ISO Registrars/CBs citing for use of "Detection" in Risk Management

g frias

Hi all. I work for a medical device company that designs and manufactures class II devices. Our tool of choice for risk management has been FMEA (application, design and process). We are ISO certified and during a re-certification audit at one of our other sites the notified body cited them for the use of "Detection" in the application and design FMEAs. Their argument was that ISO 14971:2007 omits discussion of detection and that we were unduly placing the burden of detection of a hazard on the end user to avoid harm to the clinician and/or patient. As a result the company revamped the risk management tools to accommodate this finding.

My husband also works in the industry and this was news to him so I'd like to hear from others in the industry to see if this is the direction in which industry is moving or if someone at our sister site should have argued a little harder :lol:. Thanks for the input!
 

Bev D

Heretical Statistician
Leader
Super Moderator
This is the way the industry is moving, and I think it's a good thing.

My organization only uses 'detection' as a mitigation. If we have on-board error detection (we make diagnostic devices and instruments) to mitigate a failure it gets its own 'assessment' as a function.

We've also gone a step further and prior to V&V risk assessment is restricted only to the severity of the effect. Only low severity failures can be excluded from V&V testing and/or mitigation beyond detect and repair. Post validation, we use the observed occurrence rate to guide our risk management decisions.

We take the position that "risk isn't the probability of occurrence but the severity of the effect should it occur" and that drives our risk management decisions...

We cannot determine the likelihood of occurrence or the occurrence rate without testing. Without testing it's just guessing and opinion...

We can determine the severity based on knowledge of function and use. It's just physics.
 
MIREGMGR

Regarding detection, ISO 14971 does not accept detectability in the equation. Risks for ISO 14971 are only based on the severity of the harm and probability of the harm.

Yes, but.

Clearly the intent of ISO 14971, and more importantly the overriding legal and ethical responsibility of the device maker, is that the device should be safe and effective.

In the US FDA system, risk analysis is a required part of product design. It's self-evident that if two alternate design solutions have comparable severities and comparable probabilities of occurrence, but one of the alternates has greater user detectability after occurrence but before the full extent of harm occurs, that alternate design is preferable. My understanding of US FDA's intent in regarding risk analysis as a part of design is to assure just this sort of consideration of harm-avoidance. Thus, at least in my view, detectability needs to be considered and documented as a part of the process, even though ISO 14971 does not require it...that is, such an implementation of risk analysis should go beyond the minimum requirements established by ISO 14971.

As an example, the above scenario particularly applies to simple, low-risk, professional-use devices for which the most likely risks involve user error, and the presence and training of the professional user result in a significant likelihood that that user will detect the incipient harm and act in a situationally appropriate manner to mitigate it.
 

Marcelo

Inactive Registered Visitor
Re: ISO Notified Body citing for use of "Detection" in Risk Management

In the US FDA system, risk analysis is a required part of product design. It's self-evident that if two alternate design solutions have comparable severities and comparable probabilities of occurrence, but one of the alternates has greater user detectability after occurrence but before the full extent of harm occurs, that alternate design is preferable. My understanding of US FDA's intent in regarding risk analysis as a part of design is to assure just this sort of consideration of harm-avoidance. Thus, at least in my view, detectability needs to be considered and documented as a part of the process, even though ISO 14971 does not require it...that is, such an implementation of risk analysis should go beyond the minimum requirements established by ISO 14971.

The main problem with this type of example is that this kind of "detectability", in terms of ISO/IEC standards, is related to the usability engineering process of IEC 62304. And the usability process is tied to the risk management process.


Anyway, ISO 14971 does permit that you make a decision regarding options for risk control measures, and you can, if you want, decide that one is more "detectable" than the other so you prefer that one.

However, both are primarily related to severity and probability. Detectability is in this case only a second-tier design decision.

One of the real main problems with detectability and why it does not fit into ISO 14971: essential principles require that risk control measures are defined in order, 1 - inherent safety, 2 - protective measures, 3 - information for safety.

If we put detectability in the mix and let the risk be lowered because of the detectability, it means that we could bypass the required order.
 

yodon

Leader
Super Moderator
Regarding detection, ISO 14971 does not accept detectability in the equation. Risks for ISO 14971 are only based on the severity of the harm and probability of the harm.

??? From the standard (G.4, FMEA):

FMEA can be extended to incorporate an investigation of the individual component fault modes, their probability of occurrence and detectability (only to the degree that detection will enable preventive measures in the context of this International Standard) and also the degree of severity of the consequences.

I think this clearly indicates that detectability is a valid means to assess (and possibly reduce) the likelihood that the harm is realized.

I've seen detectability (by the system, not necessarily by the operator) used frequently. I can't imagine why an NB would prohibit this. Maybe it was too heavy a reliance on operator detectability?

14971 (for better or worse) is not a rigid Risk Management template but an overview of what needs to be done. How things are done is left to the user (to some degree, of course).
 
MIREGMGR

This discussion further illustrates the conceptual differences in use of ISO 14971 in particular, and standards in general, among different national/regional regulatory systems.
 

Marcelo

Inactive Registered Visitor
??? From the standard (G.4, FMEA):

FMEA can be extended to incorporate an investigation of the individual component fault modes, their probability of occurrence and detectability (only to the degree that detection will enable preventive measures in the context of this International Standard) and also the degree of severity of the consequences.

I've seen detectability (by the system, not necessarily by the operator) used frequently. I can't imagine why an NB would prohibit this. Maybe it was too heavy a reliance on operator detectability?

***************


Annex G has comments on risk analysis techniques. It means that FMEA does use detectability. That's it. I'm not sure why you are implying that this annex comment means that detectability can be used.

I think this clearly indicates that detectability is a valid means to assess (and possibly reduce) the likelihood that the harm is realized.

From 6.2 - Risk control option analysis:

NOTE 2 Risk control measures can reduce the severity of the harm or reduce the probability of occurrence of the harm, or both.

14971 (for better or worse) is not a rigid Risk Management template but an overview of what needs to be done. How things are done is left to the user (to some degree, of course).

Yes, you really can do anything you want, however, if you claim conformity to ISO 14971 and use detectability, it's really incorrect. That's why the OP had a problem in the first place.
 
MIREGMGR

If we put detectability in the mix and let the risk be lowered because of the detectability, it means that we could bypass the required order.

I've highlighted a key phrase above. I wouldn't argue that detectability is in itself a mechanism for lowering analyzed risk. Rather, it's a parameter for selecting the preferable design approach among alternatives. I.e., among design alternatives with equal risk, more detectability always is preferable.

This does of course raise the possibility of a scenario in which a higher risk design approach might be preferable to a lower risk one because the higher risk approach has much more detectability, and a present professional user would mitigate the harm. I would suggest though that in that scenario, the analyzed risk remains higher, and acceptability of the detectability-based design approach is a deviation from the normal procedure and would require documentation of why it can and should be accepted.
 
MIREGMGR

Regarding the OP's issue, we've had this specific discussion with both our NB and our Authorized Representative. We initiated the discussion with our NB, who accepted our approach after discussion. Our Authorized Representative raised the point themselves, but again accepted our approach after discussion.

It may have been relevant in both cases that they recognize that we must comply with both the US FDA's and the EU's expectations.
 