This fourth article in our series on risk management for medical devices focusses on a practical aspect: the identification of risks. For most devices we can quickly think of the obvious risks, though not always. But how do we make sure that we have not forgotten any significant risks without getting lost in petty detail? This much in advance: there is room for manoeuvre.

Risk identification is a multi-stage process based on guidance that is given to us by standards. Some of these are long lists, which are fun because usually only a small part of them apply.

Introduction and delimitation

We basically follow the process as described in DIN EN ISO 14971:2022-02.
This blog post covers the chain up to the determination of damage, but does not yet take into account the probability of occurrence and severity of damage. This will be the subject of a future post on risk assessment.

Let’s first look at the terms as defined in the standard:

  • Harm: injury or damage to human health, or damage to property or the environment
  • Hazard: potential source of harm
  • Hazardous situation: circumstances in which people, property or the environment are exposed to one or more hazards

Consequently, the aim is to link sources of damage via possible sequences of events with possible hazardous situations and subsequent damage.

Risk identification according to DIN EN ISO 14971

The first step in risk identification is therefore to determine the hazards (sources of damage). But where do these come from and how can we identify them in a meaningful way? The standard offers a selection of hazards (more on this later), but which of them apply? This is where a systematic examination of the product from different angles can help.

Hazard

There are various approaches for determining or categorising hazards. ISO 14971 (Table C.1) follows the approach of starting from a (simplified) physical quantity and then identifying circumstances through which it can develop its effect into damage. This physically based risk analysis is usually easier for developers to handle than other approaches. Measures generated from this, which have an effect via the physical variables, are usually easier to control and easier to prove than user-related measures.

However, you should remain consistent in your categorisation: if the insulation of a cable is damaged by continued vibration at a sharp edge and the user or patient subsequently experiences an electric shock, then the hazard is not vibration or shear forces, but the mains voltage, as this is the potential source of harm (see definitions).

A preselection of potential hazards can be derived from the functionality of a medical device.

Clinical functions, essential performance features, safety-relevant characteristics

In order to gain an overview of the hazardous situations, it is useful to look at the functions and characteristics of the medical device. They are usually located in the middle of the chain of events: they are neither the cause or hazard, nor the actual hazardous situation. But they do give us strong indications:

  • Where to look for hazards. The following key questions help us to do this:
    • What could lead to the functional failure?
    • Which physical variable could have a dangerous effect?
  • What hazardous situations are lurking? This can be well supported by:
    • evaluating the product life cycle phases (e.g. construction, shipping, operation, service, disposal)
    • a step-by-step walkthrough of the intended use (e.g. device preparation, use on patients, dismantling, disposal of consumables)
    • the perspectives of the persons involved (e.g. user, patient, service technician)

Firstly, it makes sense to start from the clinical functions of a medical device when identifying event sequences. Unusually, there is no real definition of ‘clinical function’ in the standards. In purely practical terms, the question must be asked and answered: Which functions of the medical device are required to fulfil the (medical) intended purpose?

For example, automatic dimming of a display after a longer period of non-use may not be a necessary function, but it is certainly necessary that the display shows all relevant values clearly and legibly on request, i.e. that the dimming is cancelled.

The part of the clinical functions whose loss or deterioration leads to an unacceptable risk thus becomes the ‘essential performance feature’ to which special attention must be paid in the subsequent risk mitigation process.

This brings us to the second source of functions to be considered, which are explicitly named as essential performance characteristics in particular standards. They can be found in the standards of the IEC 60601-2-xy and IEC/ISO 80601-2-xy series in chapter 201.4.3 or reference is made there to the corresponding chapters.

Thirdly, the applicable standards also often contain explicit references to topics that should be assessed in risk management. Almost every time risk management is mentioned there, the context provides a more or less specific reason to identify risks for your own product.

The fourth source of event sequences is the analysis of reasonably foreseeable misuse. It takes a more comprehensive look at the entire application process of the medical device and the misuse that can be derived from typical human behaviour. For an initial risk analysis, it is usually sufficient to consciously run through the product life cycle. At a later stage, the analysis should be supplemented by the results of the usability process with regard to use errors and use difficulties.

Last but not least, ISO/TR 24971 provides a list of questions in Annex A.2 that help us to analyse the medical device and its safety-relevant characteristics. They are largely complementary to the purely clinical functions and help to gain a reasonably comprehensive picture of the risks. The list is best processed in tabular form, supplemented by at least one comment or explanation column.

Sequence of events and hazardous situation

Now that possible malfunctions have been identified, they can be linked to hazards and hazardous situations via event sequences. We therefore construct causal chains of events that lead from a hazard as an effect variable to hazardous situations.

