How do you define Risk (Medical Device)?

My company defines risk level according to the...


  • Total voters
    7

indubioush

Quite Involved in Discussions
#1
Fact 1: ISO 14971 defines risk as the combination of the probability of occurrence of harm and the severity of that harm.

Fact 2: This definition of risk does not mention "hazard" or "hazardous situation."

Fact 3: One harm could be caused by more than one hazard or hazardous situation.

Example: Using the example of stroke as the harm, let's list two associated hazards:

1. Patient noncompliance with anticoagulant medication
2. Implantable device causes blood coagulation

Discussion:
Many companies have hazard analysis documents in which they assign risk levels to individual hazards. Using the above examples:

1. Stroke due to noncompliance to meds: occurrence 2, severity 4, risk 3
2. Stroke due to device: occurrence 1, severity 4, risk 2

Is this really good enough to assess the probability of occurrence of harm and severity of the harm? Don't we really want to know the risk of stroke alone, not the risk of stroke based on a particular hazard?

Let's say there is a harm that is caused by 20 different hazards. Shouldn't this harm have a higher risk level than another harm with the same severity level but caused by only one hazard?

Please can you tell me how this is addressed in your risk management system. What is your denominator for your numeric risk levels? Is your risk per harm, per hazard, or per hazardous situation?
:thanx:
 
Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#2
I have some reservations against your exemples, but trying to answer the questions:

Is this really good enough to assess the probability of occurrence of harm and severity of the harm? Don't we really want to know the risk of stroke alone, not the risk of stroke based on a particular hazard?
Per ISO 14971, you want to estimate the severity of the risk to the patient/user/etc. (please let's not discuss the definition that includes property/environment because this is too complicated). So, you want to know the risk of stroke when it's part of a sequence of events that leads to a hazardous situations and the device (usually a device failure or use error) is part of that sequence of events that leads to the hazardous situation.

Let's say there is a harm that is caused by 20 different hazards. Shouldn't this harm have a higher risk level than another harm with the same severity level but caused by only one hazard?
I always totally confused by the "risk level"because different people mean difference things when talking about "risk level" (and they usually say those things thinking about a risk matrix, which confuse things even more).

Anyway, the magnitude of risk (and this is what usually the risk "level"is all about) is really not dependent on the related number of hazards)

Please can you tell me how this is addressed in your risk management system. What is your denominator for your numeric risk levels? Is your risk per harm, per hazard, or per hazardous situation?
Again, Think there's some misunderstanding here. Risk is usually per individual fatality, or per group fatality (this is usually called societal risk).

But again trying so answer your question, each hazardous situation can have more than one outcome, so:

Every hazard can have more than one related hazardous situation.
Each hazardous situation can have more than one harm.
Risk is related to the hazardous situation.
So each hazardous situation can have more than one risk (for each related harm).
Please see attached file from an overview.
 

Attachments

indubioush

Quite Involved in Discussions
#3
Will you please explain what you mean by "Risk is usually per individual fatality."

If I am a patient who will be using or receiving a medical device, don't I want to know my risk of stroke? I don't care about individual hazards. If we only assess risks based on individual hazards or situations, doesn't that obscure the information that we are truly seeking?

I as a patient want to know my chances of having something bad happen. I as a manufacturer want to know the same. The goal of risk control is to reduce the probability and severity of harm. How do we as manufacturers do that when we prioritize our actions based on individual hazards rather than the true risk of harm to a patient?

The simple question I want to ask is how you calculate risk when there are multiple completely unrelated situations that lead to the same harm.
 

Marcelo

Inactive Registered Visitor
#4
Will you please explain what you mean by "Risk is usually per individual fatality."
The risk is related to the harm (either individual risk or societal risk are the most common, as I mentioned), and in particular, the hazardous situation. nNot the hazard.

