Medical Device Design: Determining if a Risk Requires Mitigation

October 31, 2011

By Kristy Bell, Human Factors Engineer

A risk management plan documents how a project team will identify and evaluate the potential risks associated with a product. The plan outlines the process and the criteria the team will use to determine whether mitigation is required for a particular risk. This document becomes part of the complete Design History File (DHF). The activity is an integral part of Ximedica’s product development process and satisfies the requirements of HE-75, 21 CFR 820.30(g), and ISO 14971:2007 (i.e., the human factors guidance, the FDA design control regulation, and the international standard for risk management in the medical device industry).

Creating a risk management plan is an integral part of the device development process.

At Ximedica, the risk management activities are completed by a cross-functional team of researchers, designers, engineers, and management. The team uses tools, such as Fault Tree Analysis and Failure Mode and Effects Analysis, to conduct a systematic evaluation of the device from use, design, and manufacturing perspectives. These analyses identify hazards and the harms associated with those hazards.

Risk is defined in ISO 14971 as a combination of the severity of harm and the likelihood of occurrence of the hazard:

  • Severity - an assessment of the seriousness of the harm associated with the potential hazard.
  • Occurrence - the likelihood that a specific cause will result in the listed failure mode and lead to the associated potential effect.

Ximedica’s risk management process places risks into one of three categories:

  • Acceptable - Does not require mitigation because residual risk is low.
  • Unacceptable – Mitigation is required because the residual risk is above acceptable limits.
  • As Low as Reasonably Practicable (ALARP) - the team should pursue additional mitigations to reduce the residual risk, provided the additional effort is reasonable.

For risks classified as “ALARP”, a Risk versus Benefit Analysis is performed if the team is not able to pursue further mitigation. This analysis compares the benefits of using the device against the risk associated with use to determine whether the residual risk is acceptable without further mitigation. For example, when working on a specific project recently, Ximedica’s team identified a possible risk of infection when inserting the device. The risk was categorized as ALARP; however, further mitigation to the device was deemed not practicable. The potential benefit of establishing a patient airway in order to maintain respiration outweighed the potential risk of infection.

When mitigation is required for a risk, best practice (and the priority order given in ISO 14971) is to provide risk controls in this order:

  • By use of design features (Inherently Safe by Design).
  • Using alarms in the device or process controls (Protective Measures).
  • Addition of warnings, cautions, or contraindications to the IFU (Information for Safety).

Whenever possible, incorporating design features that minimize the likelihood of occurrence or the severity of a harm is the best form of mitigation. This means adjusting or modifying the design of the product so that the error or failure cannot occur in the first place, rather than detecting or warning about it afterward. Design changes become more expensive and harder to make as development progresses, which is why it is important to start your risk management activities sooner rather than later!

Mitigation through the use of protective measures means that alarms or fail-safes are incorporated in the device, or controls are added to the manufacturing process, to ensure safe function of the device. Examples are an alarm that detects when the delivered energy is too high, or a hi-pot (dielectric withstand) test performed in production to verify electrical safety.

The team should avoid relying solely on information for safety, such as warning labels and cautions, as these controls are considered the least effective: they do nothing to change the device itself and depend entirely on the user reading, understanding, and following them.