Case Study - Risk Management for Medical Devices (Based on ISO 14971)

Vaishali Hegde, Philips Respironics

Key Words: risk, ISO 14971, medical devices, CPAP

SUMMARY

Medical device manufacturers are responsible for ensuring that their medical products are safe. However, safe does not mean zero risk. A safe product is one that has reasonable risks, given the magnitude of the benefit expected and the alternatives available. Medical device manufacturers, the Food and Drug Administration (FDA) and medical device users have an important role to play in maintaining this risk-benefit balance, by making sure that products are developed, tested, manufactured, labeled, prescribed, dispensed, and used in a way that maximizes benefit and minimizes risk.

The FDA approved ISO14971 standard specifies a risk management process by which a manufacturer can identify the hazards associated with their medical device, estimate and evaluate the risks, control these risks, and monitor effectiveness of the controls, through-out the lifecycle of the product. The main elements of the risk management process, i.e. risk analysis, risk evaluation, risk control and post-production information, are generally documented in a risk management file.

This risk management file is required to get FDA approval to market a medical device (prior to product launch). It is also useful after product launch to perform post-market risk assessments and make decisions on whether field action is needed in case of the occurrence of an adverse event.

This paper describes a risk management process, an overview of risk management activities (13 steps) outlined in ISO14971, and an example of a risk management program for a Continuous Positive Airway Pressure (CPAP) medical device used to treat Obstructive Sleep Apnea (OSA).

1 INTRODUCTION

The international standard, “ANSI/AAMI/ISO 14971:2007 Medical devices-Application of risk management to medical devices”, specifies a process for a medical device manufacturer to identify the hazards associated with medical devices, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the control [1]. A schematic representation of the risk management process is given in Fig 1 [2].

2 OVERVIEW OF RISK MANAGEMENT ACTIVITIES (13 STEPS)

An overview of risk management activities (13 steps

outlined in ISO14971 standard), performed in the different phases of the risk management process (i.e. risk analysis, risk evaluation, risk control and post-production information phase), is given below [2]. Results/output of all these activities is documented in the risk management file.

Fig1 – Schematic representation of risk management process

2.1 Risk Analysis (Step 1, 2 and 3)

• Intended use/intended purpose and identification of characteristics related to the safety of the medical device (Step 1)

For the particular medical device or accessory being considered, the manufacturer shall describe the intended use/intended purpose and any reasonably foreseeable misuse. The manufacturer shall list all those qualitative and quantitative characteristics that could affect the safety of the medical device and, where appropriate, their defined limits. One way of doing this is to ask a series of questions concerning the manufacture, use, and ultimate disposal of the medical device. A list of questions that can aid the reader in identifying all the potential hazards of the medical device being analyzed is given in Annex A of the standard.

978-1-4244-8856-8/11/$26.00 ©2011 IEEE

• Identification of known or foreseeable hazards (Step 2) The manufacturer shall compile a list of known or foreseeable hazards associated with the medical device in both normal and fault conditions. Previously recognized hazards shall be identified. • Estimation of the risk(s) for each hazard (Step 3) For each identified hazard, the risk(s) in both normal and fault conditions shall be estimated using available information or data. Any system used for qualitative or quantitative categorization of probability estimates or severity levels shall be recorded in the risk management file.

2.2 Risk evaluation (Step 4)

For each identified hazard, the manufacturer shall decide, using the criteria defined in the risk management plan, if risk reduction is required. The results of this risk evaluation shall be recorded in the risk management file.

2.3 Risk control (Steps 5 to 10)

When risk reduction is required, the manufacturer shall follow the process specified in Step 5 to Step 10 to control the risk(s) so that the residual risk(s) associated with each hazard is judged acceptable. • Option analysis (Step 5) The manufacturer shall identify risk control measure(s) that are appropriate for reducing the risk(s) to an acceptable level. Risk control shall consist of an integrated approach in which the manufacturer shall use one or more of the following in the priority order listed:

a) inherent safety by design; b) protective measures in the medical device itself or in

the manufacturing process; c) information for safety.

• Implementation of risk control measure(s) (Step 6) The manufacturer shall implement the risk control measure(s) selected in step 5. The measure(s) used to control the risks shall be recorded in the risk management file. The effectiveness of the risk control measures shall be verified and the results of the verification shall be recorded in the risk management file. Implementation of the risk control measures shall be verified. This verification shall also be recorded in the risk management file. • Residual risk evaluation (Step 7) Any residual risk that remains after the risk control measure(s) are applied shall be evaluated using the criteria defined in the risk management plan. The results of this evaluation shall be recorded in the risk management file.