The simple question I want to ask is how you calculate risk when there are multiple completely unrelated situations that lead to the same harm.
See the graph I included in my last post.
 

indubioush

Quite Involved in Discussions
#5
The graph you included in your post describes a situation in which one hazard results in multiple harms. I am posing questions based on the situation in which many different hazards with different hazardous situations lead to the same harm. The occurrence of harm, if based on the harm alone, is one thing, but if you are using occurrence of hazards as a factor in your occurrence of harm, that is where it gets complicated. I have found that many companies calculate their occurrence of harm per each individual hazardous situation. I am questioning whether this is the right thing to do.

How do two different, unique hazardous situations that result in the same harm factor into the probability of that harm?
 

Marcelo

Inactive Registered Visitor
#6
I'm not sure what you mean by "occurrence of hazards", as a hazard is only a potencial source of harm; it has no occurrence (or probability of occurrence).

For different hazards, that leads to different hazardous situations, but with the same harm...it's the same as the graph. You need to evaluate the sequence or combination of events that leads to each hazardous situations (which will probably be different also), and then the harm/s.

The probability of occurrence of harm (which is related to the hazardous situation, not the hazard) will be different depending on P1 and P2, and P1 will depend on the sequence or combination of events, and P2, on the possible harms (as shown in the graph). You can also check the graph at annex E of ISO 14971.
 

Ronen E

Problem Solver
Staff member
Moderator
#8
I think that some of the confusion is caused by a wrong premise. The patient and the manufacturer are not necessarily after the exact same thing in this context.

The patient might want to know the overall risk of some specific harm realising (eg stroke), associated with a given device.

The manufacturer is more concerned with the components of that risk because reduction of risk to an acceptable level can only be achieved through addressing particulars. It has already been stated that the severity of a given harm can hardly be reduced (if at all, it's still moot). So the only other way is attacking the probability of occurrence. As Marcelo has pointed out, the overall probability of occurrence of a harm is a composite result of several (conditional) probabilities, hence it is unique to each specific harm of each specific hazardous situation. To reduce that unique figure you'd need to attack at least one of the events / conditions that lead to that unique outcome. Once you do, the overall resulting probability of that unique outcome might go down to a level deemed "acceptable" (which is subject to debate and much confusion). This is what the manufacturer is initially interested in. Until all individual risks (of specific harms resulting from specific hazardous situations) have been reduced to an "acceptable" level, the risk management process can't move forward, except in extreme/special situations. Of course, even when that has been achieved the manufacturer still needs to consider the bigger, cumulative risk picture, which might be a bit closer to the patient's perspective (eg "what are my chances to die if I receive that implant?") but it's still not the same as the more specific question you posed on behalf of the patient, "what are my overall chances for a stroke?".

ISO 14971 is targeted at the manufacturer, so it doesn't necessarily serve the patient's desire to know. The process it describes focuses on individual risks, and on the overall resulting benefit/risk ratio (all risks against all benefits, combined). It doesn't necessarily address the sum risk of any specific harm as a result of all foreseeable hazardous situations that might lead to it.
 
Last edited:

indubioush

Quite Involved in Discussions
#9
Thank you for your reply. I fully agree that the manufacturer must address hazards and hazardous situations to reduce risk to an acceptable level. I also agree that the overall probability of occurrence of a harm is a composite result of several probabilities.

My question is how these probabilities are calculated when many different hazardous situations lead to the same harm. For example, if 1 in 10 patients will get a stroke because of the hazardous situation of patient noncompliance with meds, 1 in 10 patients will get a stroke because of the hazardous situation of device malfunction, and 1 in 10 patients will get a stroke because of general procedural risk, our probability of stroke is not 1 in 10, it is 3 in 10. However, if the manufacturer only calculates risk based on individual hazardous situations, they may incorrectly determine that the risk of stroke (in each case) is acceptable.

With the understanding the risk is the combination of severity of harm and probability of occurrence of harm, and that the probabilities come from multiple sources, what is the best way to calculate risk where multiple hazardous situations lead to the same harm?

