
Risk Management
in IEC 60601-1 3rd Edition
Presented by Alberto Paduanelli
Medical Devices Lead Auditor, MHS-UK, TÜV SÜD Product Service
General Information
– Time of presentation: 50-60 min.
– Questions & answers time at the end: 10 min.
– Entire webinar will be available for download from our
website www.tuvps.co.uk. You will also find it on
YouTube.
Goals
– Understanding the importance of Risk Management
– Understanding the RM requirements from the IEC 60601-1:2006 point of view
– Providing a clear picture of what is required
– A basic view of the creation and content of a Risk Management File (RMF)
Content: Modules
• What is risk management?
• Risk Management in 60601-1 3rd edition
• Methods for the visualization and identification of harms and hazards
• Creating a RMF – Minimal Documentation
• Common errors when creating a RMF
MODULE 1
What is Risk Management?
Definition
• BS EN ISO 14971:2009 definition:
• Risk Management:
systematic application of management policies, procedures
and practices to the tasks of analysing, evaluating,
controlling and monitoring risk
• Risk:
combination of the probability of occurrence of harm and the
severity of that harm
Risk in the centre of attention
Risks and associated measures are referred to in:
43 sections of the MDD
14 sections of the AIMDD
34 sections of the IVDD
4 sections of ISO 13485
35 sections of the CMDR
3 sections of the J-GMP
153 sections of 60601-1 3rd Edition
Why Risk Management ?
Results of risk management:
• define the scope and extent of incoming goods control
• influence the supplier evaluation activities
• deliver important inputs for the design process
• serve as criteria for the evaluation of design output
• show the necessity for design modifications
• define the process controls and the assigned acceptance criteria
But there are standards !!
• Standards often define only the most important, absolutely necessary measures.
• Standards are rarely up to date with technology.
• Standards have "typical" implementations in mind. Exotic concepts may not be covered.
• Standards (often implicitly) assume a certain environment and method of use.
• Standards often do not cover optional components of a product.
• Potential manufacturing problems and failures are not covered by most safety standards, in particular not by the safety standards for active devices.
Therefore a risk analysis is necessary in any case!
Where to Start ?
How to find the hazards:
• Standards
• Existing risk analyses of similar products
• Interviews with the design engineers
• Interviews with users of similar products
• Experience of the sales people
• Brainstorming in the RA team
• Analysis of FDA Medical Device Reports and Incident Reports (MAUDE database)
• Examination of existing risk mitigation measures; they often implicitly assume the presence of a hazard.
• Information from the field for similar products, e.g. service statistics, complaints, incidents
• Annex C and E of ISO 14971
Annex E can help !
Examples from ISO 14971:2009 annex E:
Electromagnetic energy: line voltage, leakage current, electric fields,
magnetic fields
Thermal energy: high temperature, low temperature
Mechanical energy: gravity, vibration, stored energy
Chemical: Exposure of airway, tissues, environment or property
Biocompatibility: Toxicity of chemical constituents
Use error: attentional failure, memory failure, rule-based failure, knowledge-based failure, routine violation
Risk Management Process
The process steps according to ISO 14971:
- risk analysis
- risk evaluation
- risk control
- production and post-production information
All included in the Risk Management File.
MODULE 2
Risk Management in 60601-1 3rd edition
WHAT IS THE 3rd EDITION ?
One of the Major Changes
• Introduction of risk management as an alternative method to
meet individual requirements of the standard and covering
risks not subject to a standard
• There are 1422 single requirements in the standard. 153
have a direct link to RM (key-words such as RMF,
unacceptable risk, etc.).
Why this major change?
• In specifying minimum safety requirements, provision is made for
assessing the adequacy of the design PROCESS when this is the only
practical method of assessing the safety of certain technologies such as
programmable electronic systems.
• Application of this principle is one of the factors leading to introduction of
a general requirement to carry out a RISK MANAGEMENT PROCESS.
In parallel with the development of the third edition of IEC 60601-1, a
joint project with ISO/TC 210 resulted in the publication of a general
standard for RISK MANAGEMENT of medical devices. Compliance with
this edition of IEC 60601-1 requires that the MANUFACTURER have a
RISK MANAGEMENT PROCESS complying with ISO 14971 in place
(see 4.2).
Also:
• Risk management is an alternative method to meet individual requirements of the standard and to cover risks not subject to a standard.
Clause and Definition
3.107 RISK MANAGEMENT
systematic application of management policies,
PROCEDURES and practices to the tasks of analyzing,
evaluating and controlling RISK
4.2 RISK MANAGEMENT PROCESS for ME EQUIPMENT
or ME SYSTEMS
A RISK MANAGEMENT PROCESS complying with ISO
14971 shall be performed. (That’s the requirement!!)
Important To Remember
• A RISK MANAGEMENT PROCESS complying with ISO 14971 shall be
performed.
• Compliance is checked by inspection of the RISK MANAGEMENT FILE.
The requirements of this clause and all requirements of this standard
referring to inspection of the RISK MANAGEMENT FILE are considered
to be satisfied if the MANUFACTURER has:
– established a RISK MANAGEMENT PROCESS;
– established acceptable levels of RISK; and
– demonstrated that the RESIDUAL RISK(S) is acceptable (in
accordance with the policy for determining acceptable RISK).
Important To Remember
NOTE:
Where requirements of this standard refer to
freedom from unacceptable RISK, acceptability
or unacceptability of this RISK is determined by
the MANUFACTURER in accordance with the
MANUFACTURER’S policy for determining
acceptable RISK.
FACTS !
• The RMP shall be performed by a team of different experts (e.g. physicians, hardware experts, software experts, ...).
• For new products the RMP must be conducted from the start of the design. A retrospective RMP is NOT the correct method.
• The RMP is an ongoing process over the whole life cycle (think of environment / recycling as end of life).
• The initial risk is evaluated without any safety means in place.
Remember the Rule of 10: the cost of correcting a failure increases by a factor of 10 between each stage of product realization: idea // design // production planning // production // final tests // on the market.
FACTS !
• The standard itself can already be regarded as a generic risk analysis including countermeasures. Where the standard specifies concrete limits for certain clauses, care shall be taken if the RMP is used to tailor (adjust) these standard limits.
• The overall residual risk shall be evaluated and documented in the RMF. The overall residual risk is the combined risk of all single risks. It may be that each single risk evaluated alone is acceptable, but because too many single risks sit at the borderline of the intolerable region, the overall residual risk cannot be accepted.
Risk Management within the 60601-1:2006
In applying ISO 14971:
– The term “fault conditions” referred to in ISO 14971 shall include,
but shall not be limited to, SINGLE FAULT CONDITIONS identified in
this standard.
– The policy for determining acceptable RISK and the acceptability of
the RESIDUAL RISK(S) shall be established by the MANUFACTURER.
– Where this standard or any of its collateral or particular standards
specify verifiable requirements addressing particular RISKS, and
these requirements are complied with, the RESIDUAL RISKS
addressed by these requirements shall be presumed to be
acceptable unless there is OBJECTIVE EVIDENCE to the contrary.
Compliance
Compliance is checked by inspection of the RISK
MANAGEMENT FILE. The requirements of this clause and all
requirements of this standard referring to inspection of the
RISK MANAGEMENT FILE are considered to be satisfied if
the MANUFACTURER has:
– established a RISK MANAGEMENT PROCESS;
– established acceptable levels of RISK;
– demonstrated that the RESIDUAL RISK(S) is acceptable
(in accordance with the policy for determining acceptable
RISK).
When is Risk Management required?
• IEC 60601-1:2006 requires the RMP in the following 3 situations:
1. A completely new hazard is identified which is not addressed in the standard:
- In such a case the RMP is a MUST.
- Example: new techniques are developed (innovation).
When is Risk Management required?
2. If a clause refers to the RMP, the standard itself justifies using the RMP to tailor (adjust) the concerned requirements to the DUT (device under test). In clear words: either the RMP is conducted for that clause, OR the defined technical requirements of the standard are fulfilled exactly.
- Example: Clause 8.4.2 c) (2nd Ed.: 16 e)). Here an accessible voltage such as 24 V d.c. could perhaps be justified by the RMP for home use (e.g. a ceiling hoist with an accessible current busbar), where it is ensured that the PATIENT has no catheters (intact skin) and can therefore be regarded as comparable to an OPERATOR.
When is Risk Management required?
3. The clause does NOT refer to the RMP:
- Example: Clause 8.6.6: the PE contact in a detachable socket shall make contact before, and break after, the supply connections are made or broken.
At first sight it appears that the RMP is NOT applicable, because the RMP is not mentioned in subclause 8.6.6. However, clause 4.5 (Equivalent safety) is always available!!!
Equivalent Safety Concept
4.5 Equivalent safety for ME EQUIPMENT or ME SYSTEMS
Where this standard specifies requirements addressing particular
RISKS, alternative means of addressing these RISKS are acceptable
provided that the MANUFACTURER can justify that the RESIDUAL
RISKS that result from applying the alternative means are equal to or
less than the RESIDUAL RISKS that result from applying the
requirements of this standard.
Compliance is checked by inspection of the RISK MANAGEMENT
FILE.
(Note that verification of compliance is here also linked to the RMP, but additional evidence of equivalent safety is required.)
Equivalent Safety Concept
4.5 Equivalent safety for ME EQUIPMENT or ME SYSTEMS
If the RESIDUAL RISK is greater than the RESIDUAL RISK achieved
by applying the requirements of this standard, the ME EQUIPMENT or
ME SYSTEM cannot be regarded as complying with this standard,
even if the RESIDUAL RISK is fully justified by other considerations
such as the clinical benefit to the PATIENT.
In such a case compliance with the standard is only given if:
- the RMP is done adequately, and in addition
- equivalent safety is reached.
That means: it is permitted to deviate from given standard limits (e.g. certain creepage distance values), but it is forbidden to move the RESIDUAL RISK level of the standard in the riskier direction.
Equivalent Safety Concept
Changes to the defined pass/fail criteria of certain standard requirements can NOT be justified by the RMP alone; they must also be supported by equivalent safety.
• Example: showing objective evidence that the RESIDUAL RISK of the standard is not increased if, e.g., a creepage distance of 7,5 mm is accepted instead of 8,0 mm may be difficult, precisely because only 7,5 mm is available. Objective evidence could, however, be supported by:
- performing additional specific tests
- using alternative safety features for risk reduction
- other methods.
This indeed means that a comparison of RISK levels must be done in addition to the RMP. Comparing the RISK levels is only possible by evaluating the RMF!
Equivalent Safety Concept
In clear words:
The manufacturer can NOT determine the RESIDUAL RISK level as he likes; rather, the manufacturer is at least bound to the current values of society. Where 60601-1 defines pass/fail criteria with no link to the RMP, the manufacturer is even bound to the RISK level predefined in the standard itself (equivalent safety).
Current values of society = the state of the art!
• The state of the art is how the majority of worldwide experts (not a few article writers or a few test houses only!) would judge the case.
• The state of the art is how the majority of users handle it (example: EMC of medical systems configured in hospitals).
Your RMF under scrutiny
• Checking projects for compliance with EN 60601-1:2006 (incl. applicable collateral and particular standards) requires 100% verification of all applicable clauses of that standard. This includes all those clauses which refer to RM.
• If the manufacturer deviates from any of the verifiable requirements of the standard, it must demonstrate equivalent safety (see clause 4.5), usually as the outcome of the risk management process, to be verified by the test house.
• For new hazards, e.g. those associated with innovative technology, the manufacturer has the duty to include them in its risk management process and also has to work with the test house for proper verification. Clause 4.5 is not applicable to such hazards.
Initial Conclusion
• Tailoring (adjusting) the requirements of the standard to the specific device is possible as long as the RMP is done according to the rules required by ISO 14971 and IEC 60601-1.
Confusion on the market
“Product certification (testing) according to the 3rd Edition means that the product needs to be tested in a test laboratory and, in addition, an audit according to ISO 14971 must be conducted at the manufacturer's facility.”
Answer:
The concerned standard clause is 4.2 “RISK MANAGEMENT PROCESS”. In its “compliance” section it is written:
“Compliance is checked by inspection of the RISK MANAGEMENT FILE.”
It is NOT allowed to substitute the standard's words:
- "inspection" is not "audit", and
- "FILE" is not "PROCESS".
That means: according to the standard, only the outcome of the RM PROCESS (which is solely the RM FILE) is evaluated.
RESULT: NO on-site audit required!!!
Final Conclusion
• The RMP alone can be used where a clause in 60601-1 refers to RM or where a totally new hazard is handled.
• The RMP must be conducted according to ISO 14971. Risk evaluation must be based on the current values of society. This means that the manufacturer is not free to lower the safety level by raising the level of acceptable risk so far that the current values of society are violated. See 3.2 and 3.3 of ISO 14971.
• When using the ALARP concept: if a risk is in the ALARP region, the risk must be reduced to a level as low as reasonably practicable (ALARP) and, in addition, the risk/benefit ratio must be evaluated.
• In the case of equivalent safety, in addition to fulfilling the current values of society (1) and the risk/benefit evaluation (2), the remaining residual risk level must be equal to or less than (3) the residual risk level achieved by applying the specific requirement of 60601-1.
Also Don’t Forget...
• Evaluating the RMF is required for:
- the MDD (CE marking)
- the CB scheme (IECEE).
• The 3rd Edition does NOT change the role of Notified Bodies, because they are bound to EU law rather than to a standard!
MODULE 3
Methods for the visualization and
identification of harms and hazards
System Analysis - HAZOP
The system is broken down into system elements (system element 1, 2, 3, ...) and sub-system elements (1.1, 1.2, ...). For each element the function is described and then negated (function / negated function), and for each negated function the question is asked: why could this function fail? This is the systematic HAZOP approach.
System elements can be replaced by requirements or features of the device!
Additional information: IEC 61882 (HAZOP application guide).
Harm Analysis – example harms for a blood-handling device:
- loss of blood
- wrong blood temperature
- air infusion
- damage of vascular system
- hemolysis
Fault Tree Analysis – example (top event: failure of blood heating):
Failure: blood heating
  - Temperature sensor defect
      - cold solder joint
      - short circuit
  - Heating does not work
      - no energy
      - heating wire broken
  - ADC delivers wrong values
      - wrong reference voltage
      - high noise
Additional information in IEC 61025.
Ishikawa – Fishbone Diagram
The problem (effect) sits at the head of the fish; each bone is a main cause with its sub-causes, grouped by category:
- measurements
- materials
- personnel
- environment
- methods
- machines
Black Box
inputs (keyboard, mouse) -> black box -> outputs (command to device, screen output)
Possible hazards:
• outputs not generated
• false outputs generated
Impulsive Words
Use a team to find impulsive words, e.g.:
- stress
- panic
- patient
- confusion
- weather
Other sources:
• ISO 14971 Annex C/D
• IEC 60601-1-6
Interface Analysis
Sabotage
Question: what can be done to disable the system or harm the patient, and how?
- disconnect the bubble detector
- increase the pump speed to maximum
- implement sharp edges to cause hemolysis
FMEA
FMEA: Failure mode and effects analysis
- here: a method to identify hazards
- also: a method used for structuring and evaluating risks (similar to ISO 14971)
FMEA Example
production failure: wrong glue -> keyboard not waterproof -> water comes in during cleaning -> contact through water -> bolus executed
FMEA Example: FMEA in Production

Process step / component | Failure | Harm | Root cause | A | S | E | RPN | Risk control | A | S | E | RPN
packaging | insufficient steam penetration | infection by non-sterile product | wrong packaging material | 6 | 10 | 8 | 480 | packaging validation | 1 | 10 | 8 | 80
temperature control | temperature sensor defective | blood heating | no contact | 5 | 10 | 10 | 500 | final testing + 100% visual inspection | 5 | 10 | 1 | 50

A: Occurrence; S: Severity; E: Detectability; RPN: Risk Priority Number (= A × S × E). The first A/S/E/RPN group is before, the second after the risk control.
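As an added example (not part of the TÜV SÜD slides), the production FMEA above scored in Python. The first two rows are transcribed from the table; the 1..10 rating scale, the RPN action limit of 100 and the third row (a reflow soldering failure without a risk control) are assumptions constructed here for illustration.

```python
"""Added example, not from the slides: scoring a production FMEA.

Assumptions (mine): A, S and E are each rated 1..10, RPN = A * S * E,
and an RPN of 100 or more needs a risk control (constructed policy).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RATING_MIN, RATING_MAX = 1, 10
ACTION_THRESHOLD = 100  # constructed policy value: RPN >= 100 requires a risk control


@dataclass(frozen=True)
class FmeaRow:
    step: str
    failure: str
    harm: str
    root_cause: str
    a: int                       # A: occurrence, 1 (rare) .. 10 (frequent)
    s: int                       # S: severity, 1 (negligible) .. 10 (death)
    e: int                       # E: detectability, 1 (always detected) .. 10 (never detected)
    risk_control: str = ""
    a_after: Optional[int] = None
    s_after: Optional[int] = None
    e_after: Optional[int] = None


def rpn(a: int, s: int, e: int) -> int:
    """Risk priority number = occurrence x severity x detectability, ratings checked."""
    for name, v in (("A", a), ("S", s), ("E", e)):
        if not RATING_MIN <= v <= RATING_MAX:
            raise ValueError(f"{name}={v} outside {RATING_MIN}..{RATING_MAX}")
    return a * s * e


def rpn_before(row: FmeaRow) -> int:
    return rpn(row.a, row.s, row.e)


def rpn_after(row: FmeaRow) -> Optional[int]:
    """RPN after the stated risk control, or None when no control is recorded."""
    if row.a_after is None or row.s_after is None or row.e_after is None:
        return None
    return rpn(row.a_after, row.s_after, row.e_after)


def open_findings(rows: List[FmeaRow]) -> List[Tuple[str, str, str]]:
    """Rows that still need attention: no control although the initial RPN is at or
    above the action limit, an RPN after control still at or above the limit, or a
    control that lowers the severity (a production control normally reduces
    occurrence or improves detection; the severity of the harm only changes if the
    design changes, so such a claim needs an explicit justification)."""
    findings = []
    for row in rows:
        before, after = rpn_before(row), rpn_after(row)
        if after is None:
            if before >= ACTION_THRESHOLD:
                findings.append((row.step, row.failure, "no risk control"))
        elif after >= ACTION_THRESHOLD:
            findings.append((row.step, row.failure, f"RPN after control still {after}"))
        elif row.s_after < row.s:
            findings.append((row.step, row.failure, "severity lowered by control: justify"))
    return findings


# Rows transcribed from the "FMEA in Production" table above.
PRODUCTION_FMEA = [
    FmeaRow("packaging", "insufficient steam penetration", "infection by non-sterile product",
            "wrong packaging material", 6, 10, 8, "packaging validation", 1, 10, 8),
    FmeaRow("temperature control", "temperature sensor defective", "blood heating",
            "no contact", 5, 10, 10, "final testing + 100% visual inspection", 5, 10, 1),
]

# Constructed row (assumption, not from the slides): a failure nobody has controlled yet.
CONSTRUCTED_ROWS = [
    FmeaRow("reflow soldering", "cold solder joint on heater driver",
            "heating does not work (blood too cold)", "wrong soldering programme", 4, 8, 6),
]

if __name__ == "__main__":
    for r in sorted(PRODUCTION_FMEA + CONSTRUCTED_ROWS, key=rpn_before, reverse=True):
        print(f"{r.step:20} RPN {rpn_before(r):4} -> {rpn_after(r)}  ({r.risk_control or '-'})")
    for step, failure, why in open_findings(PRODUCTION_FMEA + CONSTRUCTED_ROWS):
        print(f"OPEN: {step}: {failure}: {why}")
```

The two transcribed rows come out at 480 -> 80 and 500 -> 50, as in the table; the constructed reflow row (RPN 192, no control) is reported as open. The rating range check matters in practice: a rating of 0 would silently zero the product and hide the risk.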
Differentiation
Top-down methods start from the intended use, function and patient:
- (preliminary) hazard analysis (PHA)
- fault-tree analysis (FTA)
- Ishikawa
- impulsive words
- system analysis (HAZOP)
Bottom-up methods start from the realization (the design as built):
- system analysis (HAZOP)
- black box
- interface analysis
- FMEA (as defined)
Turtle – For Processes
The process sits in the centre; around it:
- Input: requirements
- Output: requirements
- With what? (material resources): equipment, installation
- With whom? (human resources): training, knowledge, abilities
- How? (know-how): instructions, procedures, methods
- Performance indicators
Turtle (for processes) – example: reflow soldering
Material resources – with what (equipment, material):
- reflow soldering oven
- soldering paste
Human resources – who (training, knowledge):
- craftsman electrical engineering
- special briefing for the oven
Know-how – how (instructions, procedures, methods):
- instruction „Soldering with our reflow oven“
- component specs
Inputs:
- PCB with paste and components
- soldering programme
Outputs:
- soldered PCB
- protocol of the oven
Performance indicators:
- wrong soldering points
Process risks:
- function of the oven
- calibration
- paste specs
- no or insufficient instruction
- PCB without paste
- missing components
- wrong soldering programme
- old work instruction
- component specification wrong
- component specification not available
MODULE 4
Creating a RMF - Minimal Documentation
Minimal File
Intended use
Describe your device such that it is obvious who will use it, for what and how.
Risk management plan
When, what, how something should be done by whom?
Scope
Describe for which part of the product life cycle the risk management file
is valid.
Definitions
What is…?
Qualification
Who was involved in risk management (development, doctor etc.)?
Minimal File
Severity and probability
Provide categories for severity and probabilities (including examples).
Acceptance matrix
Define the acceptance matrix (severity vs. probability). Include the
acceptable risk in your considerations.
Table
List the risks in a table with the following columns: harm, cause, severity
before measures, probability before measures, risk acceptance before
measures, risk mitigation measures including links to specifications and
verifications, severity after measures, probability after measures and risk
acceptance after measures.
Minimal File
Explanation for exceptional decisions
Exceptional decisions have to be explained!
Acceptance matrix before and after mitigations
Fill out the matrix with the number of risks in each field before and after
mitigations.
Assessment of the overall remaining risk
Assess the overall remaining risk using the acceptance matrix after mitigations. It may be worth calculating the expected number of injuries/deaths according to your matrix.
Production and post-production information
How is the interface to production controlled, and how is information from the field (production, service, installation, user etc.) fed back?
Risk management report / approval
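As an added example (not part of the slides), the core of the minimal file above in Python: the risk table, the acceptance matrix (severity vs. probability), the matrix filled with counts before and after mitigation, and the overall residual risk decision. The severity and probability categories, the matrix, the "at most one in four risks may remain in the ALARP region" rule, the five sample risks and the referenced specification/test identifiers (SRS-17, TR-17 and so on) are all constructed here as assumptions; the harms themselves are the ones used in Module 3.

```python
"""Added example, not from the slides: a minimal RMF risk table with an
acceptance matrix. Categories, matrix, policy and risks are constructed (assumptions)."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]
# Constructed acceptance matrix: rows = severity, columns = probability.
# A = acceptable, L = ALARP region (reduce further and evaluate risk/benefit), U = unacceptable.
MATRIX = [
    ["A", "A", "A", "A", "L"],  # negligible
    ["A", "A", "A", "L", "L"],  # minor
    ["A", "A", "L", "L", "U"],  # serious
    ["A", "L", "L", "U", "U"],  # critical
    ["L", "L", "U", "U", "U"],  # catastrophic
]
MAX_ALARP_SHARE = 0.25  # constructed overall residual risk policy: at most 1 in 4 risks left in ALARP


@dataclass(frozen=True)
class Risk:
    harm: str
    cause: str
    sev_before: str
    prob_before: str
    mitigation: str          # with links to specification and verification (constructed IDs)
    sev_after: str
    prob_after: str
    justification: str = ""  # risk/benefit justification, required for a risk left in ALARP


def acceptability(sev: str, prob: str) -> str:
    """Read the matrix cell. Acceptability is a lookup, not a product of category
    numbers: catastrophic x improbable is still ALARP here, however small 4*0 would be."""
    return MATRIX[SEVERITY.index(sev)][PROBABILITY.index(prob)]


def cell_counts(risks: List[Risk], stage: str) -> Counter:
    """Number of risks per (severity, probability) cell, before or after mitigation."""
    if stage not in ("before", "after"):
        raise ValueError("stage must be 'before' or 'after'")
    counts: Counter = Counter()
    for r in risks:
        key = (r.sev_before, r.prob_before) if stage == "before" else (r.sev_after, r.prob_after)
        counts[key] += 1
    return counts


def render_matrix(counts: Counter) -> str:
    """The filled-in acceptance matrix as text: '<count><class>' per cell."""
    lines = ["severity / probability".ljust(24) + "".join(p.ljust(12) for p in PROBABILITY)]
    for s in SEVERITY:
        cells = [f"{counts.get((s, p), 0)}{acceptability(s, p)}".ljust(12) for p in PROBABILITY]
        lines.append(s.ljust(24) + "".join(cells))
    return "\n".join(lines)


def review(risks: List[Risk]) -> List[Tuple[str, str]]:
    """Residual risk check per row, then the overall residual risk decision."""
    findings = []
    in_alarp = 0
    for r in risks:
        after = acceptability(r.sev_after, r.prob_after)
        if after == "U":
            findings.append((r.harm, "residual risk unacceptable"))
        elif after == "L":
            in_alarp += 1
            if not r.justification:
                findings.append((r.harm, "in ALARP region without risk/benefit justification"))
    # Each single risk may pass and the file still fail: too many risks at the borderline.
    if risks and in_alarp / len(risks) > MAX_ALARP_SHARE:
        findings.append(("overall", f"{in_alarp} of {len(risks)} risks remain in ALARP: "
                                    "overall residual risk not acceptable"))
    return findings


# Constructed sample risks (assumptions), using the harms from Module 3.
RISKS = [
    Risk("air infusion", "bubble detector disconnected", "catastrophic", "occasional",
         "pump interlock stops on missing detector signal (SRS-17, TR-17)", "catastrophic", "improbable",
         "life-sustaining therapy; no further practicable reduction, clinical benefit outweighs"),
    Risk("hemolysis", "sharp edge in pump segment", "serious", "probable",
         "minimum edge radius on drawing, incoming inspection (DRW-4, IQC-4)", "serious", "remote"),
    Risk("wrong blood temperature", "temperature sensor defective", "critical", "occasional",
         "redundant sensor, alarm and heater cut-off on mismatch (SRS-22, TR-22)", "critical", "improbable"),
    Risk("unintended bolus", "water ingress into keyboard during cleaning", "critical", "remote",
         "sealed keypad, two-key bolus confirmation (SRS-31, TR-31)", "critical", "improbable"),
    Risk("loss of blood", "line disconnection", "serious", "occasional",
         "pressure monitoring stops pump on pressure drop (SRS-09, TR-09)", "serious", "remote"),
]

if __name__ == "__main__":
    print("before mitigation:\n" + render_matrix(cell_counts(RISKS, "before")))
    print("after mitigation:\n" + render_matrix(cell_counts(RISKS, "after")))
    print("findings:", review(RISKS) or "none; overall residual risk acceptable")
```

For the five sample risks the "before" matrix has one risk in U and four in L; after mitigation four are acceptable and one (air infusion) remains in ALARP with a documented justification, so the review returns no findings. Adding two more risks that stay in ALARP pushes the ALARP share above the policy limit and the overall residual risk is rejected even though no single risk is unacceptable, which is exactly the situation Module 2 warns about.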
MODULE 5
Common Errors when Creating a RMF
Common Errors
• Assessing only the risks associated with the BIG issues
• Doing the RMF retrospectively
• Not looking at residual risks
• No conclusion
• Associating ALARP with the meaning “acceptable” or “no actions involved”
• Thinking that probability of occurrence and severity must always be multiplied
• Not involving experienced/specialist personnel with regard to the process/product
• Not keeping the RMF a “live” document
• Using the RMF as an “escape route” from product re-design, improvements, CAPA, etc.
• Not looking at the worst-case scenario
• Making the RMF look good so that the auditor is happy!
Alberto Paduanelli
Medical Devices Lead Auditor, MHS-UK
TÜV SÜD Product Service
Tel: +44(0)1489 558219
www.tuvps.co.uk