Risk assessment and risk management in the medical device industry typically start with a brainstorming session. Members of the product development team sit down together, start randomly rattling off risks as they come to mind, and write them all down on a piece of paper. I call this the "cherry-picking" approach to risk, because it is an almost haphazard process. Regardless of whether you spend an hour or a year brainstorming on risk, in the end you can never be certain you have captured all the potential risks.
To help offset the inherent shortcomings of brainstorming sessions, I recommend a more systematic, engineering-minded approach. Start by breaking risk down into three main types —or buckets — similar to the medical device classification system, where we have Class I, II, and III.
The first category of risk is what I call the “probability of direct harm.” This is the most obvious connotation of risk and the one most people think of first. What is the likelihood that somebody — usually the patient, although sometimes it is a caregiver — experiences harm caused directly by the use of your medical device?
Bucket number two is the “probability of harm caused by not using your device.” In other words, what other options does the patient have if they don’t use your device? Are there other devices that could be used instead? Are there drugs or surgical procedures that could be used? Or perhaps there are no alternatives at all.
Evaluating the probability of harm caused by not using the device is actually a requirement of FDA’s premarket approval (PMA) process, but not the premarket notification, or 510(k), process – although there has been some discussion about adding it to the 510(k) pathway, as well. In the PMA world, this form of risk is what the regulation calls “alternative practices or procedures.” Since PMA devices are, by their nature, more complicated — often life-sustaining or life-supporting kinds of devices — it makes sense to take into account other options the patient might have.
From the manufacturer’s perspective, the least burdensome path is if you are working in an area where the patient is in eminent danger of demise and there are no other options. At that point, you can argue that your device is better than nothing. In this case, the bar for safety is set at its lowest level – as it should be in these types of situations – but this is not usually the case in the 510(k) world.
The third risk bucket is the “probability of providing the wrong information.” This type of risk is endemic in all diagnostic devices (patient monitors, imaging systems, and in vitro diagnostics, including companion diagnostics, just to name a few). Any time your device is providing actionable information, especially diagnostic or treatment information, to either the physician or the patient, you must consider "What is the probability that your device is providing inaccurate or wrong information?"
For example, in an in vitro diagnostic (IVD) device for cancer, what is the likelihood that your device says the patient has cancer when, in fact, they do not (i.e., a false positive)? Alternatively, what is the likelihood that your device says the patient does not have cancer when, in fact, they do (i.e., a false negative)? Of course, in this example, the risk of a false negative is much more problematic than a false positive. Nonetheless, there are ways to mitigate both of these risks – something that a savvy regulatory professional should always do.
These three types of risks are important in a regulatory sense, because you have to mitigate all of them in your submission, regardless of your regulatory pathway (e.g., 510(k), PMA, de novo). However, risk is also important from a design control perspective.
Regulatory Risk vs. Design Control Risk
While there is certainly some overlap between risk presented in a regulatory submission and risk in the context of design controls, these risks are not carbon copies of one another. Unfortunately, I have seen companies literally copy and paste the risk management plan from their design controls into their regulatory submission.
Such submissions are destined to fail, because the design control connotation of risk is narrower than the regulatory connotation of risk. In a design control context, the risk management plan is pretty much limited to the first bucket of risk, the probability of direct harm. However, on the regulatory side, the risk mitigation strategy is a vital component of all regulatory submissions, especially 510(k) and de novo.
The two most important parts of a 510(k) are the substantial equivalence argument and the risk mitigation strategy. Quite frankly, it doesn’t matter if you fill out all the forms properly: Without a rock-solid substantial equivalent argument and a bulletproof risk mitigation strategy, you probably will not be successful with your 510(k), and certainly not your first attempt.
The de novo is even more straightforward than the 510(k) because, in the de novo, there is no substantial equivalence argument – if there were, you would not be in the de novo pathway. So, a successful de novo submission comes down to only one thing: risk mitigation strategy. You have to mitigate all three categories of risk in order to be successful with the de novo.
How To Address Risks You’d Rather Not Draw Attention To (In Your Submission)
In my opinion, there is a big difference between writing a regulatory submission and designing a submission. As an engineer, it doesn’t matter if I’m designing a medical device, designing a clinical trial, or designing a regulatory submission — design is design. But, when it comes to regulatory submission design, the way you present your information — not just what you say and how you say it, but what you don’t say and how you don’t say it — is critically important.
This is especially true of risks to which you might not want to draw attention. Take, for example, a very simple medical device, like a hypodermic syringe. This device can be very useful for injecting drugs, taking blood samples, etc. But, without much imagination, you can imagine it causing a lot of harm, as well.
