Risk management for medical devices shall ensure the safety of the respective product. From this several questions are arising:
- What is safety?
- How can you accomplish “adequate safety”?
- How do you proof that you made your product “safe”?
- What exactly is risk management?
Read this article to get some insights.
- Severity Describes the Impact
- Safety and Security are two Perceptions
- Likelihood Means the Chance of Risk Occurrence
- Risk is a Combination of Severity and Likelihood
- Risk Acceptance
- What Does Safety Mean?
- Risk Management Step by Step
- Our Recommendations
Severity Describes the Impact
The first aspect when talking about risks and safety is “severity“.
By using a device, (physical) effects occur, especially when using therapeutic devices.
You cannot eliminate such effects because they belong to the nature of the device during its intended use. Realize that a scalpel cannot be dull – it will lose its intended use!
But also (side-)effects will occur when using a device. Such effects are not desired, but inherently bound to the intended use and occur because of the mode of operation. For example: positioning a patient in a patient bed leads to the desired result (suitable position for treatment) but may also lead to undesired reddening of the skin, depending on the case history of the patient.
Further, in case something unexpected happens when using a device, this may also lead to undesired results.
Evaluate these effects and assign a level of severity being one part of the risk.
But be aware – such effects emerge in two very different flavors: safety and security!
Safety and Security are two Perceptions
Operational safety (short: “safety“) focuses on the protection of life, health, property, and the environment against possible injury and / or damage. Do not mistake it with reliability (describes the ability of software to execute its functions as planned) or availability (making available of functions, if required, in defined time periods).
Cyber security (short: “security“), on the other hand, deals with the protection against unauthorized access, use, change, destruction and publication of data. Obviously, security can contribute to safety as a security breach may allow access to dangerous functions of a device. However, awareness is rising that uncontrolled access to personal or medical data may also result in harm, though no direct life-threatening harm is present.
Assess both aspects during risk management as both may contribute to hazardous situations which may cause harm.
And to make things even more complicated: both aspects are not independent, they influence each other!
Likelihood Means the Chance of Risk Occurrence
The second parameter in risk management is “likelihood“. Several Parameters influence likelihood:
- probability of a hazardous situation occurring and
- probability of a hazardous situation leading to harm.
Because of this combination, we recommend to use the term “likelihood” to make a distinction to “probability”.
We give you an example! Without exposition, there is no chance that a dangerous part of a device (like a rotating engine shaft) will hurt a person. Simply, because no one can touch this dangerous part. To harm someone, such part must be present, it must be possible to get into contact with this part (e.g. because no safeguard is in place) and finally, one must reach this area.
Apply comparable thinking when considering security. However, the parameter of probability occurs in a different manner as security breaches typically do not happen by accident.
For example: some attacker tries to get confidential information. The probability in this case embraces the following (non-exhaustive list):
- vulnerability being present
- exploit being available, including the maturity of such exploit
- benefit of exercising the exploit
In case the device contains such critical data (such as patient information), this data may be of interest for an attacker. Encrypting such data does not reduce the likelihood for stealing the information. But encryption reduces the likelihood that the attacker can read the information. Another possibility is blocking the access to the internals of the device.
Make it as burdensome as possible and reduce the probability to access the data without authorization.
Risk is a Combination of Severity and Likelihood
Now comes the easy part: the combination of the above-mentioned parameters, the severity of harm and the probability that this harm will become manifest, is called “risk”.
Risk = Severity x Likelihood
But keep in mind: do not multiply the numbers. This “formula” correlates the parameters, but does not apply a mathematical function.
You should understand the obvious connection between both: The higher the severity of the occurring harm is rated and the more likely the hazardous situation will lead to this harm, the higher is the resulting risk.
Hazardous situations are always present. A medical device, providing only benefits without any side-effects, the so-called “residual risks”, is far from reality.
Evaluate these residual risks and compare them against the benefits. Consider the device “adequately safe” only in case the benefits are greater. Otherwise, the device is not adequately safe and must not be introduced into the market.
The risk acceptance matrix as shown in the following figure documents the risks:
The green area shows the acceptable risk whereas the red area reflects unacceptable risks.
The higher the severity and the higher the likelihood, the higher the risk. Define acceptance based on the intended purpose and the possible benefit of the product.
Note, not a single individual, e.g. a developer, shall compile this definition!
This definition is so important that the top management shall be involved in the decision. And we highly recommend to also involve some medical expertise here.
