FEATURE
An Introduction to Risk Analysis
for Medical Devices
By Fredric Mattsson, SEMKO, +46 8 750 03 98
L
ike all other "Ne w
Approach" directives,
the Medical Devices
Directive (93/42/EEC),
hereafter referred to as
MDD, calls for the products it covers
to meet a number of essential require­
ments. They are formulated in very
general terms and specify no Iimit val­
ues or test methods; it is the manufac­
turer's responsibility to ensure that
th�se essential requirements are met.
Why Risk Analysis?
The MDD explicitly states that the
results of any risk analysis conducted
during the design stage must be docu­
ts
mented and included in the technical
file. This statement may be found in
Annex II (Full Quality Assurance
System), Annex 111 (EC Type
�Examination), and Annex VII (EC
Declaration of Conformity).
Where no harmonized standards
exist, risk analysis is an important
means of ascertaining that all risks
relating to the product in question
have been considered. lt additionally
serves to outline the procedures
applied to reduce any possible risks.
For those products that are covered
by harmonized standards, risk analy­
sis can have other benefits. Few stan­
dards (if any) can cover all essential
requirements for a particular product,
and most tend to lag behind technical
developments (generally the case in
all standardization work).
Medical Devices: Risk mentary methods. To ensure that all
risks relating to a particular product
Analysis-prEN 1441 have been considered, several differ­
ent techniques may have to be used in
The European Committee for
parallel. In such instances, some kind
Standardization (CEN), under the
of compilation will be needed, along
mandate of the EC Commission, has
with a cross-reference document that
worked to develop a standard for risk
will allow the analysis of the various
analysis. Still a prelirninary European
risks to be traced backward.
standard as of this writing, it bears the
designation prEN 1441 and is entitled Step 1
"Medical Devices: Risk Analysis."
prEN 1441 requires that the method
prEN 1441 uses and defines a num­
and results of the risk-analysis proc-
ber of important terms, some of which
are derived from ISOIIEC Guide 51
guidelines for the inclusion of safety
aspects in standards. For example:
Harm: Physical injury and/or darn­
age to health or property.
Hazard: A potential source of
harm.
Risk: The probable rate of occur­
rence of a hazard causing harm and
the degree of severity of the harm.
Risk analysis: The investigation of
available information to identify haz­
ards and to estimate risks.
Risk assessment: An analysis and
evaluation of identified risks.
Safety: Freedom from unacceptable
risk of harm. [The notion of "accept­
able" risk of harm may seem strange
to many people.]
The flow chart shown in Figure 1 is
presented to facilitate an overview of
the standard. The various steps are
examined in some detail below.
In addition to the r isk-analysis
methods explained and discussed in
the standard itself, this article will FIGURE 1: Flow chart according to
briefly address two further, comple- prEN 1441.
Compliance Engineering 47
' :'''' A,,alysis for Medical Devices
dure be documented. The documenta­
·=,n must include:
An unambiguous definition of the
product or the accessory as
a complete description of the prod­
uct and its characteristics.
• A Iist of identified risks.
• A description of any measures taken
800.467.no5
731 Union Parkway
Ronkonkoma, Long l sland
New York 11n9-7414
Aostralla: 61-2-415-3944 Canado: 90-613-226-2365 Eaglalld: 44-0-462-421234 Fnace: 33-1-M-46-21-10
Ge1'11W17: 49�109-2788 Hoa1 Kaag: 852-763-5123 ladia: 91-842-847924 Israel: 972-3-7526333 lt.aly: 39-11-4551388
Japaa: 81-03-3435-4814 Korea: 82-02-501-4271 Netherlands: 3145206-41214 New Zealaad: 64-4-237-8392
SiDgapore: 6.5-7477234
48 Compliance Engineering
to reduce the risk to acceptable Iev­ Iimitation could mean, for example,
els, where considered necessary. that the risk analysis is restricted to
apply only to part of a larger medical­
• A Iist of names of the persons who
weil as device system, while a system defini­
carried out the risk analysis.
tion (or product definition, where the
risk analysis refers to a product) must
Step 2
include a description of its character­
Step 2 calls for both a system Iimita­
istics, chiefly those parameters relat­
tion and a system definition. A system
ing to safety. The standard provides a
Iist of questions that may be used as
an aide in verifying that no informa­
tion has been forgotten. Among these
questions (which number about 20 in
all) are the following:
• What is the intended use?
• Is the device intended to contact
the patient or other persons?
• Is energy or [any other substance]
delivered to or extracted from the
patient?
• Is the product sterile?
• Is the device interpretative?
• Does the device contain software?
Several of these questions require
further explication.
What is the intended use?
Defining the intended use of a prod­
uct is very important. "Intended use"
refers, according to the MDD, to the
use for which a product is intended, as
stated by the manufacturer in the
product's marking, directions for use,
andlor advertising material.
Intended use is the starting point in
identifying which essential require­
ments will apply to a particular prod­
uct. The major factors to be consid­
ered are the user' s competence and
training, environmental influences,
whether or not the patient can adjust
the device, and any special needs of
weaker patient groups (such as elderly
�-
and handicapperl persons). Through
restrictions, the intended use can also
serve as an instrument for risk reduc­
Voice: 516.467.8400
tion.
J
• FAX: 516.467.8558
r.J Internet address: ifi@ifi.com
America Online: IFI net
ls the device intended to contact the
patient or other persons?
Is the product i nvasive-that is,
does it penetrate into the body, either
Spaln: 34-1-3589048 Swedea: 46-8-930280 Tlilwu: 886-2-6864758 via an orifice or through the skin? For
how long is the device, or part of it, in
Reader Service #42
NoVEMBERIDECEMBER1995