Is occurrence unique to the harm or unique to the hazardous situation? Based on the definition of risk, in my opinion, occurrence is unique to the harm. However, many people see occurrence as unique to the hazardous situation. Could this understanding cause problems when assessing risk and determining which risks are unacceptable?
 

Ronen E

Problem Solver
Staff member
Moderator
#10
My question is how these probabilities are calculated when many different hazardous situations lead to the same harm.
ISO 14971 does not require that such aggregated probabilities are calculated.

For example, if 1 in 10 patients will get a stroke because of the hazardous situation of patient noncompliance with meds, 1 in 10 patients will get a stroke because of the hazardous situation of device malfunction, and 1 in 10 patients will get a stroke because of general procedural risk, our probability of stroke is not 1 in 10, it is 3 in 10. However, if the manufacturer only calculates risk based on individual hazardous situations, they may incorrectly determine that the risk of stroke (in each case) is acceptable.
First, the manufacturer is not obliged to assess risks that are not related to the device in question. The fact that a certain harm can occur with relation to the device use and also independent of it doesn't make the manufacturer responsible for the independent risk even when their device is in use.

Second, what the manufacturer should evaluate in your example is not "the risk of stroke", but "the risk of stroke in composite setting 1", "the risk of stroke in composite setting 2"... up to "the risk of stroke in composite setting N". Each of them has to be deemed or made acceptable, and the aggregate of ALL such individual risks (including other than involving stroke) needs to be outweighed by the device's benefit to the patient. That's all, as far as ISO 14971:2007 is concerned.

Is occurrence unique to the harm or unique to the hazardous situation? Based on the definition of risk, in my opinion, occurrence is unique to the harm. However, many people see occurrence as unique to the hazardous situation. Could this understanding cause problems when assessing risk and determining which risks are unacceptable?
Assuming that by "occurrence" you refer to the probability/frequency of occurrence, the hazardous situation has its own occurrence (built up of the probabilities of each and every event and condition that have to occur for it to realise) and every harm of every hazardous situation has its own occurrence. You should always look at a chain/aggregate of events and conditions that are, together, necessary for the realisation of a specific harm-as-a-result-of-a-specific-hazardous-situation. The chain up to the hazardous situation will yield the hazardous situation probability, and then you also need to consider the probability of that situation actually culminating in a specific harm, to get the final probability that is considered in the "severity & probability" combination that is the risk "level". I know it's a lot of work (and some people claim it's pointless because there's a lot of uncertainty in determining some of the probabilities) but that's what ISO 14971:2007 essentially prescribes.
 
