Risk Management in IEC 60601-1 3rd Edition. Presented by Alberto Paduanelli, Medical Devices Lead Auditor, MHS-UK, TÜV SÜD Product Service


Page 1: Risk Management in IEC 60601-1 3rd Edition

Presented by Alberto Paduanelli, Medical Devices Lead Auditor, MHS-UK, TÜV SÜD Product Service

Page 2: General Information

– Time of presentation: 50-60 min.
– Questions & answers time at the end: 10 min.
– Entire webinar will be available for download from our website www.tuvps.co.uk. You will also find it on YouTube.

Page 3: Goals

– Understanding the importance of Risk Management
– Understanding the RM requirements from the 60601-1:2006 point of view
– Provide a clear picture of what is required
– Basic view on the creation and content of a RMF

Page 4: Content: Modules

What is risk management?
Risk Management in 60601-1 3rd edition
Methods for the visualization and identification of harms and hazards
Creating a RMF – Minimal Documentation
Common errors when creating a RMF

Page 5: MODULE 1

What is Risk Management?

Page 6: Definition

• BS EN ISO 14971:2009 definition:
• Risk Management: systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk
• Risk: combination of the probability of occurrence of harm and the severity of that harm

Page 7: Risk in the centre of attention

Risks and associated measures are referred to in:
– 43 sections in the MDD
– 14 sections in the AIMDD
– 34 sections in the IVD
– 4 sections in the ISO 13485
– 35 sections in the CMDR
– 3 sections in the J-GMP
– 153 sections in 60601-1 3rd Edition

Page 8: Why Risk Management?

Results of risk management:
• serve the definition and dimension of goods control
• influence the supplier evaluation activities
• deliver important inputs for the design process
• serve as criteria for the evaluation of design output
• show the necessity for design modifications
• serve the definition of process controls and the assigned acceptance criteria

Page 9: But there are standards!!

• Standards often define only the most important, absolutely necessary measures.
• Standards are rarely up to date on technology.
• Standards have "typical" implementations in mind. Exotic concepts may not be covered.
• Standards (often implicitly) assume a certain environment and method of use.
• Standards often do not cover optional components of a product.
• Potential manufacturing problems are not covered by most safety standards.
• Potential manufacturing failures are not covered in the safety standards for active devices.

A risk analysis is necessary in any case!

Page 10: Where to Start?

How to find the hazards:
• Standards
• Existing risk analyses of similar products
• Interviews with the design engineers
• Interviews with users of similar products
• Experience of the sales people
• Brainstorming in RA team
• Analysis of FDA Medical Device Reports and Incident Reports (MAUDE database)
• Examination of existing risk mitigation measures; they often implicitly assume the presence of a hazard.
• Information from the field for similar products, e.g. service statistics, complaints, incidents
• Annex C and E of ISO 14971

Page 11: Annex E can help!

Examples from ISO 14971:2009 annex E:
– Electromagnetic energy: line voltage, leakage current, electric fields, magnetic fields
– Thermal energy: high temperature, low temperature
– Mechanical energy: gravity, vibration, stored energy
– Chemical: Exposure of airway, tissues, environment or property
– Biocompatibility: Toxicity of chemical constituents
– Use error: Attentional failure, memory failure, rule-based failure, knowledge-based failure, routine violation

Page 12: Risk Management Process

– risk analysis
– risk evaluation
– risk control
– production and post production information

All included in the Risk Management File.

Page 13: MODULE 2

Risk Management in 60601-1 3rd edition

Page 14: WHAT IS THE 3rd EDITION?

Page 15: One of the Major Changes

• Introduction of risk management as an alternative method to meet individual requirements of the standard and covering risks not subject to a standard
• There are 1422 single requirements in the standard. 153 have a direct link to RM (key-words such as RMF, unacceptable risk, etc.).

Page 16: Why this major change?

• In specifying minimum safety requirements, provision is made for assessing the adequacy of the design PROCESS when this is the only practical method of assessing the safety of certain technologies such as programmable electronic systems.

• Application of this principle is one of the factors leading to introduction of a general requirement to carry out a RISK MANAGEMENT PROCESS. In parallel with the development of the third edition of IEC 60601-1, a joint project with ISO/TC 210 resulted in the publication of a general standard for RISK MANAGEMENT of medical devices. Compliance with this edition of IEC 60601-1 requires that the MANUFACTURER have a RISK MANAGEMENT PROCESS complying with ISO 14971 in place (see 4.2).

Also:

• Alternative method to meet individual requirements of the standard and covering risks not subject to a standard.

Page 17: Clause and Definition

3.107 RISK MANAGEMENT
systematic application of management policies, PROCEDURES and practices to the tasks of analyzing, evaluating and controlling RISK

4.2 RISK MANAGEMENT PROCESS for ME EQUIPMENT or ME SYSTEMS
A RISK MANAGEMENT PROCESS complying with ISO 14971 shall be performed. (That’s the requirement!!)

Page 18: Important To Remember

• A RISK MANAGEMENT PROCESS complying with ISO 14971 shall be performed.
• Compliance is checked by inspection of the RISK MANAGEMENT FILE. The requirements of this clause and all requirements of this standard referring to inspection of the RISK MANAGEMENT FILE are considered to be satisfied if the MANUFACTURER has:
  – established a RISK MANAGEMENT PROCESS;
  – established acceptable levels of RISK; and
  – demonstrated that the RESIDUAL RISK(S) is acceptable (in accordance with the policy for determining acceptable RISK).

Page 19: Important To Remember

NOTE:
Where requirements of this standard refer to freedom from unacceptable RISK, acceptability or unacceptability of this RISK is determined by the MANUFACTURER in accordance with the MANUFACTURER’S policy for determining acceptable RISK.

Page 20: FACTS!

• The RMP shall be performed by a team of different experts (e.g. physicians, hardware experts, software experts, ...).
• For new products, the RMP must be conducted at the start of designing the product. Retrospective RMP is NOT the correct method.
• The RMP is an ongoing process over the whole life cycle (think Environment / Recycle as end of life?)
• The initial risk is evaluated without any safety means used.

Remember the Rule of 10: Costs to correct failures increase by a factor of 10 between different stages of product realization: Idea // design // planning production // production // end tests // On the market.

Page 21: FACTS!

• The standard itself can already be regarded as a generic risk analysis including countermeasures. If the standard specifies concrete limits for certain clauses, then care shall be taken if the RMP is used to tailor (adjust) these standard limits.

• The overall residual risk shall be evaluated and documented in the RMF. The overall residual risk is the risk of all single risks combined. It might be that each single risk evaluated alone is accepted, but because too many single risks are at the borderline to the intolerable area, the overall residual risk cannot be accepted.

Page 22: Risk Management within the 60601-1:2006

In applying ISO 14971:
– The term “fault conditions” referred to in ISO 14971 shall include, but shall not be limited to, SINGLE FAULT CONDITIONS identified in this standard.
– The policy for determining acceptable RISK and the acceptability of the RESIDUAL RISK(S) shall be established by the MANUFACTURER.
– Where this standard or any of its collateral or particular standards specify verifiable requirements addressing particular RISKS, and these requirements are complied with, the RESIDUAL RISKS addressed by these requirements shall be presumed to be acceptable unless there is OBJECTIVE EVIDENCE to the contrary.

Page 23: Compliance

Compliance is checked by inspection of the RISK MANAGEMENT FILE. The requirements of this clause and all requirements of this standard referring to inspection of the RISK MANAGEMENT FILE are considered to be satisfied if the MANUFACTURER has:
– established a RISK MANAGEMENT PROCESS;
– established acceptable levels of RISK;
– demonstrated that the RESIDUAL RISK(S) is acceptable (in accordance with the policy for determining acceptable RISK).

Page 24: When is Risk Management required?

• The IEC 60601-1:2006 requires RMP in the following 3 situations:

1. A completely new hazard is identified, which is not addressed in the standard:
- In such a case RMP is a MUST.
- Examples: New techniques are developed (innovation).

Page 25: When is Risk Management required?

2. If a clause refers to RMP, then it is justified by the standard to use RMP to tailor (adjust) the concerned standard requirements to the DUT (device under test). This means in clear words: The RMP shall be conducted OR the defined technical standard requirements must be exactly fulfilled.
- Example: Clause 8.4.2.c (2Ed.: 16.e): here accessible voltages, e.g. 24 Vdc, could maybe be justified by RMP for home use (e.g. at a ceiling hoist with an accessible current bus-bar), where it is ensured that the PATIENT has no catheters (intact skin) and can be regarded as comparable to an OPERATOR.

Page 26: When is Risk Management required?

3. The clause does NOT refer to RMP:
- Example: Clause 8.6.6: The PE-contact in a detachable socket shall make contact before, and be interrupted after, the supply connections are contacted or interrupted.

At first glance it appears that RMP would NOT be possible, because RMP is not mentioned in this subclause 8.6.6. However, clause 4.5 (Equivalent safety) is always possible!!!

Page 27: Equivalent Safety Concept

4.5 Equivalent safety for ME EQUIPMENT or ME SYSTEMS

Where this standard specifies requirements addressing particular RISKS, alternative means of addressing these RISKS are acceptable provided that the MANUFACTURER can justify that the RESIDUAL RISKS that result from applying the alternative means are equal to or less than the RESIDUAL RISKS that result from applying the requirements of this standard.

Compliance is checked by inspection of the RISK MANAGEMENT FILE.

(It must be pointed out that verification of compliance is here also linked to RMP, but additional evidence about equivalent safety is required.)

Page 28: Equivalent Safety Concept

4.5 Equivalent safety for ME EQUIPMENT or ME SYSTEMS

If the RESIDUAL RISK is greater than the RESIDUAL RISK achieved by applying the requirements of this standard, the ME EQUIPMENT or ME SYSTEM cannot be regarded as complying with this standard, even if the RESIDUAL RISK is fully justified by other considerations such as the clinical benefit to the PATIENT.

In such a case standard compliance is only given if:
- The RMP is done adequately and additionally
- Equivalent safety is reached.

That means: It is permitted to deviate from given standard limits (e.g. certain creepage distance values), but it is forbidden to deviate from the RESIDUAL RISK level of the standard in the riskier direction.

Page 29: Equivalent Safety Concept

Changes to the defined pass/fail criteria of certain standard requirements can NOT be justified by RMP alone, but also need to be supported by equivalent safety.

• Example: Showing objective evidence that the RESIDUAL RISK of the standard is not tailored if e.g. 7,5 mm creepage is accepted instead of 8,0 mm may be difficult, because of the 7,5 mm. However, objective evidence could be supported by:
- Performing additional specific tests
- Using alternative safety features for risk reduction.
- Other methods.

This indeed means that a comparison of RISK levels must be done in addition to RMP. Comparing the RISK levels is only possible by evaluation of the RMF!

Page 30: Equivalent Safety Concept

That means in clear words:

The manufacturer can NOT determine the RESIDUAL RISK level as he likes; rather, the manufacturer is at least bound to the current values of society. In case of a defined pass/fail criterion in the 60601-1 and no link to RMP, the manufacturer is even bound to the RISK level predefined in the standard itself (equivalent safety).

Current values of society = the state of the art!

The state of the art = how the majority of the worldwide experts (not only a few article writers or a few test houses!) would judge the case!

The state of the art is how the majority of users handle it (Example: EMC of medical systems configured in hospitals).

Page 31: Your RMF under scrutiny

• Checking projects for compliance with EN 60601-1:2006 (incl. applicable collateral and particular standards) requires a 100% verification of all applicable clauses of that standard. This includes all those clauses which refer to RM.
• If the manufacturer deviates from any of the verifiable requirements of the standard, he must demonstrate equivalent safety (see clause 4.5), usually the outcome of the risk management process, to be verified by the test house.
• For new hazards, e.g. associated with innovative technology, the manufacturer has the duty to include them in his risk management process and also has to work with the test house for proper verification. Clause 4.5 is not applicable for such hazards.

Page 32: Initial Conclusion

• Tailoring (adjusting) the requirements of the standard to the specific device is possible as long as the RMP is done according to the rules required by ISO 14971 and IEC 60601-1.

Page 33: Confusion on the market

“Product certification (testing) according to the 3rd Edition means that the product needs to be tested in a test laboratory and additionally an audit according to ISO 14971 must be conducted at the manufacturer facility.”

Answer:

The concerned standard clause is 4.2 “RISK MANAGEMENT PROCESS”. Within the “compliance” section it is written: “Compliance is checked by inspection of the RISK MANAGEMENT FILE.”

It is NOT allowed to substitute the standard's words:
- “inspection” with “audit”, and
- “FILE” with “PROCESS”.

That means: According to the standard, only the outcome of a RM-PROCESS (= this is solely the RM-FILE) will be evaluated.

RESULT: NO on-site audit required!!!

Page 34: Final Conclusion

• RMP alone can be used where a clause in 60601-1 refers to RM or a totally new hazard is handled.
• The RMP must be conducted according to ISO 14971. Risk Evaluation must be based on the current values of society. This means that the manufacturer is not free to lower the safety level by increasing the level of acceptable Risk so much that the current values of society are violated. See 3.2, 3.3 of ISO 14971.
• In case of using the ALARP concept: If a Risk is in the ALARP region, then the Risk must be reduced to a level as low as reasonably practicable (ALARP) and additionally the Risk/Benefit ratio must be evaluated.
• In case of Equivalent Safety: in addition to fulfilling the current values of society (1) and fulfilling the Risk/Benefit ratio (2), the remaining Residual Risk level must be equal to or less than (3) the Residual Risk level of applying the specific requirement of 60601-1.

Page 35: Also Don’t Forget...

Evaluating the RMF is required for:
- the MDD (CE commission)
- CB-scheme (IECEE).

The 3rd Edition does NOT change the role of Notified Bodies, because they are bound to EU law more than to a standard!

Page 36: MODULE 3

Methods for the visualization and identification of harms and hazards

Page 37: System Analysis - HAZOP

[Figure: a system broken down into system element 1 (with sub-system elements 1.1 and 1.2), system element 2 and system element 3.]

System elements, description of the functions: function / negated function. Why could this function fail? E.g. by systematic HAZOP approach.

System elements can be replaced by requirements or features of the device!

Additional information: IEC 61025

Page 38: Harm Analysis

– loss of blood
– air infusion
– damage of vascular system
– wrong blood temperature
– hemolysis

Page 39: Fault Tree Analysis

[Figure: fault tree for "Failure blood heating". Nodes shown on the slide:]
– Failure blood heating
– Temperature sensor defect
– Short circuit
– Cold soldering point
– Heating does not work
– Heating wire broken
– No energy
– ADC delivers wrong values
– High noise
– Wrong reference voltage

Additional information in IEC 61025

Page 40: Ishikawa – Fishbone Diagram

[Figure: fishbone diagram leading to the problem, with main causes and sub causes on the branches: measurements, materials, machines, personnel, methods, environment.]

Page 41: Black Box

[Figure: black box with inputs and outputs.]
Inputs: keyboard, mouse
Outputs: command to device, screen output

Possible hazards:
• outputs not generated
• false outputs generated

Page 42: Impulsive Words

Use a team to find impulsive words: stress, panic, patient, confusion, weather

Other sources:
• ISO 14971 Annex C/D
• IEC 60601-1-6

Page 43: Interface Analysis

Page 44: Sabotage

Question: What can be done to disable the system or harm the patient and how?
– disconnect the bubble detector
– increase the pump speed to maximum
– implement sharp edges to cause hemolysis

Page 45: FMEA

FMEA: Failure mode and effects analysis
– a method to identify hazards
– a method used for structuring and evaluating risks (similar to ISO 14971)

Page 46: FMEA Example

[Figure: chain of events, in the order shown on the slide:]
– production failure: wrong glue
– key-board not waterproof
– water comes in during cleaning
– contact through water
– bolus executed

Page 47: FMEA Example

FMEA in Production

| Process step / component | # | Failure | Harm | Root cause | A | S | E | RPN | Risk control | A | S | E | RPN |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| packaging | | Insufficient steam penetration | Infection by non-sterile product | Wrong packaging material | 6 | 10 | 8 | 480 | Packaging validation | 1 | 10 | 8 | 80 |
| Temperature control | | Temperature sensor defective | Blood heating | No contact | 5 | 10 | 10 | 500 | Final testing + 100% Visual inspection | 5 | 10 | 1 | 50 |

A: Occurrence; S: Severity; E: Detectability; RPN: Risk Priority Number (shown as RPZ in the first RPN column of the slide)

Page 48: Differentiation

[Figure: the methods arranged between two starting points.]
Top down (from intended use, function, patient): hazard analysis (PHA), fault-tree analysis (FTA), Ishikawa, impulsive words, system analysis (HAZOP)
Bottom up (from realization): system analysis (HAZOP), black box, interface analysis, FMEA (as defined)

Page 49: Turtle – For Processes

[Figure: turtle diagram. Labels: Input, process, Output, Requirements (twice), and the questions "With what?", "With whom?", "With what?" and "How?".]

• Instructions
• Procedures
• Methods
• Training
• Knowledge
• Abilities
• performance indicators
• Equipment
• Installation

Page 50: Turtle (for processes)

[Figure: turtle diagram filled in for a reflow soldering process; box labels and entries in the order extracted from the slide.]

Material Resources: With what (equipment, material)
Process risks
Human resources: Who (training, knowledge)
- reflow soldering oven; soldering paste
- function of the oven; calibration; paste specs
- no or insufficient instruction; craftsman electrical engineering; special briefing for the oven

Inputs / Outputs
- PCB with paste and components; soldering programme
- PCB without paste; missing components; wrong soldering programme
- soldered PCB; protocol of the oven

Performance indicators
Know-how: How (Instructions, procedures, methods)
- wrong soldering points
- Old work instruction; component specification wrong; component specification not available
- Instruction "Soldering with our reflow oven"; component specs

Page 51: MODULE 4

Creating a RMF - Minimal Documentation

Page 52: Minimal File

Intended use
Describe your device such that it is obvious who will use your device, what for and how.

Risk management plan
When, what, how something should be done by whom?

Scope
Describe for which part of the product life cycle the risk management file is valid.

Definitions
What is…?

Qualification
Who was involved in risk management (development, doctor etc.)?

Page 53: Minimal File

Severity and probability
Provide categories for severity and probabilities (including examples).

Acceptance matrix
Define the acceptance matrix (severity vs. probability). Include the acceptable risk in your considerations.

Table
List the risks in a table with the following columns: harm, cause, severity before measures, probability before measures, risk acceptance before measures, risk mitigation measures including links to specifications and verifications, severity after measures, probability after measures and risk acceptance after measures.

Page 54: Minimal File

Explanation for exceptional decisions
Exceptional decisions have to be explained!

Acceptance matrix before and after mitigations
Fill out the matrix with the number of risks in each field before and after mitigations.

Assessment of the overall remaining risk
Assess the overall remaining risk using the acceptance matrix after mitigations. It might be worth calculating the number of injuries/deaths according to your matrix.

Production and post production information
How is the interface to production governed, and how is the information from the field (production, service, installation, user etc.) fed back?

Risk management report / approval
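
The risk table, the acceptance matrix counted before and after mitigations, and the overall residual risk assessment from the two Minimal File slides above, as an added example that is not part of the presentation. The category scales, the matrix contents, the sample risks, the placeholder links and the `max_alarp_share` threshold are constructed assumptions; the manufacturer's own policy defines the real ones.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed scales (constructed): the RMF defines its own categories, with examples.
SEVERITY = ["negligible", "minor", "serious", "critical", "catastrophic"]
PROBABILITY = ["improbable", "remote", "occasional", "probable", "frequent"]

# Assumed acceptance matrix: one row per probability, one column per severity.
# A = acceptable, R = ALARP region, N = not acceptable. It is a lookup table:
# probability and severity are not multiplied.
MATRIX = {
    "frequent":   "RNNNN",
    "probable":   "ARNNN",
    "occasional": "ARRNN",
    "remote":     "AARRN",
    "improbable": "AAARR",
}


@dataclass
class Risk:
    """One row of the risk table, with the columns listed on the slide."""
    harm: str
    cause: str
    sev_before: str
    prob_before: str
    measures: str            # risk mitigation measures
    links: tuple             # links to specifications and verifications
    sev_after: str
    prob_after: str
    risk_benefit: str = ""   # justification, needed for residual ALARP risks


def acceptance(severity, probability):
    """Look up one field of the acceptance matrix."""
    return MATRIX[probability][SEVERITY.index(severity)]


def matrix_counts(risks, stage):
    """Number of risks per (probability, severity) field; stage is 'before' or 'after'."""
    return Counter(
        (getattr(r, f"prob_{stage}"), getattr(r, f"sev_{stage}")) for r in risks
    )


def assess_overall(risks, max_alarp_share=0.5):
    """Overall residual risk check; max_alarp_share is an assumed policy value."""
    findings = []
    alarp = 0
    for r in risks:
        before = acceptance(r.sev_before, r.prob_before)
        after = acceptance(r.sev_after, r.prob_after)
        if before != "A" and not (r.measures and r.links):
            findings.append(f"{r.harm}: measures or verification links missing")
        if after == "N":
            findings.append(f"{r.harm}: residual risk not acceptable")
        elif after == "R":
            alarp += 1
            if not r.risk_benefit:
                findings.append(f"{r.harm}: ALARP without risk/benefit evaluation")
    # Each risk may pass alone while too many sit at the borderline.
    if risks and alarp / len(risks) > max_alarp_share:
        findings.append(f"{alarp} of {len(risks)} residual risks are borderline (ALARP)")
    return (not findings), findings


# Constructed sample rows; harms and measures reuse wording from the slides.
RISKS = [
    Risk("infection by non-sterile product", "wrong packaging material",
         "critical", "occasional", "packaging validation",
         ("SPEC-PKG (placeholder)", "VER-PKG (placeholder)"),
         "critical", "improbable", "sterile supply required for therapy"),
    Risk("wrong blood temperature", "temperature sensor defect",
         "serious", "probable", "final testing + 100% visual inspection",
         ("SPEC-TMP (placeholder)", "VER-TMP (placeholder)"),
         "serious", "remote"),
    Risk("air infusion", "bubble detector disconnected",
         "catastrophic", "remote", "detector connection monitored",
         ("SPEC-AIR (placeholder)", "VER-AIR (placeholder)"),
         "catastrophic", "improbable", "no alternative therapy available"),
    Risk("loss of blood", "tubing connector leak",
         "minor", "remote", "", (), "minor", "remote"),
]

if __name__ == "__main__":
    for stage in ("before", "after"):
        print(stage, dict(matrix_counts(RISKS, stage)))
    ok, findings = assess_overall(RISKS)
    print("overall residual risk acceptable:", ok)
    for finding in findings:
        print(" -", finding)
```

With the sample rows, every residual risk lands in an acceptable or ALARP field, yet the overall assessment fails because three of the four are borderline and one lacks its risk/benefit evaluation.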

Page 55: MODULE 5

Common Errors when Creating a RMF

Page 56: Common Errors

• Assess only the risks associated with the BIG issues
• Do a RMF retrospectively
• Not looking at residual risks
• No conclusion
• Associate ALARP with the meaning of “Acceptable” or “no actions involved”
• Thinking that Probability of Occurrence and Severity must always be multiplied
• Not involving experienced/specialist personnel with regard to the process/product
• Not keeping the RMF a “live” document
• Using the RMF as an “escape route” to product re-design, improvements, CAPA, etc...
• Not looking at the worst case scenario
• Make the RMF look good so that the auditor is happy!

Page 57

Alberto Paduanelli
Medical Devices Lead Auditor, MHS-UK
TÜV SÜD Product Service
Tel: +44(0)1489 558219
[email protected]
www.tuvps.co.uk