Risk Analysis - Events which may cause to Data Loss

eyalhend

Starting to get Involved
#1
Hello All,
Would appreciate the forum aid with the following subject:
As part of risk analysis process, we are dealing with events which may cause to data loss (due to, for example, file corruption, deletion of data, communication issues, etc.)

As said, the harm was determined as data loss.
Yet, Clinical personnel claims data loss does not cause harm to patient, as the physician shall not relay on previous recorded data for its decision making and suggest not to include risks related to data loss in the risk analysis file, or at least, to separate it to a different category not related to clinical risks (suggested a term of regulatory risks, which I personally don’t except).

The same question raised from security issues, for example, exposing personal data – is that a risk which may cause harm to a patient, and accordingly shall be introduced to the risk analysis?

Thanks a lot in advance!
 
Elsmar Forum Sponsor

yodon

Staff member
Super Moderator
#2
We've bumped into that numerous times. I think if you look at the definition of 'harm' in 14971 it offers a little more flexibility:

physical injury or damage to the health of people, or damage to property or the environment

While it might be a stretch, you could maybe argue that data loss is "damage to property." If you consider the ramifications of the GDPR, it certainly makes sense to take data protection pretty seriously.

We've typically expanded our 'severity' definition to include these aspects.
 

mihzago

Trusted Information Resource
#3
I would recommend keeping the Security risk assessment separate from the safety risk, since each has a different definitions of harms and different approaches to estimating probability.
Then, any security risks with potential to result in injury could be included in the safety risk assessment. For example, loss of data, depending on the intended use may by a hazardous situation that could lead to a harm. If you have a system to provides diagnosis or treatment for a serious condition, a loss of data could be a bad thing. Similarly, data corruption, for example in a closed loop system would be a very serious problem.
A disclosure of personal or health info, probably very little or no safety risk.
 

pkost

Trusted Information Resource
#4
Data loss can affect many areas of the manufacturing and developing process. you may also want to consider data corruption that could lead to incorrect decisions at any stage that can then lead to more obvious risks

If you lose data from the manufacturing process, you may struggle to demonstrate the device has been manufactured to specification
If you lose data from the design processes, how can you prove that your device is safe and effective and in compliance with regulations?

You mention that clinical personal disagree - is this with information that is presented to the clinician? If so, why is it being presented if they don't use it? it may not be required, but they may come to use it to support a decision that they otherwise would not have made, in which case there is a risk of harm

It is worth noting that ISO13485:2016 now specifically has a requirement relating to data protection!
 

Ronen E

Problem Solver
Staff member
Moderator
#5
Good responses above.

To add another general comment, I wouldn't necessarily try to force data loss or data breach directly into the "harm" slot. It may contribute or lead to harm in a more indirect way, in which case you need to continue your analysis until you reach an actual harm (or not - that's part of the analysis). Remember that ISO 14971 is about scenarios or combinations of events/conditions that may lead to harm and thus pose a risk.

I agree with the viewpoint that clinical data loss may pose a risk even if that data is not routinely used for making clinical decisions or it's just a support for more important sources. The risk might be lower, but saying that there is absolutely no risk? I don't think so. Every bit of clinical data available to the clinician that might affect their actions is significant. Otherwise there's no point in having that device/service in the first place.
 

eyalhend

Starting to get Involved
#6
Thanks all for the responses!
Maybe I need to emphasize some issues:
1) By 'Data Loss', I mean only to clinical data acquired during clinical procedure. It has no relevance neither to manufacturing nor to design
2) An event of Data Loss may occur due to file corruption (for example, due to network issue during transferring it to PACS) or deletion of a file mistakenly by user (with no backup).
3) The clinical team argue/challenge that such Data Loss poses no risk to patient (and therefore - there is no potential harm), as the decision making post-procedure is not (solely) based on the data which is lost. Actually, the system just measures values and present it to the physician. If a redo is required (not due to the data loss), the physician may and will measure again anyway.

