Using what we have
Sherman Eagles, SoftwareCPR
seagles@softwarecpr.com

A question to think about
- Is there a difference between a medical device safety case and any non-medical device safety case?
- Are the grounds required to justify the conclusion that a medical device is safe any different than the grounds required to justify the conclusion that an air traffic control system is safe?
What do we know about medical devices that may influence arguing about their safety?
- Not using a medical device may result in harm to an individual (the patient)
- If a device does not meet safety goals, it may be determined to be adequately safe (risk is acceptable) based on a risk-benefit analysis
- Safety of a medical device is relative
- The safety of a medical device may change even though the medical device does not change

- Use of medical devices is generally under the direction of a medical practitioner
- The manufacturer's intended purpose for the device must be stated very specifically for safety evaluation purposes
- But how a device is used after it is purchased is not regulated (directly) or controlled

- The medical device business model is a consumer product model
- The manufacturer of the medical device determines the requirements for it, not the purchaser or the regulator
- The regulator is a gatekeeper who evaluates whether the manufacturer has met the rules to sell the medical device
- Safety is only one of the rules a manufacturer must meet to sell a device

- The regulator may only allow or not allow the sale of the product after the development is complete
- The regulator may force the product off the market later based on actual performance
- Regulations in different parts of the world will differ for the same medical device

- The same device may be used in many different areas of care (use environments)
- Situations in which it is not safe to use the device must be identified (contra-indications)
- If a care area is not contra-indicated, it is assumed the device will be safe in that use environment
- Medical devices are developed using a risk management process based on ISO 14971
- ISO 14971 requires that risk be acceptable
- ISO 14971 requires all safety documentation to be collected in a risk management file

- Few medical device projects start with a blank page. Many new projects add functionality to existing products, or create a new platform for the same intended purpose as an existing product
- Incidents where a patient is harmed because of a medical device must be reported to the regulator
- Information on hazards and hazardous situations of previous versions or similar products is available
What do we already do that we can use in a medical device safety assurance case?
Medical device risk management
- Safety is freedom from unacceptable risk
- Under ISO 14971, the manufacturer specifies what is unacceptable
- Risk is the combination of the probability of occurrence of harm and the consequences of that harm (severity)

Probability
- Probability is a qualified assertion made when we cannot say for certain that something will happen
- ISO 14971 requires a measure of the probability that harm will occur
- The quality of the evidence determines the confidence or trustworthiness of the qualifier

Harm
- Physical injury or damage to the health of people, or damage to property or the environment
- Harm is the consequence; severity is a measure of harm; probability is the likelihood of harm
- For an insulin delivery system, harm will include hypoglycemia and hyperglycemia

Hazard
- Potential source of harm; in ISO 14971, it is the thing that actually results in harm
- Examples: high temperature; electrical energy (line voltage, leakage current); incorrect transfer of a substance (overdose, underdose)
- In ISO 14971 terminology, software is not a hazard
- If a hazard is possible, it is always present

Hazardous situation
- Circumstance in which people, property or the environment are exposed to one or more hazards
- A sequence of events leads to a hazardous situation
- Software may contribute to the sequence of events
- A hazardous situation must be present before harm can occur
Table E.3 from ISO 14971:2007
Components of medical device safety
- Basic safety: freedom from unacceptable risk directly caused by physical hazards when medical devices are used under normal condition and single fault condition
- Essential performance: performance of a clinical function, other than that related to basic safety, the loss or degradation of which beyond the limits specified by the manufacturer results in an unacceptable risk

Risk analysis
- Hazard identification: what hazards can be present with the device? ISO 14971 has a list to consider
- Hazardous situation identification: how can a person be exposed to the hazard?
- Estimation of severity of harm
- Estimation of probability of harm
- Contributing factors (causes) identification

Context diagram (from AAMI TIR32). Elements shown: Medical Device/System; data entry, sensor reading and keyboard inputs; user interface software; software/hardware interface software; control hardware; monitor and information display; user; patient.

Risk evaluation
- Risk is compared to the risk acceptability criteria established by the manufacturer
- Risk level matrix: probability increasing across Improbable, Remote, Occasional, Probable, Frequent; severity increasing across Negligible, Low, Medium, High, Catastrophic; each cell is rated Unacceptable, Needs justification, or Acceptable

Controlling risk
- Eliminate the hazardous situation from the design
- Recognize the sequence of events leading to a hazardous situation and prevent them from causing harm
- Last point of control: detect a hazardous situation and notify the user to take action to prevent harm
- Instruct the user on how to prevent harm from occurring

Causal chains (from AAMI TIR 32): diagram of causal chains leading to a hazardous output, showing first points of control (FPOC), other points of control, and last points of control (LPOC).

Random and systematic failures
- Random: individual devices or parts fail; numerical probability can often be determined
- Systematic: all devices fail under some particular combination of inputs or conditions
- All software faults are systematic
- Systematic fault rates are laborious and expensive to measure
- Consensus does not exist for a method of estimating systematic fault rates quantitatively

Probability
- Probability of a fault is not necessarily the same as probability of harm
- A fault may always occur under identical conditions, but
- A fault will not always lead to a hazardous situation
- A hazardous situation will not always lead to harm

Sequence-of-events model: initiating event, sequence of events, hazard, hazardous situation, harm
- Hazards are always present
- The probability that a sequence of events will expose a hazard and create a hazardous situation is P1
- The probability that a hazardous situation will lead to harm is P2
- The probability of harm being caused by a sequence of events is Ph = P1 × P2

Example of P2
- In 2000-2001, 28 patients in Panama received an overdose of radiation because of an error in an automated treatment planning system.
- US medical physicists stated that it could not happen here because standard practice treatment protocols require an independent manual calculation to check dosage.
- This check is a clinical procedure done outside of the device.

Estimating risk due to a software fault
- A software fault occurs in the sequence of events
- If a hazard is present and there is a software fault, P1 = 1: a hazardous situation will occur
- It may be possible to determine P2, the likelihood that the hazardous situation leads to harm
- If P2 can be determined, then the risk resulting from the software fault can be estimated
- If P2 cannot be determined, then the risk is unknown and the software fault needs to be addressed

Criteria for acceptable risk
- Established by the manufacturer
- May be based on number of failures, failures per patient, failures per hour of device use, etc.
- Rationale for the criteria should be part of the confidence case
Risk control

Preferred order of risk control measures
1. Inherently safe design
2. Protective measures
3. Detection and notification
4. Labeling and training

Inherently safe design
- Fail-safe philosophy unique to the intended use: life sustaining, diagnostic, therapeutic
- Prevent hazardous situations by changing the software architecture: isolate safety functions and data; firewalls
- Simplify the user interface
- Use defensive design and programming: use static memory structures instead of dynamic; use a restricted version of a programming language that prohibits structures likely to lead to programming errors

Protective measures
- Must be independent of the function they are being applied to
- Segregation between the protective measure and the feature
- Fault tolerance: redundancy, diversity
- Memory protection and correction

Detection and notification
- Applied at system boundaries: checking for correct inputs; range checks on outputs; limits on transfer of energy or substance to the patient; safe operating envelope (interlocks)
- Applied to interfaces between software items: inconsistencies between inputs and outputs

Labeling and training
- Least desirable risk control measures because it is difficult to show effectiveness
- Warnings and confirmation

Residual risk
- Risk remaining after risk control measures have been applied
- Documented in a risk assessment register: hazard; hazardous situation; causes; initial severity, P(1), P(2), P(h); risk control measures; residual severity, P(1), P(2), P(h); link to requirement for risk control measures
Safety case using risk control concepts
A medical device safety assurance case
- Top level claim: device is reasonably safe (residual risk is acceptable)
- Context: for the intended use in the intended use environment
- Assumptions: legislation sets the standard that medical devices must be reasonably safe. The manufacturer's policy for acceptable risk meets the legislative intent. The residual risk is acceptable if the residual risk of each hazardous situation is acceptable and the overall residual risk of all hazardous situations combined is acceptable.

- First level sub-claims are that the top level hazardous situations from risk analysis have a residual risk that is acceptable and that the total residual risk from these hazardous situations is acceptable
- Hazardous situations may be a lack of essential performance or exposure to a basic safety hazard
- Strategy: argue by addressing each of the hazardous situations and the total residual risk from all of the hazardous situations

- The residual risk of each hazardous situation is maintained in the risk management file.
- The risk management file information can be used in the safety assurance case if the risk management was done carefully and probability estimates were based on evidence.

A passionate feeling that the probability of harm occurring is low is not evidence!
"The opinions that are held with passion are always those for which no good ground exists; indeed the passion is the measure of the holder's lack of rational conviction." - Bertrand Russell

Can we just reference the RMF?
- Other than the intended purpose, ISO 14971 does not require recording of context, assumptions or strategy
- These elements of a safety assurance case are usually necessary to ensure correct communication

Why we need context
- A hazard for an infusion pump is air embolism
- The hazardous situation is that air gets in the line and is infused into the patient
- The infusion pump manufacturer claims the risk of this hazardous situation is acceptable because the pump detects the air in the line and alarms
- Assuming everything works as intended, has the risk been made acceptable?

What's an alarm?
- Webster's: 1. a signal (as a loud noise or flashing light) that warns or alerts; 2. a device that signals
- IEC 60601-1-8 does not define "alarm"; it defines alarm condition, alarm signal and alarm system
- What did the manufacturer mean?

The importance of context
- Context: when the pump detects air in the line, the alarm stops the infusion and sounds an alert to notify the caregiver that infusion has been halted
- While this description will surely be somewhere in the documentation, it is seldom found in a risk management document

- Lower level claims that support the acceptable risk of the hazardous situation are that the causes of the hazardous situation have been mitigated to an acceptable level
- The argument strategy is to argue that risk control measures control the hazard causes effectively
- The solutions are the risk control measures or mitigations
- The evidence shows that the risk control measure has been implemented and is effective

Example

Conclusions
- Much of what is already being done for risk management by medical device manufacturers can be used in a safety assurance case.
- Strategy, context, assumptions and rationale need to be added to current risk management practices to make safety assurance cases effective communication tools.

Final conclusion
- What you do is more important than how you represent it.
- What you do will make the device safe.
- How you represent what you did will explain it.
Safety case fragment (GSN diagram): GOAL "Residual risk R(1) is acceptable" is solved by STRATEGY "Causes of hazardous situation have been identified and controlled", which is solved by GOALs "Risk from cause A has been reduced to an acceptable level" and "Risk from cause B has been reduced to an acceptable level". Each of these is solved by STRATEGY "Show that risk control measures reduce the risk to an acceptable level", which is solved by SOLUTIONs "RCM M has been implemented", "RCM N has been implemented", "Residual risk is xyz", "RCM S has been implemented" and "Residual risk is uvw".

Sequence-of-events model with residual risk: initiating event, sequence of events, hazard, hazardous situation, harm
- Hazards are always present
- The probability that a sequence of events will expose a hazard and create a hazardous situation is P1; the residual risk due to P1 is R1
- The probability that a hazardous situation will lead to harm is P2; the residual risk due to P2 is R2
- The probability of harm being caused by a sequence of events is Ph = P1 × P2; the residual risk due to this hazardous situation is Rh

Risk from a hazardous situation
- The residual risk of a hazardous situation is acceptable if R1 is acceptable, or R2 is acceptable, or Rh is acceptable

Safety case fragment (GSN diagram): GOAL "Risk from hazardous situation n is acceptable", in context of CONTEXT "The residual risk of a hazardous situation is acceptable if R(1) is acceptable or R(2) is acceptable or R(h) is acceptable", is solved by STRATEGY "Show that residual risk is acceptable or that risk control measures reduce it to acceptable", which is solved by GOAL "Residual risk R(1) is acceptable".

Overall residual risk
- The overall residual risk is acceptable if the combination of all Rh from all hazardous situations is acceptable

Safety case fragment (GSN diagram): GOAL "Overall residual risk from all hazardous situations is acceptable" is solved by STRATEGY "Determine the combination of all residual risk from hazardous situations", in context of CONTEXT "The manufacturer selects an appropriate method for combining the residual risk from hazardous situations", which is solved by SOLUTION "Overall residual risk is abc".

Top level of the safety case (GSN diagram): GOAL "Risk of harm is acceptable", in context of CONTEXT "Probability of residual risk P(h) is residual risk P(1) times residual risk P(2)" and ASSUMPTION A "The policy that defines acceptable risk can be used to evaluate risk for hazardous situations", is solved by STRATEGY "After risk control, all hazardous situations result in residual risk that falls within the acceptable range". That strategy is solved by GOALs "Risk due to hazardous situation 1 is acceptable", "Risk from hazardous situation n is acceptable" and "Overall residual risk from all hazardous situations is acceptable". Each hazardous situation goal is solved by STRATEGY "Show that residual risk is acceptable or that risk control measures reduce it to acceptable"; the overall goal is solved by STRATEGY "Show that the total of all residual risk from hazardous situations is acceptable".
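The argument sketched in these GSN fragments, encoded as data with three consistency checks a reviewer of the case would run: goals or strategies nobody has argued below (undeveloped), solutions that cite no evidence that the measure is implemented and effective, and strategies with no recorded context or assumption (the elements ISO 14971 does not require). This is an added illustration, not from the slides or from SoftwareCPR; the `evidence` field and the RMF reference ids are constructed, and the cause B goal is deliberately left undeveloped so the check has something to find.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    """GSN element from the slides; 'evidence' (a constructed field) is a SOLUTION's RMF reference."""
    kind: str                 # GOAL, STRATEGY, SOLUTION, CONTEXT or ASSUMPTION
    text: str
    solved_by: List["Node"] = field(default_factory=list)      # "Is solved by" links
    in_context_of: List["Node"] = field(default_factory=list)  # "In context of" links
    evidence: Optional[str] = None

def walk(node):
    yield node
    for child in node.solved_by:
        yield from walk(child)

def undeveloped(root) -> List[str]:
    """GOALs and STRATEGYs with nothing below them: claims with no argument."""
    return [n.text for n in walk(root) if n.kind in ("GOAL", "STRATEGY") and not n.solved_by]
def unevidenced(root) -> List[str]:
    """SOLUTIONs with no evidence that the measure is implemented and effective."""
    return [n.text for n in walk(root) if n.kind == "SOLUTION" and not n.evidence]
def strategies_without_context(root) -> List[str]:
    """STRATEGYs with no CONTEXT or ASSUMPTION: what ISO 14971 does not make you record."""
    return [n.text for n in walk(root) if n.kind == "STRATEGY" and not n.in_context_of]

def G(text, *children): return Node("GOAL", text, list(children))
def S(text, *children, ctx=()): return Node("STRATEGY", text, list(children), list(ctx))
def Sol(text, ev=None): return Node("SOLUTION", text, evidence=ev)
def Ctx(text): return Node("CONTEXT", text)
# The argument from the slides as data; evidence ids are constructed placeholders.
CASE = G("Risk of harm is acceptable",
    S("After risk control, all hazardous situations result in residual risk that falls within the acceptable range",
      G("Risk due to hazardous situation 1 is acceptable",
        S("Show that residual risk is acceptable or that risk control measures reduce it to acceptable",
          G("Residual risk R(1) is acceptable",
            S("Causes of hazardous situation have been identified and controlled",
              G("Risk from cause A has been reduced to an acceptable level",
                S("Show that risk control measures reduce the risk to an acceptable level",
                  Sol("RCM M has been implemented", ev="RMF-TEST-001"),
                  Sol("Residual risk is xyz"))),  # no evidence reference yet
              G("Risk from cause B has been reduced to an acceptable level"))),  # left undeveloped
          ctx=[Ctx("R(1) is acceptable or R(2) is acceptable or R(h) is acceptable")])),
      G("Overall residual risk from all hazardous situations is acceptable",
        S("Determine the combination of all residual risk from hazardous situations",
          Sol("Overall residual risk is abc", ev="RMF-SUMMARY-001"),
          ctx=[Ctx("The manufacturer selects an appropriate method for combining the residual risk")])),
      ctx=[Ctx("Probability of residual risk P(h) is residual risk P(1) times residual risk P(2)"),
           Node("ASSUMPTION", "The policy that defines acceptable risk can be used to evaluate risk for hazardous situations")]))
```

Running the three checks on CASE reports the cause B goal as undeveloped, "Residual risk is xyz" as unevidenced, and the two inner strategies as lacking context.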
Risk assessment register example

Hazard       | Hazardous situation | Cause            | Severity | P1 | P2 | Ph | Risk level | Risk control         | P1 (M) | P2 (M) | Ph (M) | Residual risk level
Air embolism | Air in line         | Improper priming | 5        | 3  | 2  | 2  | U          | Manuals and training | 2      | 1      | 1      | A
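The register row above worked through with the slides' rules: Ph = P1 × P2, P1 = 1 when a software fault is in the sequence of events (and an undetermined P2 means the risk is unknown and must be addressed), a hazardous situation accepted when R1, R2 or Rh is acceptable, and the overall risk accepted only when every hazardous situation and the combination are acceptable. This is an added example, not from the slides: the per-severity limits, the overall limit, summing Ph as the combination method, reading R1/R2 as the risk judged on P1 or P2 alone, and the numeric P1/P2 values are constructed assumptions, and the slide's ordinal 1-5 scores are replaced by probabilities per hour of device use, one of the criterion bases the slides mention.

```python
from dataclasses import dataclass
from typing import Optional

# Manufacturer's acceptability criterion, constructed for this example: the
# maximum acceptable probability of harm per hour of use for each severity.
MAX_P_HARM = {"Negligible": 1e-2, "Low": 1e-4, "Medium": 1e-5,
              "High": 1e-6, "Catastrophic": 1e-7}
OVERALL_MAX_P_HARM = 1e-6  # assumed limit for all hazardous situations combined

@dataclass
class HazardousSituation:
    name: str
    severity: str
    p1: float                     # P1: a sequence of events creates the hazardous situation
    p2: Optional[float]           # P2: the hazardous situation leads to harm (None = undetermined)
    software_fault: bool = False  # a software fault is part of the sequence of events

def probability_of_harm(hs: HazardousSituation) -> Optional[float]:
    """Ph = P1 x P2. A software fault in the sequence makes P1 = 1; if P2 cannot
    be determined the risk is unknown and None is returned."""
    if hs.p2 is None:
        return None
    return (1.0 if hs.software_fault else hs.p1) * hs.p2

def residual_risk_acceptable(hs: HazardousSituation) -> bool:
    """Acceptable if R1, R2 or Rh is acceptable. R1 and R2 are read here (an
    assumption) as the risk judged on P1 alone or on P2 alone, against the same
    severity-indexed limit as Rh. An unknown risk is never acceptable."""
    ph = probability_of_harm(hs)
    if ph is None:
        return False
    limit = MAX_P_HARM[hs.severity]
    p1 = 1.0 if hs.software_fault else hs.p1
    return p1 <= limit or hs.p2 <= limit or ph <= limit

def overall_risk_acceptable(situations) -> bool:
    """Acceptable only if every hazardous situation is acceptable and the
    combination of all Ph is acceptable; summing the Ph values is the assumed method."""
    if not all(residual_risk_acceptable(s) for s in situations):
        return False
    return sum(probability_of_harm(s) for s in situations) <= OVERALL_MAX_P_HARM

# Constructed register entries: the air embolism row before and after the
# "manuals and training" control, and a software-caused situation whose P2
# could not be determined.
AIR_BEFORE = HazardousSituation("Air in line (improper priming)", "Catastrophic", 1e-3, 1e-1)
AIR_AFTER = HazardousSituation("Air in line (improper priming)", "Catastrophic", 1e-5, 1e-3)
SW_UNKNOWN = HazardousSituation("Rate too high (rate calculation fault)", "Catastrophic",
                                0.0, None, software_fault=True)
```

With these constructed values the air embolism row moves from unacceptable to acceptable after the control, while the software-caused situation stays unresolved until its P2 is evidenced or the fault is removed.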