How do you define Risk (Medical Device)?

[Marcelo]

I know it's a lot of work (and some people claim it's pointless because there's a lot of uncertainty in determining some of the probabilities) but that's what ISO 14971 essentially prescribes.

The detailed probability evaluation should in practice be required only for specific non-trivial or very high risk hazardous situations (we may solve this in the ISO 14971 revision). And in my opinion it should also require QRA (we won't solve this one, unfortunately :-()

Regarding uncertainty, it's curious how ISO 14971 says nothing about uncertainty in risk analysis/management, it's one of the crucial points in several implementations (NASA, for example). But please note that the real concerns of uncertainties in risk analysis/management are not only in uncertainties in probability estimates, there's are several other sources of uncertainty, some even more problematic (some of these also goes back to decision theory, this is another link that ISO 14971 also fails to mention, but which is one of the basis for the need of risk management). A interesting read on this topic is this doc: UNCERTAINTY CHARACTERIZATION IN RISK ANALYSIS FOR DECISION-MAKING PRACTICE.

 

[indubioush]

First, the manufacturer is not obliged to assess risks that are not related to the device in question. The fact that a certain harm can occur with relation to the device use and also independent of it doesn't make the manufacturer responsible for the independent risk even when their device is in use.

Are you referring to my example of patient noncompliance with meds? Unfortunately this is a hazardous situation the manufacturer must consider if their device is a long-term implantable and the patient is required to take anticoagulant medication as long as the implant is still present. There may be no way to reduce this risk, but it still must be weighed against the benefits of the device. Do you agree?

 

[indubioush]

Okay, going to keep delving into the details here. Thanks for all the help thus far.

See ISO 14971 Section D.7.4 Fault tree analysis: Harm to a patient or user can originate from different hazardous situations (see Annex E). In such cases, the probability of the harm used to determine the overall residual risk is based on a combination of the individual probabilities. A fault tree analysis can be a suitable method for deriving the combined probability of harm.

This implies that you must assess the probability of harm (from multiple situations) when assessing the overall residual risk. This is making more and more sense. I also read, forgot where, that the standard is written in a way that prevents an overwhelming amount of tedious work. This two-tiered approach makes a lot of sense, and now I understand this process a lot more. I think what makes it complicated it that my company's device has quite a few of these multiple-situation harms.

Next question is how people document their fault-tree analyses. Perhaps this is another thread though.

 

[Marcelo]

Are you referring to my example of patient noncompliance with meds? Unfortunately this is a hazardous situation the manufacturer must consider if their device is a long-term implantable and the patient is required to take anticoagulant medication as long as the implant is still present. There may be no way to reduce this risk, but it still must be weighed against the benefits of the device. Do you agree?

The problem is that in your examples (For example, if 1 in 10 patients will get a stroke because of the hazardous situation of patient noncompliance with meds, 1 in 10 patients will get a stroke because of the hazardous situation of device malfunction, and 1 in 10 patients will get a stroke because of general procedural risk), only the second one is related to the device, the others are not.

(also, patient noncompliance with meds and device malfunction are not hazardous situations)

The device manufacturer is usually required to deal with the second one only. You are correct in the "real" probability of stroke is related to the the 3 scenarios (or even more), but this "real" probability of strokes is related to strokes, not use of the device. This is something that the medical doctor and the patient may need to have an idea, but not something that the device manufacturer will take into account, because there are thousands other factors that may go into that probability.

 

[indubioush]

In my experience, procedural risks must be accounted for in your risk analysis. The type of device I am thinking of is a Class III high risk implantable device. When the device is being implanted into a patient, there are associated risks, like stroke, even if the device performs exactly as intended. ISO 14971 requires that both normal and fault conditions be considered when assessing risk.

In addition, post-procedure information also provides input into the risk management system. The rate of stroke over time is something that must be considered in the risk/benefit analysis. In the case of the patient noncompliance to meds, it is true that there is no device malfunction, but since this is a factor in the probability of post-procedural risk of stroke, it is required to be considered. In the examples mentioned here, the hazard is the implantation procedure and the device itself, respectively.

 

[Marcelo]

See ISO 14971 Section D.7.4 Fault tree analysis: Harm to a patient or user can originate from different hazardous situations (see Annex E). In such cases, the probability of the harm used to determine the overall residual risk is based on a combination of the individual probabilities. A fault tree analysis can be a suitable method for deriving the combined probability of harm.

D 7.4 (which is informative) deals with Overall residual risk evaluation. Unfortunately, it's not a very good discussion, and ISO TR 24971 tried to give a better discussion and also failed. Hopefully, we can do a better job in the revision.

