Risk management, risk analysis and ISO 14971


CHAPTER 9 Risk management, risk analysis and ISO 14971

9.1 Introduction

Why have I created a new chapter for risk management and analysis alone? Simply for one reason: ISO 13485:2016 and the new MDR have moved toward risk management, and the associated minimising of risk, as a fundamental ethos. In the words of ISO 13485:2016:

The organisation shall ... apply a risk based approach to the control of the appropriate processes needed for the quality management system. ISO (2016)

Whether this is due to high profile failures of medical devices in recent history (for the sake of the publisher's lawyers' nerves I will not name them) that have scared the regulators silly, or whether the timing was coincidental, is debatable. However, there has been an acknowledgment that the assessment of risk at all stages of the process has been lacking, and some people left risk analysis to the very end, and then just made it work. This is no longer the case; one should be doing a risk analysis throughout the whole process of the life of a medical devices company. Will your products be implicated if one of your suppliers' factories is suddenly subject to a catastrophic fire? What is the risk to a patient if a courier company fails to deliver a device on time - or even loses it? Risk analysis and risk management is no longer simply assessing the device itself. However, the actual process is exactly the same - once you get used to doing it, it is no different from remembering to brush your teeth every morning and before you go to bed. Hopefully the next few, scarily long, sections will help you.

Medical Device Design. https://doi.org/10.1016/B978-0-12-814962-1.00009-0 Copyright © 2020 Elsevier Ltd. All rights reserved.


9.2 Risk management

The first lesson here is to adopt ISO 14971, and its latest version, with immediate effect.[1] It is not hard; it is a process, and one which is completely obvious. Fig. 9.1 is extracted direct from the standard and illustrates a basic risk management process. It is pretty simple in concept. When you start to do a task in your company's process (in our case designing a device) you should start. At every opportunity you should look at potential hazards, you should assess the risk of the hazard and assess if it is acceptable; if it is not you should put in controls (i.e. do some design work) and then reassess your hazard. If it is now acceptable your work is done; if not - well, some more design work is required.

FIG. 9.1 Risk management process. Adapted from ISO 14971. [Flowchart; box labels: Start; Intended use, identify characteristics; Identify hazards; Estimate risks; Risk reduction required? (yes/no); Identify control(s); Do clinical benefits outweigh residual risk(s)? (yes/no); Unacceptable; All hazards? (yes/no); Prepare risk management file; Review post production; Re-assessment required? (yes)]

[1] Note, those of you producing software need to refer to the software-specific guidance given in PD IEC-TR 8002.

If you are finding Fig. 9.1 a little daunting then there is an alternative, such as that of Fig. 9.2.

FIG. 9.2 Alternative risk management depiction. [Diagram; labels: (Identify hazards); Risk assessment; Risk analysis; Risk evaluation; Risk control; Residual risk acceptable?; Risk management; (FMCA or equivalent); Risk management report; Post production review and implementation]

Now this is where previous Risk Management texts no longer apply. There was a tendency to only do this exercise once a device was ready to go forward for either CE mark or FDA application; commonly with an inspection of the file with the comment "have you done the risk analysis?". This is NOT risk management; it is fudging.[2] If you are conducting risk management correctly you can simply assemble all of the individual risk assessments you conduct, along the whole process, and put them together in the end as one document. After all, if all assessments state that there is little risk (there can NEVER be NO risk), then the culmination of all of them should be the simple conclusion "risk is outweighed by the clinical benefit".

One further point; it is quite common to see, in a Technical File, a risk analysis that is some years old. This is just not the done thing. You will note, from Figs. 9.1 and 9.2, that there is a loop. This loop is to allow for events such as design changes, changes in staff, changes in material properties, changes in suppliers, new knowledge from the Post Market Surveillance, customer complaints, non-conforming products, etc. It is cyclic and is not STATIC. You should be reviewing the risk analysis for a given device at least annually, and at every design change (no matter how small). There is no excuse for having a complete risk analysis that is more than 2 years old! The first step on the path, however, is to be able to perform a risk analysis.

[2] Fudging is a term used in the UK when someone is making it look like they have done something right, when in fact that is far from the truth.

9.3 Risk analysis

This is the 'daddy' of them all. It is the precursor to all that follows. In essence a clinical evaluation follows an overall risk analysis - however in practical terms they are so interlinked that it is impossible to separate them. Hence I am introducing Risk Analysis as a tool to be used in your overall evaluation of your device. In fact, an overall risk analysis is essential for all medical devices, be that in the USA or in the EC. So this is the right time to think about it.

Unlike many other disciplines we do not have any choice about risk analysis; we must use the ISO standard "medical device risk management and risk analysis ISO 14971:2012".[3] The first, and largest, portion of the document concerns risk management. You must have a risk management procedure, and this standard actually gives it to you - so there can be no mistake. A sub-section concerns risk assessment; again this process is almost handed to you. The only thing you can change is how you present your findings. All else is legislated. You avoid using this standard at your peril. Indeed if you avoid it in the EC you will lose your CE mark and your right to be a medical device manufacturer; do not think the FDA will be any less stringent! Indeed ISO 14971 is so embedded in medical devices that even purchasers, such as the NHS, ask if you are using it! The other thing to remember is that it is an ISO, hence it is international; but also EC, FDA and just about every other regulatory body accept it - so just learn to do it. As I stated earlier, it does not, now, just cover the device itself but everything you do as a medical devices company.

[3] Note that in the first edition this was the 2009 version; since publication this new version has been published.

The important thing to consider with risk analysis is the simple scientific principle of cause and effect. In risk analysis we do this backwards; we think of the effect(s) and then determine the root cause(s). However, unlike the design FMEA presented earlier, we look at the problem the other way round. In essence we imagine what could "happen" and then see what could lead to that "happening" and then see if we can "control it" to "stop it happening". Thus we imagine horrible things that could happen as a result of your device being used and then determine the associated risk. But we do need to start thinking of 'nasty things' that can happen. However, these "nasty things" are not limited to the patient or the end user - there can be nasty things that can happen to your company (these we will meet later). To introduce the subject we shall start by simply looking at the device itself; later we shall look at the company and its processes.

The essence of ISO 14971 is that you must have a risk management procedure in place. It is a nice standard. It not only gives you the procedure (so there is no need to develop your own, all you need do is make it work for your company), it gives you sample risk analysis forms too. So I now intend to present these to you; but they should not be a surprise as they are very similar to those we saw in FMEA.

9.4 Identifying risks/hazards

This aspect of the clinical evaluation process is to ascertain risks and hazards. The first port of call is Annex C of ISO 14971 (see Appendix D for a full table). Table 9.1 illustrates one small sub-section of Annex C. The whole table, if worked through, helps you to identify risks pertaining to your device.

Table 9.1 Sub-section of Annex C ISO 14971.

| Sub section | Applicable/Not applicable | Comment |
|---|---|---|
| c.2.8 Is the medical device supplied sterile or intended to be sterilized by the user, or are other microbiological controls applicable? Factors that should be considered include: | | |
| 2.8.1. Whether the medical device is intended for single use or re-use packaging; | | |
| 2.8.2. Shelf-life issues; | | |
| 2.8.3. Limitation on the number of re-use cycles | | |
| 2.8.5. Method of product sterilization. | | |
| 2.8.6. The impact of other sterilization methods not intended by the manufacturer | | |


Please note this is only an extract from ISO 14971; if you are creating software then you need to look at PD IEC-TR 800200 "Medical device software, Part 1: Guidance on the application of ISO 14971 to medical device software". The title itself tells you what it is about, but it also contains standard hazards (in another appendix of course) that you should consider. However we shall look at this more closely in the section on the application of ISO 14971 to software.

The whole aim of Annex C is to get you thinking about risks when the device is in the real world, as opposed to your design office. You should consider all aspects related to your device. You should put yourself in the place of use. If you are unable to imagine this then you need to gain some experience of the place of use, or get someone who has.

Case study 9.1

Consider a single use device that is supplied non-sterile and relies on the end user using a steam sterilization process before use. Using Table 9.1 consider any potential hazards.

| Sub section | Applicable/Not applicable | Comment |
|---|---|---|
| c.2.8 Is the medical device supplied sterile or intended to be sterilized by the user, or are other microbiological controls applicable? Factors that should be considered include: | Applicable | Single use device to be steam sterilized before use. |
| 2.8.1. Whether the medical device is intended for single use or re-use packaging; | Applicable | Can it be, mistakenly, used non-sterile? Can it be mistakenly re-used? Does the packaging make its sterility status obvious? |
| 2.8.2. Shelf-life issues; | Applicable | Will the device deteriorate over time on stock shelf, in transit, or in hospital? Once sterile how long will the device remain sterile and in what conditions? |
| 2.8.3. Limitation on the number of re-use cycles | Applicable | Will re-sterilisation (due to not being used) cause issues? How many times can it be re-sterilised without having detrimental effects? |
| 2.8.5. Method of product sterilization | Applicable | Can the device be washed/cleaned in normal clinical machines? Do we have a certificate stating it is sterilisable? Have we checked that it can be sterilized using normal clinical methods? Have we checked that the sterility conforms to standard procedures in all states it is being sold? Will the device store heat and hence can burn/scald patient end-users? |
| 2.8.6. The impact of other sterilization methods not intended by the manufacturer | Applicable | What happens if the device is ETO sterilized? What happens if it is irradiated? Do either have detrimental effects? Do either cause any issues related to usability? |

Some of the questions posed by Annex C will not be related to your device. If so, simply state N/A and then state in the comments why. Also you will find that some sections repeat themselves. This is perfectly reasonable; the repetition may have occurred to make sure you look at all angles. When completing this table consider issues at the hospital, at your suppliers, and in your warehouses. You need to use these questions to think of any potential risk - no matter how negligible it may seem. It is only when we come to do the analysis that we consider the level of risk.

Once you have identified related areas (using Annex C) you will also need to think of the appropriate hazards to be inserted in the comments column. In most cases this is like asking 'how long is a piece of string'. However, ISO 14971 comes to the rescue again. Annex E helps us to imagine particular issues. Although Table E2 is useful, for the first-time user it is meaningless. Hence I have taken this table and converted it into questions you should ask yourself (Table 9.2). This table is by no means complete; it is only a starter and you can use this to build your own, more detailed, list of hazards. As with earlier aspects of quality in design, it is worth using the following W questions.

Whom: Hazardous to Whom? The patient? The end user? Other Devices!
What: What makes this a hazard?
Why: Why is it hazardous?
Where: Does the local environment cause an issue?

(If not obvious, you may have to describe in more detail. Things like electric shock, scalding need no expansion - apart from potential degree.)


Table 9.2 Examples of hazards. Modified from ISO 14971:2012. (The four columns of the table are given here one after another.)

Examples of energy hazards

Electromagnetic energy
- Electricity
- Line voltage - is it connected to mains supply?
- Leakage current: enclosure leakage current; earth leakage current; patient leakage current
- Is it DC or AC?
- Is it single phase or three phase?
- Electric fields
- Will it produce a magnetic field?
- Can it be affected by magnetic fields?
- Data contamination through interference?
- EMC compatibility?

Light
- Does it emit light?
- Can it cause damage to eyes?
- Will it cause temporary blindness (flash)?
- Does it need to be used in dark or light environment?
- Is it a Laser?

Radiation energy
- Ionizing radiation - is there any? Is it directional? How much?
- Non-ionizing radiation - UV sunburn?

Thermal energy
- Ductile-brittle transition?
- Burning/scalding?
- Radiated, conductive or convective heat?
- Freezing?
- Will it act as a heat sink?
- Will it excessively heat or cool the environment?

Mechanical energy
- Gravity - can it fall? can it topple? can suspension fail?
- Vibration - can it affect the user? can bits become loose? will it produce excessive noise?
- Stored energy - can it spring back? are there clips that can pinch?
- Moving parts - can clothing get caught? can fingers get caught?
- Torsion, shear and tensile force - have you considered excessive loading?
- Moving and positioning of patient - will the patient need to be moved?
- Acoustic energy: ultrasonic energy; infrasound energy; sound
- High pressure fluid injection - will it 'inject'? can it cut? will it overinflate?

Examples of biological and chemical hazards

Biological
- Bio-burden?
- Bacteria?
- Viruses?
- Other agents (e.g. prions)
- Re-infection or cross-infection?
- Animal based products?
- Any of the above due to re-use?

Chemical
- Any acids or alkalis?
- Any processing residues?
- Any contaminates?
- Any additives or processing aids?
- Any cleaning, disinfecting or testing agents?
- Can any of the above cause degradation?
- Will it use, transmit any life threatening chemicals, e.g. medical gasses; anesthetic products?
- What effects can any of the above have on the device itself?

Biocompatibility
- Toxicity of chemical constituents, e.g. allergenicity/irritancy; pyrogenicity

Examples of operational hazards

Function - effects due to:
- Incorrect or inappropriate use?
- Incorrect measurement?
- Erroneous data transfer?
- Loss or deterioration of function?
- Misuse?
- Ignoring a warning or error message?
- Not checking functionality before starting?

User error - effects of:
- Lack of attention?
- Forgetfulness?
- Lack of training?
- Ignoring the rules?
- Lack of knowledge?
- Is there any assembly that could go wrong?

Examples of information hazards

Labeling
- Instructions for use adequate?
- Are the indications clear?
- Contraindications clear?
- Are the performance criteria clear?
- Are the above written for all end users?

Operating instructions
- Written with the end user in mind?
- Inadequate specification of pre-use checks?
- Over-complicated operating instructions?
- The effects on the device if any of the above occur?

Warnings
- Any side effects?
- Any hazards likely with re-use?

Specification of service and maintenance
- Any special service instructions before re-use?
- Anything needs disposal before re-use?
- Any pre-use checks?

Case study 9.2

A single use device is to be steam sterilized at the point of use using a desk-top sterilization unit. This unit also performs washing. Using Table 9.2 determine any potential hazards that may be part of your risk analysis.

| Potential hazard | Whom? | What? | Why? |
|---|---|---|---|
| Electricity: line voltage | Staff | Electric shock | Death? Burn? |
| Leakage current (enclosure leakage current; earth leakage current); Is it DC or AC? | Staff | Electric shock | Death? |
| | Staff | Electric shock | Potential for injury? |
| | Patient | Abrupt end of treatment | Potential for injury? |
| | Other devices | Abrupt shutdown | |
| | Device | Breakdown | No sterilisation thereafter |
| Is it single phase or three phase? | Device | Breakdown | |
| | Staff | Electric shock | |
| Electric fields; Will it produce a magnetic field? | Other devices | E-mag field effects | Interference? Attracting metals? |
| | Patient | E-mag field effects | Affecting pacemakers? |
| | Other devices | E-mag field effects | Interference? Attracting metals? |
| Can it be affected by magnetic fields? Data contamination through interference? EMC compatibility? | The devices | E-mag field effects | Interference |
| | Other devices | E-mag field effects | Need for EMC test? |
| Thermal energy: Ductile-brittle transition? Burning/scalding? Radiated, conductive or convective heat? Freezing? Will it act as a heat sink? Will it excessively heat or cool the environment? | | | |
| Biological: Bio-burden? Bacteria? Viruses? Other agents (e.g. prions) Re-infection or cross-infection? Animal based products? Any of the above due to re-use? | | | |
| Labeling: Instructions for use adequate? Are the indications clear? Contraindications clear? Are the performance criteria clear? Are the above written for all end users? | | | |

I have not completed the table; perhaps you would care to complete it?


You should foresee that this will be a lengthy process. It is very time consuming and results in loads of paperwork. But, by the end you will have thought of just about any stupid thing that could be done by every possible end user. When you consider that you are about to release a medical device onto an unsuspecting world - that may just kill someone - then this exercise is highly worth it. In my experience it only takes a few days; but it is a few days worth using. Remember risk analysis is a mandatory exercise, so you may as well do it right! The other thing to remember is that if you have written your PDS in the first instance, then all of these risks will have, already, been mitigated!

9.5 Assessing level of risk

The similarity between FMEA and the 14971 risk analysis form is no coincidence. However they depart in one major aspect: FMEA was used to design out risk; the risk analysis is to assess the level of residual risk and to state how you are controlling the risk. If you designed your device using a well constructed PDS then this analysis should return a "safe to use" result.

What does "safe to use" mean? It simply means that any risk of use is outweighed by the clinical benefits. For example, we all know that x-rays are an ionizing radiation and hence pretty dangerous things. After all, if Marie Curie had had the benefit of hindsight she may not have carried isotopes around in her pocket! However, how would modern medicine get along without the x-ray machine? How would your dentist examine your roots without this device? Whilst it is impossible to remove all of the risk, we are able to reduce it to a level where the benefits outweigh the risk. As such all hospitals, all dentists and all veterinary practices have an x-ray machine. The same argument must be applied to your medical device. You must be able to prove, using the risk analysis, that the medical benefits outweigh the (residual) risk.

In order to make this statement we must consider the risks/hazards presented in the previous section; and then for each one identify the root cause or (if applicable) the root causes. To illustrate this, Fig. 9.3 is a typical FMCA pro forma: this has been modified from ISO 14971 to coincide with terms we have already met. Use of Annex C will identify potential failures/hazards. The relevant section number of Annex C is entered into box 1 of Fig. 9.3. You may have a number of different failure modes for a particular hazard; a single failure mode is entered into box 2. Each failure mode/hazard will have a particular effect (note this is related to the patient, the end user or the surrounding environment - box 5); this is explained in box 3. Now you have to identify the root cause, or the root causes (box 4); it is very likely that each hazard/failure will have a number of potential root causes.

FIG. 9.3 Example risk analysis proforma. [Form titled "RISK ANALYSIS", life cycle phase: Design, Manufacture, and Supply. Numbered boxes: 1 Characteristic; 2 Failure/Hazard; 3 Effect; 4 Root cause(s); 5 Hazard relevance (Patient, User, Bystander, Environment; marked where relevant); 6 Estimation of risk at start of life cycle phase: L x S = RPN; 7 Risk reduction activities (gray/black zones) (if practical), or comment if required (white only); 8 Estimation of residual risk at the end of this life cycle phase (L, S, RPN); 9 Can the risk be reduced further? (gray); 10 Action proposed to protect from residual risk, implementation and verification of efficacy?; 11 Additional hazards introduced by risk control measures? If so, what action taken?]


This is where our Ishikawa diagrams and our reliability calculations come into force (Chapter 7)! Table 9.3 is a summary of the potential root causes as stated in ISO 14971. It is by no means comprehensive but it gives you some ideas. As stated earlier, and continuously throughout this text, a comprehensive PDS and design procedure will have anticipated all of these root causes and designed them out!

For each cause we now assess the risk (box 6). Similar to that we examined in FMEA, we determine a level of severity (S) and a likelihood of occurrence (L).[4] But unlike FMEA we DO NOT include detectability. Our assessment of RISK level (RPN) is

RPN = S × L    (9.1)

As with FMEA we need guidelines on setting values of L and S. ISO 14971 suggests values but also lets the company allocate its own appropriate levels; those given in Table 9.4 are commonplace. Note that severity is based on potential for injury; company embarrassment is no longer a consideration! Table 9.5 illustrates a severity and likelihood table for hazards unrelated to injury; in here company embarrassment is a consideration.

To ensure you do not have a variety of FMCA forms dependent on application, it is worth having a thought on the terms "bystander" and "environment" in relation to Table 9.5. Clearly the company's hazards can have an effect on the patient or the end-user (for example using the wrong material!); what we need, however, is a definition where "the company" can sit - I would suggest this is the "bystander" column.

Once the FMCA table is complete to the first RPN column we assess if the risk is acceptable or not. Table 9.6 illustrates a typical risk evaluation table. ISO 14971 allows you to devise your own threshold values, but it is very common to have three zones: a low risk zone (no controls required); a medium risk zone (controls should be examined); a high-risk zone (controls need to be implemented to reduce risk).

Key:
Dark: Unacceptable (>10) - Risk must be controlled and RPN reduced.
Gray: Significant (>4 & <11) - Risk controls to be investigated to reduce RPN.
White: Insignificant (<5) - RPN need not be investigated further.

[4] In many texts people use O instead of L; I just think L for likelihood is neater - but if you want to use O for occurrence then that is fine by me.

Table 9.3 Example of root causes. Source: ISO 14971.

| General category | Examples of causes |
|---|---|
| Incomplete requirements | Inadequate specification of: design parameters; operating parameters; performance requirements; in-service requirements (e.g. maintenance, reprocessing); end of life |
| Manufacturing processes | Insufficient control of changes to manufacturing processes. Insufficient control of materials/materials compatibility information. Insufficient control of manufacturing processes. Insufficient control of subcontractors |
| Transport and storage | Inadequate packaging. Contamination or deterioration. Inappropriate environmental conditions |
| Environmental factors | Physical (e.g. heat, pressure, time). Chemical (e.g. corrosions, degradation, contamination). Electromagnetic fields (e.g. susceptibility to electromagnetic disturbance). Inadequate supply of power. Inadequate supply of coolant |
| Cleaning, disinfection and sterilization | Lack of, or inadequate specification for, validated procedures for cleaning, disinfection and sterilization. Inadequate conduct of cleaning, disinfection and sterilization |
| Disposal and scrapping | No or inadequate information provided. Use error |
| Formulation | Biodegradation. Biocompatibility. No information or inadequate specification provided. Inadequate warning of hazards associated with incorrect formulations. Use error |
| Human factors | Potential for use errors triggered by design flaws, such as: confusing or missing instructions for use; complex or confusing control system; ambiguous or unclear device state; ambiguous or unclear presentation of settings, measurements or other information; misrepresentation of results; insufficient visibility, audibility or tactility; poor mapping of controls to actions, or of displayed information to actual state; controversial modes or mapping as compared to existing equipment; use by unskilled/untrained personnel; insufficient warning of side effects; inadequate warning of hazards associated with re-use of single-use medical devices; incorrect measurement and other metrological aspects; incompatibility with consumables/accessories/other medical devices; slips, lapses and mistakes |
| Failure modes | Unexpected loss of electrical/mechanical integrity. Deterioration in function (e.g. gradual occlusion of fluid/gas path, or change in resistance to flow, electrical conductivity) as a result of aging, wear and repeated use. Fatigue failure |

Table 9.4 Example table of severity levels.

| L | Likelihood | S | Severity |
|---|---|---|---|
| 5 | frequent: 1/100 uses or once per day | 5 | catastrophic: Death |
| 4 | probable: 1/1000 uses or once per week | 4 | critical: Major injury (loss of limb etc): life threatening injury |
| 3 | occasionally: 1/10,000 uses or once per quarter | 3 | serious: Minor injury requiring treatment |
| 2 | remote: 1/1,100,000 uses or once per year | 2 | minor: Minor injury NOT requiring treatment |
| 1 | improbable: 1/1,000,0000 uses or once every 3-5 years | 1 | negligible: Minor irritance to patient or end user |

Table 9.5 Example table of severity levels related to non-personal injury hazards.

| L | Likelihood | S | Severity |
|---|---|---|---|
| 5 | frequent: 1/100 uses or once per day | 5 | catastrophic: Litigation |
| 4 | probable: 1/1000 uses or once per week | 4 | critical: Loss of CE mark/FDA clearance to market/recall of device |
| 3 | occasionally: 1/10,000 uses or once per quarter | 3 | serious: Receipt of formal complaint |
| 2 | remote: 1/1,100,000 uses or once per year | 2 | minor: Non-conforming product/failure to meet order/item lost in post |
| 1 | improbable: 1/1,000,0000 uses or once every 3-5 years | 1 | negligible: e.g. typing errors on delivery note |

Table 9.6 A typical risk evaluation table.

| L \ S | Negligible: 1 | Minor: 2 | Serious: 3 | Critical: 4 | Catastrophic: 5 |
|---|---|---|---|---|---|
| Frequent: 5 | 5 | 10 | 15 | 20 | 25 |
| Probable: 4 | 4 | 8 | 12 | 16 | 20 |
| Occasional: 3 | 3 | 6 | 9 | 12 | 15 |
| Remote: 2 | 2 | 4 | 6 | 8 | 10 |
| Improbable: 1 | 1 | 2 | 3 | 4 | 5 |

If the value of RPN falls into any of the white areas then your risk is adequately controlled. In the following comments section (Box 7) simply add a statement stating what your control method is/methods are. However, it is very likely that at the first round you will have a value that is in the gray or black sections of Table 9.6. Hence Box 7 is reserved for any description of remedial action you have undertaken to control the risk. A new level of RPN should be determined and entered into Box 8 (note that S will not change, only L does). Do not bother completing this section unless your controls take the value of RPN to a value you recognise as being acceptable - As Far As Possible (or As Far As Practicable). Hence Box 7 should contain a complete description of the control measures in place. In some cases a simple statement that an international standard is being used is enough; in others you may need to put in some more text.


If all is fine, then in Box 9 you enter the acronym "AFAP". This does not mean you cannot afford to reduce the risk anymore because it would cost too much (which was an old get out clause); it literally means it CANNOT be reduced any further with current knowledge. Somewhere in these boxes you must make the statement that the risk is outweighed by the clinical benefit, so why not write it in box 9 using the phrase "AFAP: residual risk is outweighed by the clinical benefit". Simply speaking, if the residual risk is unacceptable then you must go back to the drawing board - but if you have a good PDS this eventuality should not happen. If the risk is significant you must assess if the residual risk is outweighed by clinical benefit and you may need to instigate further controls.

Box 10 is simple: if there is any residual risk, can anything be done further? Well, if you've done your job properly then hopefully not. But sometimes there are little things that are not directly in your control but which can be used to increase safety. For example, consider the window cleaner on a ladder. The window cleaner can tie himself to the ladder to avoid falling off, and this will reduce the risk of falling off. However it does not stop someone walking into the ladder and causing them to become unsteady and fall - how can we reduce this? Put up warning signs around the ladder! Note this has not changed the design of the ladder, nor of the safety harness - but it has, potentially, reduced the risk a bit further. Personally I find this argument too obtuse; as far as I am concerned this is another root cause, and hence should have its own line in the table. So maybe the better entry into this column is either "NONE" or, if pertinent, "None, all potential root causes contributing to residual risk have been assessed in this table".

Box 11 is less simple: changes you have made to reduce risk may have a knock-on effect. You may have, inadvertently, introduced new risks. This box forces you to look at that outcome. So using the ladder example above, we have just introduced a trip hazard for the pedestrian! Hence we have another table.

I have to be honest with you, at first sight this form and its associated processes look like a nightmare. It is not the case. They have been established to make you think of the effects of your choices and to let others question your choices in a stable, coherent and internationally accepted manner. However, I do warn you that a full and thorough examination of the most simple of devices can end up with a folder containing at least 50 of these forms/tables with at least 3 root causes on each page. But I promise you, once you get into the swing it gets a lot easier, and quicker.

9.5 Assessing level of risk

9.5.1 Other ways of assessing risk

There are numerous forms one can adopt to assess risk rather than that I have presented above. All have their pros and cons. There are even software solutions (based on spreadsheets) that can do the assessment for you. However they all, in the end, come down to the same issues: identify the hazard, identify the severity, and identify the likelihood. What differs is the order in which they are undertaken. In some cases I have seen the hazard described, then the control and then the assessment of RPN post control. I have presented you with a system that I think works in many circumstances; if you have another system you would like to adopt (or one which has been suggested you use) then that is fine - just make sure you are consistent, and make sure you analyze the risk against set criteria and against clinical benefit.

One simple version (which, I would suggest, is not to be used above a class I device) is presented in Table 9.7. In this case no numbers are used, just degrees of hazard and degrees of likelihood. To complete Table 9.7 one simply circles the relevant box. One cannot get away without using the “AFAP” statement in the assessment, nor the use of the statement “risk is outweighed by clinical benefit”. Furthermore, one still needs to analyze any residual risk. Personally, I cannot see the need for a more simple method than that I presented earlier; however, I also recognise that sometimes a full FMCA form is a little over-the-top.

Table 9.7 Simple risk analysis table.

Hazard:
Control:

Severity | Frequency: Rarely (possible, but unlikely) | Frequency: Occasional | Frequency: Frequent (likely to occur)
High (likely to cause death or severe injury) | MODERATE | MAJOR | CRITICAL
Medium (likely to lead to a complaint) | MINOR | MODERATE | MAJOR
Low (cosmetic defect) | NIL | MINOR | MODERATE

Assessment:
Residual Risk:


Table 9.8 Completed FMCA for case study 9.3

RISK ANALYSIS
Lifecycle Phase: Design, Manufacture and Supply
Hazard Relevance columns: Characteristic, Patient, User, Bystander, Environment
Characteristic: 2.4.3
Failure/Hazard: Supply of radioactive components due to potential contamination in Japan
Effect: Ionization injury to patient
Root Cause(s): Suppliers inadvertently use material(s) that have passed through Japan post April 2011
Estimation of Risk, Likelihood x Severity at start of lifecycle phase (L x S = RPN): L = 5, S = 4, RPN = 20
Risk reduction activities (Grey and Black Zones) (if practical); Comment if required (White Only): Contacted all subcontractors to check provenance of all materials
Estimation of residual risk at the end of this lifecycle phase: L = 1, S = 4, RPN = 4
Can the risk be reduced further? AFAP: clinical benefit outweighs the residual risk
Action proposed to protect from residual risk; implementation and verification of efficacy? Written confirmation obtained from all suppliers that no materials originate from or passed through Japan.
Additional hazards introduced by risk control measures? If so, what action taken? No additional hazard.
Comment: FDA request letter ref x.y.z


Case study 9.3

During the manufacture of a hypodermic syringe it was identified that some material may have originated from a warehouse in Japan. Assess the risk of this potential hazard.

Any FDA registered organization would have received an official letter from the FDA in 2011. This letter requested a check that no materials had been sourced from Japan; it was specifically concerned with the nuclear reactor failure that followed the 2011 tsunami and hence potential radioactive contamination of any materials.

What is the potential hazard? From Annex C, though this is debatable, the potential issue is 2.4.3:

2.4 What materials or components are utilized in the medical device or are used with, or are in contact with, the medical device? Factors that should be considered include:
2.4.3. Whether characteristics relevant to safety are known

From Table 9.8 the hazard is clearly ionizing radiation. The effect is injury to the patient, to the end user and, possibly, to the environment. Hence there are two potential effects:

1. Injury to the patient and/or end user.
2. Contamination of storage environment, which, in turn, can lead to injury to end user(s).

This case study has demonstrated how, even after a device has been placed on the market, a thorough risk analysis can be used to check if anything needs to be done. In this case the analysis showed that we could not be sure that the materials were not contaminated, hence a likelihood of 5. However, after contacting all suppliers for their materials’ provenance it was apparent that only a random mishap would mean the use of contaminated materials, hence L = 1. Notice the action to ensure that the risk is controlled: requesting letters of provenance from the suppliers will ensure they keep their eyes on the ball too!

Once completed you need to produce a risk analysis report, one that contains each and every completed FMCA table - and you will have many. These individual forms are collated and together they define whether your device has any residual risk that is not acceptable. The front page of this report summarises this statement, but someone competent must sign it off and the ‘sign off’ must contain a statement confirming that the clinical benefits of the device outweigh any risks due to its use.

9.6 Risk management procedure document

You will need to encapsulate your process within a single document. As we are using ISO 14971 the basic format is given.

Page 1: A copy of the ISO 14971 risk management process flow chart (as given in Fig. 9.1).
Page 2: A statement on how hazards are ascertained (annexe C, PD IEC-TR8002 etc)
Page 3: A copy of the FMCA form you use
Page 4: A copy of the Risk Assessment chart you use (example given in Table 9.6)
Page 5: A statement on: (a) “risks whose probability cannot be estimated” and (b) “post production” risk management

The answer to (a) is difficult; it is impossible to judge something if the data is not there. So a simple statement such as:

There are some occasions when quantitative estimates of probability cannot be accurately judged but changes in technology are reviewed periodically by Company-Name

at least suggests you have recognised the issue. But this does not give you license to ignore it; it just means some estimates of RPN may be incorrect and are liable to change. The standard states:

In such cases, the risk estimate should be made on the basis of a reasonable worst-case estimate of probability. ISO (2012).

The answer to (b) is a little easier. It simply requires you to say you will check the Risk Analysis periodically, and, as I said earlier, if you have a risk analysis that is more than 2 years old you are not doing very well. A simple statement such as: Data is proactively sought from users regarding products in the post production stage as per the requirements of ISO 13485:2016. This information is fed into the “Company’s” monitoring and analysis process and the risk analysis is revised and reviewed according to the ISO 14971:2012 standard.

Page 6: This is a blank pro-forma for the risk management folder title page (Part 1 of the technical file’s risk management file described in a later chapter, or of the company’s risk register as described in the next section). This pro-forma is, basically, laid down by ISO14971 and should look like Fig. 9.4. Note the last sentence - the person signing off the risk analysis MUST BE QUALIFIED TO DO SO: hence we are looking for staff with formal, professional qualifications such as Chartered Engineers, Licensed Engineers, Professional Risk Assessors, persons with an ISO14971 training certificate, persons with postgraduate qualifications in medical devices design. The person signing it off cannot be the managing director or CEO just because of their position - they have to be qualified to do so. If you wish to avoid this sentence you can add another line to the signature: “qualifications”.

FIG. 9.4 Sample risk management file title page.

Please do not forget this is a controlled document, so the whole document requires a title - such as Risk Management Procedure; it needs approval, a version number, and a date of approval - yep, document control! It does not hurt to keep this document brief so that EVERYONE in the company has one on their desk or workstation! Making sure everyone is trained and updated on the company’s risk management procedure(s) is essential!

9.7 Risk management folder in the technical file

An essential element of the Technical File (for CE marking) or the Design History File (for FDA 510(k) and clinical assessment approval) is a risk management folder (or you may hear the term risk register). In essence it is simple. Before you apply for a CE mark or for an FDA 510(k) this document must be in place. As virtually all regulatory bodies accept ISO14971 as the basis for risk management, the file will always contain the following:

1. Statement of clinical benefit outweighing residual risk (title page Fig 9.4)
2. (optional) Pre-assessment of hazards on which risk analysis is performed (e.g. appendix C as presented earlier)
3. Complete dossier of all individual risk assessments
4. (optional) Company risk management procedure

Although I have highlighted 2 as optional, it is a good idea to document this step as it points your auditors to the concept of “they have done it properly”. Without this section you can be asked “where did this hazard come from?” Again, I have suggested 4 is optional, but as every company has its own rules on what is an unacceptable RPN, any auditor will have their own opinion of what is acceptable or not. None of that matters if you present this document in your folder, as all the information by which you make decisions on RPN is given within. But note, if you have more than one technical file/DHF then each time you update your risk management procedure you will need to update this section of EACH technical file. Personally I believe it to be more efficient to simply have a statement on the title page that states this risk analysis was conducted using the risk management procedure XXX.

9.8 Risk management and internal procedures

As a part of compliance with ISO13485, MDR and the FDA CFR21 one needs to risk manage the whole of your process, not just the products themselves. They are interlinked, of course, but it is much easier to claim in your product’s risk analysis that they have been manufactured to minimise risk if you have already analyzed your procedures. The best way to evidence this is through a company risk register. The best way to think about a risk register is a simple folder structure as illustrated in Fig. 9.5.

The basic tenet of the risk register is that you analyze the hazards associated with each of your procedures. For example, let us assume one of your procedures concerns ordering components from a supplier. What hazards are involved and who will they affect? Let us look at the groups that may be affected: the patient - of course; your company’s reputation - definitely; the safety of the product itself - quite clearly. What sort of hazards could be associated with a supplier? They could make the component out of specification; that is, not to drawing. They could use the wrong materials - we all know the effects of that particular hazard! They could deliver the component late, and that could delay an operation. In the case of suppliers you should have a supply agreement in place (this we shall meet later); that is your risk control mechanism, but you still should assess the risk.

FIG. 9.5 Example risk register structure. The Risk Register divides into Procedures 1 to 3; Procedure 1 divides into Sub-Procedures 1.1 and 1.2; each sub-procedure lists its Hazards (1.1.1 to 1.1.3 and 1.2.1 to 1.2.3), each with its own Risk Analysis.

Why is this important? Is it not overkill? The whole point of the process is to find out where your processes have risk pinch-points and then concentrate on those. If you know where the risks are you can do something about them; if you do not, that risk will come and bite you one day. If you are worried about what to look for then the main sub-groupings to which you should address your investigations (lifecycle phase) are:

• Design
• Manufacture
• Supply
• Use

It is probably wise to divide your risk register into these sub-sections.

Case study 9.4

A small company conducts a risk analysis of the delivery procedure. A hazard identified is that their device may not have been identified as delivered; this has the effect that they may receive a complaint that would require investigation. The risk analysis result is as presented in Table 9.9.

Firstly notice that another column has been added to the table, “company” - this I have done for clarity. As stated earlier, you can simply use the “bystander” column to represent the company as the “effect” clearly states the hazard is related to the company (not being paid is an issue for the company). Also, note that your values of L and S will have different interpretations. You just need to associate S with the table as given before - so Death, for example, could be closure of the company, or loss of clearance to market. Table 9.5 may be the better table to use.

Table 9.9 Example FMCA for case study 9.4

Case Study 9.4 illustrates that risk is a relative thing. When dealing with human beings it is associated with injury and death; when dealing with companies we can see that it is more to do with critical outcomes. Hence it is no surprise that one would have two assessment tables in the risk management handbook - one for the assessment of risk of injury to patients and others; one for the risk of detrimental effects on anything else. It is NOT advisable to have two different handbooks. Please be aware that it is possible for a potential hazard to have an effect that is liable both to cause physical injury to a patient, an end user or a bystander, and to cause harm to a company’s reputation, bank balance, and registration status. The title page for the company’s risk register will be slightly different from that of the device itself, but to be honest I would just use the same title page as described earlier (Fig 9.3) as, at the end of the day, it is all about patient safety and clinical benefit.

9.8.1 Risk management and the company’s risk register

In essence it is simple; your risk register will always contain the following:

1. Statement of clinical benefit outweighing residual risk (title page Fig 9.3)
2. (optional) Pre-assessment of hazards on which risk analysis is performed (e.g. appendix C as presented earlier and those for software etc.)
3. Complete dossier of all individual risk assessments (cataloged with a contents section containing all hazards identified).
4. (optional) Company risk management procedure

As earlier, 2 is optional, but it is a good idea to document this step as it points your auditors to the concept of “they have done it properly”. Without this section you can be asked “where did this hazard come from?” Again, as earlier, 4 is optional, but the same argument applies as earlier. In this case it is easier as there will only be ONE company risk register and hence only ONE needs updating. This risk register needs to be kept safe, and you need to ensure that anyone involved with a process has access to the relevant risk assessment table(s).


9.9 Software

You knew this was coming! I cannot stress enough how important it is to recognise that software is not immune from risk. I have already mentioned the two further standards you need to look at, those being BS EN 60601 annexe H (British Standards, 2011) and PD ISO/TR 80002-1 (ISO 2009). You really need to look at 80002-1! This technical report (yep, that is what the TR stands for) does not re-write ISO 14971; it simply points you to the hazards and risks associated with software development. The same can be said for BS EN 60601-1 (and its equivalents), but for medical devices powered with electricity. In both cases you should be using these documents to inform your hazard identification, just as we did using Annexe C of ISO 14971. You should produce a tick list of common hazards associated with software (and some of these will make your software developers scream with agony). You should then force yourself, and your software developers, to go through this tick list and answer every point in turn; I am afraid the usual statement “that will never happen” is not a suitable response and will get a short reply from an auditor.

One such issue is that of SOUPs (Software Of Unknown Provenance). Most modern software developers are very happy to download coding libraries from web sources believing them to be reliable. But if I can give you an apocryphal lesson:

A device had been developed which had a piece of software that had been written using a code library. Unfortunately all of these devices became unusable on exactly the same day. This, of course, caused no end of headache for the company concerned, but it did not leave the patients in a state of euphoria either. The reason for the sudden stoppage was that the software developer had used a library that was open source, but which had a time-limited license. On the day the license ended, the software stopped working and so did the devices. The developer had actually long since left the company concerned, hence nobody knew about this potential issue. However, a detailed risk analysis including the potential of the use of SOUPs and time-limited licenses would have highlighted the issue before it even arose.

Do I need to go into any further detail? But I do need to illustrate the level of detail that PD ISO/TR 80002 goes into. In the standard’s appendices there is a plethora of hazards, but not only that, it even gives typical solutions/control measures for said hazards. Table 9.10 is an extract to demonstrate this fact.

Table 9.10 An extract from PD ISO/TR 80002 illustrating potential hazards (BSI, 2009).

I cannot tell you how many times I have heard “divide by zero error, that never happens”; my answer is “prove it” using the three verification types given in the last three columns. Hence if you do develop software, to not have a copy of this addendum to ISO14971 is simply - not logical.
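The SOUP story in this section lends itself to a routine check. As an added example (not from the book), the Python below audits a SOUP register and returns one FMCA-style root cause per problem, scored as L x S = RPN. The register fields, the 1-5 scales, the severity of 4 and the day bands are assumptions chosen for illustration; unrecorded provenance or license terms are scored at the reasonable worst case that the chapter quotes from the standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumptions for illustration: 1-5 scales for likelihood (L) and severity (S),
# RPN = L x S as on the chapter's FMCA form. Use your own procedure's scales.
S_DEVICE_UNUSABLE = 4   # assumed severity when the software stops in the field
WORST_CASE_L = 5        # probability cannot be estimated: reasonable worst case


@dataclass
class Soup:
    """One line of a SOUP register (all field names are hypothetical)."""
    name: str
    version: str
    source: Optional[str]    # where the code came from; None = not recorded
    license: Optional[str]   # license name; None = terms never recorded
    expires: Optional[date]  # end of a time-limited license; None = no end date
    owner: Optional[str]     # current member of staff responsible; None = nobody


@dataclass
class Finding:
    """A root cause to carry into its own line of the FMCA table."""
    component: str
    root_cause: str
    L: int
    S: int = S_DEVICE_UNUSABLE

    @property
    def rpn(self) -> int:
        return self.L * self.S


def expiry_likelihood(expires: date, today: date, has_owner: bool) -> int:
    """Score how likely the license is to lapse unnoticed (assumed bands)."""
    days_left = (expires - today).days
    if days_left <= 0:
        return 5
    score = 4 if days_left <= 90 else 3 if days_left <= 365 else 2
    # With nobody responsible, the expiry is more likely to go unnoticed.
    return score if has_owner else min(5, score + 1)


def audit(register: List[Soup], today: date) -> List[Finding]:
    findings = []
    for c in register:
        label = f"{c.name} {c.version}"
        if c.source is None:
            findings.append(Finding(label, "provenance not recorded", WORST_CASE_L))
        if c.license is None:
            findings.append(Finding(label, "license terms not recorded", WORST_CASE_L))
        elif c.expires is not None:
            L = expiry_likelihood(c.expires, today, c.owner is not None)
            cause = f"time-limited license ends {c.expires.isoformat()}"
            findings.append(Finding(label, cause, L))
    # Highest RPN first, so the worst lines are reviewed first.
    return sorted(findings, key=lambda f: f.rpn, reverse=True)


# Constructed sample register; component names, owners and dates are invented.
REGISTER = [
    Soup("plotlib", "2.1", "vendor website", "evaluation", date(2025, 3, 1), None),
    Soup("uartdrv", "0.9", None, None, None, "J. Smith"),
    Soup("mathkit", "4.0", "internal mirror", "perpetual", None, "J. Smith"),
    Soup("guikit", "1.3", "vendor website", "annual", date(2026, 6, 30), "J. Smith"),
]

if __name__ == "__main__":
    for f in audit(REGISTER, today=date(2025, 1, 15)):
        print(f"RPN {f.rpn:2d} (L={f.L}, S={f.S})  {f.component}: {f.root_cause}")
```

Each finding still needs its own completed FMCA line, with the assessor replacing the assumed L and S by values from the company's risk assessment chart.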

9.10 Standards, courses and certification

9.10.1 A copy of the standard?

It should come as little surprise that ISO14971 is something you should have on your shelf; simply stating you saw it once upon a time in a library does not really cut it. The good news is, it is NOT that expensive; at the time of writing this it is about £270 (c $200) for a copy - and there is no need for you to have more than one copy to refer to! Please do note that standards bodies have strict copyright laws - not surprisingly; please do not copy these documents and then share them with your friends, family and casual acquaintances.

If you really need more help, then a guidance document is available: PD ISO/TR 24971: 2013. This is a guidance document - and again not expensive (c £170); but it is only a few pages in total.

One document you must not be without (as it is free) is the EC guidance on clinical evaluation MEDDEV 2.7/1 (EC, 2016). This document illustrates how you incorporate and link risk management with the essential clinical evaluation (verification and validation in FDA speak) for your device.


9.10.2 Courses and certification

It will do you no harm, whatsoever, to attend an ISO14971 course. The two major benefits are that you will be able to put the certificate in your training manual and that you will also be able to sign off the risk analysis front sheets, as you are now qualified to do so. However, do your homework diligently; some courses are literally not worth the paper the certificate is printed on, and some are so expensive your eyes will water!

9.11 Summary

This chapter attempted to pass on my experience of risk management in medical devices. You have been shown how to undertake a risk management process and how to perform a risk analysis for both a device and for your company’s procedures. The important thing to remember is that the risk management file is an essential element of a CE Technical File, or an FDA Design History File; without it you are either asking for trouble or are simply not wishing your device to get the appropriate clearance to market.

References

BS, 2011. BS EN 60601-1, Medical Electrical Equipment. General Requirements for Basic Safety and Essential Performance.
EC, 2016. MEDDEV 2.7/1 (4) Clinical Evaluation: A Guide for Manufacturers and Notified Bodies under Directives 93/42/EEC and 90/385/EEC.
ISO, 2009. PD ISO/TR 80002-1, Medical Device Software. Guidance on the Application of ISO 14971 to Medical Device Software.
ISO, 2012. ISO 14971, Medical Devices. Application of Risk Management to Medical Devices.
ISO, 2016. ISO 13485, Medical Devices - Quality Management Systems - Requirements for Regulatory Purposes.