Such definition is sometimes cumbersome and difficult. The society and their expectations provide many influences. And such estimations are changing over time! Acceptable risks of the past are no longer acceptable today. For instance, around the 1960’s, X-raying your feet was offered and appreciated when buying new shoes!
Take the following points as basis for the evaluation whether a risk may be acceptable (without claiming completeness):
- consideration of product-relevant safety standards (assume a safety-standard as risk analysis, already done by experts)
- comparison with existing products
- analysis of data based on a clinical evaluation
- consideration of the state of the art
What Does Safety Mean?
The ISO 14971 definition of “safety” is “freedom from unacceptable risk”.
Obviously, the definition of acceptance (see above) determines if a product is safe.
Some considerations do not require the manufacturer to act. For example: safety standards define an acceptable safety level in specific areas, such as electrical safety.
But considerations, related to the intended use of the device, often depend on the judgment of the manufacturer, often in consultation with his notified body.
Risk Management Step by Step
Risk management is the systematic approach to recognize, analyze, assess, control and monitor these product risks. ISO 14971 describes such risk management approach for medical devices and is broadly accepted as fundamental standard for medical device development.
Many other standards for medical products refer to ISO 14971 and demand to use the described risk management process.
ISO 14971 requires a risk management process for the entire product life cycle. Plan and perform the tasks, activities, procedures and responsibilities. Therefore, the risk management process includes activities during product design and during the market phase as shown in the following figure.
Do not misunderstand risk management as a static process! During the single steps, it may become necessary to step back because you may encounter issues needing correction. And even in case the product is in the market for several years, new risks may occur, requiring action.
The first part is to identify the hazards and the hazardous situations.
The definition of intended purpose and identification of the characteristics related to safety (see ISO 14971 and ISO TR 24971) is the foundation.
However, these checklists are only a starting-point. They do not include all safety related characteristics of a medical device.
You can find further input through safety-standards, such as (for medical electrical equipment) IEC 60601-x-x or ISO 80601-x-x), standards on usability (IEC 62366, IEC 62366-1) and other specifications and technical reports.
Again, this is not the end-point of your considerations.
The considerations must not only regard fault conditions alone. The device or the desired function alone (in the understanding of the intended purpose) may contribute to a hazardous situation, just by their mere existence.
Hazards arising from medical devices are often correlated to the physical, chemical, biological, and functional characteristics of the device.
Medical software products (software as medical device) often correlate risks with their functional characteristics. In these cases, additional hazards result from the nature of such software products, e.g. performance, availability, integrity of data, etc.
And besides (erroneous) functions, all scenarios should also include incorrect operation, misjudgments of displayed values, unforeseen external events, etc.
Investigate the identified hazards and hazardous situations, with respect to the probability (likelihood) of occurrence.
Depending on the way in which a hazardous situation arises, several factors influence the probability of occurrence. Therefore, answer the following questions:
- How often is the functionality used?
- How likely is the occurrence of a malfunction?
- What mechanism supports the occurrence of the estimated damage?
- Is there poor compliance with a development process? Do poor specifications exist?
- Is prevention of harm possible? How likely is that?
- Which training or knowledge level does the user have?
The analysis of the sequence of events as systematic process plays an important role in this context, though such analysis can become extremely complex in software-driven or software-only-products.
And in software-only-products, hazardous situations are most often the result of systematic errors, user errors or inadequate usability. Harm occurs indirectly. Hence, clinical data to assess the probability of occurrence of harm is rarely available. Documenting the sequence of events is in such cases the only reliable basis on which to assess the probability of occurrence of harm.
Risk analysis and risk evaluation together are called risk assessment.
Analyze and evaluate identified hazardous situations. Therefore, you should:
- connect the hazardous situations with the according likelihood, derived during risk estimation, to determine the risk and
- compare each risk with the defined risk acceptance and determine if the risk is acceptable and / or requiring further action.
Apply risk control activities in case the risk is not acceptable. Otherwise, treat this hazardous situation as residual risk.
As soon as the acceptance of a risk is “not acceptable” you need risk control.
However, consider even with “acceptable” risks if further risk reduction is possible by appropriate measures.
In such case, possible options must be analyzed. Chosen means of mitigation (or: measures), including combinations of them, shall minimize the identified risks as much as possible.
Do not choose the measures at will! They are subject to an order in the selection (in descending “value rating”):
- inherently safe design,
- protective measures and
- safety by information.
