Originally Published MDDI January 2005
Originally Published MDDI January 2005
Addressing the Problem of Medical Device Misuse
Medical device misuse is unavoidable. But how much responsibility should device manufacturers bear for creating safer products?
Michael E. Wiklund
|Manufacturers must consider many factors during a product's
development to ensure proper end-use of the device.
For ethical, legal, and economic reasons, medical device manufacturers need to pay close attention to the many ways their products can be misused. Misuse sometimes exposes people to serious hazards that can lead to injury, death, or property damage. Such adverse outcomes can jeopardize a manufacturer's reputation and provoke lawsuits.
Of course, not all misuses are necessarily dangerous, and they may even be desirable. As used in this article, the word misuse is a product development term of art that has sparked considerable semantic debate. To many design professionals, it encompasses not just operating a device in an erroneous, and even malevolent, manner, but also beneficial and widely accepted but off-label uses.
Understanding the full range of possible misuses will allow manufacturers to make fully informed choices about how to prepare for these misuses. They may even be prompted to reassess whether they have correctly identified all the appropriate uses of their products.
Some manufacturers will take great care to prevent or mitigate foreseeable misuses. Others will take a more-limited approach that focuses only on uses described in the product's labeling, even when they may be directly or indirectly promoting the product's off-label uses. Logically, most will seek ways to limit their responsibility for egregious misuses.
Whether a given approach is regarded as reasonable or not depends in part on the work of a joint IEC-ISO standards committee, called IEC-ISO JWG4, which is currently addressing the issue of misuse. It also depends on how particular manufacturers manage their risks and on their assumed responsibility to protect people from design-induced and self-inflicted harm.
Prudent manufacturers engineer their products to reduce the chance of misuse or abuse. For example, a manufacturer may choose to permanently seal a device's case rather than screw it together. That way, people cannot dismantle it easily. Such a solution may complicate repairs or even make them impossible. Still, it reduces the chance that someone will open the device and possibly receive an electrical shock. It also reduces the chance of tampering. As another example, a monitor manufacturer may customize its sensor leads to prevent users from inserting the leads into the wrong ports or outlets.
Other protective strategies in lieu of eliminating a hazard altogether include adding safety features, training people to use products properly, and placing warnings on the products. The last option is especially popular with manufacturers because it represents a simple, low-cost fix that also offers an essential measure of legal protection, since liability lawsuits often focus on a manufacturer's failure to warn users about hazards.
Persistent Forms of Misuse
Still, despite measures to encourage proper use, the misuse of seemingly well-designed products is a relatively common event. In fact, some misuses, often called off-label uses, have actually emerged over time as accepted practice.
For example, it has become routine to send patients home with intravenous (IV) infusion pumps. These pumps were originally designed for use in hospitals by trained medical professionals. IV pump manufacturers may not have anticipated such use or formally sanction it, despite the fact that it may be good for their business. Still, it is happening, and the situation raises concerns about laypeople using the product incorrectly. Matthew Weinger, MD, professor of anesthesiology at the University of California, San Diego, director of the San Diego Center for Patient Safety at the San Diego VA Healthcare, and cochair of AAMI's Human Factors Committee, says such misuses are common. “You have situations where patients and their family members are operating infusion pumps at home,” Weinger says. “For instance, a mother may be caring for a sick child. Should the manufacturer be held responsible if the mom turns off the alarms and there is a problem?”
Another form of common off-label use occurs with single-use syringes. Even though these syringes should be thrown away after just one injection, people may use them repeatedly. Is it enough for the manufacturer to label the syringes as single use? Or should manufacturers be held responsible for somehow disabling the syringe after its first use—a measure that can increase product cost? Some companies have already engineered single-use syringes that become inoperable after one use. Does this place companies that have not taken this step at risk? These questions do not have clear answers at this time.
Ventilators and warmers are also often misused, in the sense of the term of art. Although originally designed for use in operating rooms and ICUs only, Weinger says, “they have migrated into emergency rooms, step-down units, and even people's homes.” He adds, “These devices were intended to be used by individuals with special training but are now being used in less-acute domains by people who may have less skill. This misuse can lead to problems. For example, forced-air warmers can cause burns if you do not use them properly.”
