QUALITY & COMPLIANCE
Health Hazard Evaluation: A Useful Tool for Risk Escalation
By Thomas Morrissey, MD
Early in my career as a medical director in the medical device industry, a young engineer approached
me with a corrective and preventive action (CAPA)
file and asked me to perform a health hazard
evaluation (HHE) regarding a product issue. In
reviewing the file, I noticed that a decision on
whether an HHE was required was part of the
CAPA process and one of the many boxes on the
checklist required for closing this CAPA. This decision was his to make, I thanked him for getting
me involved. Realizing that the CAPA was already
three months old, I had a few questions:
• Why are we now evaluating patient risk
on an issue this old?
• Why do we expect an engineer to make
a clinical determination on patient risk?
• Do we have a process that helps us to
identify and escalate the right issues to
the right people?
• Shouldn’t patient risk drive decisions
such as CAPA and not the other way
around?
Role of Health Hazard Evaluations
When I began to examine how to better incorporate patient safety into our decision-making
process in 2004, there was not much direction or
consistency regarding HHEs in the emerging field
of risk management in the medical device industry. The US Food and Drug Administration (FDA)
has utilized the HHE for years to categorize the
risk of an issue and classify recalls. Many device
companies utilize the HHE only when a recall
is being considered. I sought the opinion of several industry colleagues about HHE utilization;
it seemed that standard practice was utilizing
HHEs on an ad hoc, somewhat random basis.
It was also the “perfect storm” time to
examine how healthcare companies evaluate
and escalate postmarket risk. Merck was questioned about its response to Vioxx data, Guidant
had problems with its defibrillators, and several major medical device companies received
Warning Letters, many of which cited inadequate
postmarket surveillance and medical input into
their decision-making process. Companies with
otherwise excellent reputations were under
fire for what some considered unethical decisions. Guidant responded to the criticism by
34
May 2010
establishing the Guidant Safety Advisory Panel1
of physicians, engineers, statisticians and ethicists. The panel offered guidance to medical
device companies on how to evaluate safety
issues and potentially avoid common mistakes.
Among its findings and recommendations:
• Designate or hire an in-house physician
whose primary responsibility is patient
safety and who will participate in product performance analysis, health hazard
analysis, internal communications and
external communication policies and
procedures.
• Enforce the primacy of patient safety
by better integrating patient safety
concerns into the factual and statistical
analysis of product performance and
failures and safety event trends.
• Develop processes to identify and act
on even a single event when it is associated with risk of death or serious injury,
has a suspected or defined basis for
malfunction or failure and is likely to be
systemic and to occur in other patients.
• Strengthen oversight by corporate
management and develop specific processes to quickly identify and act on
potentially life-threatening product performance problems.
Develop a Process
One of the speakers at a May 2005 risk management meeting sponsored by the Advanced
Medical Technology Association (AdvaMed) was
Dr. Dan Schultz, then director of FDA’s Center
for Devices and Radiological Health (CDRH).
The meeting was informative but only provided
a high-level look at risk management. Specific
recommendations on techniques to improve
corporate risk management and postmarket
surveillance processes were not provided. When
questioned about ways companies could perform
solid postmarket surveillance, Schultz replied
with three specifics:
• a robust electronic system to capture
and analyze events, with data mining
capabilities a big plus
• the right mix of people looking at the
data
• a well-thought-out plan on what to do
with the data and an escalation decision
Figure 1. HHE as Cornerstone of Postmarket Surveillance
Ongoing monitoring of nonconformances, complaints, vigilance, MDR’s
Product
nonconformance
process
No
Issue affects
product in
the field?
Yes
No
CAPA
Yes
Product risk
assessment
(HHE)
Escalation
required?
CAPA
required?
Yes
No
Field
action?
Document
action
Yes
Quality
board
Yes
tree, encompassing actions all the way
from continue to trend to recall
Schultz reinforced the Guidant panel’s recommendation that companies should have a process
for identifying, evaluating and escalating potential field safety issues. The industry norm is to
identify product related issues through field
complaints or manufacturing nonconformances.
Companies also trend complaints and monitor
adverse events. However, once potential safety
issues are identified, what is the next step? How
do companies get from event to recall?
