Transcription
Siemens Digital Industries SoftwareImproving medicaldevice riskmanagementExecutive summaryThis white paper investigates some of the classic challenges of medical device riskmanagement and demonstrates how using Siemens Digital Industries Software’ssolution significantly improves the process. It provides a robust repository andworkflow management solution that simplifies tasks such as requirementsmanagement and reporting, while automating deep traceability.siemens.com/software
White paper Improving medical device risk managementContentsIntroduction.3The challenges of medical devicerisk management.4A traceability data model.6A risk management data model.9Risk management document definition. 14Conclusion. 18Siemens Digital Industries Software2
White paper Improving medical device risk managementIntroductionMedical device product development has been a foundationalelement of the practice and betterment of medicine for aboutas long as mankind has been trying to heal people. The mortarand pestle were used to prepare medicinal powders more than6,000 years ago.Over the millennia our medical devices have become morecomplex and powerful, and the same can be said for theregulatory environment. Regulations are essential as they helpto ensure that medical devices are designed with verificationand validation (V&V) so they comply with required specifications and can be used for their intended clinical purposes.Conceptually, risk management seems simple enough. Giventhat potentially hazardous situations can lead to harm, thesepotentially hazardous situations must be documented andmitigated to control outcomes and ensure that a device canbe used predictably and safely.Tools currently used for the purpose of tracking complexityare not just simple, but simplistic. Although spreadsheetsare good for tracking one-to-one relationships, they quicklybecome far less useful when dealing with the one-to-manyand many-to-many relationship tracking required for ensuringregulatory compliance for medical device productdevelopment.Spreadsheets and Microsoft Word software documents arenot really meant for the essential task of achieving traceability. Traceability is at the heart of quality control during thedesign and development stage, and continues to be essentialpost release when linking surveillance reports back to specificproduct requirements and V&V processes.Fortunately, Siemens Digital Industries Software provides apowerful solution for medical device product development.However, as everyone working with compliance knows, thingscan get complex in a hurry, especially when dealing withmultiple regulations, conflicting definitions and the need totrack compliance at a digital level. This complexity is causedby a variety of factors, including the number of variablesneeded to describe the relationships between system components, options for whether to make these concepts unique orre-usable, the many-to-many relationships required to trackcompliance, and sometimes vague or confusing regulatoryexpectations.Siemens Digital Industries Software3
White paper Improving medical device risk managementThe challenges of medical devicerisk managementMedical device risk management needs to be based on livingdesign elements that can be shared from a central repositoryto update stakeholder documents and maintain versioning.Without using such automation to trace design elementrelationships, design intent can be lost across workflows,product changes and requirements updates.Incorporating standardsMedical device product development work is a highly integrated and regulated process. Two key standards incorporatedinto medical device risk management are InternationalOrganization for Standardization (ISO) 14971:2009, whichspecifies the process for a manufacturer to identify the hazards associated with medical devices; and ISO TechnicalInformation Report (TIR) 24971:2013, which providesguidance in addressing specific areas of ISO 14971 whenimplementing risk management. Europe has added to themix with EN ISO 14971:2012, which is different in severalimportant aspects, and is required if a company is sellingmedical devices into Europe.The process defined by these standards can be seen infigure 1.Siemens Digital Industries Software Intended use and identificationof characteristics related to thesafety of the medical device Identification of hazards Estimation of the risk(s) for eachhazardous situationRisk assessmentMuch of the difficulty comes from using old technology –static written documents and spreadsheets – to track thecomplex and dynamic environment in which applicable standards and other product requirements are tracked over timeand through design and development iterations.Risk analysisRisk evaluationRisk control Risk control option analysis Implementation of risk controlmeasure(s) Residual risk evaluation Risk/benefit analysis Risks arising from risk controlmeasures Completeness of risk controlRisk managementTraditionally, one of the more difficult system developmenttasks faced by developers is the challenge of implementingeffective medical device risk management. The key word iseffective, as risk management needs to be a living processthat becomes a granular part of the entire process; from firstdesign and manufacturing through post-market surveillance.Evaluation of overall residualrisk acceptabilityRisk management reportProduction and post-productioninformationFigure 1. Risk management workflow.4
