Practical Implementation of ISO 14971

SRM049

Registered
I’m trying to implement a more robust and well-defined procedure at my company for risk management activities per ISO 14971, and I’m having a lot of trouble coming up with methods that are effective, efficient, and consistent. I was hoping some of the people here might have some insights.

My current thinking is that the process should be centred around a risk traceability matrix that co-ordinates and records information from all other activities. In that matrix, you would record hazards, hazardous situations, harms, risk estimation and assessment, risk control measures etc.

As specific risk analysis tools are employed throughout the development process, information from these activities would then be used to populate the matrix, with the outputs of these processes being translated into hazards, hazardous situations, harms, and foreseeable event sequences as necessary. My intent with this is to allow individual subordinate analysis techniques (FTAs, FMEAs, PHAs, etc.) to be freely performed and updated throughout the development process, and the relevant findings incorporated into the overall ISO 14971 risk table without significant disruption.

Has anyone else approached risk management in this way and found it effective?


The other big issue I’m having is in consistent definition of hazards and hazardous situations without excessive duplication. For example, I have a device with a deployable/retractable fixation system that anchors it to subcutaneous tissue. For the duration of use this anchor is expected to support loads applied to the protruding length of the device. To me it seems that there is an obvious hazard / hazardous situation here but documenting it seems to become complicated.

I could document it as follows (format is Hazard / Foreseeable Sequence of Events / Hazardous Situation / Harm):
Mechanical force (interaction between anchor and tissue) / Tissue anchor is deployed during use / Loading of tissue by tissue anchor / Tissue injury.

Or I could split it into further smaller hazardous situations:
Mechanical force (interaction between anchor and tissue) / Tissue anchor is deployed during use / Loading of tissue by tissue anchor during deployment / Tissue injury.
Mechanical force (interaction between anchor and tissue) / Tissue anchor supports transmitted loadings during use / Loading of tissue by tissue anchor whilst deployed / Tissue injury.
Mechanical force (interaction between anchor and tissue) / Tissue anchor is retracted after use / Loading of tissue by tissue anchor during retraction / Tissue injury.


It gets even more difficult when I try to consider conditions that may exacerbate mechanical interactions. For instance: If the user applies excessive force to the device during use there’s an obvious possibility of harm. What I can’t figure out is whether this scenario should be treated as a contributor in a sequence of events leading to a hazardous situation (Loading of tissue anchor whilst deployed), or should it be considered to constitute its own hazardous situation (something like Excessive loadings transmitted to tissue anchor).

I think I may have a fundamental misunderstanding of how I define my hazards, hazardous situations, and foreseeable sequence of events, because I run into issues like this near constantly. In many cases (except for the simplest ones) I can find justifications for defining a particular event or situation as either a contributing event, or its own hazardous situation.
 

Jen Kirley

Quality and Auditing Expert
Leader
Admin
Welcome to The Cove!

I support splitting into smaller hazardous situations if the severity is different among them and particularly if actions to address the different hazardous situations would vary.

When doing risk assessment for a medical device, ISO 14971 asks us to also consider (3.13) reasonably foreseeable misuse. I see you are trying to do this and want to encourage you to go deep enough in your risk identification as developer. I think FTAs can be very helpful to identify the core risk and I encourage you to leverage them to help sort out details.

Excessive loadings transmitted to tissue anchor? seems to me a good failure mode in a design FMEA. What is it about the device that allows excessive loading? Is that risk severe enough to be addressed? If so, how will you do it; and then, what was the effect of your actions?

The thing is, the Product and Design FMEAs do not need to be limited to traditional structure. If you want to include Hazard / Foreseeable Sequence of Events / Hazardous Situation / Harm, I see no reason not to do so.

Whatever tools you use, and I hope you allow yourself to branch out and not limit yourself to FMEA, the tools are just a component to the risk management process that ISO 14971:2019 addresses. The (broken link removed) is not a new document, but its advice still looks sound to me. FDA has also published Factors to Consider Regarding Benefit-Risk in Medical Device Product Availability, Compliance, and Enforcement Decisions, as well as Factors to Consider When Making Benefit-Risk Determinations in Medical Device Premarket Approval and De Novo Classifications.

I hope this helps!
 

SRM049

Registered
Hi Jen, thanks for your advice.

I like the idea of splitting the hazardous situations to facilitate better risk estimation and determination of risk controls. However, I still have issues distinguishing whether something should be considered as a hazardous situation in its own right, or as a foreseeable event contributing to a broader hazardous situation. Would you consider the example of excessive loadings transmitted to the anchor to be its own Hazardous situation?

Going back to the example of the tissue anchor. If we consider only the scenario where the anchor is supporting loadings after deployment there are a lot of factors involved that may lead to tissue harm or influence its severity. Just a few off the top of my head:

  • Inadequate design - poor distribution of loads into surrounding tissue.
  • Damage to anchor compromises load distribution
  • Incomplete or incorrect deployment of anchor compromises load distribution.
  • User implants anchor in diseased or weak tissue - surrounding tissue unable to withstand transmitted loadings.
  • The list goes on.