Last edited:
Thread starter Similar threads Forum Replies Date
T How do you define your Hazards? <a Risk Management discussion> ISO 14971 - Medical Device Risk Management 16
alonFAI How to define a Risk Based Approach for Supplier Management per ISO 13485:2016 ISO 13485:2016 - Medical Device Quality Management Systems 1
V How to define Risk Acceptance Criteria? ISO 13485:2016 - Medical Device Quality Management Systems 3
B Define Fault, Double Fault and Normal Conditions - Preparing a Risk Management File FMEA and Control Plans 1
R How to define risk levels in an audit - Is a Major critical? General Auditing Discussions 7
M Define voltage and frequency to perform tests 61010-1 and 61326-1 for CE certification CE Marking (Conformité Européene) / CB Scheme 4
I Sampling processes - Who must define the AQL level? AQL - Acceptable Quality Level 9
V Who should define and own the Design and Development Plan and how to maintain the updates and revisions. ISO 13485:2016 - Medical Device Quality Management Systems 2
S API Spec Q1 - How to define Management Representative competency for QMS Oil and Gas Industry Standards and Regulations 12
M How To Define ISMS (information Security Management System) Scope IEC 27001 - Information Security Management Systems (ISMS) 9
Kuldeep Singh How to define Expected life service life of medical device Other Medical Device Related Standards 4
S How to Define Importers under EU MDR / Brexit EU Medical Device Regulations 3
MrPhish Should Potential Customer Complaint Outcome Define Registrar NC Rating? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
K ISO 9001:2015 clause 9.2.2 a. - Define the audit criteria and scope Internal Auditing 2
Q QI Macro Histogram - Can someone define *sorted data*? Capability, Accuracy and Stability - Processes, Machines, etc. 7
H How to define Root Cause when some points are out of control chart Statistical Analysis Tools, Techniques and SPC 6
M SOP or template for a study to Define Storage Conditions of Orthopaedic Implants EU Medical Device Regulations 3
D Definition Client - How does the government define their clients? Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 1
G How to define the scope of QMS as per ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 21
R How to define QMS certification scope statement? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
R Review of "Key Data" for contract labs, but SOP doesn't define "key data". Problem? Pharmaceuticals (21 CFR Part 210, 21 CFR Part 211 and related Regulations) 2
G Procedure to define Signing Authority for Procurement Limits ISO 13485:2016 - Medical Device Quality Management Systems 2
P Can a company define new quality standards for special industry ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 2
L Are there any requirements to define barcode requirements ? Misc. Quality Assurance and Business Systems Related Topics 2
X How to define Calibration Acceptance Criteria General Measurement Device and Calibration Topics 3
H ISO 17025 - How to define a "Test Equipment" ? ISO 17025 related Discussions 2
J Where do you define Internal Auditor qualifications? Internal Auditing 9
V Is there an approach to define the "must 'or' should" in supplier audits? US Food and Drug Administration (FDA) 2
T Internal Audit - How to define the Importance of Departments and Processes Internal Auditing 8
T Help me understand how to define Processes ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 40
L How to define R & D Receiving (Incoming) Inspection Plan Design and Development of Products and Processes 18
B How to define and implement Configuration Management Document Control Systems, Procedures, Forms and Templates 5
C How to Define and Document Controls of Outsourced Processes Food Safety - ISO 22000, HACCP (21 CFR 120) 5
S Please help me define training requirements for a Career in Regulatory Affairs 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
K How to define the Acceptances Criteria for all equipment? Manufacturing and Related Processes 7
L Definition Program - How do you define Program with regard to ISO 9001? Definitions, Acronyms, Abbreviations and Interpretations Listed Alphabetically 3
A Supplier Evaluation SOP - How do I Define Major and Minor Suppliers? Supplier Quality Assurance and other Supplier Issues 14
Q Where to define Authorities and Responsibilities in Documentation? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
J Define Energy Used/Delivered - Applicable to Electrical or Mechanical Power or both? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 1
R 820.50 (A) (2)Define the Type and Extent of Control to be exercised over Vendor Misc. Quality Assurance and Business Systems Related Topics 5
A Where to define Process Tailoring Form used in CMMI in the ISO 9001 Quality Manual? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 5
Q Criteria to define QMS processes in ISO/TS 16949:2009 IATF 16949 - Automotive Quality Systems Standard 23
S How to define New Equipment? Device is Returned, Refurbished or Repaired Misc. Quality Assurance and Business Systems Related Topics 3
C Controlling Documents: Beyond the standard, how do we truly define what to control ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 9
C How to define Process Special Characteristics (SC) FMEA and Control Plans 4
kedarg6500 What is the meaning of "define/defined" in ISO 9001? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
Crusader Local Control Document procedure....define it or not? Document Control Systems, Procedures, Forms and Templates 24
M Excel Templates for Plan & Define Phase in NPI Process for Tire Manufacturer Excel .xls Spreadsheet Templates and Tools 1
R Define Data from Taguchi to Response Surface Methodology in Minitab Using Minitab Software 2
K How to define PVC Pellet Quality Manufacturing and Related Processes 8

Similar threads

Top Bottom