Some manufacturers have treated common off-label uses as an opportunity to develop new products to meet those needs, properly accounting for the intended users' knowledge and abilities. However, this by itself has not eliminated the persistent problem of mismatched devices and users, a problem that must be addressed by both manufacturers and healthcare institutions.
Drawing the Line
As one might imagine, manufacturers want to take a number of steps to protect themselves. Such steps include:
• Drawing a clear line between misuses that are reasonably likely and those that are not.
• Differentiating misuses that are well intentioned from those that are not.
• Limiting their risk-management efforts to misuses associated with the product's intended purposes, which one might define as use error, rather than misuse, which seems to suggest flaws in the user's intent.
Manufacturers wonder how they can protect themselves against somebody using their device for an unintended purpose or to deliberately cause harm. They reason that a deranged individual could always find a bizarre way to hurt someone with a medical device. They suggest that designing a device to prevent such criminal acts while also maintaining the device's effectiveness and usability might be impossible.
Meanwhile, regulators and human factors specialists have been encouraging manufacturers to take a closer look at misuses before dismissing them as unlikely, unrelated to the product's established purposes, or outright aberrant. The proponents of a more-expansive analysis believe that some manufacturers ignore a large number of likely misuses, including the aforementioned off-label uses. Instead, those manufacturers take the logical stance that no one should use a medical device without having the proper qualifications and training to use the device in accordance with the instructions for use.
Weinger is a proponent of intensive human factors analysis of potential misuses. “If you are going to design a device with a certain set of intended uses, doesn't it make sense to ask the customer if those uses are reasonable or not?” he asks. Weinger's proposition assumes that manufacturers will discover differences between their intentions and the users' expectations.
So, the medical device industry is caught in a debate on misuse and the manufacturer's level of responsibility. It seems headed toward a compromise solution in which manufacturers perform more-intensive analyses of potential misuses. This compromise also may establish a cutoff point for misuses falling outside the manufacturer's responsibility.
During its 2004 meetings in Vancouver and London, the IEC-ISO JWG4 committee addressed the issue of medical device misuse. Specifically, they discussed how device misuse (alternately described as use error) factors into the overall risk-management process, as defined in IEC/CD Standard 62366, Medical Devices—General Requirements for Safety and Essential Performance—Usability.
One issue facing the committee as well as others concerned with incidence of medical device–related injuries is how to reliably differentiate reasonably foreseeable misuses from those that are not reasonably foreseeable. Another issue is where to draw the line in terms of the manufacturer's responsibility to protect against such misuse. To complicate matters, two analysts could independently evaluate the same potential misuses and draw different conclusions about the reasonableness of a particular user action, never mind the limits of manufacturer responsibility. The second issue introduces all kinds of economic and political issues that are beyond this article's scope.
Currently, failure modes and effects analyses (FMEAs) and fault tree analyses (FTAs) can focus on reasonably foreseeable misuses, but one has to depend on professional judgment supported by available historical data to determine the likelihood of a particular event.
Meanwhile, there is the matter of off-label uses. Although such uses are technically considered misuses, off-label uses may be so common that they become standard operational procedure—the established standard of care. This poses challenges to manufacturers that may have focused their design efforts on the needs of a particular user population, only to see the device serve broader needs. It is these kinds of complexities that have motivated ISO-IEC to take up the issue and work toward a common framework for dealing with misuses.
Most product developers would agree that some misuses (what some developers would term use errors) could be predicted by applying human factors engineering principles. For instance, it is well-known that people often bump into medical devices in corridors and procedure rooms. Such collisions might inadvertently change a critical control setting if the control were not guarded. Product designers can use this knowledge to develop devices that can withstand casual impact.