Edwards Lifesciences has instituted a threestep postmarket surveillance process that uses
the HHE as the centerpiece (Figure 1):
1. Identify issues that impact distributed
product such as complaints, nonconformances that escape containment in the
manufacturing facility when an nonconformance report (NCR) is discovered,
and manufacturing nonconformances
confirmed by the product return lab
on devices associated with complaints
returned by users for evaluation.
36
May 2010
2.
3.
Operational
decision
required?
QB required?
Perform a product risk assessment
(PRA) consisting of an HHE and a compliance evaluation by a quality affairs
(QA) director
Decide whether the issue needs to be
escalated. If not, decide whether to open
a CAPA decision. If the decision is no,
the rationale must be documented.
Tying it all Together
Another benefit of a well-defined, risk-based
approach to issues in the field is overall strengthening of your complaint files. When an external
auditor arrives at a company, these files are
typically the first documents to be reviewed. In
addition to gauging the quality of the complaint
investigations and medical device reporting
(MDR) rationales, auditors like to see that companies evaluate and act on complaints. Linking
the complaint file to your HHE/risk assessment,
which also links to a CAPA decision, allows your
company to tell a story and the auditor to follow
your thought process. Although the auditor may
not ultimately agree with all of your actions, the
linking of documents demonstrating your riskbased decisions will help communicate that your
company makes patient safety a top priority.
Requirements for Success
A Clear, Concise Story
The issue description in the HHE is extremely
important. It should be simple, but clearly
inform the reader about the issue under review.
It should be easily understood by someone unfamiliar with the issue who reviews it one or two
years after the event. If it is complaint driven, a
table summarizing complaint and lot numbers,
dates, MDRs/injuries, product evaluation results,
etc., is helpful. Pictures are extremely valuable.
Timeliness
The goal of any successful postmarket surveillance program is to expeditiously escalate the
right issues to the right people. Dates of issue
identification and decisions must be clearly documented. Metrics and reasonable targets must be
established and monitored.
Consistency Across Documents
Any HHE requires an evaluation of the severity of
a particular failure. Obviously, this severity needs
to be consistent with the corresponding failure
mode and effects analysis (FMEA). If the FMEA
has not been updated for some time and the existing document was created without clinical input,
it should be updated with the correct designation.
information we collect. The days of robotically
filling out forms, checking boxes, filing MDRs
and stamping “continue to trend” in the files
are numbered. Regulatory bodies, customers
and patients expect more from us. Companies
need to develop processes to react to events in
the field with the sole intent of improving their
products and protecting patient safety. An HHE
is the most important document for determining
patients’ risk and should be an integral part of a
company’s postmarket surveillance program.
References
1. Myerburg RJ, Apostolakis GE, Beller GA, et al. “Report of
the Independent Panel of Guidant Corporation.” http://
www.guidant.com/panel/. Published 20 March 2006.
Accessed 8 May 2006.
2.. Morrissey T. Health Hazard Evaluations. Talk presented at
AdvaMed/MLTI Meeting. Washington, DC. April 2006.
Author
Thomas B. Morrissey, MD, is vice president of product safety
at Edwards Lifesciences. He is responsible for the risk management process in both product development and postmarket
surveillance, as well as for providing medical oversight for
worldwide complaint investigations and MDR reporting.
He previously was responsible for risk management activities at Abbott Laboratories and Cordis (Johnson & Johnson)
Corporation. He holds an MD from Oregon Health Sciences
University, completed a General Surgery residency at Louisiana
State University and a fellowship in Cardiothoracic Surgery at
University of Rochester. Morrissey can be reached at Thomas_
Morrissey@Edwards.com.
Revisions as Needed
When developing a postmarket surveillance
process, do not expect perfection from the beginning. Identify bottlenecks and impediments and
revise your forms and process as needed.
Buy-in From Management
It is well known that any risk management
system will fail without support from the executive team. It is imperative to seek their input
when developing the process and after its
implementation.
A Culture of Patient Safety
If you are successful in developing a dedicated
postmarket surveillance risk management process
based on patient risk, this is the most gratifying
result. It is important to educate engineers, complaint handlers and management about when to
identify issues and initiate the process.
Summary
When I was training to be a surgeon, my professor taught me a valuable lesson. He instructed
me to never order a test on a patient without
first having a plan for the results. This lesson
is analogous to what we in the medical device
industry typically do. We set up processes to
monitor complaints and nonconformances,
but often do not have a plan for handling the
Regulatory Focus
37