Which raises the question: hypodermic syringes have been around for a long time but, if you were developing the first hypodermic syringe today, would it get on the market? This is the medical device equivalent of asking “if Aspirin was new today, would it get on the market?” This is not a simple question!
Most people present risks in some sort of order in a submission, either by frequency (from most frequent to least frequent) or severity (from most severe to least severe). But presenting risks in this manner draws attention to them — something you may not wish to do.
So, take a different approach. The regulation does not tell you how to present risks in a submission. It doesn’t stipulate that you list them in any particular order. It doesn’t specify how many risks to include. That’s up to you.
Why not present the risks in random order, rather than by frequency or severity? And why not include a lot more risks than you otherwise might, so as to not draw attention to certain other risks? This approach dilutes the pool, so to speak. It is not dishonest, as the information is in the submission — you just aren’t drawing attention to it. This is just one way regulatory professionals can design a regulatory submission, rather than merely write one.
Conflicting Positions On Risk
Often, what we want to accomplish from a regulatory perspective is diametrically opposed to what we want to achieve from another perspective. For example, consider the tension between risk mitigation and product liability. The underlying assumption, in both regulatory submissions and design controls, is that the scope of the conversation is limited to risks associated with on-label use of the product.
Not long ago, a large medical device company invited me to help facilitate a brainstorming session to develop a risk management plan, as required by the design controls for their new device. We were going through the different buckets of risk, and people were coming up with all the different risks they could imagine associated with the on-label use of this device. Then, the topic of risk associated with off-label use came up. As soon as that happened, the ranking person in the room, a senior VP at this medical device company, said “this meeting is over.” Why? Because of product liability.
If a device causes harm to a patient, the manufacturer will undoubtedly get sued (I’ve been involved in several of these kinds of cases). And, if opposing counsel can show that the company knew, should have known, or even was thinking about risks associated with off-label use of its device that were not sufficiently mitigated, the company can be held to a higher level of liability.
Massachusetts politician Martin Lomasney famously said, “Never write when you can speak; never speak when you can nod; never nod when you can wink.” A more modern twist on this saying came from Elliot Spitzer, the former governor of New York, when he said, “Never talk when you can nod, never nod when you can wink, and never write an email, because it’s death. You're giving prosecutors all the evidence they need!” The same discretion is necessary in medical device product liability.
Documenting risks associated with the off-label use of your device — which is basic engineering (common sense, one might say) — can be the kiss of death if your device causes harm and you get sued. Opposing counsel simply will subpoena the email or meeting notes and say, “Back in August 2015, you had this brainstorming meeting and talked about this particular form of risk….”
From a regulatory perspective, you want to document everything but, from a product liability perspective, you want to document nothing! My advice to you, tongue in cheek, is to document everything and then, as soon as you do, shred everything. Pragmatically speaking, though, after years of playing this game, here is my advice: At the beginning of your risk brainstorming meeting, agree to limit the discussion to risks associated with the on-label use of the device — but that should never go into your meeting notes!
In a related example, the CEO of a company I recently worked with was presenting at a medical conference. He started going a little bit off-script, discussing off-label uses for the company’s new medical device. To make a long story short, there were a couple of FDA staffers sitting in the audience. Talk about getting your hand caught in the cookie jar.
But here’s the thing: Every single person in the room, including the folks from FDA, knew that, in reality, the device was going to be used in the off-label ways described. Unfortunately, this tension between regulatory and other priorities is incentivizing medical device companies to avoid asking important questions and addressing important issues. We have become like ostriches sticking their heads in the sand, pretending these things don’t happen. From a humanitarian perspective, how does this make the world a better place?
Including Off-Label Uses In Risk Management — Without The Product Liability Headaches
Avoid creating product liability issues when developing your risk management plan by following this simple advice: Don’t design your regulatory strategy in isolation. You need to design your regulatory strategy in conjunction with your product liability strategy, your reimbursement strategy, your intellectual property strategy, and everything else. Just like the human body, nothing in regulatory strategy exists in isolation — every part is in constant communication with everything other part.
In addition, I would recommend designing your labeling, especially the high-level labeling — which includes label claims and indications for use — just like you would design your physical device. Again, to me, design is design.
For example, during a recent project, we designed the product labeling at the same time we designed the device. We designed them to be in sync with one another. Just like in product development, where we may come up with five or six different prototype designs and evaluate the merits of each, we came up with five or six potential indication-for-use statements for the same device, and we did a regulatory burden assessment on each one. In other words, if we say this, we must prove that; if we say that, we must prove this, and so on.
We presented the different indication-for-use statements to the senior management team, along with the regulatory burden assessment. Representatives from regulatory, reimbursement, marketing, legal, and other departments participated in the discussion. We were able to decide, as a company, where the labelling “sweet spot” was for that particular company and that particular device. This process formed what the company would say from a regulatory perspective, from a marketing perspective, from a product liability perspective, etc.