We've Bot Your
PowerMains
�rotected!
�" '\449 Lts'f:
��<)*
....... �.
...,. Fast <25ns - Full Leads
...,. Breakered lnterna/ly
...,. Loca/ and Remote Status
...,. Independent of User Loads
...,. Surges Shunted to
Entrance Ground
...,. *NRTL 1449 Approved
...,. 10- Year Warranty
2500 models of coax,
power and twistedpair
protectors ... plus
lightning/EMP and
grounding solutions
lfl'olyraf10"A�!�
(800) 325·7170. (702) 782-2511
FAX: (702) 782-4476
25 Park Place • P.O. Box 9000
Minden. NV 89423-9000
Reader Service #63
Risk Analysis for Medical Devices
contact with the patient? The MDD
specifies three different durations:
transient (continuous use for less
•
than 60 minutes);
• short-term (continuous use for not
more than 30 days); and
• long-term (continuous use for more
than 30 days).
Finally, is the device intended for
implantation?
Does the device contain software?
A proposal is currently being devel­
oped for a collateral standard govem­
ing validation of software for medical
devices. This standard carries the des­
ignation IEC 601-1-4 and is entitled
"Medical Electrical Equipment, Part
1: General Requirements for Safety, 4.
Collateral Standard: Safety
Requirements for Programmahle
Electronic Medical Systems." The
proposal at present enjoys CDV
(Committee Draft for Vote) status.
In many respects, this standard dif­
fers from its predecessors. Applying
pass/fail criteria to the final product,
as per the usual test procedure, could
cause critical safety faults to be over­
looked; to avoid that possibility, IEC
601-1-4 requires t h e preparation,
before the development phase even
begins, of documents strictly control­
ling the device's design and develop­
ment.
The standard comprises two basic
sections, one dealing with risk analy­
sis and the other with the "life-cycle"
concept. The risk-analysis part repris­
es the prEN 1441 flow chart shown in
Figure 1, and consequently needs no
further elaboration in this context. The
life-cycle concept is concemed with
the division into discrete phases of the
e n tire life of a p rod uct, from the
preparation of the frrst specifications
to the product's entry into the market.
As each phase is completed, the man­
ufacturer must verify that the require­
ments set up prior to the beginning of
the phase have been fulfilled; after the
last phase, the manufacturer must val­
idate the system and check to make
sure that the intended use specified at
the initial stage has been achieved.
Step3
In Step 3, all hazards associated
with the device must be identified and
recorded. The goal at this stage is to
draw up to a rough Iist of risks that
may then be gradually refined. Such a
structured document will serve t o
facilitate the identification o f different
hazards and decrease the risk of inad­
vertent omission of significant haz­
ards. The standard divides possible
hazards into five different categories:
1. Hazards related to some kind of
energy
2. Biological hazards
3. Environmental hazards
4. Hazards related to the use of the
device
5. Hazards arising from functional
failure, maintenance, or aging
By complying with the requirements
of the IEC 601 series, manufacturers
of many (though not all) electrica1
medical devices may be able to verify
that their products do not constitute a
hazard within certain specific areas.
For devices covered by IEC 601-1,
compliance with the requirements
specified in Section 3, "Protection
against Electric Shock Hazards," and
Section 9, "Abnormal Operation and
Fault Conditions," can demoostrate
that the device itself does not consti­
tute an electric hazard.
Fu rther, by complying w i t h the "'
p
requirements contained in the collater­
al standard for electromagnetic com­
d
VI
patibility, IEC 601-1-2, manufacturers
p
can also show that their products nei­ tt
ther influence nor are influenced by d
their environment.
D
In developing new medical devices
(perhaps within new spheres), manu­ 1:
facturers may need to rely on scientific
V
a
data, experience with equivalent kinds
c
of products, or clinical evaluation.
1
I
Steps 4 and 5
In Step 4, the risk of each identified
hazard must be estimated. "Risk" is
NOVEMBERnDECBMBER1995
Risk .�nalysis for Medical Devices

defined here as both the likelihood of An error in any element is called

;· ')Ccurrence and the gravity of its failure mode, and the effect of that
Frequent

