Clarification on interpretation of some EN ISO 14971:2012 & IEC 62304:2006 req's

Ronen E

Problem Solver
Moderator
Please don't mention Risk Based Thinking because no ones knows what is this :p

In my opinion it's like The Emperor's New Cloths. Everybody knows in their guts what it is, because humans have biologically evolved to be risk-managing creatures; it's almost like "common sense", in a way. The problem is that everyone is thinking that there's something magical or extra-clever about "risk based thinking" and they're afraid to say that they don't get what exactly it is because others might think that they're stupid...

So here I said it. Now you can call me stupid. :tg:
 
Last edited:

Ronen E

Problem Solver
Moderator
I also just went through IEC 62304:2006/AMD1:2015 and noticed they’ve now replaced section 4.3.a/b to now align with ISO 14971 method and terminology, which clarifies things a bit. I noticed in another post a reference to EN 62304:2006/AC:2008 saying it was a harmonized standard, and found a one-page corrigendum saying annexes ZA and ZZ were added, then underneath it has Annex ZZ listed (3 small paragraphs). Would anyone know how extensive Annex ZA is, and if the Annex ZZ in this corrigendum is all it is on this annex?

Please note that as of the last publication in the EU Official Journal, in May 13, 2016, A1:2015 is not (yet) harmonized. The latest harmonized version is 2006/AC:2008. If you go to https://webshop.ds.dk/en-gb/standard/ds-en-62304-ac2013 and click on "Preview" you'll be able to see annexes ZA and ZZ (in my understanding, in full). The Danish version is tagged 2006/AC:2013, but if you look inside you'll see that's an adoption of the 2006/AC:2008 version (I have no idea what caused the big gap).

I agree that Annex ZZ from the AC:2008 version is a bit enigmatic in describing the coverage extent; this is misaligned with the practice now prevalent in harmonized standards, where coverage of the related ERs is stated much more clearly and specifically.

I would also like to confirm that when determining potential hazard/harm, that this also applies to other people in the vicinity such as the general public, and not just to the user. Is that correct?

Yes.

Lastly, in the many websites I’ve browsed through for ISO 14971 I saw somewhere that said that formal training in ISO 14971 was a requirement, which I found odd. The standard simply says that persons performing risk management shall have appropriate knowledge and experience. I’m trained and quite experienced in doing FMEAs and other types of basic RM activities, and although I would like to go on a course for ISO 14971 to better comprehend it, it’s just not that readily available in Canada or US. Therefore, does anyone know what the expectations are in regards to ‘qualification of personnel’ when it comes to risk management techniques?

I'm not aware of an official requirement for formal qualifications to ISO 14971.
 
Last edited:

blah01

Involved In Discussions
Thanks for your replies Ronen.

In regards to misuse/abnormal use, for clarification, are you saying that intentional improper use of the product (i.e. despite any IFU and training provided) should, or should not be, considered when doing risk analysis?

Thanks again.
 

Ronen E

Problem Solver
Moderator
Thanks for your replies Ronen.

In regards to misuse/abnormal use, for clarification, are you saying that intentional improper use of the product (i.e. despite any IFU and training provided) should, or should not be, considered when doing risk analysis?

Thanks again.

ISO 14971 doesn't specifically address abnormal use.

IEC 62366-1:2015 mentions it. As described on the ISO web store:

IEC 62366-1:2015 specifies a PROCESS for a MANUFACTURER to analyse, specify, develop and evaluate the USABILITY of a MEDICAL DEVICE as it relates to SAFETY. This USABILITY ENGINEERING (HUMAN FACTORS ENGINEERING) PROCESS permits the MANUFACTURER to assess and mitigate RISKS associated with CORRECT USE and USE ERRORS, i.e., NORMAL USE. It can be used to identify but does not assess or mitigate RISKS associated with ABNORMAL USE.

I am not aware of a widely accepted, generic way to handle abnormal use.
 
Last edited:

blah01

Involved In Discussions
I'm still a bit hung-up on interpreting 'foreseeable misuse', which has major implications for us.

IEC Guide 51 (per Marcelo's reply) seems to be clear, but the Consensus Paper provided by Jean_B says the following, in regards to Deviation #2 in Annex ZA:
When determining the criteria for risk acceptability, the manufacturer shall consider whether death or serious deterioration of health is unlikely to occur in normal operation or due to device malfunctions or deterioration of characteristics or performance, or any inadequacy in the labeling or instructions for use. If unlikely to occur the risk shall be considered acceptable.


This definition does not take into account 'abnormal use' or 'readily predictable human behaviour' when assessing risks. I realize the consensus paper is addressing the issue of having an 'acceptability criteria', but in the process seems to be providing a definition of risk not aligning with what else has been written.

I would very much appreciate thoughts on this.

Thanks again.
 

Marcelo

Inactive Registered Visitor
Does anyone know if this “Consensus Paper“ is widely recognized and accepted in interpreting and applying Annex ZA?

Nope. It never passed the draft stage because there were opposition to it (although in general it's a good document).

In regards to misuse/abnormal use, for clarification, are you saying that intentional improper use of the product (i.e. despite any IFU and training provided) should, or should not be, considered when doing risk analysis?

Abnormal use is defined as:

* ABNORMAL USE
conscious, intentional act or intentional omission of an act that is counter to or violates NORMAL USE and is also beyond any further reasonable means of USER INTERFACE-related RISK CONTROL by the MANUFACTURER
EXAMPLES Reckless use or sabotage or intentional disregard of information for SAFETY are such acts

So no, you should not consider it in principle. However, what Iso 14971 mentions )I don't remember where right now) is that, if the abnormal use is a common medical practice, you should probably identify it as misuse, because everyone uses the device that way (the problem may even be that your design is wrong by not taking into consideration how people use the device or designing against it).