White paper Improving medical device risk managementFrom risk analysis to post-market surveillanceA complete medical device risk management solution needsto cover the full range of associations, as shown in figure 1.Risk management system essentialsThe risk management system should provide informationback to the product designers to inform actions, including:The basic logic flow includes: User impact – How design features affect users Risk analysis: Hazardous situation control plan – Data to guide development of the hazardous situation control plan, includingdesign, product realization and labeling mitigations‒‒ Hazards‒‒ Foreseeable sequence of events (sometimes defined asa sequence of root causes)‒‒ Hazardous situations‒‒ Harms Risk evaluation:‒‒ Pre- and post-mitigation occurrence values‒‒ Harm severity‒‒ Risk priority level‒‒ Judgment of risk acceptability Risk control:‒‒ Design requirements‒‒ Realization requirements‒‒ Labeling requirements‒‒ Verification of implementation‒‒ Verification of effectiveness Closure and reporting: Field performance – Field performance should be linked tothe risk analysis in order to ensure that issues are considered in the analysis, and provide rapid integration of issuesdiscovered during product use Mitigation – Performance data, including formulation ofrequirements to make certain that V&V efforts can be usedto ensure that requirements are implemented and effectiveThe power of relational data, enforceable workflowsand automationYou can easily be overwhelmed when using spreadsheetbased methodologies to track all of the interdependenciesof risk analysis, control, reporting and surveillance. UsingSiemens Digital Industries Software's solution for medicaldevices, with its relational data structure, enforceable workflows, automations, traceability and reporting, makes it easyto track and report against whatever risk management information is required. And the solution's central repositoryensures that everyone is using the same data sets. Identifyingharms and other artifacts is as simple as pressing a button torun reports against the work items that have been systematically populated with the relevant data.‒‒ Evaluation of product residual risk‒‒ Evaluation of risk acceptability Post-market surveillance:‒‒ Risk trending codes‒‒ Risk analysis trending code traceabilitySiemens Digital Industries Software5
White paper Improving medical device risk managementA traceability data modelTraceability is at the foundation of medical device risk management. From design, development and manufacturingexecution through post-market surveillance, organizationsneed the ability to precisely trace interrelated work items andtheir relations to design and regulatory requirements, testcases, V&V processes, build controls, hazards, harms andmitigations. Some of the basic building blocks of traceabilityare seen in the Siemens Digital Industries Software's medicaldevice template’s comprehensive traceability table, as shownin figure 2. The flow diagram shows elements that provide thebasis for developing the design V&V test plan and risk management framework.Comprehensive traceabilityThe complexity of this interrelation can’t be reasonablytracked by spreadsheets or written documents. For example,early in the design process you might specify user needs in adocument created using Word. With each user need listed, youmay place a number at the end of the sentence for tracking.When writing a separate product requirements document, youcan reference each requirement back to the user need itfulfills. The numerical link can then be placed into a spreadsheet in an attempt to trace between user needs and productrequirements.But during design, it is unlikely you will have every designoutput, including subassemblies, linked to each user need orproduct requirement.Risk recordHas risk historySourceHas risk historyHarmCauseHazardoussituationMitigates (PFMEA)Mitigate (DFMEA)DefectDesign inputsProductsourcesUser tIs triggered byIndictsTest caseVerifyImplementBuild pliercontrolValidates ifyFigure 2. Comprehensive traceability table.Siemens Digital Industries Software6