.equences. error-that is, what the error means to

gi
An easy way of illustrating this is to elements on higher levels-is called
Occasional
use a graph as shown in Figure 2. The failure effect. A failure effec t on a
.s::;
X-axis corresponds to the conse­ � lower Ievel thus corresponds to a fail­
quence of the harm and the Y-axis to ure mode on a higher Ievel.
::J

its probability. Demarealion of three
different areas allows the hazard to be
classified as acceptable (i.e., falling
w i t h i n the area corresponding t o
minor probability and minor conse­
quence), unacceptable (great probabil­
i t y a n d serious conseque n c e ) , or
ambiguous, necessitating a further
estimation o f whether or not risk
reduction is necessary (this area is
usually called ALARP, for "as low as
reasonably possible").
Because some uncertainty
inevitable in estimating not only prob­
ability but also degree of harm, the
risk graph will always contain an
ambiguous zone. This area can be
reduced, however, as more informa­
tion is received-for example, from
f<>1Jlt reports. A risk analysis must be
ated continually and must never be
static.
There are a number of different risk­
analysis me thods, most emanating
lncrecllble
J l
Minor Moderale
FIGURE 2: Risk gra ph showing risk
regions.
number of systems involved depends
not only on the complexity of the sys­
tem but also on how detailed an analy­
is
sis is required. The lowest subsystem
Ievel may be equivalent to component
Ievel or lowest spare-part Ievel, or it
may be somewhat higher.
lf the analysis is to be feasible, each
element in the system must be clearly
defined as to its characteristics, func­
tion, and connection with other ele­
ments. Any redundancy (information
that is not strictly necessary but can
help to detect and correct errors) must
Starting from the lowest level-for
example, the component level-the
1 I
Major Cataslrophic analysis works its way through the
system by asking at each new Ievel,
. "What happens if . . . ?" The failure
effect is then recorded for all compo­
nents and possible failure modes.
FMEA is an efficient means of ana­
lyzing failure modes in elements that
affect the performance characteristics
of a whole system, though it can get
very complex as the number of func­
tions and components increases. For
cer tain s t r u c t u r e s , i t m a y a l s o b e
essential t o determine exactly when
the failure mode occurs; different fail­
ure modes may be obtained at differ­
ent times and consequently may have
different effects on the total system.
A useful extension of the F M EA
method is failure modes, effects, and
criticality analysis, or FMECA, which
additionally calls for an investigation
of b o t h the consequences a n d the -.

also be shown. Very often block dia­

from some specific application in the
grams are used to show the structure
industrial sector. Five methods are
of a system, with the various blocks
described below. Two o f these,
(elements) connected by straight lines
FMEA and FTA, have been published
representing input and output. For a
in IEC documents and are referred to
medical device, a number of different
in the standard. A third, HAZOP, has
structures may be necessary to cover
not been published in any IEC docu­
mul tiple functions and functional
ment but is both referred to and dis­
modes.
cussed in the standard as weil as in
other extensive literature. The final
two methods, A E A and E T A , are
never mentioned in the standard, but a Deviation
great deal of Iiterature exists about
them. Figure 3 illustrates some of the FMEA Failura
mode
differences and similarities among the
•
ETA
various methods. ()
c Unwan1ed
• event
::s
c:r
•
.. HAZOP
Failure-Mode and Effects Analysis c Construcled
0 faiJure
u >-
(IEC 812)
Failure-mode and effects analysis AEA Critical
(FMEA) builds on the principle of
action
J.. �eaking down a system-for exam­
. , a medical device-into a series of
subsystems or elements. The precise
FIGURE 3: Comparison of risk­
analysis methods.
probability of a failure mode.
FMEA makes it possible to delin­
eate the relationship between failure
modes in basic individual elements
and the total system. It is an essential
tool, but it is often insufficient for
analyzing complex systems. In the ini­
tial d e v e l o p m e n t p h a s e of a n e w
device, when little more than the func­
tion and a general system structure
have been established, a complemen­
tary analysis method, such as fault­
tree analysis, or FTA, will likely be
FMEA
'C required (see below).
•
c A worksheet like the one shown in
FTA &.
E Figure 4 may be used to document an
0
u
FME(C)A analysis.
e
.!
..
Fault-Tree Analysis (IEC 1025)
..
Sl
::s
(/) A fault-tree analysis ( F T A) is a
structured graphic presentation in the
shape of a tree of circumstances con­
tributing to or causing a defined event,
called a top even t. Thi s an aly sis

