The top event is an injury resulting from installation or operation of the device. Below the top event are two sub-events labeled operator injury and patient injury. Since either could produce the top event, they are combined using an OR gate. Under the operator injury branch, one potential scenario has been identified that involves having the device contaminated with a biohazard such as blood (the initiating event) and the operator not wearing gloves (the contributing event). Since both the initiating and contributing events must occur for an injury to take place, these events are combined using an AND gate.
If failure rates for each event on a fault tree are available or can be estimated from generic data, the top-event frequency can be calculated and compared to a company's internal risk-acceptability criteria. A fault tree is a powerful risk-analysis tool, but its greatest limitation is the availability of relevant failure data. Therefore, fault trees are generally best used to compare risks of various alternatives. The greatest benefit of a fault tree is that events that contribute most frequently to the top event can readily be identified, and mitigating measures can be focused on reducing the frequency of these events.
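The calculation described above, as an added example that is not part of the original text: a small fault-tree evaluator that builds the injury tree from the preceding paragraph (operator injury = contaminated device AND no gloves, OR patient injury), computes the top-event probability under the assumption that basic events are independent, ranks the basic events by how much the top-event probability would fall if each were eliminated, and compares the result with an acceptability criterion. All probabilities, the acceptance criterion (1e-3) and the single placeholder event standing in for the patient-injury branch are constructed values, not data from the text.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    probability: float  # probability per use (or frequency per year) of this event


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str                  # "AND" or "OR"
    inputs: Tuple[Node, ...]


Node = Union[BasicEvent, Gate]


def evaluate(node: Node) -> float:
    """Probability of a node, assuming its inputs are statistically independent."""
    if isinstance(node, BasicEvent):
        return node.probability
    probs = [evaluate(child) for child in node.inputs]
    if node.kind == "AND":          # all inputs must occur
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":           # at least one input occurs
        none_occur = 1.0
        for p in probs:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_tree(probs: Dict[str, float]) -> Gate:
    """The tree from the text. The patient-injury branch is a single
    constructed placeholder event, since the text develops only the operator branch."""
    return Gate("injury_from_device", "OR", (
        Gate("operator_injury", "AND", (
            BasicEvent("device_contaminated", probs["device_contaminated"]),
            BasicEvent("operator_without_gloves", probs["operator_without_gloves"]),
        )),
        BasicEvent("patient_injury", probs["patient_injury"]),
    ))


def top_event_probability(probs: Dict[str, float]) -> float:
    return evaluate(build_tree(probs))


def risk_reduction_worth(probs: Dict[str, float]) -> Dict[str, float]:
    """How much the top-event probability drops if each basic event is eliminated."""
    base = top_event_probability(probs)
    worth = {}
    for name in probs:
        trial = dict(probs)
        trial[name] = 0.0
        worth[name] = base - top_event_probability(trial)
    return worth


def rank_contributors(probs: Dict[str, float]) -> List[Tuple[str, float]]:
    """Basic events ordered by risk reduction worth (largest first, then by name)."""
    return sorted(risk_reduction_worth(probs).items(), key=lambda kv: (-kv[1], kv[0]))


def is_acceptable(probs: Dict[str, float], criterion: float) -> bool:
    return top_event_probability(probs) <= criterion


# Constructed figures for illustration only.
ACCEPTANCE_CRITERION = 1e-3
BASELINE = {"device_contaminated": 0.05, "operator_without_gloves": 0.02, "patient_injury": 0.0005}
# Same tree after a control (e.g. a glove-use prompt) that lowers the no-gloves event tenfold.
MITIGATED = {**BASELINE, "operator_without_gloves": 0.002}

if __name__ == "__main__":
    for label, probs in (("baseline", BASELINE), ("mitigated", MITIGATED)):
        print(label, round(top_event_probability(probs), 7),
              "acceptable" if is_acceptable(probs, ACCEPTANCE_CRITERION) else "NOT acceptable")
    print("dominant contributors:", rank_contributors(BASELINE))
```

The ranking is what the text calls the greatest benefit of a fault tree: with the constructed figures the two events under the AND gate dominate, so a control on either of them (here, the no-gloves event) brings the top event under the criterion, whereas the same effort on the patient branch would not.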
4. Procedure Analysis
Although HAZOP, FMEA, and FTA allow evaluation of human errors in design, operation, and maintenance of medical devices, it is often desirable to conduct a separate analysis focused on procedures. Typically, a what-if approach is used for this type of analysis. Procedures are grouped into process steps similar to the study sections used with HAZOP. Each process step is evaluated to determine whether an undesirable consequence could result from incorrect procedures.
Checklists are the simplest tools for conducting design reviews but are generally not sufficient. The true benefit of checklists is to support the other techniques described previously. For example, a checklist of potential hazards identified in previous reviews or from incidents associated with similar devices would be useful during a design review. After completion of the review, the checklist can be examined to ensure that the study evaluated all previously identified potential hazards. For example, during a HAZOP, possible human errors are evaluated; however, as a final check, a human-factors checklist is often used.
The risk analysis should include any risks associated with the manufacture and delivery of the device to its intended location. For devices that involve solutions or components that can be degraded by environmental factors (e.g., heat, humidity, cold, or light), storage and transportation methods need to be reviewed. Identified problems could lead to changes in packaging or warnings on storage or packaging containers.
It is important that any changes made during the design process be reviewed to ensure that safety hazards are not being introduced into the design. Small changes are generally reviewed using a what-if approach, whereas larger changes may require a HAZOP or FMEA.
A final design or prestart-up review should be conducted before starting production. Extensive checklists ensure that all design specifications have been met and all previous design review recommendations have been addressed. The final design review should also include a physical inspection of the device in its intended workspace (e.g., laboratory, hospital, doctor's office) to identify any issues not readily apparent from looking at drawings, such as location of vents and drains, accessibility for maintenance, pinch points, and sharp edges. A punchlist (findings or observations developed during a safety or design review) of final action items is typically generated and prioritized into items that need to be completed prior to start of production and others that can be incorporated into the next model.
Software used to control or monitor a medical device also needs to be reviewed. Software can be grouped into its primary functions (e.g., start-up, treatment, diagnostics, and maintenance) just as procedures can be grouped into process steps. Three generic sub-functions are evaluated for each primary function:
- Function: the software component does not perform its intended function correctly per its original design intent.
- Timing: the software component performs its function at the wrong time.
- Data: the software component performs its function using incorrect or corrupt data.
Software errors can produce unexpected consequences, particularly those that involve corrupt data or false alarms. It is important to have a means of detecting software errors or a means to detect the effects of software errors on a device. For example, a software error resulting in a failure of the alarm notification system would disable all alarm systems. Separate redundant alarms or interlocks on critical aspects of a device need to be considered.
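An added example, not code from the original text, of the redundancy the paragraph above calls for: a primary software alarm path for a hypothetical infusion pressure channel sits beside an independent interlock that does not rely on the alarm path working. The interlock classifies what it detects using the three generic sub-functions (data: a sample fails its integrity check; timing: a sample arrives after the channel's deadline; function: an alarm condition exists but the alarm path has stopped sending its liveness heartbeat) and additionally enforces a hard limit of its own. The thresholds, the sample series and the `broken` flag that models a silent alarm-path failure are all constructed for the example.

```python
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed thresholds for a hypothetical infusion pressure channel.
ALARM_LIMIT_KPA = 80.0        # primary software alarm threshold
INTERLOCK_LIMIT_KPA = 100.0   # independent hard limit enforced by the interlock
MAX_SAMPLE_INTERVAL_S = 1.0   # a later sample is a timing fault
MAX_HEARTBEAT_AGE_S = 2.0     # the alarm path must prove liveness this often


@dataclass(frozen=True)
class Sample:
    t: float      # seconds since start
    value: float  # pressure in kPa
    crc: int      # integrity check carried with the value


def checksum(value: float) -> int:
    return zlib.crc32(repr(value).encode())


def make_sample(t: float, value: float, corrupt: bool = False) -> Sample:
    crc = checksum(value)
    if corrupt:
        crc ^= 1  # simulate a value/CRC pair damaged in transit
    return Sample(t, value, crc)


class AlarmNotifier:
    """Primary (software) alarm path. broken=True models a software error
    that silently stops both notifications and the liveness heartbeat."""

    def __init__(self, broken: bool = False) -> None:
        self.broken = broken
        self.last_heartbeat = 0.0
        self.alarms: List[float] = []

    def process(self, s: Sample) -> None:
        if self.broken:
            return
        self.last_heartbeat = s.t
        if s.value > ALARM_LIMIT_KPA:
            self.alarms.append(s.t)


class Interlock:
    """Independent monitor. Records faults as (time, category, message) using
    the three generic sub-functions plus its own hard limit, and trips the
    device itself when the alarm path cannot be trusted."""

    def __init__(self, notifier: AlarmNotifier) -> None:
        self.notifier = notifier
        self.last_t: Optional[float] = None
        self.faults: List[Tuple[float, str, str]] = []
        self.tripped = False

    def check(self, s: Sample) -> None:
        if self.tripped:
            return
        # Data: never act on a value whose integrity check fails.
        if s.crc != checksum(s.value):
            self.faults.append((s.t, "data", "sample failed integrity check"))
            return
        # Timing: the sample arrived later than the channel's deadline.
        if self.last_t is not None and s.t - self.last_t > MAX_SAMPLE_INTERVAL_S:
            self.faults.append((s.t, "timing", "sample interval exceeded"))
        self.last_t = s.t
        # Function: an alarm condition exists but the alarm path shows no
        # recent heartbeat, so its silence cannot be taken as "no alarm".
        if s.value > ALARM_LIMIT_KPA and s.t - self.notifier.last_heartbeat > MAX_HEARTBEAT_AGE_S:
            self.faults.append((s.t, "function", "alarm path not live; tripping"))
            self.tripped = True
        # Hard limit enforced regardless of the software alarm's state.
        if s.value > INTERLOCK_LIMIT_KPA:
            self.faults.append((s.t, "limit", "hard limit exceeded; tripping"))
            self.tripped = True


def constructed_samples() -> List[Sample]:
    """Constructed sensor series: one corrupt sample, one late sample, then a rise past the alarm limit."""
    return [
        make_sample(0.0, 50.0),
        make_sample(0.5, 60.0),
        make_sample(1.0, 70.0, corrupt=True),
        make_sample(3.0, 85.0),
        make_sample(3.5, 90.0),
        make_sample(4.0, 95.0),
    ]


def run_scenario(broken_notifier: bool) -> dict:
    notifier = AlarmNotifier(broken=broken_notifier)
    interlock = Interlock(notifier)
    for s in constructed_samples():
        notifier.process(s)  # primary path runs first
        interlock.check(s)   # independent monitor reviews the same cycle
    return {"alarms": notifier.alarms,
            "faults": [category for _, category, _ in interlock.faults],
            "tripped": interlock.tripped}


if __name__ == "__main__":
    print("healthy alarm path:", run_scenario(broken_notifier=False))
    print("broken alarm path: ", run_scenario(broken_notifier=True))
```

With a healthy alarm path the interlock only records the data and timing faults and the software alarm fires as designed; with the alarm path silently broken, the interlock's function check notices that an alarm condition has gone unacknowledged and trips the device on its own, which is the effect a single-path design would miss.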
5. ISO 14971:2007
ISO 14971 is the specified standard for risk management used to demonstrate compliance with the risk management requirements of the Medical Devices Directive (MDD).
The standard addresses risk management for the patient, the operator, other parties, external equipment and/or the environment.
Risk Management Process
ISO 14971 requires the manufacturer to establish, document and maintain a risk management process for:
- Reviewing the intended use (intended purpose) of the medical device
- Identification of hazards (known and foreseeable)
- Estimation of the probability of occurrence of harm
- Estimation of the severity of each hazard and its harm
- Evaluation of associated risks (decision making)
- Control of these risks
- Monitoring of the effectiveness of these controls throughout the whole life-cycle of a medical device.
The risk management process does not end with the design and manufacturing process but also includes applicable sterilization, packaging, labeling, storage, handling/transport, distribution and market surveillance. The manufacturer shall apply risk management from the initial conception until the ultimate decommissioning and disposal of the product. Therefore, the gathering of post-production information is a required part of the process.
The latest version of ISO 14971:2007 (“Medical devices – Application of risk management to medical devices”) was approved on 5 December 2006 by the Association for the Advancement of Medical Instrumentation (AAMI) and on 1 February 2007 by the American National Standards Institute (ANSI). It was finally published in May 2007 as ANSI/AAMI/ISO 14971:2007.
All of the techniques described above have been successfully used in design reviews of medical devices. FTA is being used by pacemaker manufacturers based on FDA guidance for software aspects of 510(k) notification submissions for medical devices. Other computer-controlled medical devices will also need to be reviewed using FTA as a primary risk analysis tool.
For mechanical devices that are used away from the patient, such as plasma and blood viral inactivation devices, as well as devices for preparing intravenous solutions, an FMEA is a reasonable choice. However, for associated activities such as preparation of disposables, which are manual operations, a what-if approach is preferred.
The key to successful risk management in medical device design is to start early. As soon as conceptual designs are available, the risk management process can begin. A preliminary hazard analysis can be useful in selecting the concept with the highest level of inherent safety. Later, as the design is developed, design reviews at key points in the development process will allow changes to be made without significantly affecting the project schedule. The further along in the design process that changes are identified, the fewer choices are available to mitigate hazards without significant schedule implications.
Generally, risk management activities will identify opportunities to improve device performance. The benefits of conducting risk analysis during medical device design can be significant and can be used to offset some or all of the cost of implementing risk-mitigating measures. There is always a trade-off in how to manage risk. Hardware or software controls are generally viewed as more effective since they are more reliable than humans. However, since there is a need for human interaction in the operation of all medical devices, that element of risk needs to be adequately evaluated. Minimizing the level of routine human intervention will reduce risk and improve efficiency. Such risk reduction must be weighed against the cost of automating tasks that can be performed by individuals.