White paper Improving medical device risk managementTracing gets more complicated when design file outputs arehanded off to production, which typically creates a productrealization plan and a spreadsheet to track its own productionconcerns. So to establish what your traceability is from userneeds, product requirements and outputs to manufacturingrequirements, you will need to open all these documents.They may or may not have been updated, stored centrally andhave version controls, and you're going to have to manuallyfind the elements and decipher the traceability for each one.This lack of efficient traceability adds a lot of pain and delayfor teams attempting to respond to corrective action preventative action (CAPA) needs.User requirement and product requirement testingAn efficient solution for managing product requirementsshould make it easy to associate user needs with productand software requirements and the relevant testing, asshown in figure 3.For example, the first entries in the figure 3 table show thatuser need 1010-3873 (the device will be sterile) is matchedwith product requirement 1010-3874 (the device will beethylene oxide sterilized per ISO 11135), and references thetest (1010-3821).A robust requirements management solution supports workflows and traceability throughout the design, manufacturingand risk management relationships typical in a medical deviceproduct development process. The solution should supportintegration of concepts used in the development process,such as standards integration, United States Food and DrugAdministration (FDA) guidance, ISO, American Society forTesting and Materials (ASTM) and all other applicable compliance data, as well as images and text-based justifications.Tracking ancillary artifactsOne of the most powerful leverage points in the use of a solidrequirements management tool is the way ancillary artifactscan be referenced throughout the design history file (DHF).Consider, for example, the medical device intended use statement. Your tool should support the approved definition so itcan reference a tagged work item wherever it is used. Thisensures consistency in the text, and the ability to establish apoint wherever the standard text is used. This can be criticalto determining the full impact of a change, and ensuring achange is properly propagated to all relevant documents.Robust tracking and traceability are required for the documentation and mitigation of hazardous situations to control outcomes and ensure that a device is predictable and safe.Figure 3. User requirement and product requirement test.Siemens Digital Industries Software7
White paper Improving medical device risk managementBest practicesAs we’ve seen, the implementation of an efficient and effective risk management system – especially one based on traditional spreadsheets and static documents – is complicatedand challenging.As noted earlier, this is due to a variety of factors, including: The number of variables needed to describe the relationships between system components Options for whether to make these concepts unique andre-usable The ability to support many-to-many data relationships Sometimes vague or confusing regulatory expectationsSome best practices for organizing components of thesystem to support post-market surveillance include: Organize data by how it will be reviewed: After release ofa product to the field, post-market surveillance is used toevaluate the product on the basis of user harm, user hazardand the number or percentage of field occurrences. Yourdata fields should link directly with the data returned foreasy comparison and response to issues identified in thefield. You should be able to see the occurrence of a harmin the field and directly compare it with the risk management process. This will allow you to immediately evaluatewhether the factor used to determine how often the hazardous situation results in a harm is correct, or whether theprobability of the hazardous situation occurring has beenimproperly assessed. Use common terminology for data fields: Regulatory bodies have defined what is meant by a hazard, or hazardoussituation. You should build that regulated terminology intoyour model to provide a system that helps auditors betterunderstand your intent without additional explanation. Minimize linking complexity: Work items should be organized in such a way as to minimize linking complexity. It ispossible to provide so many degrees of freedom (DOF) inthe system that the logic becomes difficult to follow. Thiscan make it difficult to train employees on the system, aswell as explain your processes to regulatory authorities.Siemens Digital Industries Software8