Also consider the case of a digital thermometer with a pointed tip. One could predict that someone might someday stick the thermometer's tip in an ac power outlet and receive an electrical shock. Such an outcome could be extrapolated from documented cases of people sticking a medical device's leads into an ac outlet and causing burns and electrocution.1 Therefore, some manufacturers may address these kinds of predictable misuses in their risk management efforts. At the same time, some manufacturers might feel this goes beyond their risk-management responsibilities.
There seems to be a strong consensus among manufacturers, regulators, and patient safety advocates that manufacturers should not be held responsible for malevolent acts, such as using a surgical instrument deliberately as a weapon. Gerald Panitz, an anesthesia equipment developer with Draeger Medical (Lubeck, Germany) and an IEC committee member, concurs. “Some theoretical possibilities, such as throwing a device at somebody, should be dismissed,” he says. He thinks that reasonable people would agree that such acts qualify as abuse and should be outside the manufacturer's responsibility.
One possible scheme for characterizing product uses as proper or improper included the following categories:
• Normal use: Using the device as the manufacturer intended, as described in the device's user manual.
• Common use: Using the device in ways that the manufacturer did not intend but that fall within the established standards of care.
• Misuse subject to mitigation: Using the device in ways that could be predicted by a thorough human factors analysis that considers the user population, the task, and the use environment.
• Misuse not subject to mitigation: Using the device in ways that could not be predicted by a thorough human factors analysis.
• Abuse: Using a device in ways intended to cause damage and personal harm.
However, this approach could be viewed as expanding the manufacturer's risk management responsibilities beyond reason, particularly because of the complexities of predicting human behavior.
Another possible scheme for characterizing product uses includes the following categories:
• Correct use: Using the device as intended by the manufacturer and as described in the device's instructions for use.
• Use error: Using the device in a well-intentioned but
• Abnormal use: A deliberate act of omission or commission intended to produce adverse results.
Notably, the latest scheme reduces manufacturers' burden to manage the risks associated with off-label uses, even if those uses are indirectly encouraged—or at least not discouraged—due to medical and economic benefits. It instead leaves the responsibility to explore other kinds of predictable misuses unresolved. However, the very existence of a common classification scheme should prove to be a benefit to industry and risk management efforts as a whole. It would provide an industry-consistent method for dealing with a very challenging problem for manufacturers.
Identifying Potential Misuses
While a classification scheme for product uses ranging from normal to malevolent evolves through the work of the ISO-IEC committee and others, manufacturers still face the daunting task of identifying unintended product uses to go along with the intended ones.
Of course, some manufacturers may want to limit themselves to addressing intended uses. But, as Weinger suggests, this could create a false picture of how their products will actually be used. He believes that “if manufacturers approached the task of identifying and mitigating potential product misuses in a manner consistent with the human factors guidance provided by AAMI and FDA, the rate of use error could be reduced by 50%.”
The simplest strategy for identifying unintended product uses is for subject-matter experts and representative users to imagine them. Consider the case of a metered-dose inhaler. What are some of the unusual things that people might do with a metered dose inhaler? A few minutes of creative and mischievous thought might yield to the following list.
• Toss a partially filled canister into a campfire.
• Aim the puff of gas into a flame to see if it works like a torch.
• Direct a puff into someone's ear or eye.
• Try to replace the medicinal gas canister with the kind of butane canister used in lighters.
• Trip and fall with the inhaler's mouthpiece in one's mouth.
• Crush the canister with a pair of pliers to see what will happen.
One could expand this list dramatically with more time and imagination. But the exercise is not just about envisioning absurd and risky behaviors. Rather, it should consider a wide range of scenarios involving not only careless users but also people who err while trying to do their best. Use errors involving an inhaler might include:
• Insert the wrong pressurized canister into the inhaler.
• Drop the device on the ground.
• Forget to shake the inhaler before using it.
• Lose count and administer too many puffs.
• Bite down forcefully on the mouthpiece.
• Fail to remove cap before use.
• Clean mouthpiece with a damaging, toxic cleanser, leaving a residue.
Shifting focus to other medical devices, one could also envision circumstances in which someone might remove a valve from a rebreathing system but fail to replace it before use, or fill an analyzer with the wrong or expired fluid, despite existing protections against this outcome. According to the latest category list, these actions would be use errors.