If the residual risk does not meet these criteria, further risk control measures shall be applied (see step 5). If the residual risk is judged acceptable, then all relevant information necessary to explain the residual risk(s) shall be placed in the appropriate accompanying documents supplied by the manufacturer. • Risk/benefit analysis (Step 8) If the residual risk is judged unacceptable using the criteria established in the risk management plan, and further risk control is impractical, the manufacturer shall gather and

review data and literature on the medical benefits of the intended use/intended purpose to determine if they outweigh the residual risk. If this evidence does not support the conclusion that the medical benefits outweigh the residual risk, then the risk remains unacceptable. If the medical benefits outweigh the residual risk, then proceed to Step 9. Relevant information necessary to explain the residual risk shall be placed in the appropriate accompanying documents supplied by the manufacturer. The results of this evaluation shall be recorded in the risk management file. • Other generated hazards (Step 9) The risk control measures shall be reviewed to identify if other hazards are introduced. If any new hazards are introduced by any risk control measures, the associated risk(s) shall be assessed. The results of this review shall be recorded in the risk management file. • Completeness of risk evaluation (Step 10) The manufacturer shall assure that the risk(s) from all identified hazards have been evaluated. The results of this assessment shall be recorded in the risk management file.

2.4 Overall residual risk evaluation (Step 11)

After all risk control measures have been implemented and verified, the manufacturer shall decide if the overall residual risk posed by the medical device is acceptable using the criteria defined in the risk management plan. If the overall residual risk is judged unacceptable using the criteria established in the risk management plan, the manufacturer shall gather and review data and literature on the medical benefits of the intended use/intended purpose to determine if they outweigh the overall residual risk. If this evidence does not support the conclusion that the medical benefits outweigh the overall residual risk, then the risk remains unacceptable. The results of the overall residual risk evaluation shall be recorded in the risk management file.

2.5 Risk management report (Step 12)

The results of the risk management process shall be recorded in a risk management report. The risk management report shall provide traceability for each hazard to the risk analysis, the risk evaluation, the implementation and verification of the risk control measures, and the assessment that the residual risk(s) is acceptable. The risk management report shall form part of the risk management file.

2.6 Post-production information (Step 13)

The manufacturer shall establish and maintain a systematic procedure to review information gained about the medical device or similar devices in the post-production phase. The information shall be evaluated for possible relevance to safety, especially the following:

a) if previously unrecognized hazards are present; b) if the estimated risk(s) arising from a hazard is no

longer acceptable; c) if the original assessment is otherwise invalidated.

If any of the above conditions are met, the results of the evaluation shall be fed back as an input to the risk

management process. In the light of this safety relevant information, a review of the appropriate steps of risk management process for the medical device shall be considered. If there is a potential that the residual risk(s) or its acceptability has changed, the impact on previously implemented risk control measures shall be evaluated.

3 CASE STUDY

An example of a robust risk management program, based on ISO14971, for a Continuous Positive Airway Pressure (CPAP) medical device used to treat Obstructive Sleep Apnea (OSA) is discussed below.

3.1 What are OSA and a CPAP device?

Obstructive sleep apnea (OSA) occurs when the upper airway becomes narrow as the muscles relax naturally during sleep and the airway collapses causing repeated arousal from sleep. Airway collapse may be due to such factors as a large tongue, extra tissue in the airway, or decreased muscle tone holding the airway open. As a result, air is prevented from getting into the lungs. This reduces oxygen in the blood and causes arousal from sleep. The CPAP (continuous positive airway pressure) machine stops this phenomenon by delivering a stream of compressed air via a hose to a nasal mask, splinting the airway (keeping it open under air pressure) so that unobstructed breathing becomes possible. This results in reducing and/or preventing apneas and hypopneas resulting in a good night’s sleep for the user. OSA afflicts 20 million adult men and women in the United States. Fig 2 below shows a CPAP device in use.

Fig 2 – CPAP device in use

3.2 Risk Management Program (based on ISO14971)

The first task in the risk management program was to write a risk management plan that spanned the life of the product from the design and development phase to the disposal phase. The plan included: • Risk acceptability criteria for determining acceptable risk • The scope of the planned risk management activities, and

the life-cycle phases for which each element of the plan was applicable

• Assignment of responsibilities and authorities • Requirements for review of the risk management

activities • Verification activities for risk control measures • Activities related to collection and review of relevant

production and post-production information

3.2.1 Risk Acceptability Criteria

ISO14971 does not define acceptable risk levels or acceptability criteria. The device manufacturer is expected to define it, based on the type of device. Fig 3 below is an example of the risk acceptability criteria used in this program. Descriptions, definitions, criteria and acceptability explanations are located directly below the figure.

