A New Approach To ISO 14971 For Better Medical Device Risk Analysis
By Mark F. Witcher, Ph.D., biopharma operations subject matter expert
ISO 14971 is one of the most referenced and quoted risk analysis guidance documents in the medical device industry [1]. The guidance’s influence sometimes extends well beyond just medical devices. The purpose of this article is to reinterpret the risk model in Annex C of ISO 14971 using relational risk analysis (ReRA) to describe a better approach for understanding, analyzing, and managing not only medical device risks but all risks.
ISO 14971 defines a risk as a “combination of the probability of occurrence of harm and the severity of that harm.” A related document, ISO 31000, defines a risk as the “effect of uncertainty on objectives” [2]. Like virtually every risk definition, both documents define a risk as an event, situation, or objective. Neither definition has sufficient substance to provide a firm foundation for effectively dealing with risks. However, if risks are viewed as specific cause and effect relationships, a more robust foundation can be provided for understanding risks.
Figure 1 shows a summary of the risk model used in ISO 14971 to describe a risk of harm to a subject, usually a patient. The model can be used for analyzing and managing a wide variety of the device’s risks.
Figure 1: Summary of the risk model shown in Figure C.1 of Appendix C in the ISO 14971 guidance. The model states that the probability of harm P to a patient is the product of probabilities P1 and P2.
The probabilities in Figure 1 are defined in the guidance as follows:
- P1 is the “probability of a hazardous situation occurring” as the result of a hazard event.
- P2 is the “probability of a hazardous situation leading to harm.”
- P is “the probability of harm” to a patient.
A careful reading of the P1 and P2 descriptions suggests that the probabilities describe what happens between two events. P1 is the probability of the initial hazard passing through something, perhaps a “sequence of events,” to produce a hazardous situation. P2 is the probability of the “hazardous situation” passing through a second link of some kind to result in harm to the patient. The probability of the hazard producing harm in the patient P is the product of P1 and P2.
How risk events are linked is a critical part of what makes a risk. No event, no matter how large or small, occurs spontaneously or in isolation. Instead of the risk analysis focusing on the events and how likely they are to happen, the analysis should focus on how likely the links are to take an initiating or cause event or situation and transmit or propagate that event into a second event or situation.
Relational Risk Analysis (ReRA)
ReRA is based on viewing a risk as a probabilistic cause–mechanism–effect relationship as shown in Figure 2 [3].
Figure 2: Defining a harm risk as a causal relationship of a cause (threat or hazard) event or situation of probability LC entering a mechanism (system) that has a probability LP of producing an effect event (harm) or situation with a probability of LE where LE = LC * LP. The basic element shown can be used to build system risk structures (SRS) describing more complex risks composed of sequences or networks of events and mechanisms.
The four ReRA/SRS elements shown in Figure 2 are:
- Cause event – a hazard, hazardous situation, or threat event of probability LC that enters a mechanism called a system. The effect event cannot occur if the cause event does not occur. A cause event can be the effect event of a prior risk.
- Mechanism or system – the combination of equipment, people, actions, activities, or anything else that takes an input cause event and transmits or propagates the cause to produce an output effect event. The probability LP of propagating the cause to the effect is impacted by secondary factors, such as failure modes with a severity described as ΔLP.
- Effect event – a consequence event to a specific subject that can be either a harm or benefit event produced by the risk’s system. The effect event’s probability of occurrence LE is calculated as the product of LC and LP. The event impacts a subject with a defined severity. The effect event can be, and frequently is, the cause event to subsequent risks.
- Failure modes – risk events or secondary factors that have an impact of ΔLP on the probabilistic performance LP of the system. A failure mode cannot cause the effect event although it can make the occurrence of the effect event certain (LE = 1) if the cause event occurs. Failure modes can be described as hazards or threat events to the system’s performance.
If any of the four elements — including the risk’s subject — change, the relationship describes a different risk. Figure 2 is a useful structure for modelling risks. To effectively describe risks, the selection of which events are included as cause events and which are treated as failure modes in the SRS can be left to the discretion of the risk analyst.
Using ReRA shifts the risk analysis from guessing the frequency of future events to studying the system’s structure and mechanisms to estimate the probability that it will transmit or propagate input risk events should they occur. In the case of harm risks, the probabilities of propagation need to be as low as possible. In essence, ReRA shifts the risk analysis from analyzing bad events to analyzing bad systems. A bad system is one that has an unacceptable probability of resulting in a hazardous situation or harm to the patient.
Details for describing the severity and probability of risk events and systems, including rating scales and defining acceptance criteria, are left to the ReRA references [3,4].
A risk’s mechanism or system between the hazard and the hazardous situation, in this case the medical device, contains a great deal of analyzable information based on how it is defined, designed, constructed, qualified, and validated. This information can provide a highly effective estimate of its LP, that is, of the probability of it performing its function of minimizing the probability of the patient being exposed to the hazardous situation. The second system is obviously the patient and how they respond to the hazardous situation with respect to harm occurring.
Redefining ISO 14971’s Risk Model
Figure 1 can be used to describe two types of risks. The first is an overall risk associated with the decision to use the medical device. Given that not using the device is a separate risk, a device that is not used cannot harm the patient and therefore the primary cause event for evaluating the device risk is using the device. However, the model in Figure 1 also can be used to model a wide variety of risks associated with the device being used to control other hazards, many of which are described in ISO 14971, Table C.1.
Using the concepts of ReRA, the ISO 14971 model in Figure 1 can be expanded to explicitly show P1 and P2 as probabilities associated with definable systems rather than events. If the risk model in Figure 1 is combined with the ReRA approach shown in Figure 2 to connect the risk events with mechanisms or systems, the result is the model shown in Figure 3.
Figure 3: A two-system SRS of the risk model shown in Figure 1 describes the risk of harm associated with using the medical device. Note that because PC = 1, the probability of the device failure is equal to P1. Should the device fail (P1 = 1), the probability of harm to the patient is equal to P2. Both the medical device and the patient are subject to failure modes or secondary factors that can significantly change their probabilities of failing to adequately control the device’s failure and the resulting harm to the patient.
If the risk analyst wants to evaluate the device’s overall risk to the patient, then the primary cause is the device’s usage. The initial analysis would be based on the device’s intrinsic probability of failure if no failure modes occur. The analysis can then identify and include the impact of various possible failure modes. An excellent example of a failure mode is human error associated with using the device.
While failure modes cannot cause the harm, they can significantly raise the probability of the medical device failing, even to the point of certainty, because the primary cause, the device being used, is certain. Secondary factors to the “patient system” can include a wide variety of events or conditions that impact the probability of the patient responding poorly to the device’s failure.
The second type of risk is associated with the device’s usage as a harm prevention barrier because the system’s performance in controlling various hazards can be analyzed. If the medical device or some aspect of the device is used as a barrier to prevent a hazard from impacting the patient, then the SRS shown in Figure 4 can be used.
Figure 4: In the case where the medical device provides a protective barrier against external hazards or has an internal hazard, the SRS shown describes the risk of the hazard causing harm to the patient. The fact that the device is being used is an assumption allowing the hazard to be treated in the model as the cause event.
The patient may be exposed to a wide variety of threats or hazards from or through the medical device. The risk analyst might view a risk landscape of several hazards using a bowtie format through a top event of the device’s failure to control the hazards. However, each hazard–medical device–exposure to a hazardous situation–patient response–harm relationship should be evaluated as a separate risk.
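The two-system SRS of Figures 3 and 4, worked through as an added Python example that is not from the article or from ISO 14971. All numeric values are constructed, the class and function names are hypothetical, and treating a failure mode's ΔLP as an additive shift clamped to [0, 1] is an assumption, since the article leaves rating details to the ReRA references.

```python
from dataclasses import dataclass, field

@dataclass
class FailureMode:
    name: str
    delta_lp: float        # ΔLP: shift this secondary factor applies to the system's LP
    active: bool = False   # whether the factor is present in the scenario analyzed

@dataclass
class System:
    name: str
    lp: float              # intrinsic LP with no failure modes present
    failure_modes: list = field(default_factory=list)

    def effective_lp(self) -> float:
        # Assumption: active failure modes add their ΔLP, clamped to [0, 1].
        shifted = self.lp + sum(f.delta_lp for f in self.failure_modes if f.active)
        return min(1.0, max(0.0, shifted))

def propagate(lc: float, chain: list) -> list:
    """Apply LE = LC * LP per system; each effect is the next system's cause."""
    if not 0.0 <= lc <= 1.0:
        raise ValueError("cause probability must be within [0, 1]")
    effects = []
    for system in chain:
        lc *= system.effective_lp()
        effects.append((system.name, lc))
    return effects

def harm_probability(lc: float, chain: list) -> float:
    return propagate(lc, chain)[-1][1] if chain else lc

def build_chain(use_error: bool = False, comorbidity: bool = False) -> list:
    # Constructed values, for illustration only.
    device = System("medical device", 0.001,
                    [FailureMode("human use error", 1.0, use_error)])
    patient = System("patient", 0.2,
                     [FailureMode("pre-existing condition", 0.3, comorbidity)])
    return [device, patient]

if __name__ == "__main__":
    # Figure 3: device usage is the cause event, so PC = 1.
    print("intrinsic:", harm_probability(1.0, build_chain()))
    print("use error:", harm_probability(1.0, build_chain(use_error=True)))
    # Figure 4: an external hazard is the cause event (constructed LC = 0.05).
    print("hazard:", harm_probability(0.05, build_chain()))
    # With no cause event, active failure modes alone produce no harm.
    print("no cause:", harm_probability(0.0, build_chain(True, True)))
```

The last case reflects the rule that a failure mode cannot cause the effect event: with LC = 0 the harm probability stays 0 even when every failure mode is active.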
Estimating System LPs
While events, especially future events, may have very little frequency data, systems can contain significant amounts of information, experience, knowledge from experts, and data from testing or usage that can be applied to estimating their probability of passing cause events (hazards) to effect events (hazardous situations or harm), including the impact of various failure modes.
The SRS models in Figures 3 and 4 focus the risk analysis on the medical device and the subject’s health and medical “systems” that propagate the cause events while including possible secondary factors to estimate the probabilities of ultimately producing the harm event.
In the case of the medical device, if the design and engineering teams use good life cycle and ReRA management practices, they should be able to reduce the probability of the device’s failure to an acceptable level based on the severity of the device’s failure by anticipating and designing the device to appropriately manage all reasonable usage, causal hazards, and failure modes, including human errors. In addition, the team should be able to execute full validation activities to test and document the device’s performance.
The patient or human system LP response can be estimated by the device’s technical and medical team, the patient’s medical providers, as well as regulatory agencies prior to licensure of the device’s applications. Secondary factors or failure modes of the patient might include the patient’s history or other medical status or conditions.
Future Harm/Benefit Analysis
Although outside of the scope of this article, the ReRA approach can be used to build an SRS for initiating a harm/benefit analysis for the medical device as shown in Figure 5.
Figure 5: An SRS extension of ISO 14971’s model in Figure 2 that can be applied to analysing harm/benefit risk problems. For many cases, PH + PB = 1.
In simplistic terms, the medical practitioner or the decision maker basically evaluates PB vs. PH by looking at P1 * P2 vs. P1’ * P3. However, a more detailed risk analysis might include looking at PDF and PDF’. A very detailed analysis might also include the impact of failure modes to P1 and secondary factors that might impact P3 and P2. A more detailed discussion of Figure 5 and a more complete SRS of Figure 4 can be addressed in future articles.
Summary
Expanding the definition of a risk to include the risk’s mechanism of action using ReRA opens the door to better understanding of how risks work. The reinterpretation of ISO 14971’s risk model using ReRA enables including a wide variety of information about the device during its definition, design, qualification, and validation life cycle to estimate its ability to control a wide variety of hazards to prevent harming the patient.
Viewing and defining risks as the impact of uncertainty on the risk’s mechanism, system, or processes that produce the risk’s objective or consequence provides a much more robust foundation for understanding, analyzing, and managing medical device risks. In addition, the complete risk landscape can be analyzed by dividing the risks into individual cause and effect relationships to estimate P1 and P2 for determining the appropriate P values for the device’s many hazards and failure modes.
References
1. ISO 14971:2019(E) – International Standard: Medical devices – Application of risk management to medical devices, 3rd edition, 2019-12.
2. ISO 31000:2018(E) – International Standard: Risk management – Guidelines, 2nd edition, 2018-02.
3. Witcher, M., Relational Risk Analysis For The Bio/Pharma Industry, Bioprocess Online, 1/29/2024. https://www.bioprocessonline.com/doc/relational-risk-analysis-for-the-bio-pharma-industry-0001
4. Witcher, M., Rating Risk Events: Why Adjusted Risk Likelihood (ARL) Should Replace Risk Priority Number (RPN), Bioprocess Online, 4/7/2021. https://www.bioprocessonline.com/doc/rating-risk-events-why-we-should-replace-the-risk-priority-number-rpn-with-the-adjusted-risk-likelihood-arl-0001
About The Author:
Mark F. Witcher, Ph.D., has over 35 years of experience in biopharmaceuticals. He currently consults with a few select companies. Previously, he worked for several engineering companies on feasibility and conceptual design studies for advanced biopharmaceutical manufacturing facilities. Witcher was an independent consultant in the biopharmaceutical industry for 15 years on operational issues related to: product and process development, strategic business development, clinical and commercial manufacturing, tech transfer, and facility design. He also taught courses on process validation for ISPE. He was previously the SVP of manufacturing operations for Covance Biotechnology Services, where he was responsible for the design, construction, start-up, and operation of their $50-million contract manufacturing facility. Prior to joining Covance, Witcher was VP of manufacturing at Amgen. You can reach him at witchermf@aol.com or on LinkedIn (linkedin.com/in/mark-witcher).