Risk Mitigation, an Important aspect in Software used in Medical device Industry

1. Risk Mitigation, an Important aspect in Software used in Medical device Industry. In medical device industry risk assessment has played very important role and it is not a matter of choice but also a regulatory requirement and proper methodology and documentation is necessary in support of justification. Risk assessment with severity and probability is well defined and has been used by industry since the concept came into practice and risk ranking of critical, major, medium and minor are being assigned and used as regular practice. For medical device to be approved, risk mitigation factor and its use is very important for each device. This must be defined well. Described and justified well and in critical risk cases it must be proven through validation. One of the most common risk mitigation measure is on data entry. In pharmaceutical world there are various operations where people have to make data entry (including batch records). This is one of the most common area of risk. So as mitigation measure most of the places all critical data entry or critical setting on machine for setup and mandatorily to be verified by second person. This must be built up in system like SOP. Second person entry is completely independent of first person and finally both should become identical. System to be available to cover, 1.SOP 2.Audit trail 3.User training. 4.Recording and investigating and learning from Incident. 5.System security and back up. 6.Business continuity. 7.In case where validation is involved risk mitigation part need to be included as part of validation. As there are specific owners for Risk management process, each must contribute very specifically like, Quality must ensure, process complies to regulatory requirement, Technical content must be owned by experts in the field they developed, and Business process owner must ensure interest of customer and user and evaluate risk assessment with respect to identification, evaluation and mitigation measure. There are other parallel actions of mitigations are frequent audits, data integrity check and back up check in areas where risk category is critical or major. There should be a robust system to cover the risk assessment and mitigation in case where design change is done for improvement. Entire process of change must be evaluated if new risk is evolved or not? Present mitigation measures will work or not. There is clear guideline available for software by US FDA. Part 11 is quite strong and well accepted. In case you are sourcing partly or fully software, vendor audit and assessment is must. Like any other vendor approval system this vendor should also be included. While evaluating vendor, it must be assessed whether vendor’s work on risk assessment and mitigation is satisfactory or not.

2. As mentioned above, during validation verification of risk mitigation can be done through testing. Another very important data source apart form our own field incident reports, is warning letters issued by US FDA. Study of three-year data will throw lot of data which may be useful in noticing missed out risk and even failure of mitigation measures.