (11%, 9/81). With respect to the use of complaint
databases, the majority reported at least a moderate degree of effectiveness [extremely
effective (17%, 14/81), very effective (26%, 21/81), moderately effective (21%, 17/81)].
The other respondents identified that the use was slightly effective (11%, 9/81), not
effective at all (6%, 5/81), or not applicable (19%, 15/81). With respect to the use of recall
databases, the majority found reported at least a moderate degree of effectiveness
[extremely effective (12%, 10/81), very effective (21%, 17/81), moderately effective (26%,
21/81)]. The other respondents identified that the use was slightly effective (12%, 9/81),
not effective at all (9%, 7/81), or not applicable (20%, 16/81). With respect to the use of
standards and guidance documents, the majority found reported at least a moderate degree
of effectiveness [extremely effective (16%, 13/80), very effective (23%, 18/80),
109
moderately effective (43%, 34/81)]. The other respondents identified that the use was
slightly effective (11%, 9/81), not effective at all (1%, 7/81), or not applicable (6%, 5/81)
as shown in Figure 29
Figure 29: Hazard and Hazardous Situation Source Information Prior to New
Product Launch (n=81 & 80)
Respondents were asked to indicate how effectively their organization uses different
sources of information to identify hazards or hazardous situations after new product have
been launched based on five sources using a five-point scale ranging from extremely
effective to not effective at all, with a sixth choice of not applicable. With regard to the use
of information from engineering or product analysis testing, most reported that their
organizations were at least moderately effective [extremely effective (14%, 11/80), very
effective (25%, 20/80), moderately effective (26%, 21/80)] The other respondents
110
identified that the use was slightly effective (20%, 16/80), not effective at all (8%, 6/80),
or not applicable (8%, 6/80). With regard to the use of information from competitive
product information and/or testing, most reported that their organizations were at least
moderately effective [extremely effective (12%, 10/82), very effective (15%, 12/82),
moderately effective (27%, 24/82)] The other respondents identified that the use was
slightly effective (18%, 12/82), not effective at all (15%, 9/82), or not applicable (13%,
11/82). With regard to the use of information from complaint databases, most reported that
their organizations were at least moderately effective [extremely effective (28%, 23/82),
very effective (21%, 17/82), moderately effective (20%, 16/82)] The other respondents
identified that the use was slightly effective (12%, 10/82), not effective at all (4%, 3/82),
or not applicable (16%, 11/82). With regard to the use of information from recall databases,
most reported that their organizations were at least moderately effective [extremely
effective (25%, 20/81), very effective (17%, 14/81), moderately effective (12%, 10/81)]
The other respondents identified that the use was slightly effective (17%, 14/81), not
effective at all (7%, 6/81), or not applicable (21%, 17/81). With regard to the use of
information from standards and guidance documents, most reported that their organizations
were at least moderately effective [extremely effective (16%, 13/80), very effective (23%,
18/80), moderately effective (43%, 34/80)]. The other respondents identified that the use
was slightly effective (11%, 9/80), not effective at all (1%, 1/80), or not applicable (6%,
5/80) as shown in Figure 30.
111
Figure 30: Hazard and Hazardous Situation Source Information Post New
Product Launch (n=82, 81, & 80)
Respondents were asked to indicate the frequency with which information on hazards and
hazardous situations is updated after a product launch. The majority indicated that this
occurs when new information warrants it (61% 50/82). Others indicated annually (33%
27/82), quarterly (10% 10/82), monthly (6% 5/82), weekly (5% 4/82), semi-annually (5%
4/82), or never (2% 2/82) as shown in Figure 31. Respondents who provided “Other”
choices (7% 6/82) are shown in Table 14.
112
Figure 31: The Frequency of Hazard and Hazardous Situation Updates Post
Product Launch (n=82)
Table 14: The “Other” Frequency of Hazard and Hazardous Situation Updates
Post Product Launch
4.11 Hazard and Risk Assessment Capabilities
Respondents were asked to grade the effectiveness of their organizations with respect to
their abilities to identify risks at four different stages in the product development life cycle
using a five-point scale ranging from extremely effective to not effective at all. With
respect to risk management activities such as analysis and evaluation, the large majority
identified that the organization was at least moderately effective [extremely effective (18%,
15/82), very effective (34%, 28/82), moderately effective (37%, 30/82)]. The other
respondents identified that their organization was slightly effective (9%, 7/82) or not
113
effective at all (2%, 2/82). With regard to risk management activities within verification
and validation, a slightly smaller majority identified that the organization was at least
moderately effective [extremely effective (17%, 14/82), very effective (33%, 27/82), or
moderately effective (28%, 23/82)]. The other respondents found their companies to be
slightly effective (18%, 15/82), or not effective at all (4%, 3/82). With respect to risk
management activities within manufacturing, most identified that the organization was at
least moderately effective [extremely effective (13%, 11/82), very effective (28%, 23/82),
or moderately effective (32%, 26/82)]. The other respondents identified their organizations
to be slightly effective (22%, 18/82), or not effective at all (5%, 4/82). With respect to
production data analysis, the majority identified that the organization was at least
moderately effective [extremely effective (15%, 12/82), very effective (23%, 19/82), or
moderately effective (34%, 28/82)]. The other respondents identified their organizations to
be slightly effective (20%, 16/82), or not effective at all (9%, 7/82) as shown in Figure 32.
Figure 32: The Frequency of Hazard and Hazardous Situation Updates Post
Product Launch (n=82)
114
Respondents were asked to indicate the number of new hazards or hazardous situations
identified that occurred post product release during the past 24 months. Results indicated
that the majority identified 1-3 new risks (51%, 41/81), followed by 4-7 new risks (20%,
16/81), more than 7 new risks (11%, 9/81), and zero new risks (9%, 7/81) as shown in
Figure 33. In addition, 10%, (8/81) of respondents chose “other” as their choice was not
listed as shown in Table 15.
Figure 33: The Number of New Hazards or Hazardous Situations Identified Post
Product Release (Past 24 Months) (n=81)
Table 15: The “Other” Number of New Hazards or Hazardous Situations
Identified Post Product Release (Past 24 Months) (n=81)
115
They were also then asked to indicate which of four statements describes their opinion
regarding hazards or hazardous situations that were identified during post-market
surveillance, as noted in Figure 34. Results indicated that the two most frequent responses
were, “The majority of risks could have been mitigated prior to release,” (58%, 47/81),
and, “The use of additional risk management tools may have helped identify new risks”
(59%, 48/81). Fewer respondents identified with the statements, “The risks could not have
been predicted or foreseen,” (25%, 20/81). Various “other” statements (6%, 5/81),
including, “Project timeline is what causes short cuts and ‘C’ work to be acceptable,” “If
management hadn’t rushed the release schedule, the majority of these could have been
found prior to release,” and, “Largely due to unforeseen use cases” are shown in Table 16.
Figure 34: Viewpoints of New Hazards or Hazardous Situations Identified Post
Product Release (Past 24- Months) (n=81)
116
Table 16: “Other” Viewpoints of New Hazards or Hazardous Situations
Identified Post Product Release (Past 24 Months)
4.12 Risk Management and Memory after Negative Events
Respondents were asked to identify how events such as a product recall, unanticipated
product complaint, or agency finding have previously changed their company’s perspective
of risk management. The majority of respondents indicated that such events led to a
heightened sense of awareness pertaining to risk management (63%, 52/82) or an increase
in activities related to risk management (51%, 42/82). Fewer respondents indicated that
such events led to no change (13%, 11/82), or a decrease in activities related to risk
management (0 %, 0/82) as shown in Figure 35. “Other” responses, which comprised 4%,
(3/82) of the overall answers are shown in Table 17.