When determining the criteria for risk acceptability, the manufacturer shall consider whether death or serious deterioration of health is unlikely to occur in normal operation or due to device malfunctions or deterioration of characteristics or performance, or any inadequacy in the labeling or instructions for use. If unlikely to occur the risk shall be considered acceptable.

This does not make any sense. In fact, acceptability of risk is one of the topics we are heavily discussing in the revision of ISO 14971. We will hopefully make things a lot more clear (unfortunately it does not help the OP now :-().
 

Marcelo

Inactive Registered Visitor
In my opinion it's like The Emperor's New Cloths. Everybody knows in their guts what it is, because humans have biologically evolved to be risk-managing creatures; it's almost like "common sense", in a way. The problem is that everyone is thinking that there's something magical or extra-clever about "risk based thinking" and they're afraid to say that they don't get what exactly it is because others might think that they're stupid...

So here I said it. Now you can call me stupid. :tg:

The problem is that a standard should not have anything new- it should reflect the years of literature, experience and practical implementation of an area. Take ISO 14971. It has nothing new in the field of risk management. Sure, some particularities may be new, but 99 % of the standard reflects risk management practices from the last 50 years.

Risk management can be thought, as mentioned, in a very general way, as common sense. However, humans have difficult to make decisions in complex situations and environments due to limited knowledge and processing power. Thus, the field of risk management is not common sense, it's a systematic approach to common sense.

"Risk-based thinking" does not exist (you really can't find any mention of this in a consistent way in the literature or risk management experience). The "term" was recently created to try to convey an idea that is not really correct. That''s why everybody is struggling with the concept.
 

blah01

Involved In Discussions
Thanks for the informative feedback once again Marcelo. It’s really appreciated.

I really like the “Abnormal use” definition you provided. Is this from a specific document/standard?

So the Consensus Paper was never adopted...that’s unfortunate ... and brings up a couple more questions if you don’t mind:
1) In regards to Deviation 2, the document introduced the concept of “end-points for risk reduction” along with re-introducing the concept of ‘risk acceptability’. I guess that’s out the window then?
I know the MDD refers to “taking account of the generally acknowledged state of the art.”, but, our SW product IS actually the ‘state of the art’, so when you are a trend setter in a market, what do you go by then to determine how far you go?
2) For Deviation 3 regarding “economical consideration”, the consensus paper does raise a good point about the existing paragraph in the MDD that says “...any reference to ‘minimizing’ or ‘reducing’ risk must be interpreted and applied in such a way as to take account of technology and practice existing at the time of design and of technical and economical considerations compatible with a high level of protection of health and safety...”, which therefore seems to infer that economical consideration is a relevant factor (recognizing that we don’t want to cheap-out when assessing risk control measures). So given the text in the MDD, is economical consideration viable?
3) Deviation 7 on IFU, the document basically outlines 2 types of IFU, which I might have actually seen in other posts on this sight but forget now, which are as follows:
i. Action-based info to prevent/mitigate a hazard. Can this still be considered a control option? Note that for our product, which is an aid for people with vision impairment, we provide extensive training over a period of 6 months (minimum) to gradually introduce the users to the product; many of the elements encountered in the use of the product are simply not ‘design’ related.
ii. Informational only to highlight an inherent (residual) risk. I think it’s pretty clear that this type of info cannot be considered a control option.

I really appreciate all the feedback received so far. I usually don’t bother people with this stuff; I’ve been implementing standards for 25+ years but I am new to the medical device world so I’m just trying to make sure I interpret these standards correctly.

Thanks again.
 

Marcelo

Inactive Registered Visitor
1) In regards to Deviation 2, the document introduced the concept of “end-points for risk reduction” along with re-introducing the concept of ‘risk acceptability’. I guess that’s out the window then?
The document as a whole has some weird positions regarding risk acceptability.

I know the MDD refers to “taking account of the generally acknowledged state of the art.”, but, our SW product IS actually the ‘state of the art’, so when you are a trend setter in a market, what do you go by then to determine how far you go?

Not sure what you exactly mean what you say "our SW product IS actually the ‘state of the art’".

2) For Deviation 3 regarding “economical consideration”, the consensus paper does raise a good point about the existing paragraph in the MDD that says “...any reference to ‘minimizing’ or ‘reducing’ risk must be interpreted and applied in such a way as to take account of technology and practice existing at the time of design and of technical and economical considerations compatible with a high level of protection of health and safety...”, which therefore seems to infer that economical consideration is a relevant factor (recognizing that we don’t want to cheap-out when assessing risk control measures). So given the text in the MDD, is economical consideration viable?

Fact: there's no infinite resources anywhere.
Fact: risk management historically has always been related to resources (in particular resource allocation to worst-case scenarios)

A bizarre interpretation does not change those facts.

Point is, it's impossible not consider economic considerations. If you would treat every little imaginable possibility of a hazard with the best safety solution, you could have:
- a device which is not physically possible to exist
- a device so expensive that no one would be able to use it
- more bizarre options

3) Deviation 7 on IFU, the document basically outlines 2 types of IFU, which I might have actually seen in other posts on this sight but forget now, which are as follows:
i. Action-based info to prevent/mitigate a hazard. Can this still be considered a control option?
If it is "information for safety", yes, per ISO 14971.

Please note that there's a bit of a cloud on the historical acceptance of information as a means to control risk. Some literature says that it cannot be used (and this was clearly the position several EU directives/regulations if you read the text), some say that it can be used.

Anyway, if you think about it, it's obvious that there's are some problems that are impossible for a design to solve (including due to the problems I mentioned above), and that warning the user about them is the only viable solution.
 
Top Bottom