Frequency Harm Outcomes

Catastrophic Severe Marginal Minor Negligible Frequent

5 5 4 3 2

Probable 5 4 3 3 2

Occasional 4 3 3 2 1

Remote 3 3 1 1 1

Unlikely 3 2 1 1 1

Fig 3 – Risk Acceptability Criteria

• Risk Acceptability Criteria: 1 – Risk can be accepted by project team even in the

absence of control measures 2 – Risk can be accepted by project team upon

verification of implementation of control measures 3 – Risk can be accepted with the approval of top

management needed on the basis of risk benefit justification

4 – Risk cannot be accepted for this type of device 5 – Risk cannot be accepted for this type of device

• Harm Outcome Descriptions: Harm is defined as physical injury or damage to the health

of people, or damage to property or the environment. Catastrophic – Death or serious injury despite the

availability of any intervention by the user or any others

Severe – Death or serious injury, only if intervention by the user or any others fails

Marginal – Therapy is ineffective for an extended period of time and the user or any others are not aware of it; reversible injury

Minor – Minor injury; first aid or doctor office visit Negligible -- Therapy is not effective, but the user is

immediately aware. Condition is not worse than going undiagnosed.

• Frequency of Occurrence Definitions: Frequent – Reported or anticipated to occur as frequently

as once or more per day per unit based on normal usage.

Probable – Reported or anticipated to occur no more than 100-500 times per month

Activity Project Phase Input Output

1 Identify product use, requirements and characteristics

Requirements and Planning

Product Requirements Document (PRD)

Initial Hazards Analysis

2

Complete answers to questions contained in ISO 14971:2007

Medical devices-Application of risk management to medical

Devices, Annex C

System Design

ISO 14971:2007 Annex C question set

Use/Misuse model,

IEC62366 – Medical devices-Application of usability engineering to

medical devices [3]

Use/misuse scenarios and device information

3 Identify product hazards/harm, causes of hazards/harm and misuse System Design

Functional Failure Analysis(dFMEA and Fault

Tree analysis); Complaint Information; Medical Device Records

(MDR); Corrective Action and Preventative Actions (CAPA); ISO 14971:2007

Annex C question set

Detailed Hazards Analysis and initial risk assessment

4 Research and document field

events and recalls on “similar” CPAP devices

System Design www.fda.gov

“MAUDE database”

Field Failures similar to the CPAP

5 Estimate and assign risk levels for each hazard System Design Panel of risk experts Harm outcomes table in risk

assessment document

6 Identify the control measures to be implemented in the design System Design Design engineers, risk

experts

Control Measures (CM) Section of risk assessment

7 Create detailed failure analysis of device hardware, if needed Detailed Design dFMEA (component level)

Detailed Failure Analysis

8 Monitor testing of control measures Detailed Design

Verification & Validation (V&V) Test Plans, Control

Measures Trace Matrix

Updated “Control Measures (CM) Section” in risk

assessment (List of all software and hardware controls and

completed test reports of all CM’s that required testing)

9 Create production, supplier and service risk control plans Detailed Design

Production, supply-chain and service related CM’s

from RA

PFMEA, Final Test Equipment Qualification

Report

Validation reports

10 Verification of control

measures(make adjustments, if necessary)

Verification

V & V test reports, Quality Center data, Post production

support groups(supplier quality, service, global

sourcing, customer support) Risk control outputs

Control Measures (CM) verification table

11 Produce Final Risk Assessment

Document

Validation All previous phases of the Risk Management Program Final Risk Assessment

12

Periodic quality reviews (post launch) of devices in the field, to

verify/validate data in risk assessment

Post Transfer (Final Design

Review)

Field Complaints, Post Market Risk Assessments

CAPA’s

Identification of quality and risk associated items that are

showing early trends of higher than expected frequencies.

Updated risk assessment file

Table 4 – Risk Management related activities performed in different phases of the project

Occasional – Reported or anticipated to occur no more than 500-1000 times per year

Remote – Reported or anticipated to occur no more than 100 times over the life of the product

Unlikely – Plausible but without any reports of ever occurring and not anticipated to occur

Note: Rates of occurrence are based on having at least one million units being used in the field. Complaint rates will be extrapolated based on field population at the time, to equate to a population of 1 million units.

3.2.2 Risk Management Activities

A list of risk management related activities (based on 13 steps outlined in ISO14971) that were performed in the different phases of the CPAP device development project is given below in Table 4. These activities were useful in identifying hazards, estimating and evaluating the associated risks, controlling these risks, and monitoring the effectiveness of the controls during the entire life cycle of the product.