Figure 35: Risk Management Viewpoints After Product Recalls, Unanticipated
Product Complaints, or Agency Finding (n=82)
117
Table 17: “Other” Risk Management Viewpoints After Product Recalls,
Unanticipated Product Complaints, or Agency Finding
Respondents were asked to indicate the length of time that it takes for an increased sense
of risk awareness to fade over time. Responses, ranked in order of popularity, were 6-9
months (25%, 18/71), followed by 3-6 months (23%, 16/71), 0-3 months (15%, 11/71), 9-
12 months (10%, 7/71), more than 12 months (10%, 7/71), and never, a complete culture
change (7%, 5/71) as shown in Figure 36. “Other” responses to this prompt, which
comprised 10% (7/71) of the overall responses, included “that it never really fades”, “it
depends on the amount of revenue at stake, as there could be a selective lack of
acknowledgement of risks for some products”, and “until the next incident” as shown in
Table 18. One observation noted was that certain questions seemed to generate a lower
number of participant responses presumed to be based on the sensitivity of the question to
the respondents.
Figure 36: The Gradual Fading of Risk Awareness (n=71)
118
Table 18: The “Other” Fading of Risk Awareness
Respondents were asked to rank the effectiveness of their organizations at retaining
identifiable risks based on a five-point scale ranging from extremely effective to not
effective at all. The majority identified that the organization was at least moderately
effective [extremely effective (13%, 10/80), very effective (18%, 14/80), moderately
effective (39%, 31/80)] at developing a repository for risks identified through development.
The other respondents identified this effort to be slightly effective (16%, 13/80), or not
effective at all (15%, 12/80). Most also identified that the organization was at least
moderately effective [extremely effective (12%, 10/81), very effective (12%, 10/81),
moderately effective (37%, 30/81)] at managing a repository for risks identified through
design transfer. The other respondents considered these efforts to be slightly effective
(17%, 14/81), or not effective at all (21%, 17/81). The majority identified that the
organization was at least moderately effective [extremely effective (15%, 12/81), very
effective (17%, 14/81), or moderately effective (31%, 25/81)] at managing a repository for
119
risks identified through post market analysis. The other respondents considered these
efforts to be slightly effective (17%, 14/81), or not effective at all (20%, 16/81) as shown
in Figure 37.
Figure 37: Retention of Identifiable Risks (n=81 and 80)
4.13 Communication of Risk Issues
Respondents were asked to indicate how their organizations communicate risk
management-related issues, including product recalls, unanticipated complaints, and
agency feedback, to other members of the organization. The majority of respondents
indicated that they preferred to communicate with small groups directly involved in the
issue (71%, 58/82). Others identified meetings (40%, 33/82), and emails to members of
the organization (30%, 25/82). An additional 20%, (16/82) indicated that such issues were
not communicated at all in the organization as shown in Figure 38.
120
Figure 38: Communication Mechanism of Risk Issues (n=82)
They were then asked to rank the effectiveness of their organizations at communicating
risk-related issues to the broader organization according to the type of issue that occurred
based on a six-point scale ranging from extremely effective to “information not broadly
shared”. Somewhat more than half reported that their organization was at least moderately
effective [extremely effective (16%, 13/79), very effective (20%, 16/79), moderately
effective (18%, 14/79)] with organizational communications regarding recalls. The other
respondents identified that their organizations were slightly effective (6%, 5/79) or
ineffective (9%, 7/79), and 30% (24/79) indicated that information was not shared broadly.
Similarly, slightly more than half graded communications about agency findings or
feedback as at least moderately effective [extremely effective (12%, 10/81), very effective
(20%, 16/81), or moderately effective (21%, 17/81)]. The others graded these
communications as slightly effective (11%, 9/81), ineffective (4%, 3/81), or not shared
broadly (32%, 26/81).
121
Companies were graded even lower in effectiveness when asked about communications
related to other types of activities. Less than half identified that their organizations were at
least moderately effective [extremely effective (10%, 8/80), very effective (14%, 11/80),
or moderately effective (16%, 13/80)] at communicating information about unanticipated
product complaints. The other respondents found such communications to be slightly
effective (14%, 11/80) or ineffective (14%, 11/80), and 33% (26/80) identified that
information was not shared broadly. A minority also considered organizational
communications regarding product holds or stop shipments to be at least moderately
effective [extremely effective (10%, 8/79), very effective (22%, 17/79), moderately
effective (16%, 13/79)]. The other respondents considered the communications to be
slightly effective (13%, 10/79), ineffective (6%, 6/79), or not shared broadly (32%, 25/79).
A minority judged their organizational communications regarding agency communications
to be at least moderately effective [extremely effective (12%, 10/81), very effective (16%,
13/81), moderately effective (17%, 14/81)] while the others judged those communications
to be only slightly effective (14%, 11/81), ineffective (6%, 5/81), or not shared broadly
(35%, 28/81). Somewhat less than half considered that organizational communications
regarding manufacturing issues were at least moderately effective [extremely effective
(7%, 6/81), very effective (20%, 16/81), moderately effective (16%, 13/81)]. The other
respondents were found such communications to be slightly effective (14%, 11/81),
ineffective (6%, 5/81), or not shared broadly (37%, (30/81) as shown in Figure 39.
122
Figure 39: Communication of Risk Related Issues (n=81, 80, 79)
4.14 Organizational Resource Allocation
Respondents were asked to identify the most appropriate statement pertaining to resource
allocation for risk management activities at their companies from a choice of three. Most
(71%, 58/82) indicated that their organization needs additional resources to support risk
management activities. Fewer respondents indicated that their organization is adequately
staffed to support risk management activities (26%, 21/82) or that their organization
outsourced risk management activities to an outside entity (4%, 3/82) as shown in Figure
40.
123
Figure 40: Resource Allocation (n=82)
Respondents were also asked to rank five activities, from the most time spent to the least
time spent, on different aspects of risk management. The majority identified that most time
was spent on risk management analysis and evaluation (46%, 35/76) followed by post
production analysis (28% 21/76), activities related to manufacturing (36%, 27/76), non-
conformance and defect disposition (32%, 24/76), and post production analysis (30%,
23/76) as shown in Figure 41. One observation noted was that certain questions seemed to
generate a lower number of participant responses presumed to be based on the sensitivity
of the question to the respondents.
124
Figure 41: Time Allocation for Risk Management Activities (n=76)
4.15 Future Survey Participation
Respondents were asked to identify if they would be willing to discuss their risk
management system further. About half of respondents were willing to participate in an
interview or survey as shown in Figure 42A. The respondents preferred only marginally a
survey (51%, 27/53) to an interview (49%, 26/53) as shown in Figure 42B.
125
Figure 42: Preferences with Regard to Further Discussions (n=82)
A: Willing to Discuss Further
B. Preference for Survey or Interview
4.16 Cross Tabulations
Some questions regarding respondent attributes were used to sub stratify the survey so that
differences in the views of different subgroups could be identified. Given the relatively
modest numbers for categorical analysis, the most showed relatively little correlation but a
few of the more interesting analyses are presented below.
The cross tabulation below sub stratifies the organizations by the types of products that
they market as correlated with organizational size. These results indicate that 91% (86/95)
of the organizations that product drug products of some type are predominately large in
126
size. Medical device companies range considerably in size. However, the third (32%,
30/95) of respondents with combination produces are much more likely to be large.