That sweet spot — that fulcrum, or balance point, or whatever you want to call it — will be different for every company. They key to finding it is getting context and input from all the different functional groups within the organization.
Another Form Of Risk To Consider
There is one more form of risk I would like to briefly touch upon: regulatory risk.
Unlike the three buckets of risk we discussed previously, regulatory risk is something I never talk about at FDA or any other regulatory agency because, frankly, it’s not their concern. It is, however, something I talk about a lot with the medical device companies I work with.
Regulatory risk has two connotations. The first is the probability of being unsuccessful when trying to “sell” your regulatory strategy to a particular regulatory agency. Every regulatory strategy holds a certain degree of regulatory risk. You can mitigate it, you can minimize it, but you cannot eliminate it.
When considering different regulatory strategy options, it is important to assess regulatory risk. Potential regulatory strategy one might carry a relatively low regulatory risk. Strategy two might be moderately risky, while strategy three is high-risk. Although regulatory risk is nearly impossible to quantify precisely, you can assign an approximate value (low, medium, or high, in this example).
The second connotation of regulatory risk is what I call “the probability of getting smacked.” For example, what is the likelihood that you make a marketing claim and somebody (FDA or otherwise) comes back to you and says, “Hey, you’re saying this about your product. How do we know that’s true? Prove it.”?
You need to consider both the probability that someone will calls you out on a claim and the likelihood you will be able to defend it. This is more than a regulatory decision — it’s a business decision.
Some companies tend to be a little more aggressive. They push the envelope a little more, and make pretty bold claims (Sometimes, you see these claims being advertised on TV!). On the other end of the spectrum, some companies are very, very conservative.
It’s important to understand the different options and their potential ramifications. If you make one claim, your risk of getting smacked may be pretty high, but it may also be easy to defend. With another claim, your risk may be low, but it may be harder to defend.
To illustrate, consider a binky, also known as an infant pacifier. One manufacturer makes the label claim, displayed prominently on its package, “promotes healthy oral development.” This is a very nebulous label claim but, in the regulatory world, the more vague or non-specific the claim, the better. Why? Such a claim is very difficult to define (What does “promotes healthy oral development” mean?), and therefore the “probably of getting smacked” is low.
Furthermore, if you do get smacked, it is easy to defend yourself. If the manufacturer made a more specific medical claim (i.e., use our binky and reduce the likelihood of gingivitis), that would be a completely different story and its regulatory risk would be much higher.
While publically, FDA is not fond of nebulous label claims, there are many examples of devices that have them. On the flipside, the Centers for Medicare and Medicaid Services (CMS) is not at all fond of nebulous label claims and typically will not reimburse for them. This is another example of how regulatory strategy and reimbursement strategy can sometimes be diametrically opposed, and it’s up to the manufacturer to find a “sweet spot” in between the two.
As an aside, some chuckle when I use very simple examples like pacifiers, but consider this: Albert Einstein said, “If you can’t explain it simply, you don’t understand it well enough.” If we can’t explain the regulatory logic using a pacifier — something that everyone can understand — how can we apply the same logic to a much more complicated medical device, like a vena cava filter?
Consider this: Recently, a manufacturer received an FDA warning letter because it claimed its wheel chair cushion would “reduce causes of skin tissue trauma.” This is a relatively strong claim for a product that was never cleared or approved by FDA and, as a result, the manufacturer got "smacked" with an FDA warning letter.
Like many such manufacturer problems, this situation was totally avoidable! How? There are two choices: Make a more nebulous claim (i.e., “Our cushion makes your rear-end feel better,”), or go through the clearance or approval process and prove the claim so you can use it to your competitive advantage.
Of course, there are advantages and disadvantages to both approaches but the lesson to be learned is this: It is not enough to be careful with what you say – you must also be careful with how you say it!
The most important thing to remember regarding risk is that it is not a simple matter. There are many different connotations of risk: We talked about several important ones in regulatory submissions and design controls, but obviously there are other forms — financial risk, for example.
In addition, medical device manufacturers need to understand the impact of risk mitigation strategy on a regulatory submission. As I said before, that can make or break your regulatory submission, especially if it’s a 510(k) or a de novo.
Your risk management plan is also very important, not just to meet the design control requirements, but in terms of product liability, as well.
Finally, I would urge you to carefully consider not only what you say regarding risk, but also what you don’t say. There are many shades of grey. Some people don’t like shades of grey, but I personally love them in regulations. The ambiguities, the vagueness gives you the wiggle room to do what you think is necessary, as opposed to having regulation that is very specific. Unambiguous regulation makes it more of a challenge (but not impossible) to argue the value of doing something in a new or different way.