Risk Management for Drug Delivery Systems [Part Two]

Tips for executing combination product risk management

In the previous part to this article, we defined risk management for combination products and the process and deliverables for execution. In this article, we will dig deeper into cross-organizational/functional implementation best practices for success.

How do you develop your risk assessment estimation criteria?

Jumping back to the beginning of the process and our first deliverable, the Risk Management Plan, let’s dig into the crucial tools for assessing risk and assigning risk scores. Your risk priority levels will be based on designated definitions of severities of harm and scales of probability of harm. See example tables below.

ISO 14971 does NOT prescribe a certain way of doing this, though it gives suggestions and industry recognized means of these establishing these criteria do exist. This lack of criteria prescription is designed to allow flexibility for the different types of products being developed and each company’s comfort zone for acceptable risk.

Once the scales are set, traditionally anything in a medium or high category would be considered above an acceptable risk level and areas that need implementation of risk control. Reaching this decision for risk acceptability requires a partnership approach between all stakeholders, because not every organization has the same comfort zone. It is possible, for example, that the Pharma company has more of a conservative approach to their models and what the OEM called “low “risk is actually “medium” in their books. Coming to a joint agreement on the scales for risk acceptability up front during the finalization of the risk management plan is critical to avoiding butting heads down the road about whether implementing, or not implementing, a particular risk control is justified…especially as launch timelines and bottom lines are concerned.

Who does what in a combination product hazard analysis?

This is a document for which both drug and device teams/organizations provide input. A device has inherent hazards and potential failure modes, so the device team (primarily the OEM) needs to define the scope of these hazards. Both drug and device teams will have knowledge about users and use cases, which means that both teams should provide inputs on hazardous situations and the probability of those hazardous situations occurring. All of these inputs will bring you to a point where you can answer, for example, “What’s the probability that this needle protection feature will fail?” and define that this hazard can create the hazardous situation that now I have an exposed needle.

This example’s harm is whatever potentially comes from an exposed needle (the hazardous situation), along with each harm’s severity and probability of manifesting from the hazardous situation. That information is derived from the drug team, who has the deepest knowledge on the pharmaceutical constituent and the medical ramifications for their user groups of getting stuck by an exposed needle.

Who does what for risk assessments (e.g. FMEAs)?

When you have the risk prerequisites defined in your hazard analysis, you can start to get into your risk assessment documentation. As previously mentioned, these generally take the form of an FMEA, but it’s not required that you use this tool.

FMEA’s can come in different scopes, so the device team will typically own what’s called a Design FMEA (dFMEA) that’s focused on just inherent issues related to the device design  as well as a Process FMEA (pFMEA), which is based on issues that can result from the manufacturing of the device. The drug team may own versions of the dFMEA or pFMEA as well, such as for the primary packaging (i.e., drug container), the combination product / system, or secondary packaging and labeling. Typically, the pharma team would also own a Use FMEA in which they evaluate the foreseeable use errors that are related to using the combination product.

In the above risk assessment FMEA table (a very boiled down version) we’ve scoped example failure modes. In the first line, a safety cap can’t be removed due to some warping of the safety cap material and based on the device developers knowledge this happens “frequently” according to the scale in the risk management plan. The resulting hazardous situation is that the patient dosing is delayed until the user can obtain a replacement product. Potential harm in the case of a non-emergency drug product is a “low” severity, listed in the table as an inconvenience. If delays in accessing a drug dose reduce benefit of taking the drug significantly enough to cause harm, then the drug team would scale the severity level higher. If the product is something like an EpiPen, where if they can’t use the product right away, the patient will progress into their anaphylactic shock, then the drug team would assign potential harm level to be even higher.

Who does what in a combination product risk control? 

After we’ve calculated our risk and evaluated it compared to our acceptability criteria, we can start to talk about risk control for the hazards that we deem require risk control action. The first priority in risk control is inherent safety by design and manufacture, for which you do something about the design to try and eliminate or reduce the probability for the undesired issue from happening. The next step down in risk control is protective measures. If the sharp end of a needle of an needle-based autoinjector presents a hazard, it’s not like you can remove the needle. But you can put some sort of a safety device around that needle to try and protect the user from any incidental needle sticks. The final means of risk control is information for safety through labeling or training.
This measure is not as desirable as design or protective measures. As they say, you can lead a horse to water, but you can’t make it drink. It is much more reliable to remove or reduce potential risk than explain to a user how to avoid it themselves.