Figure 43: Cross Tabulation of Organization Size and Product Type (n=95)
Of some interest was the degree of globalization in the organizations that were described
by the respondents. The cross tabulation below relates the regions in which marketing is
occurring with organizational size. These results indicate that 96% (90/94) of the
organizations market and distribute products within the USA and Canada, followed by
Europe at 83% (78/94). Organizations that distributed products in the USA and Canada
varied in size. Somewhat more than half were large organizations (56%, 53/94) followed
by small (23%, 22/94), and medium organizations (16%, 15/94). However, when
companies distributing to less represented counties such as the Middle East were compared,
the participants were skewed toward roles in large organizations.
127
Figure 44: Cross Tabulation of Organization Size and Regional Sales and
Distribution (n=94)
However, sub stratifying answers by company size did not typically produce clear-cut
differences on other questions. One such example, in which the views of risk management
activities regarding unanticipated product complaints and product recalls were sub
stratified by company size. The majority of respondents representing large, medium, and
small organizations believed in similar proportions that risk management activities have
reduced recalls. There is a subtle difference in the number of respondents from large
companies compared to small companies who had a less enthusiastic opinion about the
importance of risk management activities have reduced unanticipated product complaints.
128
Figure 45: Cross Tabulation of Organization Size and Risk Management
Activities (n=84 & 83)
129
CHAPTER 5. DISCUSSION
5.1 Risk Management and Medical Device Recalls
This study had two main goals. First, it attempted to gain a clearer picture of how medical
device manufacturers are implementing risk management requirements. Second, it
attempted to expand upon the previously reported findings of Chan (2012) suggesting that
many individuals have a relatively shallow understanding of tools and techniques that
might help to improve their risk management initiatives, and may not know how to
integrate risk management elements into their quality system. As part of this effort, I used
the framework suggested by Chan (2012) to explore organizational structure and behavior
related to the use of risk management tools and the perceived linkage of those activities to
recalls.
5.2 Consideration of the Methodology
5.2.1 Use of Electronic Survey Methods
Electronic web-based surveys are used as tools for research across various industries
(Crawford, McCabe, & Pope, 2005). This survey design is often preferred because of its
convenience and its ability to access a larger and more diverse grouping of individuals by
using the Internet. However, these types of surveys also present unique challenges for
survey design and presentation, some of which are not typical for paper-based surveys
(Crawford et al., 2005). Thus, care must be taken to evaluate elements such as the way in
which a survey is displayed on a device screen, the functionality of embedded logics to
130
allow questions to be skipped if irrelevant for some respondents, and the integrity of the
data collection and statistical displays. In this study, I attempted to catch small problems
with the display, structure and clarity of the questions by using a focus group to critique
the survey, and then by introducing a preliminary testing step in which the survey was
completed by a small group of experienced users. This approach was found to be very
helpful in reducing the unclear or badly worded questions.
One of the challenges associated with electronic surveys is also the need to assure the
representativeness and sampling of those that respond. If an uncontrolled anonymous link
is disseminated, it is very difficult to know who is participating in the survey. One way to
address this challenge is to make the survey accessible only to those that have been invited
to take it (Wyatt, 2000), so that the researcher can assure the inclusion of only those
participants with appropriate attributes and affiliations. This labor-intensive approach, used
here, can result in a smaller sample, but can assure that representativeness is similar to that
which would be obtained with traditional survey methods (Gosling, Vazire, Srivastava, &
John, 2004). Nevertheless, both traditional and electronic anonymous surveys have the
potential challenge that an anonymous survey cannot guarantee that the responses are
honest and originate from the individuals presumed to have been recruited into the survey.
Web-based surveys have, however, many advantages. These include their cost
effectiveness, wider access to hard-to-find subgroups and the ability to update the survey
rapidly to reflect the needs of the project or research approach (Duffy, 2002). In this study,
the electronic survey offered the opportunity to obtain responses from the targeted
131
subpopulation very quickly so that results could be collected in a narrow window of time.
Because there is a risk that some confounding event might occur in the time when a survey
is being taken, it is important that the period of data collection be as short as possible to
avoid distortions that might occur if the collection activities were to overlap with related
new policy announcements of rule changes. It was also my impression that the response
rate was higher because the electronic survey was easier to access immediately in a format
that was comfortable for the types of respondents sought in this study. It also allowed for
targeted follow-up messages to those who had not yet responded that helped to increase
the responses rate, in a way that would not be easy to assure with traditional methods.
5.2.2 Composition of the Respondent Pool
Because this study primarily focused on the risk management practices of medical device
manufacturers, it did not attempt to solicit respondents from other product areas such as
pharmaceutical or biotechnology industries specifically as a primary goal. This
delimitation will thus restrict the conclusions that can be made with respect to the practices
reported here. The pharmaceutical industry also has risk management practices. These are
typically framed by the guidance, ICH Q9, that is quite similar to the standard, ISO 14971,
that typically bases the practices of the medical device industry (Torbeck, 2012). However,
risk management appears to have entered the thinking of the pharmaceutical industry
somewhat later than it did in the medical devices industry. The Q9 guidance was only
published in 2005, so it is possible that the risk management systems in the pharmaceutical
industry may be less mature. This is not to say that pharmaceutical industries do not take
risk management seriously, but they may implement the approaches differently and use
different tools.
132
The delimitation that excluded pharmaceutical companies was deliberate in order to reduce
the variability that might relate to the implementation of somewhat different standards in
different product environments. Nonetheless, it is not always possible to know where the
respondents might have gained their experience or even be employed. Thus a few
respondents identified that they worked for organizations that market pharmaceuticals,
biotechnology products, combination products, or biologics. This, however, does not mean
that they have no experience with medical device development or production. Larger
organizations can have several divisions, some of which market medical devices or
combination products, such as sophisticated drug-delivery devices (Crotti, 2015). Thus, it
was not surprising that the cross-tabulations carried out in this study identified that
combination products and pharmaceuticals were primarily in the domain of large
companies.
In addition, the initial intent was to draw respondents from US companies, to reduce the
likelihood that results would be more difficult to interpret if they were gathered from a
broad range of individuals from other countries whose practices might differ. However,
larger organizations are typically multinational, so that it is not possible to say that the
study only represents those with primary experience in the US; many of the products that
such companies sell are introduced into global markets. This was clearly reflected when
individuals were asked about the constituencies into which their products were being sold,
and a majority reported sales in many regions. It is possible that U.S. based respondents
from multinational organizations may have perspectives slanted toward a US-centric view
based on local practices regardless of international standards and similar regulations.
However, there still may be individuals whose responses represent a mix of international
133
experiences that affect their views. It would be interesting in future to explore whether the
risk management responses seen through the eyes of US respondents differ from those
headquartered in other countries.
Another limitation that must be acknowledged in the selection of participants was the
challenge of assuring that the sampled population reflects accurately the practices of the
medical device industry as a whole. Clearly it was not possible to identify all of the
individuals who would be appropriate for such a survey. Qualified individuals are often
difficult to reach electronically, because they change jobs frequently, and their companies
have filters to restrict their access to certain types of email messaging. This can reduce the
potential size of the respondent pool and thus the power of the results. Thus, the survey has
the inherent risk of capturing a skewed subpopulation (Chan, 2012).
Low survey response rates can also be responsible for some degree of skewing in the
response patterns of respondents (Chan, 2012). Potential respondents can be too busy or
disinterested in the topic and decline to participate. Thus, the responses that are obtained
may be slanted toward the views of individuals who are most actively engaged and
interested in the topic of risk management practices. Further, many respondents may fail
to answer all of the questions, because they feel that the information that they provide
would be too proprietary, or because they lose interest in the survey. It certainly seemed
to be the case that the number of responses to questions declined from the first to last
questions in the survey described here. The medical products industries are often careful
to avoid expressing views or disclosing information that may be perceived to have legal
implications despite assurances of confidentiality.
