As medical device manufacturers scramble to meet Unique Device Identification (UDI) deadlines, a risk-based approach to UDI compliance will help ensure continuity within the quality system, consistency in UDI practice and application, accuracy of the associated data and sustainability of the UDI process. But what is a risk-based approach and how does it apply to UDI?
While risk management has long been applied to medical devices and healthcare and is critical enough to warrant its own ISO standards (e.g., ISO 31000, ISO/IEC 31010, ISO 14971), the application of risk throughout all processes as a quality system requirement is now heavily embedded in the new ISO 13485: 2016.
The concept of “risk-based approach” requires constant and proactive review and vigilance of processes, with the intent of identifying potential fault points (hazards) and making changes before the chance of occurrence rises to a level of concern (preventive action). This allows a business to focus on constant, sustainable progress rather than spending time in a reactive, corrective state.
Once the “risk-based approach” is understood, applying it the UDI process seems rather natural. When ingrained in the UDI project team’s mindsight, it will result in a cleaner, more cohesive, thorough and ultimately timely and cost-effective UDI implementation.
To begin applying a “risk-based approach,” it is important to understand that UDI implementation is a project, but UDI compliance is a process. This means that while the initial implementation has clear action items with a hard deadline of 24 Sept 201x (depending on the product class), the ongoing maintenance, support and sustainability of UDI is a continuous activity requiring dedicated personnel, structure and review. Understanding this will help the Project Team consider long-term implications rather than focusing solely on project tasks with immediate results.
Next, include personnel with a variety of expertise from all critical business functions on the project team. This will give the project diversity in perspective, experience and ideas, which will prove especially beneficial when conducting the overall risk analysis.
After the project team has been put together and everyone understands the scope, critical milestones, and end goal of the project, conduct a high level project risk analysis. This helps the team to start thinking about risk at the project level, begin making connections between potential fault points and existing processes, and laying the foundations for application of the “risk-based approach” to the long-term UDI process.
The risks identified at the project level can then be aligned with the five critical parts of UDI compliance:
- GUDID Data Submission
- Product Labeling
- Barcode Verification
- Direct Marking
- Quality Management System Integration
This alignment makes the risk-based approach more manageable, narrowing the review of risks to specific process areas. It also allows an independent, focused review of process risk to occur as project tasks are being completed and, most importantly, incorporates quality checks and risk reviews within the UDI processes as they are being defined.
To help you get started with applying this risk-based approach to UDI, here are some practical examples for consideration:
Process: Creating and Assigning UDIs During New Product Development
Risk #1 – UDI is not assigned at the right time in the product development process
- If assigned too soon, what are the risks that the product information will be changed?
- If assigned too late, will design control be compromised?
Risk #2 – Part numbers and UDIs are assigned by different departments
- What is the risk that the part number or device description will change during the development process?
- How is inconsistency in data prevented?
- Is there potential for duplication of work?
Risk #3 – A department needs the UDI information but did not receive it
- Were all departments included in the UDI project?
- Was training included in the UDI workflow?
- Was a gap analysis and/or document flow diagram created to prevent documentation inconsistencies?
Process: Change Control of GUDID and Label Data:
Risk #4 – Device description is changed on the label but not updated in the GUDID
- Does the change control process include the order that changes should happen in?
- Has responsibility for final approval of data been assigned and communicated?
- Are there automated controls that can be implemented to prevent data from getting out of sync?
Risk #5 – Different labels are printed for the same product manufactured at different facilities
- Were all labeling facilities and functions included in the UDI project?
- Is an enterprise labeling system needed to coordinate multi-site labeling?
These are just a few examples of areas in which device companies can expose themselves to unnecessary risk while implementing UDI. It always helps to talk with an expert. To get started reviewing your UDI compliance plans, especially those related to GUDID submission, I recommend contacting the team at Reed Tech.
Lena Cordie is the founder of Qualitas Professional Services, LLC. She works with global medical device manufacturers needing consulting resources for implementing quality management systems, UDI compliance programs, documentation and project management. She can be reached at firstname.lastname@example.org.