White paper Improving medical device risk managementA risk management data modelA well-designed, comprehensive risk management toolshould be able to support a risk management data modelthat ensures consistent use of definitions, work items andworkflows to identify and mitigate harms and hazards.Your risk management tool should support logic flows such asthe one in figure 4, which is derived from ISO 14971 Annex E,and is required for compliance with both the United Statesand European medical device approval systems. It addressesmeasuring elements such as sequence of events, and theprobability of a hazardous situation occurring, andthe probability of a hazardous situation leading to harm.A risk management data model brings precision to your operations. It allows you to set definitions – based upon whateverdesign or regulatory requirements you are dealing with – andthen enforce consistency of use to greatly enhance dataquality.Enforceable workflowsCreating a risk management data model using Siemens DigitalIndustries Software's solution for medical devices gives youthe ability to develop enforceable workflows so all teammembers, regardless of their geographic location and othervariables, use the same defined workflows. Your organizationcan create whatever workflows it needs. The key is that once itis designed, you are able to ensure that it is used consistently.This provides a unifying framework that helps ensure thattasks can be completed without leaving anything out, andintroduces variables caused by casual definitions or incomplete tasks.The process of defining your workflows in an enforceableframework brings clarity to the work of identifying potentialhazards and harms and determining optimal mitigationstrategies.The framework also enables automation. Once you've established your framework, you're going to create the work items.You go through the same evaluation process to identify hazards and harms as you would if working from a spreadsheet,but now all the interrelationships are managed. This greatlyreduces the amount of time that's required to perform calculations, tracings and other normally time-intensive tasks.Re-using the requirements and relationships on similar futureproducts also provides a compelling reduction in workload.It’s important to underscore the fact that a spreadsheet isn’ta framework. It’s just a collection of cells that can’t be usedfor enforcing workflows or working with relational data.The need for consistencyThe framework and its supporting environment provided withthe Siemens solution, also gives you the ability to enforce consistency for other elements, including definitions, terminology andspelling. Although enforcing consistent spelling and terminologymight seem inconsequential at first glance, the absence ofconsistency can sap the strength of your data.If you were searching a database for a harm such as perforatedbowel, you would only see a portion of such incidents if the wordperforated was misspelled in 30 percent of your spreadsheetentries. With a risk management tool that can enforce consistentspelling, a search would result in identifying all incidents.Enforcing consistent terminology is needed for the same reasons. For example, if you are working with arterial balloon hazards, some incidents might be described as a dislodged balloon,while others define the same incident as a deflated balloon, andthere could be a spectrum of variations. By agreeing on properterminology at the outset, your framework can enforce consistent use of it, while providing the flexibility to accommodate andproperly document incident variations.Sequence of eventsRisk management methods are often poorly understood andimprecisely defined, making it all the more important to havea solid risk management model.HazardExposure (P1)HazardoussituationP2HarmSeverity ofharmProcessProbability ofoccurenceof harmRiskP1 x P2Note: P1 is the probability of a hazardous situation occuring.P2 is the probability of a hazardous situation leading to harmFigure 4. Risk management logic flow based on ISO 14971Annex E.Siemens Digital Industries Software9
White paper Improving medical device risk managementRisk evaluation work itemsImplementing systematic risk management logic flow requiresthat multiple work items and commensurate variables mustbe defined in order to logically organize the analysis. figure 5provides an example of a flow diagram of a system compliantwith the risk management flow chart shown earlier in figure 4.The system is organized with three work items: risk record,harm and hazardous situation.The overall system analysis is in the form of a traditionalfailure mode and effects analysis (FMEA).Risk record work item**Risk report data**Step 3**Pre-mitigation harm**Link relationship**Step 2P2 – Probability thatHS leads to harm**Risk report data**Step 3**Pre-mitigation harmAnalyzed by 1/1Mitigation effective**Risk reportdata**Step 4**Post-mitigationRPLEssential performanceyes/noAnalyzed by 1/1Harm work itemHazard situation work itemHazard/sourceMitigationimplemented**Risk reportdata**Step 4**Pre-mitigationRPLForeseeablesequence of eventsHarm descripitionHazardoussituationCauses**HS AttributeStep1**P1 – Pre-mitigation probabilityof HS occuring**Harm attribute –Step 4****Harm severity**HS AttributeStep1**P1 – Post-mitigation probabilityof HS occuringProcess/source/design attribute HS work itemsPre-mitigationdetection Harm work itemsPost-mitigationdetection Table driven User inputFigure 5. Risk evaluation work items.Siemens Digital Industries Software10