Inherently safe design usually requires a profound intervention in the design. You can implement measures of this type relatively easily at the beginning of a development.
Note, that taking measures at the end of development will become nearly impossible.
Protective measures do typically not change the basic design of a product as such measures implement protection against the threat. This can happen, for example, through a barrier (access protection, protective grid, etc.).
Safety by information, such as statements in the instructions for use, seems attractive as such measures are easy to implement. However, especially in terms of this indicative security, a fierce debate has erupted in the past (see Annexes ZA, ZB and ZC to EN ISO 14971 2. edition), as far as their “usefulness” is concerned. This goes all the way to the statement that safety by information does not contribute further to risk reduction.
Choose Risk Control Measures in the Correct Order
Implement the measures in the order given. Only when the options in the highest level are exhausted, use measures of the following (lower) level.
When adopting such measures, a chosen and implemented measure may again contribute to a hazardous situation. For example: folding a protective grid down could cause a squeezing point for fingers.
But only defining risk control measures is not enough! Provide evidence that measures are present (implemented) and function as required (verification).
Verification activities provide evidence of the presence and the effectivity of each single risk control measure and of all measures in the device context.
Keep in mind that some measures may adversely influence other measures and / or device functionality.
Verification activities may also comprise validation activities, e.g. when you mitigate risks due to inadequate usability.
After implementing such measures, assess the residual risk again to be able to decide if you have achieved an acceptable level or if you need to find further measures to bring the residual risk to an acceptable level.
Evaluation of Overall Residual Risk
The evaluation of the overall residual risk contributes to the assessment of the residual risk of the product from a general perspective. Perform this evaluation after implementation and verification of all risk control measures.
This final assessment determines if the risk of the product is in the acceptable range since the risk management process looks at individual risks in isolation. But consider the following: Individually examined risks which are adequately mitigated and do not contribute to harm, may – in a possible sequence of events and in combination with product functions and / or mitigations – lead to a new risk.
Even at this late stage, there is the possibility that the overall residual risk of a product may be too high and, taking the intended purpose definition of the product into account, the product cannot be placed on the market.
Risk Management Review
But before introducing the device into the market, ensure completeness of all risk management activities. Typically, an independent entity, such as the quality department performs such review. Also a Notified Body may deliver support here.
In the risk management plan you describe all activities and all documentation. The review should demonstrate that you followed this plan during development of the product.
Another important part of this risk management review is to ensure that the overall residual risk of the device is acceptable.
And last, but not least, the course to gather post-production-information (see below) must be set. The review ensures that this is the fact.
Production and Post-Production Activities
Extend the efforts beyond development for controlling the entire product life cycle! The production and the post-production (marketing, usage, decommissioning) phases need specific attention.
ISO 14971 requires establishing, maintaining and documenting a system for collecting relevant information on the medical product and similar products (!) in the market.
Note, that collecting such information is a proactive activity!
In most cases it is not enough to analyze reported information only, e.g. error reports and nonconformities from customers.
Consider collecting information through (examples):
- evaluation of information in public databases on similar products, e.g. German Institute of Medical Documentation and Information (DIMDI), list of recalls by the FDA, and the European Database on Medical Devices (EUDAMED)
- customer surveys
- surveys of the sales representatives
- feedback and information from customer training
- post-market surveillance
Assess the safety relevance of the collected information. Take necessary actions if the collected information is determined to be relevant to safety.
Monitoring of standardization activities is also part of the post-production phase as risk management is a key element of the medical device standardization (see above). Changes in standards may impact risk management activities or provide new insight into the consideration of specific hazards.
We have given you an introduction to the risk management process. Of course, besides implementing the process you also must document it with all major activities. So we recommend you collecting all documents and records produced during the process in the so-called “Risk Management File” (RMF).
Note, that this RMF is not necessarily built as one self-contained set of documents. It is possible to include required content by reference to other documents.
However, it is highly advisable to have some of the documentation, mentioned in ISO 14971, in place:
- risk management plan, as all activities shall be planned
- risk analysis, containing the hazards, risk evaluation, option analysis, risk control measures, evaluation of the individual residual risk (related to the assessed hazardous situation) after measures
- verification documentation that the chosen risk control measures are implemented and effective
- risk management report, including the evaluation of the overall residual risks, a statement that risk management activities have been done as planned in the risk management plan and further evidence of the performed risk management review