
The Sequence of ISO 14971 Risk Analysis Activities

medical_eng

Involved In Discussions
#1
All,
I have been looking deeper into ISO14971 and other risk analysis/management techniques. Everywhere I look, the recommendation is to 1) analyse the risk (hazards leading to harm), 2) evaluate the risk (acceptable or not), and 3) control the risk if not acceptable, in that specific order. I understand the logic of this sequence but it doesn't make practical sense.
As I fill out my risk chart and contemplate harms, with very rare exception, I am always able to find ways of controlling the risk to either minimize the occurrence or the severity. It makes more sense to me, after analyzing the risk, to directly propose a risk control method and THEN evaluate the risk (severity/occurrence). If a control method is absolutely not available at all for whatever reason then the risk is evaluated with this knowledge directly.
Stated another way, I would be surprised to read a risk analysis document for a medical device (of any practical use) and see the majority of uncontrolled risks being deemed as acceptable.
From what I see right now, to follow 14971, one has to always rate risk twice: once before a control and again after. What's the point of that? I hope that there are forum members that can explain why it ended up the way that it is.
Thanks!
 

Ronen E

Problem Solver
Staff member
Super Moderator
#2
Hi,

I don't share this view:

> I would be surprised to read a risk analysis document for a medical device (of any practical use) and see the majority of uncontrolled risks being deemed as acceptable.

I've seen more than 1 case where this is exactly what happened. The activity then followed to focus and mitigate a relatively small number of unacceptable risks, until they became acceptable or were eliminated altogether. For such risks, yes, the process requires at least 2 evaluation cycles.

Cheers,
Ronen.
 
#3
> From what I see right now, to follow 14971, one has to always rate risk twice: once before a control and again after. What's the point of that?

We create a table of hazard / risk before / risk reduction method / risk after / verification of risk reduction method as a means of tracking the hazard to its risk reduction method to its verification. It's a very useful method and is something that regulators like to see as well.
 
#4
Pre / post assessment is unfortunately required by the standard, and expected by regulators.

But you are right, it does not make sense.

Rather, when dealing with a complex subject (something not obvious from first glance), good risk management requires establishing the characteristics of the particular situation without risk control(s) in place, in order to understand if the risk control(s) are effective, and for future reference in case of design changes.

For example: an electronic thermometer could read wrong if the battery is low. As a first step we need to understand at what battery voltage things start to lose accuracy (Vbatt_FAIL), which could require tests or analysis from spec sheets of individual parts. Then you design a protection (risk control) which operates with a margin before this point (Vbatt_MIN = Vbatt_FAIL + 0.2V); then you finally validate that the protection works (blanks the display at Vbatt_MIN or lower), and also that the thermometer is accurate at that point (disable the protection, confirm accuracy at Vbatt_MIN).

It's much more important to keep a record of these kind of details than to worry about pre/post risk assessment. But currently ISO 14971 does not require these records ... only the useless numbers in the table :)
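
An added example, not part of any poster's reply: the thermometer case from post #4 written as a Python record of the three steps (characterise Vbatt_FAIL without the control, derive Vbatt_MIN with the 0.2 V margin, validate the protection and the accuracy at Vbatt_MIN). The sweep data, the 0.1 °C accuracy limit and all function names are assumptions made for illustration.

```python
# Constructed sweep: (battery voltage in V, reading error in degC vs. a reference).
SWEEP = [(3.0, 0.02), (2.8, 0.03), (2.6, 0.04), (2.4, 0.06),
         (2.3, 0.09), (2.2, 0.15), (2.1, 0.40), (2.0, 1.10)]
ACCURACY_LIMIT_C = 0.1  # assumed accuracy spec, not given in the thread
MARGIN_V = 0.2          # margin stated in post #4

def find_vbatt_fail(sweep, limit):
    """Step 1: highest measured voltage at which accuracy is out of spec.
    The true failure point lies within one sweep step above this value,
    which is one reason the margin in step 2 is needed."""
    failing = [v for v, err in sweep if abs(err) > limit]
    if not failing:
        raise ValueError("no failure point in sweep; extend the test range")
    return max(failing)

def error_at(sweep, vbatt):
    """Reading error at vbatt, linearly interpolated between sweep points."""
    pts = sorted(sweep)
    if not pts[0][0] <= vbatt <= pts[-1][0]:
        raise ValueError("voltage outside the characterised range")
    for (v0, e0), (v1, e1) in zip(pts, pts[1:]):
        if v0 <= vbatt <= v1:
            return e0 + (e1 - e0) * (vbatt - v0) / (v1 - v0)

def display_blanked(vbatt, vbatt_min, protection_enabled=True):
    """The risk control: blank the display at Vbatt_MIN or lower."""
    return protection_enabled and vbatt <= vbatt_min

def validate(sweep, limit, margin):
    """Steps 2 and 3: derive Vbatt_MIN, then check the control and the
    accuracy at Vbatt_MIN with the protection disabled."""
    vfail = find_vbatt_fail(sweep, limit)
    vmin = round(vfail + margin, 3)
    unprotected_reads = not display_blanked(vmin, vmin, protection_enabled=False)
    return {
        "vbatt_fail": vfail,
        "vbatt_min": vmin,
        "blanks_at_min": display_blanked(vmin, vmin),
        "blanks_below_min": display_blanked(vfail, vmin),
        "shows_above_min": not display_blanked(vmin + 0.05, vmin),
        "accurate_at_min_unprotected":
            unprotected_reads and abs(error_at(sweep, vmin)) <= limit,
    }

if __name__ == "__main__":
    for key, value in validate(SWEEP, ACCURACY_LIMIT_C, MARGIN_V).items():
        print(f"{key}: {value}")
```
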
 

sagai

Quite Involved in Discussions
#5
I do not see the point to debate whether or not the regulation itself is sensible to your situation. ISO14971 is a voluntary standard, it is up to you if you declare conformance to it or if you set your own way and later shelter it for legislators.
I do not like paying tax for example, but when I am in the country, I voluntarily choose that I am subject to all of its regulations and jurisdiction.
Simple is that I think.

The whole medical device is in the hazard continuum. Every feature of your device is hazardous. Basically anything can go wrong and could result in patient related event. And our lifetime is obviously not enough to minimize the risk of things possible could go wrong as regard to the medical device.
I think, it is not possible to have a safe medical device, the only thing we can have is a level of confidence about its safety maturity when we think, well ... it is worthwhile to use it rather than not.

So ... the initial hazard analysis actually helps you not to spend your lifetime on chasing all the hazardous situations and also gives you a reference point to see your progress, the point that can be used to compare if you managed to increase your confidence about the safety of your device.

Many thanks, Cheers
 
#6
> I do not see the point to debate whether or not the regulation itself is sensible to your situation.

The discussions can seem a little theoretical, rather than practical but, perhaps, we can develop alternative approaches or improvements that could be used to improve the standards. There are people in the Cove who are actively involved in standards work.

As you say standards are voluntary, but the fact is, "sticking to the book" is generally much easier than having to prove the acceptability of an alternative approach.
 

sagai

Quite Involved in Discussions
#7
:topic:
I think there is a whole industry that was lined up for this business due to the fact that people in this industry found more palatable and relaxing to rely on standards rather than their own common sense and understanding. :cool:
 

medical_eng

Involved In Discussions
#8
Thanks everyone for the feedback and counterpoints.

Here's my example case to illustrate the point which forum members can weigh in on.

You're designing an electrically powered medical device. As such, compliance to 60601 is required and you know that up front. So you're now starting your risk analysis and you are contemplating the electric shock hazard. 60601 goes into a lot of detail how to design and verify to prevent this. Where is the value in contemplating all the sequence of events, hazardous situations, and harms from an electric shock when in the end (and there may be quite a few), compliance to a recognized standard is your method of risk control, reduces the risk to an acceptable level, and covers it all? Why not zero in on it right away?

Remember that a risk analysis is not a document created by one person and then filed away never to see the light of day. It's also a communication tool for others to read and understand (and approve, if appropriate). Eliminate detail that in the end would be basically irrelevant is my suggestion.

Now, if your device has a new application of technology not contemplated by the standard, or is used in a particularly severe environment, or no direct standard exists, etc., one has to recognize this and then I see the value in the two step process. You still need to have your thinking cap on at all times on these matters.

What does ISO31010 have to say on all of this?

I've read 14971 and 60601 several times (!) and it is quite evident that the authors of the one were aware of the other document and vice versa, and likely fully aware of 31010 as well. So getting back to the original question, why is ISO14971 strict on the two step process for every hazard? What's the practical point? Why did it end up that way?

Cheers!
 

sagai

Quite Involved in Discussions
#9
You can do a workaround saying all your initial risk evaluations deem the risk unacceptable due to your manufacturer policy and you immediately continue with the mitigation/control measure, simple is that.

There is a danger of actually spending more time on looking into and chasing standards rather than carrying out the work in a sensible manner.

Another angle ...
If I understand correctly that you are doing this analysis and control identification work.
I am wondering how do you involve medical science domain knowledge into such analysis in order to see the medical extent of those discretion?

Cheers!
 

Ronen E

Problem Solver
Staff member
Super Moderator
#10
> Thanks everyone for the feedback and counterpoints.
>
> Here's my example case to illustrate the point which forum members can weigh in on.
>
> You're designing an electrically powered medical device. As such, compliance to 60601 is required and you know that up front. So you're now starting your risk analysis and you are contemplating the electric shock hazard. 60601 goes into a lot of detail how to design and verify to prevent this. Where is the value in contemplating all the sequence of events, hazardous situations, and harms from an electric shock when in the end (and there may be quite a few), compliance to a recognized standard is your method of risk control, reduces the risk to an acceptable level, and covers it all? Why not zero in on it right away?
>
> Remember that a risk analysis is not a document created by one person and then filed away never to see the light of day. It’s also a communication tool for others to read and understand (and approve, if appropriate). Eliminate detail that in the end would be basically irrelevant is my suggestion.
>
> Now, if your device has a new application of technology not contemplated by the standard, or is used in a particularly severe environment, or no direct standard exists, etc., one has to recognize this and then I see the value in the two step process. You still need to have your thinking cap on at all times on these matters.
>
> What does ISO31010 have to say on all of this?
>
> I’ve read 14971 and 60601 several times (!) and it is quite evident that the authors of the one were aware of the other document and vice versa, and likely fully aware of 31010 as well. So getting back to the original question, why is ISO14971 strict on the two step process for every hazard? What’s the practical point? Why did it end up that way?
>
> Cheers!

Mind you, there are a lot of medical device types which do not have the equivalent(s) of 60601. People involved in electrical medical equipment tend to forget it sometimes (no offence).

I'm not a 60601 expert, but in my opinion you could add a clause at the beginning of your RMF excluding all generic hazards addressed by 60601 (applicable parts) on the grounds that your device is properly tested and certified. Then go on to analyse those "special" risks that are unique.

Cheers,
Ronen.
 