134
5.3 The Current State of Risk Management and Recalls
The results of this study suggest that many organizations struggle with risk management
for multiple reasons that together may contribute to the continuing high rate of medical
device recalls, as indicated by the data presented in chapter 2. Because the study was
delimited to the US, the recall information referenced therein derives from the Center for
Devices and Radiological Health database and does not account for other related databases
residing outside the United States. For multinational companies, it is common that a recall
could affect a product line distributed to many countries, but the recall announcements and
logistics are organized at the national level.
The primary goal of this study, to examine the potential vulnerabilities of risk management
systems that might lead to recalls, was spurred by the previous observations that risk
management can have several weaknesses that can be captured by dividing the concerns
into six areas (Chan, 2012). The results confirmed and extended observations that the
problems in risk management are multifaceted, as suggested by Chan more than five years
ago. Further it suggested that rather little progress has been made in changing some of the
key challenges associated with risk management culture, competence, memory, processes,
and resources.
5.3.1 Culture
Much has been written recently about the importance of a “quality culture” to assure that
companies focus on improving their abilities to produce devices without risks and defects
(FDA, 2011). In 2011 the Food and Drug Administration highlighted the concerns related
to quality systems that they collected by surveying their databases and then conducting
135
interviews with industry stakeholders (FDA, 2011). The study specifically highlighted
several areas that reflected concerns about the “quality culture” of some companies, and
noted that quality was often segregated as an activity rather than being integrated
throughout the organization. Some interviewees noted, for example, that their companies
“typically did not track quality metrics at the executive level, and quality was considered
the domain of a specific organization rather than a CEO-level agenda item”. Further, the
use of incentive structures based on time-to-market without concurrent incentives related
to the assurance of good product quality was seen as damaging to the development of a
quality culture (FDA, 2011). Such concerns undoubtedly account for a recent emphasis at
the international level to require that risk management be embedded throughout the quality
system in the latest revision of ISO 13485:2016; this revision reflects a shift in thinking
from risk management as a siloed activity to a more integrated part of the culture (Lowe,
2016; TUV-SUD, 2016).
The report of the FDA highlighted many concerns related to a quality culture but could not
quantify the extent to which these were shared across the industry. In this study, however,
it was possible to provide some degree of quantitation with respect to the frequency with
which different views were held, at least by a relatively large subset of risk practitioners.
The fact that a majority of respondents believed that risk management activities can reduce
recalls and unanticipated product complaints indicates that risk management practitioners
are well aware of the importance of risk management activities. However, is such an
appreciation enough? In concordance with the FDA report, respondents identified that risk
management initiatives were often viewed as subordinate to other priorities. For example,
136
short project timelines were recognized by most respondents to impact their ability to
identify and mitigate hazardous situations. It is inevitable that organizations will face
competing priorities, resource allocation pressures and timeline challenges. The challenges
of maintaining a quality culture in the face of pressure to release products rapidly is neither
new nor unique to the medical device industry. A Culture of Quality survey of senior
executives in manufacturing companies by Forbes Insights and the American Society of
Quality revealed that only 59% expressed the view that their organization exhibited a
culture of quality. More significantly, when the respondents were sub stratified by job title,
75% of senior executives, but only 47% of quality professionals, agreed that their
organization exhibited a culture of quality (ASQ, 2014).
Immediate gains associated with an early-to-market approach will sometimes be
responsible for a later product recall (White, 2003). A recall is a burdensome and costly
process with serious negative consequences for company reputation that companies should
want to avoid. Nevertheless, this concern may not always be translated into a healthy
respect for risk management activities. Of particular significance, may be the view
expressed by 50% of respondents believe that risk management was considered to be
“burdensome” by their companies. Further 37% of respondents identified that they
“tolerated” risk management. Because most of the respondents were engaged in risk
management activities, one might have predicted that they would have been more
enthusiastic proponents. However, these observations seem consistent with views
expressed in the literature.
137
Regulatory approval sets a baseline and is often the only objective measure of
product quality. Executives also say that the pressure to launch products quickly at
low cost tends to reward innovation over quality (Ted Fuhr, 2013).
Polidoro, in his recent article, “Why Organizations Forget What They Learn from Failure”,
suggests that many organizations view risk management activities as designed to avoid
problems rather than improving quality (Polidoro, 2016). Together this and other work may
suggest that while organizations appreciate the value of risk management activities, they
may not yet embrace a culture of proactive, engaged, risk management.
5.3.2 Competency
A key area that has been emphasized by most who have written about the implementation
of risk management is the need for appropriate training of those engaged in risk
management activities (Eagles & Wu, 2014). However, an interesting observation by Chan
in precursor survey was the finding that respondents had a relatively restricted knowledge
of risk management tools; instead they relied on only a few tools with well-known
limitations. Additionally, a majority (43%, 32/74) of those respondents identified a future
challenge as the availability of tools and techniques to meet their needs (Chan, 2012).
In this study, one might have expected improvement in the state of knowledge with regard
to risk management tools, given that five years has passed and more feedback from
regulators and experts has been given to organizations with regard to their risk management
systems. Further, most respondents in this study reported that their risk management
systems have changed in the last few years and that these changes were often driven by the
138
introduction of new regulations, identification of previous deficiencies or even the
feedback of regulatory agencies. Nonetheless, not much seems to have changed with
regard to the risk management tools with which respondents were familiar. Most risk
managers are still relying on FMEA methods as a primary tool, despite the fact that this
tool has several limitations, including an inability to identify normal condition-related
hazards and multiple-fault conditions. The inherent limitations of FMEA, when used as the
primary tool, do not satisfy the regulatory requirements of 21CFR 820 as identified below
(Bills, Mastrangelo, & Wu, 2015).
According to comment 83 of the FDA’s Preamble to the Quality System Regulation,
21 CFR 820: “When conducting a risk analysis, manufacturers are expected to
identify potential hazards associated with the design in both normal and fault
conditions.”
Further, some respondents identified that they do not use secondary tools, and many others
are adding simple approaches such as the 5 Why Technique or Preliminary Hazard
Analysis. Missing from the repertoire of most risk managers appear to be the more analytic
tools that might be effective in detecting and even predicting problems using trend analysis.
Further, many suggested that their organizations were using outmoded tools and standards.
Given that the majority of respondents felt that their risk management systems are
adequate, results suggest that organizations may not fully understand the limitations of
their tools, and therefore make the assumption that all risks are identified or adequately
mitigated.
At the same time as many respondents seemed satisfied that their risk management system
is reasonably effective, most also expressed the view that they would be helped by
139
additional risk management tools, and at least a third felt that the current tools were being
used inappropriately. These statements seem the question the adequacy of the training that
the risk management practitioners are receiving. When asked about the numbers of hours
and types of materials that are being given on risk management subjects, a spectrum of
opportunities appears to be provided. Most commonly, however, training seems to be
based on simply reading materials or attending internal training sessions whose quality will
depend on the skill and depth of domain knowledge of the educators. This approach may
not be sufficient to assure that practitioners are trained in some of the techniques that
involve statistical or analytical approaches and might not be easily learned without a
specialized instructor with a well-designed curriculum. An important question, not
explored in this study, is the more detailed curriculum of the training at different
companies. Is it simply an overview of basic standards and simple methods aimed at
onboarding new employees, or is there a serious attempt to deepen the knowledge of the
more experienced individuals who are leading the risk management activities?