3.2.3 Tools and Templates used in the project

MS Excel, MSWord, IBM DOORS, HP Mercury Quality Center, and SAP were some of the software packages used in the implementation of this risk management program. MS Excel and MS Word were used to document the risk assessment. IBM DOORS software package was used to specify, map and maintain traceability of control measures requirements (from risk assessment). HP Mercury Quality Center was used to run tests to verify control measures (from risk assessment) and track associated defects. The final risk assessment file, submitted to the FDA, which contains records of all the risk management related activities (mentioned in table 4 above), was controlled using SAP. Commercially available software packages were used to perform dFMEA and Fault Tree Analysis.

An example risk assessment worksheet template, used in this program, is given below in Table 5.

Risk Assessment Worksheet

# Function of device

Functional State

Potential Causes

of Failure

Result of Failure

(Description of

hazardous event)

Hazard Tag

Initial Risk Index Level

Safety Control Measures

Final Risk Index Level

1 CPAP Therapy

Pressure delivery

excessively high (outside the range

of the device

settings)

Blower speed too

high

Controls fail

(Software)

Sensors fail

(Hardware)

Potential injury to patient

respiratory system

CO2

buildup in the lungs

due to inability to

exhale against

excessive pressure

OVERPRESSURE

Minor Occasional

2

Identify controls that limit motor speed (i.e., pressure)

• Monitor and adjust blower current every 125 µs (0.125 ms) [CM-01] • If outside the range, over a

monitored period of time, the system is placed in safe state. In safe state, therapy and pressure

control states are disabled. [CM-02]

• If motor current controls fail, system will default into safe state

[CM-03] The design will be constrained by the

limits identified in ISO 17510-1 standard that limits the pressure output

of CPAP [CM-04]

Minor Remote

1

Table 5 – Example of Risk Assessment Worksheet

Table 6 – Control Measures Verification Trace Matrix

An example of the control measures verification trace table template used in this program to test/verify and document the control measures defined in the risk assessment is given below in Table 6

3.2.4 Risk Management File

The risk management file, submitted to the FDA, included the risk management plan, the initial hazard analysis, use/misuse model, detailed hazard analysis, dFMEA, risk assessment, control measures trace matrix, control measures verification report, production-supplier-service risk control plans, post market risk assessment plan and a final risk report. The risk management file is continuously reviewed and updated as necessary, when new risks are identified or the occurrence/severity of the existing risks change. It is also useful after product launch, to perform post-market risk assessments to make decisions on whether field action is needed, in case of the occurrence of an adverse event in the field.

4 CONCLUSION

Using the risk management process outlined in ISO14971 standard as a guideline to manage risk can ensure the design and deployment of a safe product, with an acceptable level of risk. The concepts, processes and risk management activities discussed in this paper can be applied to non-medical fields as well.

REFERENCES

1. “Medical devices - Application of risk management to medical devices”, ANSI/AAMI/ISO 14971:2007,

Association for the Advancement of Medical Instrumentation, 2007.

2. “Medical devices - Application of risk management to medical devices”, ANSI/AAMI/ISO 14971:2000, Association for the Advancement of Medical Instrumentation, 2000.

3. “Medical devices - Application of usability engineering to medical devices”, IEC62366, International Electrotechnical Commision, 2007.

BIOGRAPHIES

Vaishali Hegde Philips Respironics 1740 Golden Mile Highway Monroeville, PA 15146 USA

e-mail: vaishali.hegde@philips.com

Vaishali Hegde is a Sr. Staff Engineer at Philips Respironics. She has sixteen years of engineering and management experience comprising of reliability consulting, reliability application engineering, design and process engineering, testing, risk management and project management in the defense, aerospace, chip manufacturing, and medical industries. She received her BS in Electrical Engineering from West Virginia University. She has published articles, contributed a chapter to the Handbook of Performability book and presented papers at RAMS2006 & RAMS2010. She is a senior member of ASQ and is on the board of the ASQ Pittsburgh Chapter. She is also an ASQ-Certified Reliability Engineer

Control Measure Tag Category Implementation

Reference Verification Reference Verified By Verified Date

Enter control measure tag from Hazard Identification Table.

List goal of control measure: Design, Alarm, Process, Label, Standard.

List references to requirements, specifications, manuals, etc., showing implementation of control measure.

List reference to a test or other record of the verification of design, implementation, showing effectiveness of control measure.

Identify individual who performed the verification.

Identify the date of verification.