Risk management - TÜV SÜD UK
TRANSCRIPT
Risk Management in IEC 60601-1 3rd Edition
Presented by Alberto Paduanelli, Medical Devices Lead Auditor, MHS-UK, TÜV SÜD Product Service
– Time of presentation: 50-60 min.
– Questions & answers time at the end: 10 min.
– Entire webinar will be available for download from our website www.tuvps.co.uk. You will also find it on YouTube.
General Information
– Understanding the importance of Risk Management
– Understanding the RM requirements from the 60601-1:2006 point of view
– Provide a clear picture of what is required
– Basic view on the creation and content of a RMF
Goals
What is risk management?
Risk Management in 60601-1 3rd edition
Methods for the visualization and identification of harms
and hazards
Creating a RMF – Minimal Documentation
Common errors when creating a RMF
Content: Modules
What is Risk Management?
MODULE 1
• BS EN ISO 14971:2009 definition:
• Risk Management:
systematic application of management policies, procedures
and practices to the tasks of analysing, evaluating,
controlling and monitoring risk
• Risk:
combination of the probability of occurrence of harm and the
severity of that harm
Definition
Risks and associated measures are referred to in:
43 sections in the MDD
14 sections in the AIMDD
34 sections in the IVD
4 sections in the ISO 13485
35 sections in the CMDR
3 sections in the J-GMP
153 sections in 60601-1 3rd Edition
Risk in the centre of attention
Results of risk management:
• serve the definition and dimension of goods control
• influence the supplier evaluation activities
• deliver important inputs for the design process
• serve as criteria for the evaluation of design output
• show the necessity for design modifications
• serve the definition of process controls and the assigned
acceptance criteria
Why Risk Management ?
• Standards often define only the most important, absolutely
necessary measures.
• Standards are rarely up to date on technology.
• Standards have "typical" implementations in mind. Exotic concepts
may not be covered.
• Standards (often implicitly) assume a certain environment and
method of use.
• Standards often do not cover optional components of a product.
• Potential manufacturing problems are not covered by most safety
standards.
• Potential manufacturing failures are not covered in the safety
standards for active devices.
A risk analysis is necessary in any case!
But there are standards !!
• Standards
• Existing risk analyses of similar products
• Interviews with the design engineers
• Interviews with users of similar products
• Experience of the sales people
• Brainstorming in RA team
• Analysis of FDA Medical Device Reports and Incident Reports
(MAUDE database)
• Examination of existing risk mitigation measures; they often implicitly assume the presence of a hazard.
• Information from the field for similar products, e.g. service statistics,
complaints, incidents
• Annex C and E of ISO 14971
How to find the hazards:
Where to Start ?
Examples from ISO 14971:2009 annex E:
Electromagnetic energy: line voltage, leakage current, electric fields,
magnetic fields
Thermal energy: high temperature, low temperature
Mechanical energy: gravity, vibration, stored energy
Chemical: Exposure of airway, tissues, environment or property
Biocompatibility: Toxicity of chemical constituents
Use error: Attentional failure, memory failure, rule-based failure, knowledge-based failure, routine violation
Annex E can help !
– risk analysis
– risk evaluation
– risk control
– production and post-production information
All included in the Risk Management File.
Risk Management Process
Risk Management in 60601-1 3rd edition
MODULE 2
WHAT IS THE 3rd EDITION ?
• Introduction of risk management as an alternative method to
meet individual requirements of the standard and covering
risks not subject to a standard
• There are 1422 single requirements in the standard. 153
have a direct link to RM (key-words such as RMF,
unacceptable risk, etc.).
One of the Major Changes
• in specifying minimum safety requirements, provision is made for assessing the adequacy of the design PROCESS when this is the only practical method of assessing the safety of certain technologies such as programmable electronic systems.
• Application of this principle is one of the factors leading to introduction of a general requirement to carry out a RISK MANAGEMENT PROCESS. In parallel with the development of the third edition of IEC 60601-1, a joint project with ISO/TC 210 resulted in the publication of a general standard for RISK MANAGEMENT of medical devices. Compliance with this edition of IEC 60601-1 requires that the MANUFACTURER have a RISK MANAGEMENT PROCESS complying with ISO 14971 in place (see 4.2).
Also:
• Alternative method to meet individual requirements of the standard and covering risks not subject to a standard.
Why this major change?
3.107 RISK MANAGEMENT
systematic application of management policies,
PROCEDURES and practices to the tasks of analyzing,
evaluating and controlling RISK
4.2 RISK MANAGEMENT PROCESS for ME EQUIPMENT
or ME SYSTEMS
A RISK MANAGEMENT PROCESS complying with ISO
14971 shall be performed. (That’s the requirement!!)
Clause and Definition
• A RISK MANAGEMENT PROCESS complying with ISO 14971 shall be
performed.
• Compliance is checked by inspection of the RISK MANAGEMENT FILE.
The requirements of this clause and all requirements of this standard
referring to inspection of the RISK MANAGEMENT FILE are considered
to be satisfied if the MANUFACTURER has:
– established a RISK MANAGEMENT PROCESS;
– established acceptable levels of RISK; and
– demonstrated that the RESIDUAL RISK(S) is acceptable (in
accordance with the policy for determining acceptable RISK).
Important To Remember
NOTE:
Where requirements of this standard refer to
freedom from unacceptable RISK, acceptability
or unacceptability of this RISK is determined by
the MANUFACTURER in accordance with the
MANUFACTURER’S policy for determining
acceptable RISK.
Important To Remember
• The RMP shall be performed by a team of different experts (e.g. physicians, hardware experts, software experts, ...).
• For new products, the RMP must be conducted at the start of designing the product. Retrospective RMP is NOT the correct method.
• The RMP is an ongoing process over the whole life cycle (think Environment / Recycle as end of life?)
• The initial risk is evaluated without any safety means used.
Remember the Rule of 10: Costs to correct failures increase by a factor of 10 between successive stages of product realization: Idea // design // planning production // production // end tests // On the market.
FACTS !
• The standard itself can already be regarded as a generic risk analysis including countermeasures. If the standard specifies concrete limits for certain clauses, then care shall be taken if RMP is used to tailor (adjust) these standard limits.
• The overall residual risk shall be evaluated and documented in the RMF. The overall residual risk is the risk for all single risks combined. It may be that each single risk evaluated alone is accepted, but because too many single risks are at the borderline to the intolerable area, the overall residual risk cannot be accepted.
FACTS !
In applying ISO 14971:
– The term “fault conditions” referred to in ISO 14971 shall include,
but shall not be limited to, SINGLE FAULT CONDITIONS identified in
this standard.
– The policy for determining acceptable RISK and the acceptability of
the RESIDUAL RISK(S) shall be established by the MANUFACTURER.
– Where this standard or any of its collateral or particular standards
specify verifiable requirements addressing particular RISKS, and
these requirements are complied with, the RESIDUAL RISKS
addressed by these requirements shall be presumed to be
acceptable unless there is OBJECTIVE EVIDENCE to the contrary.
Risk Management within the 60601-1:2006
Compliance is checked by inspection of the RISK
MANAGEMENT FILE. The requirements of this clause and all
requirements of this standard referring to inspection of the
RISK MANAGEMENT FILE are considered to be satisfied if
the MANUFACTURER has:
– established a RISK MANAGEMENT PROCESS;
– established acceptable levels of RISK;
– demonstrated that the RESIDUAL RISK(S) is acceptable
(in accordance with the policy for determining acceptable
RISK).
Compliance
• The IEC 60601-1:2006 requires RMP in the following 3
situations:
1. A completely new hazard is identified, which is not
addressed in the standard:
- In such a case RMP is a MUST.
- Examples: New techniques are developed (innovation).
When is Risk Management required?
2. If a clause refers to RMP, then it is justified by the standard
to use RMP to tailor (adjust) the standard requirements concerned
to the DUT (device under test). In plain words: the RMP shall be
conducted OR the defined technical standard requirements must be
exactly fulfilled.
- Example: Clause 8.4.2.c (2Ed.: 16.e): here accessible
voltages, e.g. 24Vdc, could maybe be justified by RMP for
home use (e.g. at a ceiling hoist – accessible current bus-bar),
where it is ensured that the PATIENT has no catheters
(intact skin) and can be regarded as comparable to an
OPERATOR.
When is Risk Management required?
3. The clause does NOT refer to RMP:
- Example: Clause 8.6.6: The PE contact in a detachable socket
shall make contact before, and be interrupted after, the supply
connections are contacted or interrupted.
At first sight it appears that RMP would NOT be possible,
because RMP is not mentioned in this subclause 8.6.6.
However clause 4.5 (Equivalent safety) is always possible !!!
When is Risk Management required?
4.5 Equivalent safety for ME EQUIPMENT or ME SYSTEMS
Where this standard specifies requirements addressing particular
RISKS, alternative means of addressing these RISKS are acceptable
provided that the MANUFACTURER can justify that the RESIDUAL
RISKS that result from applying the alternative means are equal to or
less than the RESIDUAL RISKS that result from applying the
requirements of this standard.
Compliance is checked by inspection of the RISK MANAGEMENT
FILE.
(It must be pointed out that verification of compliance is here too
linked to RMP, but additional evidence about equivalent safety is
required).
Equivalent Safety Concept
4.5 Equivalent safety for ME EQUIPMENT or ME SYSTEMS
If the RESIDUAL RISK is greater than the RESIDUAL RISK achieved
by applying the requirements of this standard, the ME EQUIPMENT or
ME SYSTEM cannot be regarded as complying with this standard,
even if the RESIDUAL RISK is fully justified by other considerations
such as the clinical benefit to the PATIENT.
In such a case standard compliance is only given if:
- The RMP is done adequately and additionally
- Equivalent safety is reached.
That means: It is permitted to deviate from given standard limits (e.g.
certain creepage distance values), but it is forbidden to deviate from the
RESIDUAL RISK level of the standard in the more risky direction.
Equivalent Safety Concept
Changes of the defined pass/fail criteria of certain standard
requirements can NOT be justified by RMP alone, but
also need to be supported by equivalent safety.
• Example: To show objective evidence that the RESIDUAL RISK of the
standard is not tailored if e.g. 7,5 mm creepage is accepted instead of 8,0
mm may be difficult, because of the 7,5 mm. However, objective
evidence could be supported by:
- Performing additional specific tests
- Using alternative safety features for risk reduction.
- Other methods.
This indeed means that a comparison of RISK levels must be
done in addition to RMP. Comparing the RISK levels is only
possible by evaluation of the RMF!
Equivalent Safety Concept
That means in clear words:
The manufacturer can NOT determine the RESIDUAL RISK level as
he likes; rather, the manufacturer is at least bound to the current
values of society. In the case of defined pass/fail criteria in the 60601-1
and no link to RMP, the manufacturer is even bound to the RISK level
predefined in the standard itself (equivalent safety).
Current values of society = the state of the art !
The state of the art = how the majority of the worldwide experts
(not a few article writers or a few test houses only!) would judge
the case!
The state of the art is how the majority of users handle it
(Example: EMC of medical systems configured in hospitals).
Equivalent Safety Concept
• Checking projects for compliance with EN 60601-1:2006 (incl. applicable
collateral and particular standards) requires a 100% verification of all
applicable clauses of that standard. This includes all those clauses
which refer to RM.
• If the manufacturer deviates from any of the verifiable requirements of
the standard, he must demonstrate equivalent safety (see clause 4.5),
usually the outcome of the risk management process, to be verified by
the test house.
• For new hazards, e.g. associated with innovative technology, the
manufacturer has the duty to include them in his risk management
process and also has to work with the test house for proper verification.
Clause 4.5 is not applicable for such hazards.
Your RMF under scrutiny
• Tailoring (adjusting) the requirements of the standard to the
specific device is possible as long as the RMP is done
according to the rules required by ISO 14971 and IEC
60601-1.
Initial Conclusion
“Product certification (testing) according to the 3rd Edition means that
the product needs to be tested in a test laboratory and additionally an
audit according to ISO 14971 must be conducted at the manufacturer's
facility.”
Answer:
The concerned standard clause is 4.2 “RISK MANAGEMENT
PROCESS”. Within the “compliance” section it is written:
“Compliance is checked by inspection of the RISK MANAGEMENT
FILE.”
It is NOT allowed to substitute the standard's words:
- inspection with audit, and
- FILE with PROCESS.
That means: According to the standard, only the outcome of an RM-PROCESS
(= this is solely the RM-FILE) will be evaluated.
RESULT: NO on-site audit required!!!
Confusion on the market
• RMP alone can be used where a clause in 60601-1 refers to RM or a
totally new hazard is handled.
• The RMP must be conducted according to ISO 14971. Risk Evaluation must be
based on the current values of society. This means that the manufacturer
is not free to lower the safety level by increasing the level of acceptable
Risk so much that the current values of society are violated. See 3.2, 3.3 of
ISO 14971.
• In case of using the ALARP concept: If a Risk is in the ALARP region, then
the Risk must be reduced to a level as low as reasonably practicable
(ALARP) and additionally the Risk/Benefit ratio must be evaluated.
• In case of Equivalent Safety: in addition to fulfilling the current values of
society (1) and fulfilling the Risk/Benefit ratio (2), the remaining Residual
Risk level must be equal to or less than (3) the Residual Risk level of applying
the specific requirement of 60601-1.
Final Conclusion
Evaluating the RMF is required for:
- the MDD (CE commission)
- CB-scheme (IECEE).
The 3rd Edition does NOT change the role of
Notified Bodies, because they are bound by EU law
more than by a standard !
Also Don’t Forget...
Methods for the visualization and
identification of harms and hazards
MODULE 3
[Diagram: system broken down into system element 1 (with sub-system elements 1.1 and 1.2), system element 2 and system element 3]
System elements: description of the functions: function / negated function
System elements can be replaced by requirements or features of the device!
Additional information: IEC 61025
Why could this function fail? E.g. by systematic HAZOP approach
System Analysis - HAZOP
• loss of blood
• air infusion
• damage of vascular system
• wrong blood temperature
• hemolysis
Harm Analysis
Failure blood heating
  Temperature sensor defect
    Short circuit
    Cold soldering point
  Heating does not work
    Heating wire broken
    No energy
  ADC delivers wrong values
    High noise
    Wrong reference voltage
Additional information in IEC 61025
Fault Tree Analysis
[Diagram: fishbone with main causes and sub causes leading to the problem; branches: measurements, materials, machines, personnel, methods, environment]
Ishikawa – Fishbone Diagram
[Diagram: black box with inputs (keyboard, mouse) and outputs (command to device, screen output)]
Possible hazards:
• outputs not generated
• false outputs generated
Black Box
Use a team to find impulsive words, e.g.: stress, panic, patient, confusion, weather
Other sources:
• ISO 14971 Annex C/D
• IEC 60601-1-6
Impulsive Words
Interface Analysis
Question: What can be done to disable the system or harm the patient and how?
• disconnect the bubble detector
• increase the pump speed to maximum
• implement sharp edges to cause hemolysis
Sabotage
FMEA: Failure mode and effects analysis
• a method to identify hazards
• a method used for structuring and evaluating risks
(similar to ISO 14971)
here
FMEA
• production failure: wrong glue
• key-board not waterproof
• water comes in during cleaning
• contact through water
• bolus executed
FMEA Example
FMEA in Production
| Process step / component | # | Failure | Harm | Root cause | A | S | E | RPN | Risk control | A | S | E | RPN |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Packaging | | Insufficient steam penetration | Infection by non-sterile product | Wrong packaging material | 6 | 10 | 8 | 480 | Packaging validation | 1 | 10 | 8 | 80 |
| Temperature control | | Temperature sensor defective | Blood heating | No contact | 5 | 10 | 10 | 500 | Final testing + 100% visual inspection | 5 | 10 | 1 | 50 |
A: Occurrence; S: Severity; E: Detectability;
RPN: Risk Priority Number
FMEA Example
Top down: hazard analysis (PHA), fault-tree analysis (FTA), Ishikawa, impulsive words, system analysis (HAZOP)
Bottom up: system analysis (HAZOP), black box, interface analysis, FMEA (as defined)
[Diagram axis: intended use, function, patient at one end; realization at the other]
Differentiation
[Diagram: turtle diagram of a process with Input, Output and Requirements, surrounded by the questions "With what?", "With whom?" and "How?"]
• Instructions
• Procedures
• Methods
• Training
• Knowledge
• Abilities
• Performance indicators
• Equipment
• Installation
Turtle – For Processes
Material resources – with what (equipment, material): reflow soldering oven; soldering paste
  Process risks: function of the oven; calibration; paste specs
Human resources – who (training, knowledge): craftsman electrical engineering; special briefing for the oven
  Process risks: no or insufficient instruction
Inputs: PCB with paste and components; soldering programme
  Process risks: PCB without paste; missing components; wrong soldering programme
Outputs: soldered PCB; protocol of the oven
Performance indicators: wrong soldering points
Know-how – how (instructions, procedures, methods): Instruction „Soldering with our reflow oven“; component specs
  Process risks: old work instruction; component specification wrong; component specification not available
Turtle (for processes)
Creating a RMF - Minimal Documentation
MODULE 4
Intended use
Describe your device such that it is obvious who will use your device
what for and how.
Risk management plan
When, what, how something should be done by whom?
Scope
Describe for which part of the product life cycle the risk management file
is valid.
Definitions
What is…?
Qualification
Who was involved in risk management (development, doctor etc.)?
Minimal File
Severity and probability
Provide categories for severity and probabilities (including examples).
Acceptance matrix
Define the acceptance matrix (severity vs. probability). Include the
acceptable risk in your considerations.
Table
List the risks in a table with the following columns: harm, cause, severity
before measures, probability before measures, risk acceptance before
measures, risk mitigation measures including links to specifications and
verifications, severity after measures, probability after measures and risk
acceptance after measures.
Minimal File
Explanation for exceptional decisions
Exceptional decisions have to be explained!
Acceptance matrix before and after mitigations
Fill out the matrix with the number of risks in each field before and after
mitigations.
Assessment of the overall remaining risk
Assess the overall remaining risk using the acceptance matrix after
mitigations. It might be worth calculating the number of injuries/deaths
according to your matrix.
Production and post production information
How is the interface to production governed, and how is the information
from the field (production, service, installation, user etc.) fed back?
Risk management report / approval
Minimal File
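The register, acceptance matrix and overall-residual-risk steps listed above, as an added example that is not part of the original presentation: a small Python model that looks each risk up in the matrix (rather than multiplying ranks), counts risks per field before and after measures, and flags a file where every single risk passes but most sit in the ALARP region. The categories, the matrix contents, the register rows and the 50% ALARP share limit are constructed assumptions; the manufacturer's own policy defines the real ones.

```python
from collections import Counter

# Assumed categories and acceptance matrix; the manufacturer's policy sets the real ones.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
# One string per probability row, one letter per severity column:
# A = acceptable, L = ALARP region, U = unacceptable.
MATRIX = {
    "improbable": "AAALL",
    "remote":     "AALLU",
    "occasional": "ALLUU",
    "probable":   "ALUUU",
    "frequent":   "AUUUU",
}

# Constructed register rows: harm, cause, severity and probability before measures,
# risk mitigation measure, severity and probability after measures.
REGISTER = [
    ("wrong blood temperature", "temperature sensor defect", "critical", "occasional",
     "final testing + 100% visual inspection", "critical", "improbable"),
    ("air infusion", "bubble detector disconnected", "catastrophic", "remote",
     "pump stops when detector signal is lost", "catastrophic", "improbable"),
    ("hemolysis", "pump speed set to maximum", "serious", "occasional",
     "speed limit enforced in hardware", "serious", "improbable"),
    ("loss of blood", "tubing connector loosens", "critical", "remote",
     "locking connector", "critical", "improbable"),
]

def accept(severity, probability):
    """Look the verdict up in the matrix; the two ranks are never multiplied."""
    return MATRIX[probability][SEVERITY.index(severity)]

def matrix_counts(register, after):
    """Number of risks per (probability, severity) field, before or after measures."""
    i = 5 if after else 2
    return Counter((row[i + 1], row[i]) for row in register)

def verdict_counts(register, after):
    """Number of risks per acceptance verdict, before or after measures."""
    totals = Counter()
    for (probability, severity), n in matrix_counts(register, after).items():
        totals[accept(severity, probability)] += n
    return totals

def overall_residual(register, alarp_share_limit=0.5):
    """Overall residual risk; the ALARP share limit is an assumed policy value."""
    after = verdict_counts(register, after=True)
    if after["U"]:
        return "unacceptable"
    if after["L"] / len(register) > alarp_share_limit:
        return "borderline-heavy"  # each risk passes alone, the sum needs review
    return "acceptable"

def product_conflicts():
    """Rank products (1..5 times 1..5) that fall on more than one verdict."""
    seen = {}
    for p, probability in enumerate(PROBABILITY, 1):
        for s, severity in enumerate(SEVERITY, 1):
            seen.setdefault(p * s, set()).add(accept(severity, probability))
    return sorted(product for product, verdicts in seen.items() if len(verdicts) > 1)

if __name__ == "__main__":
    print("after measures:", dict(verdict_counts(REGISTER, after=True)))
    print("overall residual risk:", overall_residual(REGISTER))
```

With this assumed matrix, rank products 4 and 5 each map to both an acceptable and an ALARP field, which is why a single multiplied score cannot stand in for the matrix.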
Common Errors when Creating a RMF
MODULE 5
• Assess only the risks associated to the BIG issues
• Do a RMF retrospectively
• Not looking at residual risks
• No conclusion
• Associate ALARP to the meaning of “Acceptable” or “no actions involved”
• Thinking that Probability of Occurrence and Severity must always be multiplied
• Not involving experienced/specialist personnel with regard to the
process/product
• Not keeping the RMF a “live” document
• Using the RMF as an “escape route” to product re-design, improvements, CAPA,
etc...
• Not looking at the worst case scenario
• Make the RMF look good so that the auditor is happy !
Common Errors
Alberto Paduanelli
Medical Devices Lead Auditor, MHS-UK
TÜV SÜD Product Service
Tel: +44(0)1489 558219
www.tuvps.co.uk