Given the above, the risk-management team is challenged to define whether Data Loss is posing a risk.

Hope the above clarifies more the concern.
Thanks!
 

Ronen E

Problem Solver
Staff member
Moderator
#7
the decision making post-procedure is not (solely) based on the data which is lost.
Not solely based on it, but it does contributes to the decision (based on your wording). Correct? So the decision may not be as robust without it. Maybe the effect is small, maybe even negligible, but not zero. The significance should be analysed and the results documented, as a minimum.

the system just measures values and present it to the physician.
What does it mean?... Presents the values for what purpose? If no purpose, why do they need this presentation in the first place?

If a redo is required (not due to the data loss), the physician may and will measure again anyway.
Are you trying to say that data loss does not pose a risk because a redo can be had? That would represent some wasted resources. Maybe not a big risk, but again, also not zero.
 

eyalhend

Starting to get Involved
#8
Thanks again.
Decision making: well, clinical personnel may say that a redo may be interpenetrated as a complete new procedure, in the event of data loss
System measurements: I can't get into details, but the system build maps based on measured values. One may say that it only present data on a convenient manner to the physician. But the decision making is only on him. The system don't suggest/diagnose.

Hope it clarifies more.
The inputs I get from you people are extremely helpful.
Thanks!
 

mihzago

Trusted Information Resource
#9
loss of data may result in 'delay of diagnosis', or 'delay of treatment', or 'prolonged condition'.
the severity will depend on the intended use of your product, i.e. how critical is the information or its timing, how severe the condition, etc.

if you still determine that the loss of data does not result in any harm, then you can still capture it in a separate section that describes limiting factors; or, a section that lists various hazards (one example could be Annex E of ISO14971) where you can indicate that you considered these hazards, but they do not cause harm.
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#10
Of all the disciplines that use data, I am baffled the most by medical clinicians declaring loss of data is not a risk to process or patients.

As a patient, I can assure you that my doctors do refer to my clinical history.

Moreover, the ability to securely share data is critical for other health care providers to consider in order to avoid adverse reactions to treatments for patients with more than one condition.

Lastly, having patient clinical history helps medical personnel avoid repeating a complex case's diagnosis that previously was found to be incorrect.
 
