We are a small medical device company and recently we had a management review meeting and our CEO mentioned that he heard about a new risk approach - "risk-based design". Basically, that risk assessment is done over the requirements of a medical device - you identify a risk, show mitigation for each requirement and/or design feature. And according to which you determine the level of concern, which further determines how complex risk assessment should be.
I was wondering if anybody heard about this?
We are doing our risk assessment as hazard-based (according to ISO 14971 guidance). And I am aware that FDA has guidance for premarket submissions for software contained in medical devices where is stated that you need to determine LOC (but, that is just related to software).
You can perform the risk analysis part of the risk management process in several ways. ISO 14971 does take a step-by-step approach, but it does not mean that you need to follow it all the time. For example, I usually suggest to my clients that they do the process backwards, beginning with the harm and/or hazardous situations, because that's the information they usually know (I also suggest creating a list of harms/hazardous situation to facilitate the analysis, this way you can cross-check with the hazards).
Regarding requirements, yes, that's another way that I always suggest doing. It's something like this:
- Define patient/user needs
- Define input requirements
- Perform an iteration of the risk management process based on the requirements (which hazards, hazardous situations and harm can come from the requirements? For the unacceptable ones, which possible risk control measures can be applied? )
- For the possible risk control measures identified above, create more requirements for those, then iteration the process again.
- You can do the iteration ay time a new requirement or set of requirements is introduced.
This way you can systematically analyze risks.
It's a fancy name for
DFMEA.
Unfortunately, it has nothing to do with
FMEA.
And once I read that FMEA it's not equal to ISO 14971.
Yes, FMEA (or any other reliability or hazard identification tool) can be used as part of the risk management process, but only a very small part (part of the risk analysis, but even then no tool includes all the information the risk management process require). So you need to understand each tool limitation and how you can use them in the risk management process (and have a way to identify the missing information).
But, I still don't get it how that "determines" level of complexity of risk assessment which needs to be conducted?
The level of concern, which is a term the FDA uses, is not related to risk management per se, but to determine the "level" of design documentation the manufacturer has to show the FDA (meaning, the regulatory burden). You use risk management to determine the level of concern.