Questions regarding the knowledge of participants about different standards and
regulations also helped to paint a picture of the quality and risk management culture of
medical device companies. It is perhaps not surprising that most respondents identified
that they were very knowledgeable about quality standards and regulations, including
ISO13485, 21 CFR 820 and the European Medical Device Directives. This result is
consistent with earlier responses indicating that most companies were marketing globally
and most individuals responsible for risk management are part of quality or regulatory
departments where these quality requirements would be foundational. Also, interesting
and not surprising was the finding that many respondents were modestly or not
140
knowledgeable at all about 8001 and 8002. These standards relate to software and IT
networks respectively, and not all companies may market products with a software
component. What was perhaps a little more unexpected was the finding that respondents
were not quite so knowledgeable about the harmonized standard ISO 14971 on which their
risk management activities, both national and global, should be based. In addition, the
relatively low knowledge of ISO 31000, a standard with broad applicability to the whole
company, would seem to be an important deficiency to rectify if the risk management
system is ever to be viewed as part of an overall risk management strategy for the company.
Furthermore, most respondents were not knowledgeable about ISO 31010, a standard that
outlines risk management tools and techniques. These results further support the idea that
while organizations are familiar with the needs for risk management as part of a quality
system, understanding deeper knowledge regarding the tools and techniques is a significant
weakness.
5.3.3 Process
A highly organized activity such as risk management relies on a well-developed set of
processes. It is often recommended that these activities begin as soon as possible in the
development cycle. According to Prutrow and Naryan (Narayan, 2010),
When initiated early and employed frequently throughout the product life cycle,
risk management can promote innovation, leading to a reduction in the number of
customer complaints, lowered service and support costs, fewer disruptions from
field actions, and improved execution against program expectations. Resources
141
once spent on such non-value-added activities can instead be used to fuel growth
and shareholder value.
The results here seem to support the conclusion that most risk managers have heard this
message, at least as reflected by their agreement that risk activities should begin in the
feasibility stages of research and development. The reality seems however to be different.
Most respondents reported that they were actually beginning such activities later in the
development stage. An interesting question for further investigation is why the risk
management activities are not being initiated as early as the risk managers believe to be
optimal.
An important aspect of the risk management process is the use of new information obtained
prior and post product commercialization to update and fine-tune the often-shallow
information upon which early stages of risk analysis are based. It was therefore surprising
to find that most organizations did not have processes to take advantage of two important
potential sources of information, the FDA’s complaints and recalls databases. This
information may suggest not only that companies may not be focusing to the extent that
would be optimal on the monitoring functions that are called out in risk management
standards such as ISO 14971, but also that they may not be using valuable tools that could
inform on potential risks that have been associated with similar products.
The medical device industry is approaching a tipping point where the
increasing likelihood of a quality event, the rising costs of such events,
and the public nature of quality performance will force companies to focus
on quality and reliability throughout product design, manufacturing, and
marketing (Ted Fuhr, 2013).
142
5.3.4 Memory
The memory of organizations with regard to previous safety issues often tends to be short
lived. As stated by Polidoro (Polidoro, 2016).
Failures of prospective memory typically occur when we form an intention
to do something later, become engaged with various other tasks, and lose
focus on the thing we originally intended to do ("When we forget to
remember -- failures in prospective memory range from annoying to
lethal,"
The element of memory was added to the consolidated framework of Chan (2012) because
the previous research on disasters suggested that the memory/learning element is a key tool
to avoid repeating previous disasters. As other studies suggest, an event such as a product
recall, unanticipated product complaint or agency finding was identified by many
respondents to stimulate a heightened sense of awareness regarding risk management
activities and subsequent increase in the intensity of those activities. The respondents also
noted that this reactive awareness is not typically embedded in a way that has a
transformational effect for a majority of organizations. Rather, they predicted a shift back
to the normal previous state of reduced awareness between 0-9 months later. This pattern
is similar to that reported by others (Chan, 2012; Polidoro, 2016). As memory fades, it
might be expected that risk assessment activities lose intensity. Most respondents
expressed the belief that risks could have been mitigated prior to release for their products
and that the use of additional risk management tools may have helped them to identify new
risks, but it is not clear whether these risks could have been managed better if they occurred
in close temporal proximity to an earlier incident.
The problems of using past knowledge to inform future actions is made more difficult today
by the transient nature of career progression in quality and regulatory fields. Findings here,
143
that most respondents were in their positions for less than 5 years, corroborate other reports
suggesting that moving from one job to another every few years is not unusual (IOM,
2012). What remains to be understood is how to ensure that the memory of a past problem
becomes embedded in the culture as a key driver of better performance. This may involve
the collection of a curated archive holding documentation related to previous issues, that is
consulted whenever a risk analysis is undertaken.
5.3.5 Resources
A recurring challenge with a preventive system such as risk management is the difficulty
of assuring the allocation of sufficient resources, particularly for companies with many
competing pressures. Regardless of company size, more than two-thirds of survey
respondents believed that their organization needed to devote additional resources to
support risk management activities. The results are unsurprising considering that the most
respondents identified that their organizations saw risk management as a burden. It was
also quite clear that most time and resources were spent on risk management at early stages
of product development, and became less of a focus as the product matured. This may occur
because regulatory agencies such as the FDA put considerable emphasis on having a risk
management file in place at the time of clinical trials or market registration, but have
relatively little follow-up regarding the quality of the risk management system after market
launch. A recent report issued by the FDA highlights this challenge.
Many companies recognize a need to move beyond mere complaint
handling mechanisms for feedback, especially since the “quality of
complaints data often depends on what questions your customer interfaces
are asking” (FDA, 2011).
144
The fact that risk management activities related to activities such as non-conformances,
defect disposition and complaint handling were ranked lower than other risk activities
related to analysis and evaluation, verification and validation, and manufacturing creates
the perception that respondents may view earlier activities to be more important than post
market surveillance. Activities such as complaint handling and non-conformance defect
disposition are the precursors to early identification of problem products that will need to
be recalled, in order to prevent the distribution of multiple defective lots.
5.4 Conclusions and Future Directions
Several pieces of information reported here shed light on the contributing factors that are
impeding risk management from being as useful as intended. These responses suggest that
many organizations do not have adequate resources for the optimal support of risk
management activities, and that the resources that do exist are focused on the early stages
of product management. They also suggest that the risk management teams could profit
from better education concerning the different types of tools available to inform risk
management and a wider appreciation of enterprise risk management approaches. The
individuals typically assigned to risk management teams are paid relatively high salaries,
so that expectations of deep domain competence should be part of their performance
expectations. The repeated problems with recalls that are seen in many companies do not
seem to support the contention by most respondents that companies have an adequate risk
management system in place.
The evolution of medical devices and combination products continues, and new
technologies in areas such as regenerative medicine, biomaterials, in silico methods and
145
nanotechnology will pose novel and perhaps more challenging risks. Thus, the risk profiles
of products may become more challenging in future. Without careful attention to risk
management, we can likely anticipate that the threat of safety problems associated with
medical devices will not diminish. The results from the survey coupled with the increased
sensitivity of health agencies with regard to the stubbornly high rate of recalls suggests that
industry should be driven to improve its risk management methods but there is a long way
to go. By dissociating different aspects of organizational structure and behavior, it is
possible to identify areas in which risk management activities may be particularly
vulnerable, and where better guidance might assist companies to develop a more proactive
and effective system. One would hope that the results from this study as well as the
practical examples associated with safety problems in the past would stimulate a greater
attention in this industry to its risk management practices, that could reduce the likelihood
of repeated problems and recalls. In so doing it would help to reduce the financial costs of
recalls and safety issues that are often not appreciated by the organization from a business
perspective.
146
REFERENCES
Abdul-Majid, M. (2015). Fundamentals of US Regulatory Affairs (9th ed., pp. 17-25).
Rockville, MD: Regulatory Affairs Professionals Society.
