Risk assessment is a standard component of the medical device design cycle.
Risk assessment has three basic parts:
- The identification of specific risks.
- The assignment of a severity to that risk.
- The assignment of a probability to that risk.
The form of these assignments may vary in number and range subject to the risk assessment protocol of the individual manufacturer. Given a pair of probabilities and severities, the question must then be asked if the risk is “acceptable.” If not acceptable, then the design must be changed to reduce severity, probability, or both. If the original risk is acceptable, or a now mitigated risk is acceptable, then that risk is passed through to the final device (i.e., the final design has a known set of risks associated with it, although there may also be unknown or unaccounted-for risks).
The known “residual risks” may be the subject of instructions and warnings, or they may not if they are below an individual manufacturer’s threshold of warning creation. Even when a warning is created, it is rare that the warning will include probability information in the form of the likelihood that a patient or user would suffer the identified risk. If complaints or injury reports occur for an already predicted risk, then the manufacturer may compare the rate of occurrence of that risk to their previous identification of what rate would be acceptable. If the rate is within that deemed to be acceptable, then no action might be taken while the rate continues to be monitored. This raises the issue of acceptable to whom. It is by definition acceptable to the manufacturer, but it may not be acceptable to users and patients, especially when they were not told in advance what the manufacturer of their device deems acceptable.
If injury reports are related to risks that were not part of the risk assessment, then the risk assessment has to be reconsidered with the addition of the new risk. But this will still involve a severity and frequency assessment. The possibility of new risks is why risk assessments are described as processes that are a not a one-time exercise to be filed away, but something to be revisited as necessary.
In this regard risk assessments may be discoverable during post-injury litigation. If this occurs, then either the risk will be identified on the risk assessment or it will be absent. If identified, it will demonstrate what the manufacturer thought the severity and likelihood were and what they concluded about it. These decisions will be scrutinized for their accuracy and reasonableness. If the risk is absent, there will scrutiny about the reasonableness of not having considered the risk in question. If there have been prior incidents of the risk, these will be scrutinized for rates or for there not having been a risk assessment update even after an absent risk was demonstrated. Complaint-related conclusions that the occurrences were within acceptable levels will also be noted. If a risk is occurring at a higher rate then predicted, the subsequent course of action will be reviewed and possibly challenged. For example, was a corrective and preventive action opened, and, if so, what was the time course of its resolution and how was it resolved?
Thus, the manufacturer of a device has specifically identified discrete risks along with their severity and probability of occurrence, but this information—in particular probability—is generally not shared with customers. Isn’t this something that customers would both like to know and deserve to know? Can the manufacturer having this information but not sharing it be justified?