Up until now I've proceeded by defining relatively broad hazardous situations and working backwards in a sort of pseudo-FTA process to identify causal chains. E.g. Hazard: mechanical force (interaction between tissue and anchor) -> HazSit: Harmful loading of tissue by anchor during support of applied loadings.

Should I consider separating out some of these higher level contributors as their own hazardous situation? In this case I'm still very confused as to a consistent definition as to what part of the chain of events constitutes a hazardous situation in its own right.
 

ThatSinc

Quite Involved in Discussions
The other big issue I’m having is in consistent definition of hazards and hazardous situations without excessive duplication.
I think I may have a fundamental misunderstanding of how I define my hazards, hazardous situations, and foreseeable sequence of events, because I run into issues like this near constantly

I've had the same issue myself, despite leading risk management processes for 8 years and having very positive feedback from technical file auditors over that time. This forum has helped significantly with rethinking how I approach hazards/hazardous situations and how the foreseeable sequences of events fit in - but note I'm still (re)learning myself, so don't take this as gospel, but want to keep the conversation going.

Hazards, Hazardous Situations and R.F.S.E

Do you have a copy of the new TR24971? I've found that has clarified a few things for me too.

As @Jen Kirley has said, splitting the hazardous situations to allow the controls to be readily identified and specific is a good start.

Previously I was finding that I was documenting the actual exposure of the patient/user to the hazard as the hazardous situation, and documenting the causes of the exposure in the sequence of events.
I was taking the guidance from the standard very literally and linearly; hazards lead to hazardous situations through sequences of events, hazardous situations lead to harm.

e.g. under infusion as a hazardous situation, device impacts user as a hazardous situation.

It resulted in so many sequences of events resulting in the same hazardous situation and a complete tangle when trying to define probabilities, it sounds like this might be your issue too?

Whereas now I think of hazardous situations more closely aligned with their definition in the standard; hazardous situations allow a hazard to cause harm.

I could document it as follows (format is Hazard / Foreseeable Sequence of Events / Hazardous Situation / Harm):
Mechanical force (interaction between anchor and tissue) / Tissue anchor is deployed during use / Loading of tissue by tissue anchor / Tissue injury.


When I struggle defining it now, I've started looking at a hazardous situation with regards to how I control it, to either prevent it from occurring or prevent harm from occurring if it occurs.

Assuming you think you need control mechanisms for these scenarios, what would they be?
 
I think it would benefit you to perform various FMEAs prior to trying to compile your larger risk matrix. As an alternative, you could create separate categories in your matrix to allow you to focus on only one source of risk.

Design FMEA - only focus on the design and how different components/assemblies could cause harm.
Process FMEA - only focus on how the manufacturing process could contribute to harm.
Use FMEA - only focus on how use errors could result in harm.
Hazard analysis - first document risks that are not associated with a fault condition (i.e., normal risks), then use the information already documented in your FMEAs to add in the rest.

Now instead of a random thought of "user applies excessive force to the device during use," you will have this use error listed as a hazardous situation associated with a particular step during use of the device. This would be listed in detail in the UFMEA.

Now instead of "Inadequate design - poor distribution of loads into surrounding tissue" you will have the specific fault condition listed in your DFMEA under the "anchors" section.
 

Tidge

Trusted Information Resource
I have a few thoughts, they aren't exactly random but depending on your specific approach will impact if/how the advice can work for you. This advice is offered in the spirit of "seems like the risk file may have too many lines" for folks trying to visualize/represent the risk analysis in 2-dimensions as a matrix (i.e. on paper). A multi-dimensional, relational database allows more freedom (and links between the elements of the risk analysis) but representing the information from such a risk analysis to all necessary parties (internal and external) is trickier.

1) I have found the best reason for having multiple lines for otherwise similar use cases/sequences of events is when those lines end up with different risk ratings (usually because of P1, P2 differences). For medical devices used in extreme circumstances, it is common that the least acceptable risks are those with rather low severity harms but occur frequently. It is generally true that risk controls for high-severity harms will also work for low-severity harms, but the acceptability space is usually different.

I wrote number 1 first, because

2) My preference is: for a given hazard I don't like to see different lines with the same (pre-control) severity/P1/P2 ratings and the same (effective) risk controls. Too many lines clutter the risk analysis and can in extreme circumstances (*see below) give misleading assessments of final acceptability. In my preferred matrix/paper approach to risk analysis I'm content to identify the use cases in the lines of analysis while making sure that the use cases have enough information so that it is clear how the sequence of events in the risk analysis can derive from the use cases. If the same risk control(s) apply evenly to similar use cases for the same hazards I wouldn't find that much value in having multiple lines of analysis.

(*) How "too many lines" can mislead folks about the risk acceptability: Occasionally I observed that some folks would mistakenly believe that they'd done a good (enough) job addressing risks because a great majority of lines of risk analysis were addressed by a relatively few (effective) risk controls. Simply adding more lines of analysis for specific hazards that would be mitigated by already existing risk controls doesn't necessarily explain anything about the acceptability of risks for other hazards.
 