Alder, H. C. (1993). Safe Medical Devices Act: Management Guidance for Hospital
Compliance with the New FDA Requirements. Hospital Technolgy Series, 12(11),
1-27.
Arney, D., Venkatasubramanian, K. K., Sokolsky, O., & Lee, I. (2011, August).
Biomedical Devices and Systems Security. Paper presented at the 2011 Annual
International Conference of the IEEE Engineering in Medicine and Biology
Society, Boston, MA.
Atkinson, P. (2010). Reality Testing: Strategies for Transforming Organisations.
Management Services, 54(4), 42.
Badiru, A. B. (2013). Handbook of Industrial and Systems Engineering (2nd ed.). Boca
Raton, FL: CRC Press.
Baird, R. M., Hodges, N. A., & Denyer, S. P. (2003). Handbook of Microbiological
Quality Control in Pharmaceuticals and Medical Devices (1st ed.). Boca Raton,
FL: CRC Press.
Bartoo, G. (2003). Risk Management. IEEE Engineering in Medicine and Biology
Magazine, 22(4), 166-172. doi:10.1109/memb.2003.1237528
Basu, S., Bose, I., & Ghosh, S. (2014). Lessons in Risk Management, Resource
Allocation, Operations Planning, and Stakeholder Engagement: The Case of the
Kolkata Police Force and Durga Puja. DECISION, 40(3), 249-266.
doi:10.1007/s40622-013-0022-0
Berkrot, B., & Pierson, R. (2010). J&J Confirms Widely Expanded Contact Lens Recall.
World. Retrieved from http://www.reuters.com/article/us-jandj-recall-
idUSTRE6B05G620101201
Bernstein, P. L. (1996). The New Religion of Risk Management. Harvard Business
Review(March-April).
Blackstone, E. H. (2005). Could it Happen Again? the Bjork-Shiley Convexo-Concave
Heart Valve Story. Circulation, 111(21), 2717-2719.
doi:10.1161/CIRCULATIONAHA.105.540518
Brady, J. L. (2010). First, Do No Harm: Making Infusion Pumps Safer. Biomedical
Instrumentation & Technology, 44(5), 372-380. doi:10.2345/0899-8205-44.5.372
Burns, M. G. (2015). Logistics and Transportation Security: A Strategic, Tactical, and
Operational Guide to Resilience. Boca Raton, FL: CRC Press.
Caceres, V. (2014). Clearing the Shelves: Insights on How to Handle Medical Device
Recalls. Biomedical Instrumentation & Technology, 48(6), 414-422.
doi:10.2345/0899-8205-48.6.414
Campbell, J.-L., & Göritz, A. S. (2013). Culture Corrupts! A Qualitative Study of
Organizational Culture in Corrupt Organizations. Journal of Business Ethics,
120(3), 291-311. doi:10.1007/s10551-013-1665-7
147
Carpenter, D., & Sin, G. (2007). Policy Tragedy and the Emergence of Regulation: The
Food, Drug, and Cosmetic Act of 1938. Studies in American Political
Development, 21(02), 149-180. doi:10.1017/s0898588x0700020x
Chan, T. C. (2012). Implementation of Risk Management in Medical Device Companies:
A Survey Analysis of Current Practices. (Doctorate dissertation), University of
Southern California, Los Angeles, CA. (3551457)
Code of Federal Regulations, 21 CFR 820.3, 8 (2015).
Cohen, D. (2013). DePuy Knew About Hip Implant's High Failure Rate Three Years
Before it was Recalled. British Medical Journal, 346, f626. doi:10.1136/bmj.f626
Crawley, F., & Tyler, B. (2015). HAZOP: Guide to Best Practice (3rd ed.). Amsterdam,
Netherlands: Elsevier Science.
Crockford, G. N. (1982). The Bibliography and History of Risk Management: Some
Preliminary Observations. Geneva Papers on Risk & Insurance, 7(2), 169.
doi:10.1057/gpp.1982.10
Daniel, A., & Kimmelman, E. (2008). The FDA and Worldwide Quality System
Requirements Guidebook for Medical Devices (2nd ed.). Milwaukee WI: ASQ
Quality Press.
DeMarco, C. T. (2011). Medical Device Design and Regulation: ASQ Quality Press.
Dionne, G. (2013). Risk Management: History, Definition, and Critique. Risk
Management and Insurance Review, 16(2), 147-166. doi:10.1111/rmir.12016
Dumbrique, R. (2010). Implementation of Risk Management in the Medical Device
Industry. (Master of Science Thesis), San Jose State University. Retrieved from
http://scholarworks.sjsu.edu/etd_theses/3855
Estrin, N. F. (1990). The Medical Device Industry: Science: Technology, and Regulation
in a Competitive Environment. New York, NY: Marcel Dekker.
FDA. (1997). Design Control Guidance for Medical Device Manufactuers. Rockville,
MD: FDA Retrieved from
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/G
uidanceDocuments/ucm070642.pdf.
FDA. (2006). Guidance for Industry Q9 Quality Risk Management. Rockville, MD: FDA
Retrieved from
http://www.fda.gov/downloads/Drugs/.../Guidances/ucm073511.pdf.
FDA. (2011). Understanding Barriers to Medical Device Quality. Retrieved from
http://www.fda.gov/AboutFDA/CentersOffices/OfficeofMedicalProductsandToba
cco/CDRH/CDRHReports/ucm277272.htm.
FDA. (2012). Medical Device Recall Report FY2003 to FY2012. Rockville, MD: FDA
Retrieved from
http://www.fda.gov/downloads/AboutFDA/CentersOffices/OfficeofMedicalProdu
ctsandTobacco/CDRH/CDRHTransparency/UCM388442.pdf.
FDA. (2014a). Infusion Pumps Total Product Lifecycle Rockville, MD Retrieved from
http://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guid
ancedocuments/ucm209337.pdf.
FDA. (2014b). Quality System (QS) Regulation/Medical Device Good Manufacturing
Practices. Rockville, MD Retrieved from
148
http://www.fda.gov/medicaldevices/deviceregulationandguidance/postmarketrequ
irements/qualitysystemsregulations/.
Fielder, J. H. (1995). Defects and Deceptions-the Bjork-Shiley Heart Valve. IEEE
Technology and Society Magazine, 14(3), 17-22. doi:10.1109/44.464628
Flannery, E. J. (1991). The Safe Medical Devices Act of 1990: An Overview. Food Drug
Cosmetic Law Journal, 46(2), 129.
Flaus, J. M. (2013). Fault Tree Analysis Risk Analysis: Socio-technical and Industrial
Systems (pp. 229-251). Hoboken, NJ USA: John Wiley & Sons, Inc.
Flouris, T. G., & Yilmaz, A. K. (2011). Risk Management and Corporate Sustainability
in Aviation. Burlington, VT: Ashgate.
Fries, R. C. (2013). Reliable Design of Medical Devices (3rd ed.). Boca Raton, FL: CRC
Press.
Gadotti Martins, E., Pinheiro de Lima, E., & Gouvea da Costa, S. E. (2015). Developing
a Quality Management System Implementation Process for a Medical Device
Manufacturer. Journal of Manufacturing Technology Management, 26(7), 955-
979. doi:10.1108/jmtm-12-2012-0119
Gaffney, A. (2014). Massive Recall of Medical Devices Largest Ever Recorded by FDA
Regulatory Focus. September 2. Retrieved from http://www.raps.org/Regulatory-
Focus/News/2014/09/02/20197/Massive-Recall-of-Medical-Devices-Largest-
Ever-Recorded-by-FDA/
Greb, E. (2006). Baxter Healthcare Signs Consent Decree. Pharmaceutical Technology,
30(8), 19.