The overall residual risk evaluation requirement came from the understanding that, although we usually treat individual risks of harm to patient/user/etc, the real risk is an aggregate of the individual risks. However, none of the "techniques" identified in D 7.4 is good to do this.

For example, the fault tree analysis mentioned. FTAs (some good tutorials are here: http://www.barringer1.com/mil_files/NASA-FTA-1.1.pdf and http://www.cems.uwe.ac.uk/~a2-lenz/n-gunton/worksheets/FTA-Tutorial.pdf are good for estimating probability of harm, including combined probability for the same hazardous situation. It does not deal with aggregate risk.

For analyzing the aggregate risk related to individual risks with a focus on quantitative probabilities, you would need to use a risk summing technique (and example is in this link: http://www.isss-tvc.org/Summing_Risk_Slides.pdf. The questions is if this (which is clearly a tough job to be done, in particular because it does require that you use QRA techniques instead of only estimating the risk in a qualitative manner) is worth the effort.

The real requirement to estimate probabilities is in 4.4. However, the standard also mentioned the probability can be estimated either quantitatively or qualitatively. Unfortunately, most implementations seem to think that, as the standard "permits" I can simply estimate probability qualitatively (the rationale is that it might be difficult to estimate probabilities for some hazardous situations before putting the device into the market, and only post-market data gan give that). This in fact is not in consonance with good risk management practices - imagine if manufacturer of planes waited for planes to be in the market before estimating risk ).

 

[Marcelo]

In my experience, procedural risks must be accounted for in your risk analysis. The type of device I am thinking of is a Class III high risk implantable device. When the device is being implanted into a patient, there are associated risks, like stroke, even if the device performs exactly as intended. ISO 14971 requires that both normal and fault conditions be considered when assessing risk.

Normal and fault conditions related to the device, not the procedure in which the device is part.

But you are right the procedure may be accounted for, but not in the way your are saying. The risk of stroke during implantation is something that the clinical and user have to know as part of clinical decision making, but it's not something that a device manufacturer will need to consider unless the device can led to the stroke (was part of the sequence of events leading to the hazardous situation).

In addition, post-procedure information also provides input into the risk management system. The rate of stroke over time is something that must be considered in the risk/benefit analysis. In the case of the patient noncompliance to meds, it is true that there is no device malfunction, but since this is a factor in the probability of post-procedural risk of stroke, it is required to be considered. In the examples mentioned here, the hazard is the implantation procedure and the device itself, respectively.

Implantation procedure and device itself are not hazards. You seems to be confusing all the definitions related to ISO 14971 (as I already mentioned about hazardous situations).

 

[indubioush]

Help me out then. Let's say this is a high risk invasive device that is a long-term implant, and 15% of the population who receive the device will have a stoke in year following the procedure. As a comparison, the patient population who don't receive the device have a stroke rate of 7%. We know there is a risk of stroke associated with receiving this particular device.

So...

What is the hazard?

What is the hazardous situation?

 

[Marcelo]

Help me out then. Let's say this is a high risk invasive device that is a long-term implant, and 15% of the population who receive the device will have a stoke in year following the procedure. As a comparison, the patient population who don't receive the device have a stroke rate of 7%. We know there is a risk of stroke associated with receiving this particular device.

So...

What is the hazard?

What is the hazardous situation?

It's impossible to know with only this information. We need to know how the device induces the stroke. Then we would have the hazardous situation (and we can derive the hazard out of it).

The hazardous situation is a situation in which the patient is exposed to a hazard.

Let me try to give an example myself.

Let's say the device is the long-term implant, and the problem is that the device, after some time, leaks some residues, and the, when the residues reach a high level, they create a reaction with the heart that leads to the stroke.

In this case (and trying not go into too many details not to complicate the discussion):

- Hazard:
Chemical

- Sequence of events:
Implant leaks residue
Residue accumulate

- Hazardous situation:
High level of residue into circulatory system

- Harm:
Stroke (high residue acting with heart)
Other harm related to high residue reacting with another organ)

 

[indubioush]

In this case, the stroke is caused from the device being implanted in the vasculature. An embolism can develop on the device itself and then travel through the patient bloodstream to the brain. Also, the act of implanting the device means the interior walls of the vasculature may be damaged or there may be plaque in the vasculature that breaks loose from the vascular wall and is large enough to block an artery in the brain. With all of these hypothetical situations, there is no way to know exactly what happened to a particular patient. Does that help clarify?