04/10/23

Risk Management for Medical Devices

Safe and Effective ProductsPaul McDanielASQ CQM/OE

Executive VP Operations and QASicel Technologies

04/10/23

Overview

• Product Life Cycle Model Role

• Process Hints

• In-depth discussion of a Risk Management Analytical Tool: FMEA

04/10/23

Risk Management Defined(a practitioner's definition)

• Risk: probability of harm occurring AND the severity of harm

• Risk Management: Use of relevant information to identify possible harmful events, to assess the event’s acceptability in the eye’s of the at risk population (probability*severity), and exert effective controls of the risk

04/10/23

Risk Analysis-Intended use andId of Char related to safetyof the device-Id hazards-Est risk for eachhazardous situation

Risk evaluation

Risk Control-Option analysis-Implement controls-Residual risk evaluation-Risk/benefit analysis-Risks arising from controlmeasures-Completeness of risk control

Ris

k A

sses

smen

t

Evaluation of overallresidual riskacceptability

Risk ManagementReport

Production andpost-production

information

Risk M

anagement

Adapted from ISO 14971:2007 Figure 1

04/10/23

Product Life Cycle Model Role

• Understand the Regulatory Model– A product life cycle has many phases– Information/Products/Design at the start of a

phase is input; possibly input requirements– Information/Products/Design at the end of each

phase is output– Outputs must be verified against inputs

• The model assumes verification at each phase end

04/10/23

Product Life Cycle Model Role

• The Current State of the Risk Management Standard Assumes the Regulatory model– You may follow the described process and be

confused unless you recognize the phase boundaries

• How can I determine the answer to “is risk acceptable” if I’m just defining design inputs

– The planned mitigation is acceptable, detail design may introduce new information, stay alert in the next phase!

04/10/23

Risk Management by Phase

• Design Input (Hazard Analysis/Fault Tree)– Focus on generating product “shall not do” or

“shall comply with standard...” type of specification requirements

• Detailed Design (Fault Tree/FMEA)– Look to your product architecture and add

architecture interface risks to your analyses– Further on, examine higher risk areas and product

failure risks in detail

04/10/23

Risk Management by Phase

• Design Verification/Validation– Watch for occurrence of anticipated but “intended to

be” mitigated risks• Risk Control failure

– Assess impact of V&V findings for new risks needing analyses

• We didn’t imagine that would happen: Risk?

– Listen to any customer feedback for risk acceptability• “Those safety lock outs are too confusing to work with, can we

disable them?”

04/10/23

Risk Management by Phase

• Commercial Distribution/Disposal– Vigilance Reporting is a Risk Analysis Update

Opportunity

• NEW for 2007!– Production feedback into the Risk Analysis

• Am I seeing higher rates of occurrence?

• Are new failure modes presenting themselves that we haven’t analyzed?

• Are we having control failures or excessive cause failures

04/10/23

Risk Analysis in Production

• Non-conforming material and Material Review Board Processes?– Can they effectively consider risks on each

occurrence?

• Control charts, acceptance data– Are risk controls part of acceptance testing?– Frequency of occurrence suggesting anything

• “Risk of failure was ranked as remote yet we’ve had three catastrophic hot-pot test failures this month!”

04/10/23

Risk Analysis in Production

• Comment period…………

04/10/23

Process Considerations

• Define the scope of your analysis– What systems, what interfaces, who as user...– The records produced will be subject to second

guessing if harm occurs: don’t allow hindsight to change the rules

– Document your information sources!!!!!!!• When you made your risk acceptability decision,

what information was available and used?

• We can only be diligent, not psychic

04/10/23

Analysis Scope

• Intended Use: Use for which the product, process or service is intended according to the specifications, instructions, and information supplied by the manufacturer

• Essential Performance: Performance necessary to achieve freedom from unacceptable risk

• Note: is most easily understood by considering whether its absence or degradation would result in an unacceptable risk

• You must have these two clearly in front of the analysis team.