Guldenmund, F. W. (2010). (Mis)understanding Safety Culture and Its Relationship to
Safety Management. Risk Analysis, 30(10), 1466-1480. doi:10.1111/j.1539-
6924.2010.01452.x
Haimes, Y. Y. (2009). Risk Modeling, Assessment, and Management (3rd ed.). Hoboken,
NJ: John Wiley & Sons.
Harrison, D. C., Ibrahim, M. A., Weyman, A. E., Kuller, L. H., Blot, W. J., & Miller, D.
E. (2013). The Björk-Shiley convexo-concave heart valve experience from the
perspective of the supervisory panel. The American journal of cardiology,
112(12), 1921. doi:10.1016/j.amjcard.2013.08.020
Harty-Golder, B. (2002). Should a Lab Report Defective Medical Equipment? (Vol. 34,
pp. 16). United States: NP Communications, LLC.
Higson, G. R. (2001). Medical Device Safety: The Regulation of Medical Devices for
Public Health and Safety. Boca Raton, FL: CRC Press.
Hurford, P. (2012). Intro to Hazard and Operability (HAZOP) studies. DEMM:
Engineering & Manufacturing, 28.
IOM. (2011). Medical Devices and the Public's Health: The FDA 510(k) Clearance
Process at 35 Years. Washington D.C.: National Academies Press.
IOM. (2012). Strengthening a Workforce for Innovative Regulatory Science in
Therapeutics Development: Workshop Summary (A. B. Claiborne & S. Olson
Eds.): National Academies Press.
ISO. (2007). ISO 14971 Medical Devices Application of Risk Management to Medical
Devices. Geneva, Switzerland: International Organization for Standardization.
149
ISO. (2009). IEC/ISO 31010:2009 Risk Management - Risk Assessment Techniques (pp.
188). Geneva, Switzerland: International Organization for Standardization.
Japsen, B. (2010, May 5, 2010). FDA Orders Recall of Baxter's Colleague Infusion
Pump. Chicago Tribune, p. 43.
Johansen, I. L. (2010). Foundations of Risk Assessment. (Masters Thesis), Norwegian
University of Science and Technology. Retrieved from http://www.diva-
portal.org/smash/get/diva2:427587/FULLTEXT01.pdfInger (ROSS (NTNU)
201002)
Johnson, J. A. (2012). FDA Regulation of Medical Devices. (R42130). Congressional
Research Service Retrieved from https://www.fas.org/sgp/crs/misc/R42130.pdf.
Jones, P. L., & Taylor, A. (2015). Medical Device Risk Management and Safety Cases.
Biomed Instrum Technol, Suppl, 45-53. doi:10.2345/0899-8205-49.s1.45
Jyothi, G. V. S. S. N., Venkatesh, M. P., & Pramod Kumar, T. M. (2013). Regulations of
Medical Devices in Regulated Countries: A Comparative Review. Therapeutic
Innovation & Regulatory Science, 47(5), 581-592.
Kaplan, S., & Garrick, B. J. (1981). On The Quantitative Definition of Risk. Risk
Analysis, 1(1), 11-27. doi:10.1111/j.1539-6924.1981.tb01350.x
Kramer, D. B., Xu, S., & Kesselheim, A. S. (2012). How Does Medical Device
Regulation Perform in the United States and the European Union? A Systematic
Review. PLoS Med, 9(7), e1001276. doi:10.1371/journal.pmed.1001276
Krzakiewicz, K., & Cyfert, S. (2015). Organizational Reputation Risk Management as a
Component of the Dynamic Capabilities Management Process. Management,
19(1), 6-18. doi:10.1515/manment-2015-0001
Lander, V. (2007). Achieving Risk Management for FDA Compliance Using ISO 14971.
Journal of GXP Compliance, 11(4), 22-29.
Leflar, R. B. (1989). Public Accountability and Medical Device Regulation. Harvard
Journal of Law and Technology, 2, 1-84.
Lincoln, J. E. (2012). Overview of the US FDA GMPs: Good Manufacturing Practice
(GMP)/Quality System (QS) Regulation (21 CFR Part 820). Journal of Validation
Technology, 18(3), 17.
Lindholm, C., Notander, J. P., & Höst, M. (2013). A Case Study on Software Risk
Analysis and Planning in Medical Device Development. Software Quality
Journal, 22(3), 469-497. doi:10.1007/s11219-013-9222-2
Liu, L., Shuai, M., Wang, Z., & Li, P. (2012). Use-Related Risk Analysis for Medical
Devices Based on Improved FMEA. Work, 41 Suppl 1, 5860-5865.
doi:10.3233/WOR-2012-0976-5860
Marcus, A. A. (2015). The Future of Technology Management and the Business
Environment: Lessons on Innovation, Disruption, and Strategy Execution:
Pearson Education.
Martínez-Costa, M., Choi, T. Y., Martínez, J. A., & Martínez-Lorente, A. R. (2009). ISO
9000/1994, ISO 9001/2000 and TQM: The performance debate revisited. Journal
of Operations Management, 27(6), 495-511. doi:10.1016/j.jom.2009.04.002
Masters, C., & Lupo, C. (2009). ISO 13485: Just the Facts: ISO/IEC 13485: 2003 and
ISO 9001: 2008 Are Similar- But Different (Vol. 48, pp. 65): BNP Media.
150
Merrill, R. A. (1994). Regulation of Drugs and Devices: An Evolution. Health Aff
(Millwood), 13(3), 47-69.
Mesner, S. (1993). Medical Device Technology: Does Federal Regulation of This New
Frontier Preempt the Consumer's State Common Law Claims Arising from
Injuries Related to Defective Medical Devices? Journal of Law and Health, 7,
253.
Monsein, L. H. (1997). Primer on Medical Device Regulation. Part I. History and
Background. Radiology, 205(1), 1-9. doi:10.1148/radiology.205.1.9314952
Moore, J. (2011, August 26, 2011). Recall Surgical Mesh, Consumer Group Says: FDA is
Reviewing the Product, Made by Several Firms with Twin Cities Ties, Newspaper
Article. Star Tribune.
Morrow, R. (2012). Utilizing the 3Ms of Process Improvement in Healthcare: A
Roadmap to High Reliability Using Lean, Six Sigma, and Change Leadership (1st
ed.). Boca Raton, FL: CRC Press.
Mortimore, S., & Wallace, C. (2013). HACCP: A Practical Approach (Vol. 3). New
York, NY: Springer.
Moss, D. A. (2012). A Brief History of Risk Management Policy Shared Responsibility,
Shared Risk: Government, Markets and Social Policy in the Twenty-First Century
(pp. 304). New York, NY: Oxford University Press.
Mumford, S. D., & Kessel, E. (1992). Was the Dalkon Shield a Safe and Effective
Intrauterine Device? The Conflict Between Case-Control and Clinical Trial Study
Findings. Fertility & Sterility, 57(6), 1151-1176.
Niamh, N. (2015). Quality Risk Management-The Medical Device Experience.
Retrieved from http://www.pda.org/docs/default-source/website-document-
library/chapters/presentations/ireland/quality-risk-management---the-medical-
device-experience.pdf?sfvrsn=6
Oppenheimer, D. (2015, July ). Categorizing Hazards to Increase Risk Prevention and
Decrease Liabilities. Paper presented at the Risk Integration and Quality
Management for Medical Device: Effectively Stratifying Risk Throughout the
Product Lifecycle, San Diego, CA.
Perez, J. R. (2012). Quality Risk Management in the FDA-Regulated Industry.
Milwaukee WI: Quality Press.
