A
Hi all!
I work for a medical device software company.
As part of our risk management scheme, we do risk analysis using different methods. For all hazards that are unacceptable according to our criteria, we require mitigations until we agree that the risk has been sufficiently reduced. Later in the process, we assess the total residual risk for the product and (hopefully) make a statement that it is acceptable. We trace hazards to mitigation and verify that the mitigations are implemented as specified. Fine...
Now, for a 510(k) application, we are asked to "include validation testing references to show that the mitigation factors have been validated to reduce the risk to an acceptable level". I think this refers to proving the effectivness of the mitigations. Do you agree?
If so, I'm not sure what to do...
An example from our analysis: The user is required to enter a value. The user entering the wrong value may lead to patient harm. Our system has no way of verifying if the entered value is correct for a particular patient.
As mitigations, we would typically require that there is no default value and that only values within defined limits are acceptable. Perhaps we would add a labelling warning that it is crucial that this particular value is correctly entered or require that the value shall be visualized in different ways to increase the chance of error detection.
How can we verify the effectiveness of these mitigations? We add mitigations until we "feel" that the risk is reduced to "as low as reasonably practicable" and agree that the risk is acceptable, but I don't see how we can provide any objective evidence that the mitigations actually reduce the risk. It's all based on "expertise" and judgement in the risk management team...
Any ideas?
Thanks!
/A
I work for a medical device software company.
As part of our risk management scheme, we do risk analysis using different methods. For all hazards that are unacceptable according to our criteria, we require mitigations until we agree that the risk has been sufficiently reduced. Later in the process, we assess the total residual risk for the product and (hopefully) make a statement that it is acceptable. We trace hazards to mitigation and verify that the mitigations are implemented as specified. Fine...
Now, for a 510(k) application, we are asked to "include validation testing references to show that the mitigation factors have been validated to reduce the risk to an acceptable level". I think this refers to proving the effectivness of the mitigations. Do you agree?
If so, I'm not sure what to do...
An example from our analysis: The user is required to enter a value. The user entering the wrong value may lead to patient harm. Our system has no way of verifying if the entered value is correct for a particular patient.
As mitigations, we would typically require that there is no default value and that only values within defined limits are acceptable. Perhaps we would add a labelling warning that it is crucial that this particular value is correctly entered or require that the value shall be visualized in different ways to increase the chance of error detection.
How can we verify the effectiveness of these mitigations? We add mitigations until we "feel" that the risk is reduced to "as low as reasonably practicable" and agree that the risk is acceptable, but I don't see how we can provide any objective evidence that the mitigations actually reduce the risk. It's all based on "expertise" and judgement in the risk management team...
Any ideas?
Thanks!
/A