One of the most common deviations found during audits is related to the so-called “post-production phase”.

1. Objectives of the post-production phase
The post-production phase serves several purposes concerning risk management:
- New data should be used to identify previously unidentified hazards.
- Hazards that have already been identified should be re-evaluated regarding the probability and severity of the resulting harm, i.e., risks should be re-assessed.
- The acceptance of risks must be re-evaluated. For example, a change in the state of the art may mean that previously acceptable risks are now unacceptable.
- You have to check whether there are new regulations affecting risk management.
- Measures should be taken to minimize risks in order to eliminate and prevent errors.
In addition, the post-production phase should also help to
- react as quickly as possible to errors in medical devices,
- obtain information, e.g., through trend analyses, for the continuous improvement of the QM system and thus of your own processes, and
- review whether the quality requirements have been met.
2. Post-production phase: Regulatory requirements
Several standards and laws define requirements for the “downstream” phase.
a) ISO 14971 Chapter 9 / 10
The third edition of ISO 14971 (ISO 14971:2019) has changed the numbering and renamed this chapter. It is now called “Production and post-production activities” and requires that information from this post-production phase be collected and evaluated with the objectives mentioned above in mind. Four sub-chapters have been added:
- 10.1 General
- 10.2 Information collection
- 10.3 Information review
- 10.4 Actions
With these additions, the standard further emphasizes the importance of the post-production phase.
b) IEC 62304 Chapter 9.6
The requirements of IEC 62304 do not end with development, either. Rather, manufacturers must “conduct an analysis to identify trends in problem reports”. This also coincides with the objectives already mentioned above.
c) ISO 13485 Chapter 8
Likewise, ISO 13485 requires that the “organization establish documented procedures for the collection, recording, and analysis of data” (e.g., from feedback), with the aim of continuously improving the QM system and identifying vulnerabilities.
d) ISO 24971 and the post-production phase
Chapter 9 of ISO 14971 requires that risk management be continued in the phases following development. ISO 24971, a technical report, provides further information on this “production and post-production feedback loop”. ISO 24971 recommends three steps in the post-production phase:
- Collect information
- Evaluate information
- Take action
The next chapter provides information on how to put these three steps into practice.
3. Post-production phase: Practical implementation
a) Step 1: What information you should consider
The information that manufacturers should collect includes information and feedback from
- the development department or from development partners (for software, this would also include the release notes and bug reports from SOUP manufacturers),
- service, from installation, from training,
- users (e.g., complaints, outputs from surveys, suggestions),
- competitors (e.g., via the error databases of authorities such as the BfArM or the MAUDE database of the FDA),
- clinical investigations, the relevant technical literature, and other publications,
- legislators and standardization organizations (e.g., new or amended standards).
However, ISO 24971 not only mentions the sources but also emphasizes that this information should be collected neutrally and dependably and forwarded to the manufacturer.
b) Step 2: How you should evaluate the information from the post-production phase
When evaluating, manufacturers should answer the following questions:
- Is the observation relevant to safety?
- Do these observations agree with the assumptions in the risk management, or does the risk management file need to be revised accordingly?
- Do measures need to be taken?
c) Step 3: Taking action in the post-production phase
The actions in the post-production phase relate either to the device or to the organization and/or processes.
Examples of actions related to the device:
- Withdraw device
- Improve device
- Limit the device’s intended purpose
- Improve information about the device
- Train customers in how to use the device
Examples of actions related to the organization and processes:
- Improve processes, modify SOPs
- Gather requirements more systematically
- Develop system and software architecture more consistently and before device realization
- Intensify internal audits and reviews
- Test devices more systematically
- Change production processes
- Train employees
- Check suppliers better or select them more carefully
- Use more suitable tools
- Ensure better infrastructure and working conditions
The post-production phase and post-market surveillance (PMS) go hand in hand.
4. Post-production phase and SOUP
ISO 14971 requires continuous risk management – even after the development and production of medical devices. For us software developers, this includes examining the bug lists of the SOUP manufacturers and evaluating the errors described there. Of course, this requires that you have a list of all SOUPs first.
The Johner Institute recommends a table with the following columns:
- Name of the SOUP
- Version of the SOUP
- Manufacturer
- Links, e.g., to downloads or bug lists
- Safety classification (this is specific for each medical device in every SOUP!)
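The SOUP table and the bug-list review described above, as an added example (not code from the Johner Institute or from any standard): it matches bug-list entries against the installed SOUP versions and orders the hits by safety classification. The `BugReport` shape, the use of IEC 62304 classes A/B/C for the classification column, dotted numeric versions, and all names and URLs are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

CLASS_RANK = {"C": 0, "B": 1, "A": 2}  # assumed IEC 62304 classes, most critical first

@dataclass(frozen=True)
class Soup:  # one row of the SOUP table described above
    name: str
    version: str
    manufacturer: str
    bug_list_url: str
    safety_class: str  # specific to this medical device

@dataclass(frozen=True)
class BugReport:  # one entry from a SOUP manufacturer's bug list (hypothetical shape)
    soup_name: str
    affected_from: str       # first affected version, inclusive
    fixed_in: Optional[str]  # first fixed version; None if still unfixed
    summary: str

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def is_affected(soup, bug):
    v = parse_version(soup.version)
    return (soup.name == bug.soup_name
            and v >= parse_version(bug.affected_from)
            and (bug.fixed_in is None or v < parse_version(bug.fixed_in)))

def review_queue(inventory, bugs):
    # (soup, bug) pairs whose risks need re-evaluation, highest class first
    hits = [(s, b) for s in inventory for b in bugs if is_affected(s, b)]
    return sorted(hits, key=lambda h: (CLASS_RANK[h[0].safety_class], h[0].name))

# Constructed sample data: names, versions and URLs are placeholders.
INVENTORY = [
    Soup("example-db", "4.0.1", "Example Vendor B", "https://vendor-b.example/bugs", "B"),
    Soup("example-ui", "2.5.0", "Example Vendor C", "https://vendor-c.example/bugs", "A"),
    Soup("libexample-tls", "1.2.3", "Example Vendor A", "https://vendor-a.example/bugs", "C"),
]
BUGS = [
    BugReport("example-db", "3.9.0", "4.0.2", "data corruption on concurrent writes"),
    BugReport("example-ui", "2.6.0", None, "crash when rendering long lists"),
    BugReport("libexample-tls", "1.0.0", "1.2.0", "handshake stalls under load"),
    BugReport("libexample-tls", "1.0.0", None, "certificate check skipped on resume"),
]

if __name__ == "__main__":
    for soup, bug in review_queue(INVENTORY, BUGS):
        print(soup.safety_class, soup.name, soup.version, "-", bug.summary, soup.bug_list_url)
```

Each pair in the queue is an input to step 2 above: whether the observation is relevant to safety and whether the risk management file needs to be revised.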
Roche has shown us nicely that it practices this form of risk management. The BfArM report from 15.02 pointed out a safety problem caused by a faulty component (SOUP) from Oracle. Exemplary!
P.S. When auditors review risk management files, they often look at the date of the last change first. This tells them whether the post-production phase is being followed.