White paper Improving medical device risk managementThis is a convenient grouping due to several factors,including: The work is completed and reviewed by different departments, each using their appropriate workflow. Thisbifurcation is logical because a hazardous situation is largelyan engineering exercise, while risk analysis tends to be doneby risk management professionals and clinical staff. The conversion/probability variables cannot be definedwithout the components described by the work item:for example, the probability that a hazardous situationoccurring cannot be defined without knowing the hazard,foreseeable sequence of events and the resulting hazardoussituation. In risk analysis the probability that a hazardoussituation will lead to patient harm cannot be known withoutan accumulation of the occurrence of the hazardous situation, and a characterization of the harm. The hazardous situation term, for example, is discussedin regulatory documents (ISO 14971) and it’s convenientto match the work item with the regulatory term for auditclarification.Work item examplesWork items types can be defined to meet a range of needs. Asnoted above, three basics include a harm work item, hazardous situation work item and a risk record work item.Harm work itemThe risk assessment work item includes a harm descriptionand harm severity. For example, a harm description for anaphylactic shock might be assigned a severity of four on a scaleof one to five.Hazardous situation work itemThe fully characterized hazardous situation includes thesource from which the failure mode originated (hazard), thefailure mode description (foreseeable sequence of events) andthe local effect (hazardous situation). Variable input includesthe pre- and post-mitigation probability of hazardous situationoccurrence (P1), and pre- and post-mitigation detection.An example of this is: Electromagnetic radiation 1) cut insulation, 2) conductortouches case electrification of the cabinet chassisor Biocompatibility, allergenicity 1) Syringe tip hole out ofspecification, large, 2) excessive dosage applied patientoverdosedRisk record work itemThe risk record work item combines a single hazardoussituation with a harm so they can be analyzed as a pair.Several operations are completed in this stage to completethe risk assessment.The P2 factor is defined as a relationship between thehazardous situation and the harm (probability of the hazardous situation leading to harm). In our above example, thehazardous situation is electrification of the chassis. The harmis electrical shock to the user. The obvious question is howoften will shocking the user lead to user death? Thankfully,one does not always follow the other. This P2 conversionfactor is the method we use to reduce the occurrence to alevel the user would experience.The P1 and P2 factors are then combined to determine theoccurrence of the harm.The final P factor is then used along with the harm severityto determine the harm/hazardous situation risk index.The risk priority level, or risk index, is calculated to determinethe effect of the risk on the product and company systems.Grading scalesWhenever a risk management system is defined, it is alsonecessary to develop the grading scales. The following is adiscussion of each scale and their meaning. The scales arejust examples of how this can be done.Harm/severityIn the system described in figure 6, harm severity is definedas one of five levels, on a scale of one to five.Harm severity characterizationLevelDefinitionsMinor (1)Results in temporary injury orimpairment that does not requireprofessional medical intervention;inconvenienceModerate (2)Temporary injury or impairment thatrequires minor professional medicalinterventionSerious (3)Results in injury or impairment requiringmajor professional medical interventionCritical (4)Results in permanent impairment or lifethreating injuryCatastrophic (5)Results in patient deathFigure 6. Harm severity characterization on a scale ofone to five.Siemens Digital Industries Software11
White paper Improving medical device risk managementHazardous situation occurrence (P1)The hazardous situation occurrence is ranked on the basisof probability. The table shown in figure 7 provides anexample of such a ranking system.Probability of harm occurrenceBy factoring the P1 and P2 occurrence values defined above,you can estimate the probability of harm occurrence, asshown in figure 9.Probability that hazardous situation will leadto harm (P2)The likelihood that the hazardous situation will lead to aharm is also ranked by probability. An example of this isshown in figure 8.Probability of occurrence of a hazardous situation (P1)Probability the hazardous situation will result in harm (P2)LevelFrequencyLevelDefinitionsProbability of harmFrequent (5) 1/100 and 