What is Risk-based Design?

Timothea

On Holiday
We are a small medical device company and recently we had a management review meeting and our CEO mentioned that he heard about a new risk approach - "risk-based design". Basically, that risk assessment is done over the requirements of a medical device - you identify a risk, show mitigation for each requirement and/or design feature. And according to which you determine the level of concern, which further determines how complex risk assessment should be.

I was wondering if anybody has heard about this?

We are doing our risk assessment as hazard-based (according to ISO 14971 guidance). And I am aware that the FDA has guidance for premarket submissions for software contained in medical devices where it is stated that you need to determine the LOC (but that is just related to software).
 

AndyN

Moved On
We are a small medical device company and recently we had a management review meeting and our CEO mentioned that he heard about a new risk approach - "risk-based design". Basically, that risk assessment is done over the requirements of a medical device - you identify a risk, show mitigation for each requirement and/or design feature. And according to which you determine the level of concern, which further determines how complex risk assessment should be.

I was wondering if anybody has heard about this?

We are doing our risk assessment as hazard-based (according to ISO 14971 guidance). And I am aware that the FDA has guidance for premarket submissions for software contained in medical devices where it is stated that you need to determine the LOC (but that is just related to software).

It's a fancy name for DFMEA.
 

Timothea

On Holiday
Thanks, I read about DFMEA. But I still don't get how that "determines" the level of complexity of the risk assessment which needs to be conducted?

And I once read that FMEA is not equal to ISO 14971.
 

Marcelo

Inactive Registered Visitor
We are a small medical device company and recently we had a management review meeting and our CEO mentioned that he heard about a new risk approach - "risk-based design". Basically, that risk assessment is done over the requirements of a medical device - you identify a risk, show mitigation for each requirement and/or design feature. And according to which you determine the level of concern, which further determines how complex risk assessment should be.

I was wondering if anybody has heard about this?

We are doing our risk assessment as hazard-based (according to ISO 14971 guidance). And I am aware that the FDA has guidance for premarket submissions for software contained in medical devices where it is stated that you need to determine the LOC (but that is just related to software).

You can perform the risk analysis part of the risk management process in several ways. ISO 14971 does take a step-by-step approach, but it does not mean that you need to follow it all the time. For example, I usually suggest to my clients that they do the process backwards, beginning with the harm and/or hazardous situations, because that's the information they usually know (I also suggest creating a list of harms/hazardous situations to facilitate the analysis; this way you can cross-check with the hazards).

Regarding requirements, yes, that's another way that I always suggest doing. It's something like this:

- Define patient/user needs
- Define input requirements
- Perform an iteration of the risk management process based on the requirements (which hazards, hazardous situations and harm can come from the requirements? For the unacceptable ones, which possible risk control measures can be applied?)
- For the possible risk control measures identified above, create more requirements for those, then iterate the process again.
- You can do the iteration any time a new requirement or set of requirements is introduced.

This way you can systematically analyze risks.

It's a fancy name for DFMEA.

Unfortunately, it has nothing to do with FMEA.

And I once read that FMEA is not equal to ISO 14971.

Yes, FMEA (or any other reliability or hazard identification tool) can be used as part of the risk management process, but only a very small part (part of the risk analysis, but even then no tool includes all the information the risk management process requires). So you need to understand each tool's limitations and how you can use them in the risk management process (and have a way to identify the missing information).

But I still don't get how that "determines" the level of complexity of the risk assessment which needs to be conducted?

The level of concern, which is a term the FDA uses, is not related to risk management per se, but to determine the "level" of design documentation the manufacturer has to show the FDA (meaning, the regulatory burden). You use risk management to determine the level of concern.
 

AndyN

Moved On
Given the OP's comments "Basically, that risk assessment is done over the requirements of a medical device - you identify a risk, show mitigation for each requirement and/or design feature.", how is doing a DFMEA NOT the same - or very very close to the same as described?
 

Marcelo

Inactive Registered Visitor
Given the OP's comments "Basically, that risk assessment is done over the requirements of a medical device - you identify a risk, show mitigation for each requirement and/or design feature.", how is doing a DFMEA NOT the same - or very very close to the same as described?

A DFMEA, as with any FMEA, is based on the identification of failure modes for components.

A requirement is before you define a component. The component, or components, are solutions to one or more requirements.

So you cannot use a DFMEA if you do not have the solutions to the requirements. However, you can do a risk analysis for anything, you do not need a complete solution, you can do a risk analysis even before requirements (for example, based on the patient/user needs).

That's what I tried to say when I mentioned you need to understand any reliability/hazard analysis tool you want to use, and their limitations, and how you can use them in the risk management process.
 

AndyN

Moved On
A DFMEA, as with any FMEA, is based on the identification of failure modes for components.

A requirement is before you define a component. The component, or components, are solutions to one or more requirements.

So you cannot use a DFMEA if you do not have the solutions to the requirements. However, you can do a risk analysis for anything, you do not need a complete solution, you can do a risk analysis even before requirements (for example, based on the patient/user needs).

That's what I tried to say when I mentioned you need to understand any reliability/hazard analysis tool you want to use, and their limitations, and how you can use them in the risk management process.

How can that be "risk-based design" if you are looking ONLY at requirements? If you don't HAVE a design? I fully understand looking at (customer, regulatory, user etc) requirements, factoring risk, but the OP asked about "design"?
 

Marcelo

Inactive Registered Visitor
How can that be "risk-based design" if you are looking ONLY at requirements?

The OP used the word "Risk-based Design", I did not (although it's not really incorrect, see below). The OP asked about requirements, and I tried to show how to do it with the requirements.

If you don't HAVE a design?

The design process includes both input requirements and the solutions to them. Design is not only the solutions.
 

Timothea

On Holiday
But still, no matter in which phase the risk assessment is conducted, does it need to be conducted according to the steps which ISO 14971 recommends?
 

Marcelo

Inactive Registered Visitor
But still, no matter in which phase the risk assessment is conducted, does it need to be conducted according to the steps which ISO 14971 recommends?

As I mentioned, I do conduct the risk analysis in different ways, but the other steps (risk evaluation, risk control, etc.) I conduct in order.
 