Click now to watch Regulatory Compliance Associates® Dr. Stephen Coulter explain how design controls and risk management play an intricate role in the Waterfall methodology:
The Waterfall methodology incorporates the usage of FDA design controls into the medical device design process. It serves as the primary connection between quality system requirements (QSR) and current good manufacturing practices (CGMP).
Waterfall Method
Conceptually, the FDA Waterfall model is designed to provide engineers with the flexibility to mitigate product risk, meet regulatory compliance and satisfy customer needs. It is a sequential process based on the quality assurance and medical device engineering principles listed in 21 CFR 820. The methodology itself is conceptualized in the image below from the Medical Device Bureau of Health Canada.
Waterfall Development
To increase risk mitigation during the Waterfall methodology, both risk management & design controls are considered. They often become integrated processes during Waterfall product development. Many unique tools that medical device engineers use to define requirements & meet user needs are shared across these processes, even though each is based on a separate standard.
While design controls for FDA approval are referred to in 21 CFR 820, medical device risk management is internationally associated with ISO 14971. Three critical elements of risk mitigation strategies clearly focus on avoiding risk during product development:
- Evaluating an associated risk
- Controlling an evaluated risk
- Monitoring risk control effectiveness overall
Input Requirements
The success of the Waterfall development method depends on early research & assessments conducted about input requirements that include strategic risk. Further, spending time documenting the inputs of user interface, user stories and product epics can help increase positive outcomes and reduce requirement risk overall. Finally, any inconsistencies during the waterfall methodology between the proposed design & input requirements can be corrected across stages. This aligns with one of the primary motivations behind FDA originally developing 21 CFR 820 (e.g. helping medical device manufacturers find design deficiencies earlier in the process).
Risk Management
By starting the Waterfall process with this end state in mind, design inputs are more likely to pass failure testing & become a manufacturing output. This risk management strategy during a Waterfall project can begin with identifying the publicly known risks of competitive products. Second, the team is challenged to investigate if similar hazards could be associated with your medical device. When working with a Regulatory Compliance Associates risk management consultant, our clients are reassured that Waterfall development should detail how hazards can impact user needs & potential customers.
For example, design inputs should consider current regulations and global standards early in the waterfall process. This helps incorporate a risk management perspective even before verification and validation testing begins. Intended uses should consider predicate devices and if any causes for recalls are related to design, materials, or software.
Waterfall Approach
So, does this mean risk management & design controls are connected in the waterfall approach? And if they are, how important is one over the other when leading to marketing approval or regulatory compliance? This process is often measured against a combination of factors, including:
- Regulations & standards for clinical approval
- Risk class of medical device being manufactured
- Regulatory body reviewing the marketing submission
Enterprise risk management would consider all three of these factors individually and in combination when considering how to eliminate systemic risk. The Waterfall project management team can also use various tools and techniques while developing the risk management plan. These risk identification tools include conducting a risk analysis, performing an FMEA, and charting risk tolerance.
Risk Analysis
Existing regulations & standards offer various types of risk tools that can be incorporated into design controls. This can include identifying risk levels and creating severity charts during the user needs & design inputs stages. Additionally, each new product will have different hazards and risk tolerance levels associated with the target patient. Being able to analyze the problem, control the problem, and mitigate the risk is essential to define in your risk analysis. Challenge yourself to reduce and identify hazards by analyzing the known data as much as possible.
FMEA
Failure Mode and Effects Analysis (FMEA) is a controlled technique to detect & concentrate on budding trouble. Each failure is commonly assigned a rating based on the negative effect it may cause. The Waterfall process would then take each rating and project how the marketplace, healthcare systems, or patients can be impacted. FMEAs are one of many risk mitigation tools that can help your team identify the hazards of your severity chart. Each charted hazard is established based on the severe nature of the hazard to the user and project requirements for design control.
Risk Tolerance
Further, after the severity is defined, all known or projected hazards can be developed into a risk tolerance chart. The risk tolerance chart can then be shared cross-functionally across the team to help everyone understand which design steps can increase user risk. One of the benefits of a risk tolerance chart is being able to show data visualization. The design team should consider how design controls and user needs can reduce the hazard’s impact. Finally, a waterfall chart could also project the negative consequences of adverse events and what the estimated cumulative impact might be during a product crisis scenario.
Risk Management Summary
Finally, once your team has evaluated the risks and decided on precautions, a risk management summary is developed. It may include involves multiple failure mode analysis types (e.g. product, process, etc.) and risk ratings. These initial ratings are typically based on the types of failures and the severity of the failure itself. Ranges can also be given to determine the risk management strategy and what is the acceptable level of product risk (e.g. high, medium, low).