04/10/23

Process Considerations

• Use a Risk Source List as a Reminder– ISO 14971 has such lists– Add your Industry’s Experience

• If a harmful event has been reported, it has higher mitigation priority than hypothetical risks

– flag real occurrences in your analyses

– Rely on accepted standards• If there is a “test” standard, understand the

underlying reason for the tests

04/10/23

Process Considerations

• Sources of harm should suggest action– electricity is not harmful, electrocution is

• A hazard exists– A sequence of events leads to a hazardous situation

(normal or fault conditions)• The hazardous situation has a probability (P1)

• Harm occurs from the situation– A probability of harm exists (P2)– A severity of outcome can be assigned (S)– Risk = S, P1 x P2

04/10/23

Process Considerations

• While defining the system inputs, what harmful things can occur:– Very early on, a “Preliminary Hazard Analysis”

can screen out higher risk approaches

• What are the harmful things that the system can do considering:– user, patient, environment or property (a

subject)

04/10/23

Process Considerations

• Typically, the Device Design Requirements Are Broken Down Into Smaller Pieces During Detailed Design– focus on interfaces, signal and data path integrity– trace system requirements to sub-system– Use Fault Tree Analysis (top down)– Consider Using Failure Modes and Effects

Analysis (bottoms up)

04/10/23

Process Considerations

• Observe Verification/Validation findings for unanticipated device behavior– the best design analysts miss things

• Initiate a process for V&V findings classification– did harm occur?, or if the behavior re-occurs, could

harm occur?– if I can’t recreate the behavior, I still may have to

mitigate it

04/10/23

Risk Management Process Tools

04/10/23

System Hazard Analysis(design input)

• Draw boundaries between the system and the at risk subject and define harmful events– Energy sent across a boundary– Look for potential to kinetic energy transition

• did you control the transition

– Changes in state may be potentially harmful– Your seed list may leave you with many

“deferred answers”

04/10/23

Probability and Severity Estimates

• Risk management relies on expert judgment so don’t let novices work alone!

• Focus on one device, one device lifetime

• Set Quantitative or Qualitative criteria– high probability is...several times in a device

lifetime???, 1< per million uses– moderate injury is....medical attention to return

to pre-risk exposure state

04/10/23

Probability and Severity(use graphical techniques)

Increasing Severity

Incr

easi

ng p

roba

bili

ty unacceptable

okay

Increasing Severity

Incr

easi

ng p

roba

bili

ty

no risk or too great a risk is easy, what about moderate risks?

Split up the quadrants to refinethe estimates in stages of analysis

04/10/23

Detailed Risk Analyses

• One of the more popular design evaluation tools is the Failure Modes and Effects Analysis (FMEA)– IEC 60812, Analysis techniques for system

reliability - Procedure for failure modes and effects analysis

– FMEA is used more for design evaluation than for design development

– Works for manufacturing processes too!

04/10/23

Detailed Risk Analyses

• Definitions:– FMEA: a structured analytical technique which

determines relationships between basic element failure characteristics and the system failures

– Failure mode is how a failure manifests itself (system shuts down)

– Failure mechanism is why a failure occurs (defect in the transistor silicon)

04/10/23

Process Needs for a FMEA

• Prior risk analysis work to build on if available– System level harmful events will be analyzed to

see how component/assemblies may contribute to the harm cause

– System failure and degraded modes definitions• functional block diagrams may be needed for each

operating/failure mode

04/10/23

FMEA Process Needs

• a design solution, down to the component level, has been identified– failure modes of components are defined

• resistors fail open circuit, shorted, does the analysis include increasing or decreasing resistance?

• Component vendors may provide failure modes– open 30%, shorted 70%

• a complete understanding of the design solution

04/10/23

FMEA FormR

PART NAME FUNCTION FAILURE POTENTIAL CAUSE(S) P POTENTIAL EFFECT(S) S Detectability D P

(PART NUMBER) MODE OF FAILURE OF FAILURE N

RPN is an indicator of the need to take action: Probability*Severity*Detectability

Detectability helps to define if the user will be aware of the failure before the system effectmanifests itself

This form documents system level failure effects. Potential Effect of Failure can be defined atboth the local level and at the system level (would add a local level column).

For greatest utlility, add columns for action taken so problems indicated in the FMEA alsohave a resolution

04/10/23

FMEA Process

• At the appropriate level of system detail consider the first item– How can the item fail (failure modes) and why

• may be more than one cause for each failure mode

– for each mode of failure, what happens at the system level

– Estimate Probability, Severity, Detectability– If necessary, implement corrective measures

04/10/23

Q & A?

04/10/23

Conclusions

• Regulatory Agencies are requiring Risk Management processes

• International standards are being utilized to meet the requirements and standardize processes

• The analytical tools necessary to support a device risk management process exist today