1 5%Injury would be rareProable (4) 1/1000 and 1Extremelyunlikely (1)Occasional (3) 1/10K and 1/10006 – 25%Remote (2) 1/100K and 1/10KUnlikely butpossible (2)Injury is conceivble butnot likelyUnlikely (1) 0 and 1/100KLikely (3)26 – 75%Injury may occurVery likely(4)76 – 95%Injury is expected tooccurExtremelylikely (5) 96%Injury will occurFigure 7. Hazardous situation occurrence probability.Figure 8. Probability that a hazardous situation will resultin harm.P2 – Probability of hazardoussituation leading to harmP1 – Probability of occurrence of a hazardous (4)Frequent(5)Extremelyunlikely (1)11112Unlikely butpossible (2)11113Likely (1)11124Very likely (4)12235Extremelylikely (5)12345Figure 9. Probability of a hazardous situation occurring.Siemens Digital Industries Software12
White paper Improving medical device risk managementRisk priority levelThe risk priority level (RPL) can be calculated from the severityand occurrence levels established in the previous tables. It canbe derived either from a pick table or a variety of calculationmethods. The pick table definition is shown in figure 10.Occurrence of harm (p1xP2)Severity of DDCCB2DDCBB3DCBBA4CCBAA5CBAAAFigure 10. Probability of a hazardous situation occurring.Report exampleOnce the characterization is completed for each hazard/harmcombination, a risk management and mitigation assessmentreport can be generated. A partial screenshot of such a reportis shown in figure 11.FMEA analysis – harm/hazard and mitigation assessmentFigure 11. Harm/hazard and mitigation assessment report.Siemens Digital Industries Software13
White paper Improving medical device risk managementRisk management document definitionDefinitions are essential throughout the process of medicaldevice risk management, including defining structure andcontents of required documents, such as the risk managementplan, risk analysis and risk management report.Some of the structure of document artifacts is mandated.Of course, special attention must be paid to ensure that thedocuments contain all of the information required by law.Risk management planThe risk management plan, as defined by EN ISO 14971:2009,should include: Scope of activities Assignment of responsibilities Criteria for acceptability Verification activities Activities related to collection and reviewRisk analysisThe ISO requires that risk analysis documents take aharms-based approach. Elements of risk analysis include: Device failure mode and effects analysis (DFMEA) Process failure mode and effects analysis (PFMEA)Using Siemens Digital Industries Software’s solution, you canpull information from United States Federal Registers into thetool as requirement documents, and link them to companystandard operating procedure (SOP) requirements. Joining thetwo helps ensure legal requirements are satisfied by the company’s SOP requirements or an ISO standard, which would inturn support compliance with the company SOP for designdocuments.This process establishes audit traceability from the requirement source to the design document evidence. During anaudit, the company could demonstrate compliance with aparticular paragraph of the FDA Code of Federal Regulations(CFR) or European Medical Device Directive (MDD) by directlytracing from the legal requirement to the SOP, making it easyto identify records that prove compliance.This provides a proof progression of:Legal requirement Company SOP requirement/ISO standard All project document records Product realization data Post-market surveillance data Use failure mode and effects analysis (UseFMEA) Harms Hazardous situations Harms-based fault tree analysis (FTA): databasetraceability tableRisk management reportThe risk management report, as defined by EN ISO14971:2009, should help ensure that: The risk management plan has been appropriatelyimplemented The overall residual risk is acceptable Methods are in place to obtain relevant productionand post-production informationSiemens Digital Industries Software14
White paper Improving medical device risk managementDocument integrationYour risk management documents should provide properintegration of well-defined elements, including:Document designWhen planning your total documentation package, you’llwant to be sure to include documentation on: Harms: Harms should be at the top of the comprehensiveproduct risk analysis. Aside from the regulatory desire forthis to be the case, it provides a convenient post-marketaudit trail. When adverse events occur in the field, theyare most often associated with harm(s) to the user. In suchcases, as the risk manageme
Medical device product development work is a highly inte-grated and regulated process. Two key standards incorporated into medical device risk management are International Organization for Standardization (ISO) 14971:2009, which specifies the process for a manufacturer to identify the haz-ards associated with medical devices; and ISO Technical
