Blog Layout
Risk Control Verification - Part 7 of 8
Michael Heald • Dec 23, 2019
To misquote Edwin R. Fisher, “In god we trust, all others must provide documented evidence”. Just like a list of new year’s resolutions, a list full of risk controls does not mean anything unless they are acted upon. Fortunately, we don’t have to provide documented evidence that we have stuck to our new year’s resolutions.
An important part of any risk assessment are the risk controls. Most, if not all, risks will probably have some sort of risk control (aka risk mitigation) proposed within the assessment. I say ‘proposed’ because that is all they are, documenting a risk control in your risk assessment is no guarantee that it will be implemented. In fact, it may not be the right or best risk control, but it is what seemed right when the risk assessment team was ‘in the zone’.
Therefore, we need a way of ensuring that ‘proposed’ risk controls are actually implemented. If your residual risk levels are based on risk controls that never made it off paper, you are in a bad place. Documented verification of risk control implementation is required, and this does not need to be onerous. If each risk control proposed in an assessment is traceable to a design input (or URS) requirement, the design verification/validation/qualification processes will complete the implementation audit trail and provide evidence that your proposed design controls actually made it into the final design.
But that is not all. What if a risk control is not as effective as the risk assessment team anticipated? Instead of guessing at the effectiveness of risk controls during risk assessment, it makes sense to set the occurrence of harm at the highest probability until you have evidence that it is reduced. Again, design verification/validation/qualification can then provide a traceable means of verifying the effectiveness of your risk controls. Of course, once effectiveness is proven, the associated risk analysis and evaluation should be modified accordingly.
As ever, it’s not enough to say you are going to do something. You have to do it and then be able to prove that it’s been done, and done properly.
Part 8 – Not Doing Risk Management is Not an Option.
While the FDA’s Office of Combination Products is working on a formal definition of Essential Performance Requirements behind closed doors, Industry is busy second-guessing. There are some clues to be had, and this is how I think it can work…
It’s hard to argue with safety as a reason for doing, or not doing, something; unacceptable risk is, well, unacceptable. This is the last article on risk management from me for a while – thanks for reading.
Keep your friends close and your enemies closer. While all aspects of design and manufacture of a medical device should be carefully controlled, special attention should be given to those elements that have the potential to cause the most harm.
Pressing deeper into safety risk management we look at two tools for performing risk assessment and evaluation: the ubiquitous FMEA and the exotic FTA.
Imagine a band performing a piece in which every musician played a different tune. In my fourth article I’m looking at how to coordinate the disparate groups that have to work under one risk management plan. How can they be helped to assess risk consistently?
I admire the achievements of free solo climbers, but I do question their notion of acceptable risk. Modern office health and safety culture operates at the other end of the scale; with carefully sealed hot drinks containers and the mandatory use of handrails on stairs. So, what level of risk is going to be acceptable to the users of your medical device?
Risk Mañana (noun): The temptation to leave risk management until is it impossible to ignore. Invest in an early dry run and enjoy the benefits.
This is the first of a short series of articles written to share my insights into the bit of medical device development that is always last to get picked for the team.
Medical devices designed to inject sterile liquid typically contain a cartridge or pre-filled syringe, usually made from glass, and its job is to contain and protect the sterile drug solution. These glass containers, or primary packs, also have plungers and seals made from rubbery elastomeric materials. As long as the glass and rubbery bits form a hermetically sealed environment, nothing nasty can get in, and nothing precious can escape. For those in the industry this simple concept is lovingly referred to as Container Closure Integrity, or CCI. Consider the life of a primary pack. Once it has been proven that a filling process is reliably producing sterile primary packs, they can be sent to be assembled into their host drug delivery devices. Device assembly is no pampering session for the primary packs; they are slid down tracks, bump into each other, get gripped and handled by machinery, pushed into some sort of holder, and then they get squeezed and bumped some more during other assembly processes. After all this, are they still safe to use? Then there is the shipping process as the devices are moved around the world. Happily, they are not usually subject to the professional ministrations of ordinary airport baggage handlers, nonetheless temperature changes, pressure changes and impact forces must all be endured en-route to their new home. Still safe? Eventually the devices will be stashed somewhere, during which time the primary packs age gracefully inside their host device and packaging. Even now they can fall victim to environmental conditions, or even long term stresses placed on them by the device. Filling and sterility testing is but a distant memory. It’s pretty obvious that we need to look after CCI right up until the patient gets their jab, and there is some common sense regulation on the subject. With device assembly, shipping and ageing in mind, try these for size: 21cfr211.87 “… drug product containers, and closures shall be retested … after exposure to … conditions that might adversely affect the … drug product container, or closure.” 