Insights on risk management topics and tips and techniques for implementation.

How to Analyze Pre and Post-Mitigation Risk Levels

Tags: fmea, hazard analysis, risk assessment, risk level | Jan 23, 2022
Pre-Mitigation to Post-Mitigation

You are developing a new implantable medical device to facilitate a less-invasive surgical procedure compared to your current legacy medical device. How do you analyze and document both pre-mitigation and post-mitigation risk levels in your risk assessments?

Should you try to imagine a scenario with no risk controls and guess a pre-mitigation risk level just for the sake of documentation? Should you consider a scenario with a baseline level of risk controls? Or, should you use a different terminology such as initial risk level and a final risk level? In that case, what is the initial state and what is the final state? 

This is a very common challenge in our industry. Auditors expect to see a risk assessment table with a pre-mitigation and a post-mitigation risk level that clearly demonstrates our risk control measures have been effectively implemented and risk has been sufficiently reduced. 

It is not uncommon to have a situation where the pre- and post-mitigation risk levels are the same for certain failure modes, because no new or additional risk control measures are necessary beyond those already validated in the legacy device we used as the starting point for the new product development.

Does it mean that risk has not been sufficiently reduced? Should we just guess a higher pre-mitigation risk level, only to satisfy the auditor's expectation and avoid a difficult line of questioning? If so, then what value does it bring to our risk management process? It does not help us in any way to accelerate our new product development; it only adds to the extra work we have to do to document everything. 

This was a topic of discussion in a recent Interactive Q&A session, where one of our colleagues highlighted this challenge. 

"Why do we need to document a pre-mitigation risk level, when the objective is to demonstrate that risk (of harm) has been reduced as far as possible (AFAP) without adversely affecting the benefit-risk balance?"

It is important to understand the context behind this question, and if you listen to our conversation in the video below, you can sense a certain level of confusion and frustration among our colleagues.

Often, auditors have specifically asked for a Failure Modes and Effects Analysis (FMEA) document as evidence of risk assessment to show compliance with regulatory requirements, including compliance with ISO 14971. As a result, FMEAs are often used incorrectly for analyzing and evaluating the risks of known and potential harms associated with the use of a medical device. When used correctly, FMEA is a powerful tool to improve quality and reliability and reduce operating costs. However, when it is used as the exclusive method for demonstrating compliance with ISO 14971, we turn it into a hybrid tool that is no longer effective at either job.

When the only tool you have is a hammer, every problem looks like a nail!

In our opinion, a nearly exclusive focus on FMEAs to demonstrate compliance with ISO 14971 is one reason why this is a common problem in the industry.

Why is using FMEAs exclusively for safety risk management a problem?

It is very important to realize that FMEA is used to analyze, evaluate and control the risk of failures, while ISO 14971 requires us to analyze, evaluate and control the risk of harms.

The two are NOT the same!

FMEA considers a single failure mode at a time, its cause and effect on the product or process. 

Risk of harm depends on the combination of the probability of occurrence of a harm (PoH) and the severity of that harm (S). 

In a recent blog post we illustrated how a patient may experience harm in a hazardous situation, where one or more hazards are present as a consequence of a sequence of events initiated by a trigger event.

A trigger event is not necessarily initiated by a device malfunction. It may occur, for example, due to a reasonably foreseeable misuse. That is why ISO 14971:2019 requires that both intended use and reasonably foreseeable misuse be documented as part of risk analysis, per Clause 5.2. Note that reasonably foreseeable misuse covers both unintentional use error and intentional misuse of the device, including using it for a purpose not intended by the manufacturer.

It is simply not practical to build these linkages in an FMEA. We need different tools for different jobs in our risk management system.

So what is the best way to estimate and document both pre- and post-mitigation risk of harm?

In our consulting practice, we advise clients to perform both a hazard analysis and an FMEA, and then link the two in a separate risk (of harm) assessment document through the specific hazards applicable to each failure mode. By understanding the context of each failure mode, its cause(s) and its effect(s) on product specifications, especially those relevant to characteristics related to safety, we can identify one or more applicable hazards that can be activated as a consequence. These applicable hazards serve as the linkage between the hazard analysis and the FMEA.

Let us now return to our original dilemma.

It is perfectly acceptable to start with an initial baseline level corresponding to a legacy device. You don't have to imagine a scenario where no risk controls have been implemented; that is neither practical nor useful. The currently validated risk controls of the legacy device used as the starting point for the product under development are a perfectly valid initial point. It is also perfectly valid to have no additional risk controls for certain failure modes. Therefore, it should not be a surprise to see both initial and final risk (of failure) levels be the same for some of the failure modes in the FMEA. These can be updated throughout the product lifecycle as new information becomes available from post-market surveillance and additional risk controls are implemented over time.

As additional failure modes are identified during design and development to achieve the desired functionality of the new device, additional risk control measures are identified and implemented. In this way, you can show a change in the failure risk level before and after implementation of risk controls. 

What changes when you go from an FMEA to a risk (of harm) assessment is the understanding of the sequence of events and hazardous situations and their link to potential harms. Hazard analysis helps you identify a sequence of events, initiated by a trigger event, that leads to a hazardous situation and exposure to hazards. ISO/TR 24971:2020 provides guidance and an illustrative example of how you can estimate the probability of occurrence of harm.

Note that each hazard / hazardous situation / harm combination may be linked to multiple failure modes (design, process, software, etc.) and reasonably foreseeable misuse scenarios. These can be identified and appropriately analyzed using techniques such as event tree analysis or fault tree analysis.
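The linkage described above (FMEA failure modes and misuse scenarios, linked through applicable hazards to hazardous situations and harms, with risk of harm evaluated before and after additional controls) can be made concrete in a small model. The following is an added example written for this article, not a tool from the original post or from any standard. It assumes the P1 x P2 decomposition of the probability of occurrence of harm illustrated in ISO/TR 24971 (P1 = probability that the hazardous situation occurs, P2 = probability that it leads to the harm), an assumed 1..5 occurrence scale, an assumed severity-by-occurrence risk matrix, and constructed probabilities for a hypothetical implantable device; none of these numbers come from a real product. It also goes slightly beyond the text by combining several independent initiators into one P1.

```python
"""Added illustrative model (constructed data, not from a real device):
link FMEA failure modes and misuse scenarios to hazards, hazardous situations
and harms, then estimate the probability of occurrence of harm (PoH) and a
risk level before and after additional risk controls."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Initiator:
    """One FMEA row (failure mode) or one reasonably foreseeable misuse scenario."""
    id: str
    description: str
    hazards: tuple[str, ...]   # applicable hazards: the link into the hazard analysis
    p_pre: float               # probability with baseline (legacy) controls only
    p_post: float              # probability after additional controls (may equal p_pre)


@dataclass(frozen=True)
class HazardousSituation:
    id: str
    hazard: str                # hazard the patient is exposed to
    harm: str
    severity: int              # 1..5, assumed ordinal severity scale
    p2: float                  # P2: probability that exposure leads to this harm


# Constructed sample data for a hypothetical implantable device (assumption).
INITIATORS = (
    Initiator("FM-1", "Enclosure seal leak (legacy design, no new controls)",
              ("Ingress of body fluid",), p_pre=1e-4, p_post=1e-4),
    Initiator("FM-2", "New connector corrodes",
              ("Ingress of body fluid",), p_pre=1e-3, p_post=1e-5),
    Initiator("FM-3", "Delivery tool fractures during insertion",
              ("Fragment released in tissue",), p_pre=5e-4, p_post=1e-5),
    Initiator("MU-1", "Device inserted without the required flush (foreseeable misuse)",
              ("Fragment released in tissue",), p_pre=2e-3, p_post=1e-4),
)

SITUATIONS = (
    HazardousSituation("HS-1", "Ingress of body fluid",
                       "Loss of therapy", severity=4, p2=0.5),
    HazardousSituation("HS-2", "Fragment released in tissue",
                       "Tissue injury requiring surgery", severity=3, p2=0.05),
)


def p_any(probs):
    """P(at least one of several independent initiators occurs) = 1 - prod(1 - p)."""
    return 1.0 - prod(1.0 - p for p in probs)


def p_level(p):
    """Map a probability to an assumed 1..5 qualitative occurrence level."""
    for level, threshold in ((5, 1e-3), (4, 1e-4), (3, 1e-5), (2, 1e-6)):
        if p >= threshold:
            return level
    return 1


def acceptability(severity, level):
    """Assumed risk matrix: severity level times occurrence level."""
    score = severity * level
    if score >= 15:
        return "unacceptable"
    if score >= 8:
        return "reduce further"
    return "acceptable"


def assess(situation, initiators, phase):
    """Risk of harm for one hazard / hazardous situation / harm combination.

    phase is 'pre' or 'post'. P1 combines every failure mode and misuse scenario
    whose applicable hazards include this situation's hazard; PoH = P1 * P2.
    """
    linked = [i for i in initiators if situation.hazard in i.hazards]
    probs = [i.p_pre if phase == "pre" else i.p_post for i in linked]
    p1 = p_any(probs)
    poh = p1 * situation.p2
    level = p_level(poh)
    return {"situation": situation.id, "harm": situation.harm,
            "linked": [i.id for i in linked], "p1": p1, "poh": poh,
            "occurrence_level": level, "severity": situation.severity,
            "risk": acceptability(situation.severity, level)}


def risk_table(initiators=INITIATORS, situations=SITUATIONS):
    """Pre- and post-mitigation risk of harm for every hazardous situation."""
    return {s.id: {phase: assess(s, initiators, phase) for phase in ("pre", "post")}
            for s in situations}


if __name__ == "__main__":
    for sid, phases in risk_table().items():
        for phase, r in phases.items():
            print(f"{sid} {phase:4} linked={r['linked']} PoH={r['poh']:.2e} "
                  f"S={r['severity']} P={r['occurrence_level']} -> {r['risk']}")
```

Note what the model shows: FM-1 keeps the same probability before and after (no new control, as discussed above), yet the risk of harm for HS-1 still drops because the new connector failure mode FM-2 that shares the hazard was controlled. The pre/post comparison that matters to the auditor lives at the level of the harm, not of the individual FMEA row.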

Risk management is not a linear process. It requires the use of different tools, each appropriate to its own specific purpose. Linking these tools efficiently is very important to achieve a risk management process which is not just compliant, but highly effective. Only then, can you fully realize its potential to help you successfully launch innovative products while also improving patient safety.