However, despite its usefulness in identifying potential misuses, individual imagination has its limits. Human factors and ethnographic research methods listed below can make a significant contribution to identifying the range of possible product uses, misuses, and abuses.
Observations. One productive method for identifying common misuses is to observe the device in question or comparable devices in use. Ethnographic research techniques, such as job shadowing, should reveal common misuses and perhaps some rare ones. This technique presumes that the researchers have a sufficient understanding of the associated medical procedures to detect problems. Field researchers can also identify potential misuses by imagining how things might go awry based on their observations.
Conducting Interviews. Another means of identifying potential misuses is to interview the people likely to come into contact with the product. This group can include physicians, nurses, technicians, therapists, patients, the patient's family members and friends, technicians, and maintenance workers. During individual interviews or group interviews, relevant scenarios can be presented and people can imagine how things might go wrong. Interviews may also include brainstorming exercises to identify common uses, misuses (including those due to use error), and abuses.
Conduct Usability Tests. Usability testing reveals how people may use a device based on their intuition rather than the manufacturer's instructions. It also reveals how design complexities can lead people astray as they perform a task, even when the people have received proper training. As such, usability tests reveal misuses that could be hazardous in a real-life setting in a safe environment. Simulating device use in a more controlled setting can protect caregivers and patients while exploring the more troublesome scenarios.
Analyze Incidents. The public record of adverse events is another place to look for potential misuses. The record is particularly useful if a new product has predicates, or devices already on the market that function similarly. Take, for example, a manufacturer of an automated external defibrillator (AED). The manufacturer might look at adverse events involving previous-generation AEDs or defibrillators in current use to inform a new development effort.
FDA's medical device reporting database is another useful resource for identifying potential misuses. However, many of the reports may lack the detail necessary to inform a proper hazard analysis. Panitz often works on the design of anesthesia delivery systems. He suggests also looking over customer complaints to identify possible misuses.
Conduct a Task Analysis. Another step toward identifying potential misuses is to conduct a task analysis. Decomposing an overall task into its myriad components enables manufacturers to develop a sense for the normal, safe way to perform a task. Such an analysis includes data input and output, decisions, and actions. A task analysis is a good way to examine the various and creative ways that the flow of tasks can go astray. For example, protective shields used during shipping might inadvertently be left on a product and produce an electrical or fire hazard.
Conduct a Fault Tree Analysis. Fault tree analysis, a staple among risk managers, can help to identify unintended uses. This analytical method traces negative outcomes back to their root causes. As such, one might start with the terminal event of electrocution and then assess the full range of events that could lead up to it. Then one could move along to other negative outcomes, such as poisoning, blunt trauma, misdiagnosis, etc.
Limitations of Quantification
Numbers can be comforting to those who seek to manage risk. A manufacturer would probably act quickly to protect users from a severe hazard that had a 1 in 10 probability of occurrence. The need for mitigation becomes questionable when the risk and severity of consequences decline. But analyses based on the probability of occurrence and severity of consequences is complicated by the unpredictability of certain human behaviors.
Unfortunately, it is difficult to predict how people will behave in specific circumstances, and not much data exist on the subject. As such, it is hard to predict the probability that someone will inadvertently misuse a device. The probability of misuse depends heavily on factors including the type of user, the design of the device, and environmental conditions.
Human factors resources can offer estimates of the chance of omitting a procedural step (3 ¥ 10–3) or making an arithmetic error despite self-checking (3 ¥ 10–2), for example.2 But the legitimacy of using these values is questionable.
Accordingly, manufacturers may institute a simpler, less-precise risk estimation scheme to prioritize risks of product misuse and determine the need for mitigation. For example, manufacturers could draw on the judgment of an advisory panel that includes human factors specialists, other kinds of experts, and representative users. The panel could rate misuses on a 10-point scale, ranging from low to high probability. At the same time, they could rate the severity of consequences on a 10-point scale, ranging from low to high severity. The final step would be to choose cutoff points for the level of probability and severity that warrants manufacturer action.