At the end of the day, users / patients are the ones holding the device and they’re going to use it however they end up using it. However, we produce labeling with every single product that’s delivered so the warnings in the instructions for use (IFU) can be communicated to support a best case scenario.

Who takes care of these risk control measures? Anything device-specific or device accessories, if any, is typically owned by the device team, while primary-packaging (i.e., drug product containers), secondary / combination product packaging, and labeling would be owned by the drug team. See the below table for the break down.

Both drug and device teams are expected to conduct a review of their risk management process, including the evaluation of residual risk and a benefit risk analysis that contains a rationale as to whether or not the benefits of that product outweigh those residual risks. This can be a separate document or contained in a risk management summary report.

In addition, the  risk management summary report usually includes:

• The risk management process that was performed for the combination product, as compared against the risk management plan
• A summary of how residual risk was determined / calculated and then evaluated against the risk acceptability criteria established in the risk management plan
• A summary of the benefit-risk analysis performed
• Information on how the organization plans to establish, document, and maintain a system to actively collect and review information relative to the medical device in the production and post-production phases

 Preparing for post-market risk management activities after launch

 The risk management process continues for both the drug and device teams as patients are using the combination product in the field and you receive information back about your product. As the stakeholders prepare for commercial launch, the drug and device groups should agree upon how quality and safety information relative to the combination product will be gathered, analyzed, communicated, and escalated (as necessary) between the two groups after commercial launch. Specific topics to agree upon may include:

• The method for collecting and categorizing complaints and adverse events
• The occurrence levels for trend analyses
• The cadence for performing periodic risk reviews (see below) and the topics to be included
• The communication path / mechanism between various functions, both internally and externally (e.g., design, human factors, quality, regulatory, safety/risk management, complaint handling, commercial / marketing).

 In addition, a common gap that occurs is when organizations do not define when periodic risk reviews should occur. These reviews need to be defined per procedure and documented. Items typically evaluated as part of a periodic risk review include safety data (complaints), internal data (manufacturing data, audits), published literature or changes to state-of-the-art, and the organization’s RMF (are changes necessary to risk assessments, risk controls, labeling, etc.).

 Pulling together your risk management documentation for regulatory bodies

 All of the risk management documents created throughout the product’s development are stored and managed within the risk management file (RMF). The Pharma company will likely have their own RMF, and the device vendor will likely have their own, as well. It is critical to reference back to each other where appropriate (note earlier the risk management plan should specify how documents are being leveraged between both organizations), so the goal in this development partnership is to make these documents available between the two parties should Pharma need it for the regulatory submission or either party need it for an audit, as well as keeping these maintained throughout the life cycle of the device.

In summary…

 The Pharma drug team holds the keys and knowledge for defining harms and severities, while the device team (internal experts and external device vendors) holds the keys and knowledge for the hazards and hazardous situations. The two parties must find alignment of risk management processes to create a cohesive and effective risk management program that:

1. Is easy for regulatory bodies to review and understand
2. Demonstrates through objective evidence that the end user will be exposed to as little unacceptable risk as possible.

 See the below chart for a summary of risk management responsibilities you can use as a “cheat sheet.”

Suttons Creek has a pool of risk management experts that support combination product programs at the organizational level (developing risk management strategies and processes and aligning drug and device teams) and at the execution level (performing risk management activities where clients may not have the internal resources). If you would like an assessment of how we can help your company “do it right the first time” and launch faster and more efficiently, reach out by filling out our online contact form or emailing discuss@suttoscreek.com.

AUTHOR

Kelly Wedig, Principal Consultant, Suttons Creek –Kelly is a medical device engineer with 10+ years of experience in combination product research and development, post-market surveillance, and lifecycle management. Over her career, she has supported the development and management of various types of combination products including on-body injectors, prefilled syringes, auto-injectors, and nasal spray systems. She is enthusiastic about improving the lives of patients by delivering state-of-the-art medical products through innovation, collaboration, and quality. Kelly has a proven track record of being a reliable asset with excellent problem-solving skills, all of which lead to delivering results in a fast-paced, competitive, and highly regulated medical device industry.