Risk Management in Medical Device Design

Medical Device & Diagnostic Industry Magazine, MD&DI, October 1997, Column: RISK MANAGEMENT

Early and continuous evaluation of a product's hazard potential increases the likelihood of correcting those hazards and producing a device with a low probability of causing harm.

FDA's quality system regulation is intended to give manufacturers "the flexibility to determine the controls that are necessary to be commensurate with risk."1 FDA sees risk analysis as an essential requirement of the regulation but gives little guidance on specific risk analysis approaches and procedures such as fault tree analysis (FTA) or failure mode and effects analysis (FMEA). As medical device companies review and update their approaches to risk analysis, they may find value in what other industries, including chemical, aerospace, and defense, have learned about using it to reduce risk. Companies can manage and reduce risk more effectively by including risk thinking as early as possible in device or process development and revisiting those issues systematically throughout the development process.


An overall risk management process involves the essential steps in Figure 1. In order to manage risk, hazards must first be identified. By evaluating the potential consequences of hazards and their likelihood, a measure of risk can be estimated. This value is compared to the company's risk-acceptability criteria and, if it is too high, the risk needs to be mitigated.

Figure 1. Sample flowchart showing risk management of identified hazards.

Because risk cannot be completely eliminated, the risk that remains must be managed. The following steps can be used in a risk management program:

  • Develop written definitions of what needs to be done and how to do it.
  • Define responsibilities and accountability.
  • Define what needs authorization and who is responsible for handling it.
  • Define the skills and knowledge necessary to implement the system and a provision for training those who do not possess these skills.
  • Develop and maintain written documentation to demonstrate conformance to policies and procedures.
  • Incorporate measures to cross-check and verify that procedures are followed.
  • Verify that systems are in place and functioning properly.

Whereas many companies have good hazard- and risk-assessment programs, effective risk management is not always in place.


Even before a final design has been developed, a preliminary hazard analysis can be conducted to establish the baseline hazards associated with a device. In essence, the analysis consists of listing the major components and operating requirements of the device and evaluating their potential hazards. The components and operating requirements could include raw materials and wastes, hardware, monitoring and control systems, human-device interfaces, services, and the operating environment.

Some potential hazards that may need to be evaluated include toxicity, flammability, and reactivity of raw materials and wastes; sensitivity to environmental factors such as temperature and humidity; mechanical or electronic hazards; and human factors associated with the operator-device interface. The patient-device interface can also be hazardous because of unsafe or ineffective delivery of energy, administration of drugs, or control of life-sustaining functions. Also, incorrect information could lead to a misdiagnosis or wrong treatment or therapy being ordered.

When conducting a preliminary hazard analysis, use a what-if or brainstorming approach to identify possible failures, evaluate potential consequences, and develop risk management strategies. These strategies lead to an improved, lower-cost design. Generally, failure scenarios can be prioritized by the severity of each hazard.

At this stage, there is often insufficient detail to evaluate hazard likelihood accurately. However, comparisons may be made with similar devices and their histories in the medical device reports. An evaluation revealing severe hazard potential may prompt a radical change in the conceptual design. The goal is to eliminate all high-severity hazards and reduce as many medium- and low-severity hazards as possible. There is considerable flexibility at this early design stage. Major changes can make the device inherently safer at minimal cost. For example, if use of a chemical was determined to be a significant hazard, other less-toxic chemicals or a diluted form of the original chemical might be a reasonable mitigating measure.

During prototype development, more detailed hazard and risk analysis can be performed. At this stage of design, process and mechanical drawings are available, and the basic process operations have been defined. The device and its operation can be reviewed by a number of analysis techniques, including top-down and bottom-up approaches.2 A hazard and operability (HAZOP) study is a bottom-up approach ideal for new or complex designs involving a number of processing steps. A HAZOP is conducted on individual steps, each of which has a design intent. For example, the transfer of 100 ml of saline solution from a bulk container to a blending container could be one step of the process for preparation of intravenous solutions. Deviations from the design intent are explored by applying a series of guide words to applicable design parameters, as shown in Table I.

Table I. Guide words used to determine deviations from design intent. Only part of the table survives on this page: the guide words recovered are Part of, As well as, and Other than; the design-parameter column is not recoverable.

If the deviation defined by the combination of a design parameter and guide word (e.g., more flow or less flow) can result in a hazard, potential causes and any existing controls are identified. The risk level can be evaluated using a risk matrix in which consequence and frequency ranges have been established according to a company's internal risk-acceptability criteria (Figure 2). Those deviations that have category A or B risks should be reduced to level C or D risks.

Figure 2. Any item falling into high risk categories (A or B) should be redesigned.

When a device contains many mechanical or electrical components, an FMEA should be considered. An FMEA is time-consuming, however, and is generally applied only to Class III devices or to the safety-critical portions of a device. FMEA is another bottom-up approach: it takes each component of the device in turn and explores the failure modes that can occur. For each failure mode that results in an undesirable consequence, potential causes and existing controls are evaluated, and the level of risk is determined using a risk matrix.

An FTA is an effective top-down approach. The team starts with the undesired consequence, or top event, and identifies the initiating and contributing events that must occur to produce it. These events are combined using logic gates. A logic gate is the point at which two or more events are combined to produce a higher-level event. If all events under a gate must occur for the higher event to occur, an AND gate is used and the subevent probabilities are multiplied. If any one of the events is sufficient to produce the higher event on its own, an OR gate is used and the subevent probabilities or frequencies are added. Both rules assume the subevents are independent: multiplying under an AND gate understates the risk when a single common cause can trigger several of its inputs, and adding under an OR gate is a rare-event approximation that is accurate only while the inputs are small (the exact combination is one minus the product of the individual non-occurrence probabilities). Both mechanical failures and human errors can readily be included in a fault tree. An example of a partial fault tree for a pacemaker is shown in Figure 3.

Figure 3. A partial fault tree analysis for a pacemaker.

The top event is an injury resulting from installation or operation of the device. Below the top event are two subevents labeled operator injury and patient injury. Since either could produce the top event, they are combined using an OR gate. Under the operator injury branch, one potential scenario has been identified that involves having the device contaminated with a biohazard such as blood (the initiating event) and the operator not wearing gloves (contributing event). Since both the initiating and contributing events must occur for an injury to take place, these events are combined using an AND gate.

If failure rates for each event on a fault tree are available or can be estimated from generic data, the top-event frequency can be calculated and compared to a company's internal risk-acceptability criteria. A fault tree is a powerful risk-analysis tool, but its greatest limitation is the availability of relevant failure data. Therefore, fault trees are generally best used to compare risks of various alternatives. The greatest benefit of a fault tree is that events that contribute most frequently to the top event can readily be identified, and mitigating measures can be focused on reducing the frequency of these events.
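The gate arithmetic and the contribution ranking described above, as an added example that is not code from the article or from any pacemaker manufacturer. The tree mirrors the partial fault tree in Figure 3 (top event = injury; OR of operator injury and patient injury; operator injury = AND of a contaminated device and an operator without gloves). The patient-injury branch, the event names and every probability value are constructed assumptions for illustration, not measured failure data.

```python
"""Fault tree evaluation: AND/OR gates, exact vs rare-event arithmetic, and
ranking of basic events by their contribution to the top event.

Added example, not code from the MD&DI article. Event names and
probabilities are constructed assumptions for illustration only.
"""
from typing import Dict, Set, Union

# A node is either a basic event name (str) or a gate: ("AND" | "OR", [children]).
Node = Union[str, tuple]


def evaluate(node: Node, p: Dict[str, float], rare_event: bool = False) -> float:
    """Probability of `node` given basic-event probabilities `p`.

    AND multiplies its inputs; OR combines them as 1 - prod(1 - q).
    Both assume independent inputs: a common cause that can trigger several
    inputs at once is not captured and must be modelled as its own event.
    With rare_event=True, OR simply sums its inputs (the approximation the
    article describes), which is adequate only while every input is small.
    """
    if isinstance(node, str):
        return p[node]
    gate, children = node
    qs = [evaluate(c, p, rare_event) for c in children]
    if gate == "AND":
        result = 1.0
        for q in qs:
            result *= q
        return result
    if gate == "OR":
        if rare_event:
            return min(1.0, sum(qs))
        miss = 1.0
        for q in qs:
            miss *= 1.0 - q
        return 1.0 - miss
    raise ValueError(f"unknown gate {gate!r}")


def basic_events(node: Node) -> Set[str]:
    """All basic (leaf) events reachable under `node`."""
    if isinstance(node, str):
        return {node}
    found: Set[str] = set()
    for child in node[1]:
        found |= basic_events(child)
    return found


def risk_reduction_worth(tree: Node, p: Dict[str, float]) -> Dict[str, float]:
    """For each basic event, how much the top-event probability would fall if
    that event were made impossible (probability set to 0). This is the
    ranking used to decide where mitigation effort buys the most."""
    base = evaluate(tree, p)
    worth = {}
    for ev in basic_events(tree):
        p_without = dict(p)
        p_without[ev] = 0.0
        worth[ev] = base - evaluate(tree, p_without)
    return dict(sorted(worth.items(), key=lambda kv: kv[1], reverse=True))


# Constructed tree: the operator branch follows Figure 3 as described in the
# text; the patient-injury branch is an assumed illustration.
PACEMAKER_TREE: Node = ("OR", [
    ("AND", ["device_contaminated", "operator_no_gloves"]),      # operator injury
    ("OR", [                                                     # patient injury (assumed)
        ("AND", ["lead_fracture", "fracture_not_detected"]),
        "pacing_software_fault",
    ]),
])

# Constructed per-procedure probabilities; not measured data.
PACEMAKER_P: Dict[str, float] = {
    "device_contaminated": 0.05,
    "operator_no_gloves": 0.02,
    "lead_fracture": 0.01,
    "fracture_not_detected": 0.3,
    "pacing_software_fault": 0.001,
}


if __name__ == "__main__":
    print("top event (exact):     ", evaluate(PACEMAKER_TREE, PACEMAKER_P))
    print("top event (rare-event):", evaluate(PACEMAKER_TREE, PACEMAKER_P, rare_event=True))
    for ev, w in risk_reduction_worth(PACEMAKER_TREE, PACEMAKER_P).items():
        print(f"  {ev:25s} {w:.6f}")
```

With the constructed numbers the exact and rare-event top-event values differ only in the fourth significant figure, which is why the additive rule is usually acceptable in a medical-device tree; the `evaluate` function with inputs of 0.6 and 0.7 under an OR gate shows where the approximation breaks down (exact 0.88, rare-event capped at 1.0). The risk-reduction ranking shows that, for these numbers, the lead-fracture branch dominates and the glove-related operator events contribute far less, so mitigation budget is better spent on fracture detection.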


Although HAZOP, FMEA, and FTA allow evaluation of human errors in design, operation, and maintenance of medical devices, it is often desirable to conduct a separate analysis focused on procedures. Typically, a what-if approach is used for this type of analysis. Procedures are grouped into process steps similar to those study sections used with HAZOP. Each process step is evaluated to determine if an undesirable consequence could result from incorrect procedures.

Checklists are the simplest tools for conducting design reviews but are generally not sufficient. The true benefit of checklists is to support the other techniques described previously. For example, a checklist of potential hazards identified in previous reviews or from incidents associated with similar devices would be useful during a design review. After completion of the review, the checklist can be examined to ensure that the study evaluated all previously identified potential hazards. For example, during a HAZOP, possible human errors are evaluated; however, as a final check, a human-factors checklist is often used.

The risk analysis should include any risks associated with the manufacture and delivery of the device to its intended location. For devices that involve solutions or components that can be degraded by environmental factors (e.g., heat, humidity, cold, or light), storage and transportation methods need to be reviewed. Identified problems could lead to changes in packaging or warnings on storage or packaging containers.

It is important that any changes made during the design process be reviewed to ensure that safety hazards are not being introduced into the design. Small changes are generally reviewed using a what-if approach, whereas larger changes may require a HAZOP or FMEA.

A final design or prestart-up review should be conducted before starting production. Extensive checklists ensure that all design specifications have been met and all previous design review recommendations have been addressed. The final design review should also include a physical inspection of the device in its intended workspace (e.g., laboratory, hospital, doctor's office) to identify any issues not readily apparent from looking at drawings, such as location of vents and drains, accessibility for maintenance, pinch points, and sharp edges. A punchlist (findings or observations developed during a safety or design review) of final action items is typically generated and prioritized into items that need to be completed prior to start of production and others that can be incorporated into the next model.

Software used to control or monitor a medical device also needs to be reviewed. Software can be grouped into its primary functions (e.g., start-up, treatment, diagnostics, maintenance) just as procedures can be grouped into process steps. Three generic subfunctions are evaluated for each primary function:

  • Function: the software component does not perform its intended function correctly per its original design intent.
  • Timing: the software component performs its function at the wrong time.
  • Data: the software component performs its function using incorrect or corrupt data.

Software errors can produce unexpected consequences, particularly those that involve corrupt data or false alarms. It is important to have a means of detecting software errors, or at least of detecting their effects on the device. For example, a single software error in a shared alarm notification path would silently disable every alarm that depends on that path. Separate redundant alarms or interlocks on critical aspects of a device, which do not share the software path they are meant to back up, need to be considered.
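The two detection mechanisms the paragraph above calls for, as an added example that is not code from the article: an independent watchdog that notices the alarm task has stopped reporting (detecting the effect of a software error without knowing its cause), and a hard interlock that evaluates the critical parameter directly and shares no code path with the alarm software. The controller, the flow limit, the heartbeat timeout and the sample readings are all constructed assumptions for illustration.

```python
"""Independent watchdog and redundant interlock around a device alarm path.

Added example, not from the MD&DI article. Simulates a single delivery
controller whose software alarm path can fail silently, with two detection
mechanisms that do not depend on that path. Limits, timeouts and readings
are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

HEARTBEAT_TIMEOUT_TICKS = 3      # assumed: watchdog trips after 3 missed ticks
FLOW_LIMIT_ML_PER_MIN = 120.0    # assumed hard limit on delivered flow

# Constructed sensor readings, one per tick; the limit is exceeded at tick 5.
SAMPLE_FLOWS = [100.0, 105.0, 110.0, 115.0, 150.0, 90.0]


@dataclass
class AlarmTask:
    """Software alarm path. broken=True models a fault that makes it silently
    stop doing anything: no alarm is raised and no heartbeat is written."""
    limit: float
    broken: bool = False
    last_heartbeat: int = 0
    raised: List[Tuple[int, str]] = field(default_factory=list)

    def run(self, tick: int, flow: float) -> None:
        if self.broken:
            return
        self.last_heartbeat = tick
        if flow > self.limit:
            self.raised.append((tick, "HIGH_FLOW"))


@dataclass
class Watchdog:
    """Detects the effect of a software error (the alarm task stopped
    reporting) regardless of its cause."""
    timeout: int
    tripped_at: Optional[int] = None

    def check(self, tick: int, last_heartbeat: int) -> bool:
        if self.tripped_at is None and tick - last_heartbeat >= self.timeout:
            self.tripped_at = tick
        return self.tripped_at is not None


@dataclass
class Interlock:
    """Redundant interlock: reads the sensor itself and cuts delivery.
    It shares no code path with AlarmTask."""
    limit: float
    tripped_at: Optional[int] = None

    def check(self, tick: int, flow: float) -> bool:
        if self.tripped_at is None and flow > self.limit:
            self.tripped_at = tick
        return self.tripped_at is not None


def simulate(flows: Sequence[float], alarm_broken: bool) -> Dict[str, object]:
    """Run one tick per reading and report which mechanism stopped delivery,
    and when. Delivery stops on the first watchdog or interlock trip."""
    alarm = AlarmTask(limit=FLOW_LIMIT_ML_PER_MIN, broken=alarm_broken)
    watchdog = Watchdog(timeout=HEARTBEAT_TIMEOUT_TICKS)
    interlock = Interlock(limit=FLOW_LIMIT_ML_PER_MIN)
    delivery_stopped_at: Optional[int] = None
    for tick, flow in enumerate(flows, start=1):
        alarm.run(tick, flow)
        wd_tripped = watchdog.check(tick, alarm.last_heartbeat)
        il_tripped = interlock.check(tick, flow)
        if delivery_stopped_at is None and (wd_tripped or il_tripped):
            delivery_stopped_at = tick
    return {
        "software_alarms": alarm.raised,
        "watchdog_tripped_at": watchdog.tripped_at,
        "interlock_tripped_at": interlock.tripped_at,
        "delivery_stopped_at": delivery_stopped_at,
    }


if __name__ == "__main__":
    for broken in (False, True):
        print(f"alarm task broken={broken}:", simulate(SAMPLE_FLOWS, broken))
```

With the alarm task working, the software alarm, the interlock and the stop of delivery all coincide at tick 5. With the alarm task silently broken there is no software alarm at all, but the watchdog trips at tick 3 (before any hazardous reading) because the heartbeat went stale, and the interlock still trips at tick 5 on its own reading. The point for review is that neither backup calls into, or is configured by, the code it is backing up.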


All of the techniques described above have been successfully used in design reviews of medical devices. FTA is being used by pacemaker manufacturers based on FDA guidance for software aspects of 510(k) notification submissions for medical devices. Other computer-controlled medical devices will also need to be reviewed using FTA as a primary risk analysis tool.

For mechanical devices that are used away from the patient, such as plasma and blood viral inactivation devices, as well as devices for preparing intravenous solutions, an FMEA is a reasonable choice. However, for associated activities such as preparation of disposables, which are manual operations, a what-if approach is preferred.

The key to successful risk management in medical device design is to start early. As soon as conceptual designs are available, the risk management process can begin. A preliminary hazard analysis can be useful in selecting the concept with the highest level of inherent safety. Later, as the design is developed, design reviews at key points in the development process will allow changes to be made without significantly affecting the project schedule. The further along in the design process that changes are identified, the fewer choices are available to mitigate hazards without significant schedule implications.

Generally, risk management activities will identify opportunities to improve device performance. The benefits of conducting risk analysis during medical device design can be significant and can offset some or all of the cost of implementing risk-mitigating measures. There is always a trade-off in how to manage risk. Hardware or software controls are generally viewed as more effective because they are more reliable than humans. However, since every medical device requires some human interaction in its operation, the human-error element of risk needs to be adequately evaluated. Minimizing the level of routine human intervention will reduce risk and improve efficiency, but that risk reduction must be weighed against the cost of automating tasks that can be performed by individuals.


1. Code of Federal Regulations, 21 CFR 820.

2. Ozog H, "Hazard Identification, Analysis, and Control," Chem Eng, 2:161-170, 1985.

Henry Ozog is a principal of Arthur D. Little, Inc., Cambridge, MA.


Copyright ©1997 Medical Device & Diagnostic Industry