It may be the case that no hazardous situation can be determined for certain malfunctions/event sequences. This should nevertheless be explicitly documented so that there is proof that this case was considered.

The event sequences are best written in list form and numbered so that the sequence is easily recognisable. Risk control measures to be defined later can thus also be assigned to individual steps in the sequence of events.

The following can serve as a guide: if a prerequisite must first be fulfilled in a sequence of events for the hazard to take effect, this prerequisite should often be addressed as the first step in the sequence of events. To return to the previous example: Laying cables over a sharp edge is such a prerequisite and should therefore be at the very beginning of the sequence of events. This is followed by vibrations, which then lead to the hazardous situation of exposed live conductors.

The sequence of events should be formulated in such a way that

  • the circumstances that lead to the hazardous situation become clear and
  • probabilities for the occurrence of the hazardous situation can be derived.

Concrete formulation and comprehensibly small individual steps are therefore useful.

The hazardous situations can be regarded as the last (separately named) step in the sequence of events before damage actually occurs. This is recommended:

  • Formulate hazardous situations so specifically that the transition to actual harm is logical. This is also against the background that the probabilities of occurrence can then be better defined.
  • Trying to get by with as few hazardous situations as possible is understandable, but not advantageous.
  • The use of rather generic designations of hazardous situations (e.g. ‘fire’) is not recommended. It is better to specify what exactly is meant (e.g. burning of a component without further effects, appliance burns and ignites objects in the vicinity, …).
  • Different sequences of events can certainly lead to the same hazardous situation, just as several hazardous situations can arise from one sequence of events. However, this occurs more frequently between hazardous situations and damage.

We like to use the transition from the technical to the medical field as a mental aid for differentiating between hazardous situations and damage. At least in the case of basic risks, it can be said that the sequence of events leading up to the hazardous situation primarily takes place in a technical area, i.e. the failure of components or functions means that a person (patient, user) may be exposed to the hazard (e.g. mains voltage). The damage is then of a medical nature (heart failure, pain, etc.).

The advantage of this approach is that the development teams can work well up to the hazardous situation and medical experts only need to be called in for the final step.

This applies in a modified form to environmental risks, for example.

There are limitations to this method in the case of indirect risks, e.g. diagnostic systems. Here you have to consider carefully in advance whether you want to regard the incorrect measured value or the doctor’s incorrect decision based on it as a hazardous situation.

Damage

Damage should be formulated in such a way that it can be assigned to the damage classes (see previous blog post ‘Risk management for medical devices according to ISO 14971:2019 – Risk acceptance criteria’). For example, it is difficult to assign a damage class to a ‘cut injury’. A subdivision into, for example, ‘superficial cut’, ‘deep cut into the muscle’, ‘cut with loss of a finger’ is much more meaningful. Such differentiated damage patterns also make the causal chains easier to understand and the subsequent assessment of probabilities of occurrence simpler.

  • Formulate each damage precisely and in a differentiated way! A superficial cut on the finger and a deep cut on the inner thigh occur with different frequencies and represent different degrees of damage!
  • A hazardous situation can lead to multiple injuries: include all significant injuries separately.
  • Make sure you really name the damage! The electric shock is the hazardous situation, the damage is the superficial burn, cardiac arrest or tingling.

Examples

| No. | Hazard | Event sequence | Hazardous situation | Damage |
|-----|--------|----------------|---------------------|--------|
| 1 | High voltage | 1. Cable runs over sharp edge; 2. Cable insulation is chafed by vibration; 3. Mains voltage is applied to the housing; 4. User touches housing | User experiences electric shock with mains voltage | 2nd degree burns at the current entry and exit points; Short-term painful muscle spasm; Ventricular fibrillation |
| 2 | Vibration | 1. Balancing weight on rotating component loosens; 2. Device vibrates | Application of force to the patient’s hand | Wrist sprain |
| 3 | Vibration | 1. Vehicle drives on paved road; 2. Vibrations are transmitted to the appliance handles | Application of force to the patient’s hand | Wrist sprain |
| 4 | Vibration | 1. Intensive mechanical pulse operation; 2. Transmission as vibration to the handles | Application of force to the patient’s hand | Wrist sprain |
| 5 | Bacteria | 1. Bacteria adhere to the tube; 2. User touches hose with hand; 3. User brings hand to mouth | User comes into oral contact with bacteria | Severe stomach disease; Inflammation of the oral mucosa |

And now what?

This article has covered basic procedures for identifying risks in medical devices. Depending on the development phase, the progress of product development, the system architecture level under consideration and the thematic focus, further methods are used. These simplify the identification of risks and help to fully process this important risk management activity. We will look at all of this in the next blog post on risk management.

Please note that all details and lists are not intended to be exhaustive, are not guaranteed and are provided purely for information purposes.