Perkins, J. H. (2014). Development of Risk Assessment for Nuclear Power: Insights from
History. Journal of Environmental Studies and Sciences, 4(4), 273-287.
doi:10.1007/s13412-014-0186-8
Phelps, P. K. (2011). Smart Infusion Pumps: Implementation, Management, and Drug
Libraries. Bethesda, MD: American Society of Health-System Pharmacists.
Pokrop, F. (2013). Quality Risk Management in the FDA-Regulated Industry (Vol. 46).
Milwaukee, WI.: American Society for Quality
Polidoro, F. (2016). Why Organizations Forget What They Learn from Failures. Harvard
Business Review(February 29).
Racine, J. (2013). Orthopedic Medical Devices: Ethical Questions, Implant Recalls and
Responsibility. Rhode Island Medical Society Journal, 96(6), 16-19.
Rados, C. (2010). Medical Device and Radiological Health Regulations Come of Age.
FDA Consumer Magazine. January. Retrieved from
151
http://www.fda.gov/aboutfda/whatwedo/history/productregulation/medicaldevicea
ndradiologicalhealthregulationscomeofage/default.htm
Raubicheck, C. J. (1991). The FDA's Implementation of the Safe Medical Devices Act of
1990. Food Drug Cosmetic Law Journal, 46(6), 885.
Ray, A. (2012). Assurance Cases: Their Use Today and The Challenges Ahead.
Biomedical Instrumentation & Technology, 46(3), 195-200.
Robbins, C. J., Connors, K. C., Sheehan, T. J., & Vaughan, J. S. (2005). Risk Factors.
Healthcare Financial Management, 59(6), 78-83.
Rogers, P. G. (1996). Remarks by the Honorable Paul Rogers at the Twentieth
Anniversary Celebration of the 1976 Medical Device Amendments. Food and
drug law journal, 51(4), 505.
Rudolph, H. (2003). Do We Need Medical Device Risk Management Certification?
Medical Device & Diagnostic Industry, 24, 44-49.
Samuel, F. E., Jr. (1991). Safe Medical Devices Act of 1990. Health affairs, 10(1), 192-
195. doi:10.1377/hlthaff.10.1.192
Santiago, I. B., Faure, J.-M., & Papadopoulos, Y. (2006, August). Including Systematic
Faults Into Fault Tree Analysis. Paper presented at the 6th IFAC Symposium,
SafeProcess 2006, Beijing, P.R. China.
Schaeffer, N. E. (2012). The Role of Human Factors in the Design and Development of
an Insulin Pump. Journal of Diabetes Science and Technology, 6(2), 260-264.
doi:10.1177/193229681200600208
Schmuland, C. (2005). Value-Added Medical-Device Risk Management. IEEE
Transactions on Device and Materials Reliability, 5(3), 488-493.
doi:10.1109/tdmr.2005.857860
Shepherd, M. (2011). 2011 Medical Device Industry Outlook. Medical Product
Outsourcing: Business Insights: Essentials, 9, 48.
Silver, F. (1994). Biomaterials, Medical Devices and Tissue Engineering: An Integrated
Approach (1st ed.). London, UK: Chapman & Hall
Sivin, I. (1993). Another Look at the Dalkon Shield: Meta-Analysis Underscores its
Problems. Contraception, 48(1), 1-12.
Stewart, K. L., & Paine, W. S. (2012). Johnson & Johnson: An Ethical Analysis of
Broken Trust. Journal of Academic and Business Ethics, 5, 1-11.
Sullivan, J., & Beach, R. (2009). Improving Project Outcomes Through Operational
Reliability: A Conceptual Model. International Journal of Project Management,
27(8), 765-775. doi:10.1016/j.ijproman.2009.02.006
Trautman, K. A. (2012, March 28–29). Two Days of ISO 14971. Paper presented at the
FDA NEWS, Boston, MA.
Traynor, K. (2010). FDA Seeks Improvements in Infusion Pump Safety. American
Journal of Health-System Pharmacy, 67(13), 1048-1049.
doi:10.2146/news100047
Ward, A. (2007). ANSI/AAMI/ISO 13485 Comes of Age. Biomedical Instrumentation
& Technolgy, 41(2), 145-146. doi:10.2345/0899-
8205(2007)41[145:ICOA]2.0.CO;2
Young, F. E. (1989). Food and Drug Law: Where It Came From. Chemtech, 19(1), 22.
152
APPENDIX A. FINAL VERSION OF QUALTRICS SURVEY
153
154
155
156
157
158
159
160
161
162
163
164
Abstract (if available)
Linked assets
University of Southern California Dissertations and Theses
Conceptually similar
PDF
Implementation of risk management in medical device companies: a survey analysis of current practices
PDF
Using telemetry to ensure safe and reliable medical device operation: experience with defibrillators and infusion pumps
PDF
Risk approaches and standards used in hospitals: a survey of industry views
PDF
Implementation of unique device identification in the medical device industry: a survey of the change management experience
PDF
Reprocessing of single-use medical devices: a survey investigation comparing the views of three unheard stakeholders
PDF
Organizational communication of regulatory intelligence: a survey of the medical device industry
PDF
Benefits-risk frameworks: implementation by industry
PDF
FDA influence on advisory committees through documentation: a content analysis and survey of industry views
PDF
Effect of GDUFA legislation on the development and approval of generic drugs: a survey of industry views and experiences
PDF
Incentivizing quality in the manufacture of pharmaceuticals: manufacturers' views on quality ratings
PDF
Continuity management in biobank operations: a survey of biobank professionals
PDF
Challenges in the implementation of Risk Evaluation Mitigation Strategies (REMS): a survey of industry views
PDF
Current practices in biocompatibility assessment of medical devices
PDF
“Regulatory” due diligence: a survey investigation of best practices in the medical products industry
PDF
Validation master plans: progress of implementation within the pharmaceutical industry
PDF
Value based purchasing: decision-making processes underlying hospital acquisitions of orthopedic devices
PDF
Regulatory programs to foster medical product development: user experience in the United States and Japan
PDF
Computerized simulation in clinical trials: a survey analysis of industry progress
PDF
Convergence of United States regulatory and reimbursement policies impacting patient access to humanitarian use devices (HUD)
PDF
The role of universities in the commercialization of medical products: a survey of industry views
Asset Metadata
Creator
Oppenheimer, Darin Seth
(author)
Core Title
Risk management and recalls: a survey of medical device manufacturers
School
School of Pharmacy
Degree
Doctor of Regulatory Science
Degree Program
Regulatory Science
Publication Date
02/10/2017
Defense Date
12/04/2016
Publisher
University of Southern California
(original),
University of Southern California. Libraries
(digital)
Tag
medical devices,OAI-PMH Harvest,recalls,risk management,risk management tools
Language
English
Contributor
Electronically uploaded by the author
(provenance)
Advisor
Richmond, Frances (
committee chair
), Jamieson, Michael (
committee member
), Kuo, Benson (
committee member
), Loeb, Jerry (
committee member
)
Creator Email
doppenh1@gmail.com,doppenhe@usc.edu
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-c40-332552
Unique identifier
UC11257664
Identifier
etd-Oppenheime-5026.pdf (filename),usctheses-c40-332552 (legacy record id)
Legacy Identifier
etd-Oppenheime-5026.pdf
Dmrecord
332552
Document Type
Dissertation
Rights
Oppenheimer, Darin Seth
Type
texts
Source
University of Southern California
(contributing entity),
University of Southern California Dissertations and Theses
(collection)
Access Conditions
The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...
Repository Name
University of Southern California Digital Library
Repository Location
USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Tags
medical devices
recalls
risk management
risk management tools