In this blog, we’ll recap our whitepaper, “Understanding Integrated Risk Management for Medical Devices” – To read the entire paper, click HERE.
Understanding Integrated Risk Management for Medical Devices
Knowledge on best practices, how to integrate risk-based thinking into product development cycles, and the importance of having end-to-end traceability to improve risk management, shared by industry and solution experts.
A level of risk exists with all medical devices, no matter how simple they are.Companies developing medical devices are constantly considering who (or what environment, facility, etc.) could potentially be hurt by a device so they can help reduce risk and meet regulatory requirements. Risk management in the context of ISO 14971 is designed to support medical device manufacturers with these tasks — but not all approaches are equal.
The amount of time it takes to manage risks, connect specific risks to specific requirement tasks, and pull together required documents to respond to an audit varies slightly depending on the approach. The risk management process is an integrated process that not only includes teams in product development, quality, but also many other parts of an organization.
This whitepaper taps into the knowledge of industry and solution experts to uncover best practices, how to integrate risk-based thinking into product development cycles, and the importance of having end-to end traceability to improve risk management. Before we dig into integrated risk management, let’s first define some key terms.
RELATED: Jama Connect® Features in Five: Risk Management for Medical Device
Risk Management Terms According to ISO 14971
Harm – Harm occurs when people are injured physically or their health is compromised or when property or the environment is damaged.
Hazard – A hazard is a potential source of harm. Annex E.2 categorizes hazards in the following way: energy hazards, chemical hazards, biological hazards, operationalhazards, and informational hazards.
Hazardous – A hazardous situation occurs when people are exposed to a hazard or when property or the environment is threatened. A hazardous situation exists when a vulnerable entity is exposed to a hazard.
Situation – According to ISO 14971, the concept of risk combines two variables: the probability of harm and the severity of harm.
Risk – For example, if a particular hazardous situation is very likely to cause harm and would be very harmful if it actually occurred, then it would be a high risk situation. Conversely, if it’s very unlikely to cause harm and would be only slightly harmful if it actually occurred, then it would be a trivial risk.
Risk Analysis – Risk analysis is a systematic process that is used to identify hazards and to estimate risk. It includes an examination of every reasonably foreseeable sequence or combination of events that could produce a hazardous situation and cause harm.
Risk Assessment – Risk assessment is a process that is, in turn, made up of two interconnected processes: risk analysis and risk evaluation.
Risk Evaluation – Risk evaluation is a process that is used to examine the estimated risk for each hazardous situation and then to use risk acceptability criteria to determine whether
or not the estimated risk is acceptable and to decide if risk reduction is required.
Risk Control – Risk control is a process that is used to consider risk control options and to select and implement risk control measures that will reduce risk or maintain risk within
specified levels. ISO 14971 expects you to consider the following risk control options and, if possible, to apply them in the following order:
- Design safety into the product.
- Establish protective measures.
- Provide safety information.
Risk Estimation – Risk estimation is a process that is used to assign qualitative or quantitative probability values and severity values to each hazardous situation. These values are then used to estimate risk.
Risk Management – Risk management uses policies, procedures, and practices to systematically analyze, evaluate, control, and monitor risk.
Safety – Safety is freedom from unacceptable risk. Risk acceptability criteria are used to help decide whether or not a risk is unacceptable.
Severity – Severity is a measure of the possible harmful consequences that a hazard could potentially cause.
RELATED: Download our whitepaper, Application of Risk Analysis
Techniques in Jama Connect® to Satisfy ISO 14971
The Risk Management Process
During risk management — after one defines a device’s intended use(s) — risk analysis can begin with identifying all potential hazards, and hazardous situations. Once this is defined, risk can be estimated and can determine the type of appropriate risk control required. Once the risk controls are implemented, residual risk needs to be analyzed to ensure that the benefits outweigh the risks. Let’s take a look at what’s involved in the risk management process.
“Risk” is defined as the severity and probability that harm will occur. Defining the severity of harm requires you to identify all the known and foreseeable hazards for both intended and unintended uses.
For example, let’s say you have an infusion pump, and that pump has air in the line, which creates a hazardous situation for the patient. Different levels of patient harm can occur, so it’s about uncovering the possible scenarios and the likelihood of a situation’s occurring.
Understanding harm includes both people and property. A medical device that catches fire might threaten property, while an infusion pump with air in the line might threaten human life. Think about what could cause harm to people, like a shark swimming in the water. A shark that attacks a person could create different levels of harm. A few examples include loss of a limb, an infection from getting bitten and loss of life. The various levels of harm result from the hazardous situation, which is the shark in the water.
Risk evaluation involves comparing an estimated risk against a specific criterion to determine if a risk is acceptable. Five different levels to evaluate risk are common practice, but you can use as many as you’d like. The most severe risk (level five) might include death or impairment. Level one might include no risk to a patient or operator. The levels inbetween include all the other varying
degrees of risk.
Sequence of Events
A hazardous event includes a number of steps, which is the sequence of events. A risk situation might have two, three, or more steps that, when aligned, create a hazardous event. Risk management tools such as fault trees and failure modes and effects analysis (FMEA) help identify these steps.
Previous version of ISO 14971 used terms like “acceptable” and “unacceptable” to describe risks, but that language has since been removed and the most current version maintains as low as possible (ALAP). The goal of every manufacturer is to lower the risk as much as possible and rethinking how to prioritize risk controls can help.