21cfr211.94 (b) “Container closure systems shall provide adequate protection against foreseeable external factors in storage and use that can cause deterioration or contamination of the drug product.” FDA Guidance - Submission Documentation for Sterilization Process Validation and Applications for Human and Veterinary Drug Products: “Study designs should simulate the stresses of the sterilization process, handling, and storage of the drug and their effects on the container closure system.” Glass can form micro-cracks, or worse, and rubbery bits can fail to seal properly. So the big question is; when manufacturing thousands, or even millions, of drug delivery devices, how do we demonstrate that each and every primary pack will continue to keep the bad stuff out and the good stuff in until it’s used? The answer to our big question lies in a specialist field of testing called Container Closure Integrity Testing (CCIT). The old probabilistic dye ingress techniques are, quite frankly, a bit rubbish. Luckily, a growing number of clever quantitative techniques are available to prove reliable container closure integrity for a range of different applications. Don’t think for a moment that device design is not involved in CCIT. Firstly, the device simply gets in the way and prevents us from checking CCI (think Schrödinger's cat). Secondly, if the device is dismantled to check CCI, the act of dismantling may itself cause a leak path to develop. So, to all those engaged in the design and development of drug delivery devices; don’t design a CCIT nightmare, use Design Controls and Risk Management to both improve CCI performance and pave the way for CCIT friendly device design.
When devices are being developed for the delivery of pharmaceutical drug, two worlds collide. Pharmaceutical regulation meets medical device regulation, and what is at ground zero? The primary pack*. The bit of the device that holds and protects the drug substance. Often the device itself is referred to as secondary packaging, which hardly does justice to the amazing engineering that can go into it. Then there are more ordinal layers of packaging with trays, cartons, sleeves, wraps, multipack boxes etc. Beyond Primary Pack there seem to be no hard and fast rules for packaging nomenclature, so it is a good idea for everyone to agree on packaging terminology early in a project. But I digress. Going back to the Primary Pack, I should point out that containers designed to do no more than hold and protect a drug substance are not regulated as devices, and therefore are not subject to medical device regulation. As soon as a container plays a part in controlling the delivery of a drug, it is moving into medical device territory, and the medical device regulations are invoked. There are, of course, grey areas. Eye dropper bottle design seems to be one. From a regulatory point of view, and the Americans are particularly clear on this, you need to run both drug and device quality systems for drug delivery devices. There are drug constituent parts, and there are device constituent parts. And then there is the Primary Pack, which is both. It is the common interface between device and drug. For the pharma development team, the Primary Pack has to hold the right amount of drug, and it needs to prevent deterioration or undesirable exchange between the drug, primary pack and environment, all for the entirety of its shelf life. The contents may also need to be kept sterile. For the device development team, the Primary Pack has to allow accurate, often metered, delivery of the drug. To do this the Primary Pack becomes an integral part of a precision mechanism, which necessitates tight control over dimensional tolerances and operating forces. There are also shared interests, such as drug visibility, labelling, filling requirements and container closure integrity. Shared interests further extend to compatibility with certain manufacturing processes, so someone from Manufacturing needs to get involved too. Put simply; the pharma development team and the device development team need to collaborate closely on the design of the Primary Pack from the start. It is surprising, especially in parenterals, how often project risk is unwittingly invited by one-sided Primary Pack decision making. So which team should have custody of the Primary Pack specification? I think that the right answer to this question is that it doesn’t matter. As long as the controlling team and the governing processes ensure that collaboration is effective, and that both drug and device regulations are met, then ownership is irrelevant. Traditionally the pharma guys have it. One particularly tricky aspect of developing devices for sterile injection is container closure integrity testing (CCIT). Not very long ago CCIT was subject to a pharmacopeia re-boot with USP <1207> and the industry is upping its game by abandoning old probabilistic methods and moving to deterministic ones. This field of testing is evolving quickly, which is why went along to the Container Closure Integrity Testing workshop run by PDA Europe in March. If you have read this far, maybe you would like to take a look at the CCIT blog that resulted. * Apart from the Primary Pack, other parts of the drug delivery device can demand a similar mode of co-operation. Typically, these are other components that are in direct drug contact, though usually contact duration is transient instead of being measured in months or years.