However, taking the product of the probability and severity scores might downplay the value of mitigating a potential misuse that could lead to severe consequences but could be easily remedied. For example, one's analysis might identify a misuse with a high severity (e.g., 9) but low probability of occurrence (e.g., 2), yielding a score of 18. This score might make remediation a low priority. However, the remedy might be quite simple and inexpensive. Therefore, one may want to consider each score, rather than the product of the scores, in the course of risk analysis and mitigation.
Along with regulatory compliance, liability exposure will be an important consideration in choosing the appropriate cutoff point. Therefore, manufacturers have a lot of ethical, regulatory, and economic reasons to analyze misuses and implement protections.
There is an increasing concern among manufacturers about their responsibility for device misuse. This may be attributed to the large financial settlements that have gone to people who have sued companies for injuries that could have easily been avoided.
Manufacturers are aware that caregivers are sending patients home with devices that were not designed for use by laypersons. This knowledge leads them to ponder how far they need to go with their risk management efforts. To some, committing to a rigorous analysis of potential misuses feels like opening a Pandora's box, placing them in more legal jeopardy than less. Yet there is also the debate about taking corporate responsibility even if it causes economic consequences.
Weinger is sympathetic to the manufacturers' plight. He says, “Manufacturers want to produce safe and effective devices. But because they are fundamentally economically driven, they are averse to losses, strive to limit their financial risk, and want to ensure they are in regulatory compliance. But, for their long-term success, they have to provide products that enable the best possible patient care, one patient at a time. If they can conceive of a possible device misuse, or even a criminal use for the device, they should examine economically viable ways to mitigate the potential problem. It's in their best interest to do so.”
But Weinger also notes: “A manufacturer may look at a potential problem and legitimately decide not to do anything about it. In our society, this may enable lawyers to attack the manufacturer in the future, saying in retrospect that it didn't do enough to prevent the injury from a recognized problem.”
In other words, manufacturers face the tough reality that once they identify a potential problem, they will be at risk unless they try to mitigate it.
Presently, manufacturers have to make educated guesses about their liability in the absence of any industry conventions or standards on the subject. Therefore, the IEC-ISO's initiative to develop guidance for manufacturers on device misuse promises to clarify the boundaries in ways that could increase the breadth and depth of safety analyses. At the same time, it is likely to cut down on the manufacturer's need to mitigate against malevolent actions. Ultimately, manufacturers may still have to decide for themselves how to address misuses that are likely to occur over the life of a product. Expanded safety analyses may be driven as much by product liability and commercial considerations as risk management policies.
According to Panitz, such analyses fit well with the commercial interests of medical device companies. Taking a commercial viewpoint, “If a device is error-prone, customers will not accept it and will buy from somebody else.” However, Panitz would leave the decision on the depth of analysis up to the manufacturer.
Taking an even broader view of product safety, Panitz makes an important point. He says, “Using a device outside its intended use, even with the best of intentions, has to be considered abuse. What really makes trouble is poor [device] usability leading to risks during normal use.…If a device is ideally safe—optimally designed to prevent use errors—most uses just outside the intended use would create no problem.” Panitz adds that the medical industry has a long way to go to address all of the problems associated with normal product uses. So rather than obsess over the few special cases of misuse, the industry should deal with them in the normal course of designing the safest possible product.
1. PL Clemens, Fault Tree Analysis, [on-line] (2004); available from Internet: www.sverdrup.com/safety/fta.pdf.
2. U.S. FDA: Medical Devices; Establishment of a Performance Standard for Electrode Lead Wires and Patient Cables, [on-line] (Rockville, MD: FDA, CDRH, 1997); available from Internet: www.fda.gov/cdrh/comp/fr0509af.html.
Michael E. Wiklund, PE, is a certified human factors professional who consults with medical device developers on the design and evaluation of safe, effective, usable, and appealing medical devices. He serves on the AAMI and IEC Human Factors Committees. He can be reached via e-mail at [email protected].
Copyright ©2005 Medical Device & Diagnostic Industry