Estimating the Probability of Occurrence and Severity of Harm When Assessing Medical Device Risks

There are a number of steps that need to be taken in relation to risk management when designing a new medical device. This includes identifying hazards and hazardous situations.

You then need to evaluate the hazards and hazardous situations you identify before, potentially, putting control/mitigation measures in place and then monitoring those controls.

The second stage of the above process, evaluating hazards and hazardous situations, involves estimating two essential factors:

  1. The probability of occurrence
  2. The severity of harm

By combining these two estimations together you will be able to define the risk as being either acceptable or unacceptable. This definition of acceptability will determine what you do next.

Risk Acceptability = Severity of Harm X Probability of Occurrence

This is all outlined in ISO 14971 which is a common framework used by regulators when deciding on whether or not to approve your medical device.

Medical Device Risk Acceptability Table

It can be helpful to create a risk acceptability table to determine the acceptability of each hazard and hazardous situation you identify. The table will need to be customised for your medical device, but an example of such a table is below.

In this example of a risk acceptability table, hazards or hazardous situations that are green are low risks while orange indicates a medium risk and red highlights high risks. Without further steps, only those that are green can be deemed to be acceptable.

In other words, hazards and hazardous situations that have a negligible severity of harm are likely to be classified as acceptable regardless of the probability of occurrence. Therefore, for these hazards and hazardous situations, no further action is needed apart from documenting why you reached this conclusion.

However, hazards or hazardous situations that could cause the patient or user a minor injury or worse would require further steps if you deem the probability of occurrence to be probable or frequent.

Those further steps would involve putting mitigation or control measures in place. Once you do this, you then need to estimate the probability of occurrence and severity of risk again to determine if the risk is now acceptable.

As you move further across the severity of harm axis, there is an increased requirement for the taking of additional mitigation and control steps, i.e. as the potential harm that can be caused becomes more severe and the probability of occurrence increases.

Readily Predictable Human Behaviour

When going through the above, you can’t simply assume that people will use your medical device the way you have designed it when you are identifying and evaluating hazards and hazardous situations. There is also a requirement for you to anticipate misuse or user error and to then:

  • Evaluate how user error impacts your existing acceptability evaluations; and,
  • Identify additional hazards and/or hazardous situations the user error/misuse creates.

To determine device misuse and user error under ISO 14971, you must take into account “readily predictable human behaviour”.

Benefit-Risk Analysis

In an ideal world, you would be able to determine that all the hazards and hazardous situations you identify are acceptable, particularly after applying control measures to those that needed them. In reality, however, this is not possible.

Even after applying all the control measures you can, you may still have risks that remain categorised as unacceptable. What do you do in these situations?

For risks that remain categorised as unacceptable even after all possible control measures are taken you will need to conduct a Benefit-Risk Analysis. Put simply, this means assessing whether the benefit outweighs the risk.

It’s important to note the phrasing of this in ISO 14971 as Benefit-Risk Analysis rather than Risk-Benefit Analysis. In the 2019 update to ISO 14971, more emphasis is placed on benefits, with a benefit being anything that has a desirable outcome or positive impact.

Data to Back-Up Your Evaluations

Finally, you need to document the above process in detail to get regulatory approval for your medical device product. To make sure this documentation is watertight when you submit it to regulators, make sure you gather data from everywhere.

This includes data from:

  • Published standards
  • Clinical data
  • Investigation results
  • Technical data
  • Results from your own tests
  • Information from user/patient complaints
  • Expert opinion
  • And more

The above data should clearly show how and why you reached your risk acceptability and benefit-risk analysis conclusions.