Thread starter Similar threads Forum Replies Date
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
R ECG Risk Analysis Standards ISO 14971 - Medical Device Risk Management 2
adir88 Documenting Risk Control Option Analysis ISO 14971 - Medical Device Risk Management 8
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
M IATF 16949 (6.1.1 - Planning and Risk Analysis for a remote site) Process Maps, Process Mapping and Turtle Diagrams 5
D Risk Analysis & Technical File - What detail goes in the Risk Management Report ISO 14971 - Medical Device Risk Management 5
M An example of risk analysis of class I MD ISO 14971 - Medical Device Risk Management 36
T Risk analysis of QMS software - Validating software we use for QMS ISO 13485:2016 - Medical Device Quality Management Systems 5
B Grouping of Products for Risk Analysis ISO 14971 - Medical Device Risk Management 9
A Risk-benefit Analysis - Hazard Analysis (HA) and FMEAs ISO 14971 - Medical Device Risk Management 18
R The difference b/w FMEA & Risk analysis as per iso 14971 ISO 14971 - Medical Device Risk Management 8
K Risk Analysis Updates due to complaints ISO 14971 - Medical Device Risk Management 10
S The Severity of a Medical Device Hazard - Risk Analysis Clarification ISO 14971 - Medical Device Risk Management 6
Ed Panek Transition to IEC 60601 4th Edition - Risk Analysis and test submissions CE Marking (Conformité Européene) / CB Scheme 2
S In a risk analysis, how can we tie mobile app security breach to ISO 14971? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
Q Risk / benefit Analysis in Risk Management Report CE Marking (Conformité Européene) / CB Scheme 12
R IATF 16949 Clause 6.1.2.1 - Lessons Learned and Risk Analysis IATF 16949 - Automotive Quality Systems Standard 6
S Risk analysis 6.1 and contingency plans 6.1.2.3, are they related? IATF 16949 - Automotive Quality Systems Standard 26
B Software Class A - Lengthy further risk analysis IEC 62304 - Medical Device Software Life Cycle Processes 9
W Biocompatibility Risk Analysis for Clinical Practitioner 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 4
F Risk Analysis of a Medical Device Accessory ISO 14971 - Medical Device Risk Management 4
S How we can use risk analysis for suppliers IATF 16949 - Automotive Quality Systems Standard 6
I Medical Device Software Risk Analysis ISO 14971 - Medical Device Risk Management 4
Q Risk Analysis - Same Risk Treatment for Context and Interested Parties ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
C Risk Analysis for COTS/OTS Risk Management Principles and Generic Guidelines 4
M IATF 16949 Cl. 8.7.1.4 - Risk analysis for decision making about rework IATF 16949 - Automotive Quality Systems Standard 2
W Risk Benefit Analysis - ISO 14971:2012 Requirements ISO 14971 - Medical Device Risk Management 27
F Medical Device HACCP (Hazard Analysis and Critical Control Point) Risk Management ISO 14971 - Medical Device Risk Management 2
Q Risk Tools in ISO 31010 - Root Cause Analysis vs. Cause-and-effect Analysis ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 1
S Organizing Risk Analysis and Controls for a New Medical Device (ISO 14971) ISO 14971 - Medical Device Risk Management 4
S Please review my Risk Analysis Table ISO 14971 - Medical Device Risk Management 13
K Risk Analysis and "Information for Safety" / Labeling ISO 14971 - Medical Device Risk Management 10
M Risk analysis - ISO/TS 16949 clause 7.2.2.2 IATF 16949 - Automotive Quality Systems Standard 2
C Help with Risk/Benefit Analysis Self-help Device for Diabetics ISO 14971 - Medical Device Risk Management 3
A FTA-Top/Down approach to Risk Analysis ISO 14971 - Medical Device Risk Management 2
A Industry best practice about Post-Market Surveillance and Risk Analysis ISO 14971 - Medical Device Risk Management 6
T Risk Analysis help for CE Marking Class I Medical Device ISO 14971 - Medical Device Risk Management 10
T Risk Analysis for moving manufacturing equipment ISO 14971 - Medical Device Risk Management 17
D Different kinds of Risk Analysis for various Hazards ISO 14971 - Medical Device Risk Management 3
L GHTF/SG3/N15R8 - Process Validation and Risk Analysis ISO 13485:2016 - Medical Device Quality Management Systems 4
R Risk Analysis of Class IIb Disinfectant ISO 14971 - Medical Device Risk Management 6
J Does anyone have an example of Risk-Benefit Analysis per ISO 14971? Other ISO and International Standards and European Regulations 2
P FMEA Risk Analysis Recommended Action Priority FMEA and Control Plans 2
N ISO 14971 Risk Analysis - Sections 4.2 and 4.3 ISO 14971 - Medical Device Risk Management 2
D ISO 14971 - Risk Analysis Best Practices ISO 14971 - Medical Device Risk Management 5
S Internal Audit Plan per Risk Analysis Internal Auditing 5
K RISK ANALYSIS SAMPLE according to Annex ZA of EN ISO-14971-2012 Other Medical Device and Orthopedic Related Topics 1
S Help me with preparing Internal Audit Schedule based on Risk analysis 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 2
R Risk Analysis and Hazard Identification concerning Clinical Decision Support Systems ISO 14971 - Medical Device Risk Management 1
A Should Intentional Misuse be covered in the Risk Analysis under ISO 62366? IEC 62366 - Medical Device Usability Engineering 3

Similar threads

Top Bottom