52 Compliance Engineering NOVEMBERnDECEMBER1995

Risk Analysis for Medical Devices Ri

FME(C)A
method is particularly weil suited to
r�"lplex systems comprising a num­ System!Equipment: _______________ Date: ------
Jf subsystems with different func­ Person(s) who carried out the analysis: ------- Page: (

tional purposes.
The top event, which serves as the d'
starting point for the whole analysis, tl
corresponds to an unwanted result e

such as a deterioration of the perfor­ 1

mance characteristics of the system or
a change in function entailing a haz­
ard to a patient, a user, or the environ­
ment. E a c h d iffer e n t top e v e n t
requires its own specific tree.
An FfA that does not describe the
right top events is, of course, useless.
The graphic presentation of an FfA
may employ a number of different
symbols. The standard calls out some
15 of these, but in some cases the
analysis may be made easier if new,
case-specific symbols are defined.
In an FTA, each event corresponds
to a box. It is very important that each
box be given a precise designation so
that it can be readily identified. If the
tJ
a
i·
f
FIGURE 4: Worksheet for use in documenting an FME(C)A analysis.
same event is found in more than one most common gate types are AND,
place, whether in the same tree or in OR, and Exclusive- O R , defined as
different trees, the same designation follows:
should be used. The boxes are then o AND: The event out occurs only if
linked together with the aid of logical all input events occur.
gates. Each gate may have an unlimit­
o OR: The event out occurs if any
ed number of inputs but may corre­
input event occurs, either by itself
spond to only a single output. The
or in combination with other events.

INSTANT
A DATA BY •••

f:l\Okaya Electric America lnc. �:: aF���;��-8561

� 1509001
�=-�������������=-����
�
--:.�
. � CER TI F IE D
------��
�---�
�· -'��----��----------�
Jt
AC NOISE SUPPRESSION CAPACITORS 'M@@@(S)@®®<®@

XYE
DELTA NETWORK

e -40'C to +lOO'C Operoffng Temp. Range
e CapacHance votues from O.OlUFO
to 2.2 UFO ot 250 VAC 50/60Hz
e New X2 closs copocHor serles ls pelfect lor
high votume. tow cost appllcotlon s
e Cose material and Internot polltng
are roted UL 94-VO
e Sotety ogency approvols lnclude,
UL. CSA. VDE and SEV
e Fo;xbock DocvrMnlt 1101
e Ale suppresslng R+C network
e UL. CSA. VDE approved
e 250 VAC roted
e AC/DC apptlcotlons
e PC8 mount or nex lnsuloled Ieads e Dtelectrlc wHhstond voHoge
e Hfgh pulse/non-lnductlve
reslstor used
e Fo;xbock Documem. 1102
e Best pertormonce serleS tn most
populor apptlcotlons
e Drop ln replocement for most
populor conllgurotlons
twlce sotety agency requlrennents
e High DV/DT surge reslslonce and 1/11 rotlngs tnnpregnoted lor high relabUity
e Xl and V closs roted
e Double wound constructlon melalllzed
polyester11m 1or high DV/DT
e Faxbock DocumenN 110J
e INiatled cost sovlngs wHh slngte pockage
deslgn and smatl PCB rootprlnl
e 8oth normal ! common mode ottenuotlon
uslng one X ! two V nolse supp. networks
e Deslgned wHh seH-heaßng metatltzed potyester
ntm, double wound constructlon and oll
e Meels elghl sotety agency requlrements
ot 250 VAC 50/60Hz
• The XYE serles conslsts ol75 models ln
three dlsllnct pockeging stytes
e Faxbock DocvmenN 1106

For a Complete Nolse Suppression Or Call/ Fax Us At... ..

Componen1s Product Selector OKAYA ELECTRIC AMERICA1 INC.
Call.... 80�755-8561 503 Wall Street, Valparaiso, Indiane 46383
And Select Document #1001 Ph: 219-477-4488/ Fax: 219-477-4856

Reader Service #58

54 Compliance Engineering NOVEMBER/DECEMBER1995

 Risk Analysis for Medical Devices·

• Exclusive-OR: The event out

occurs if one and only one input
event occurs.
Construction of a tree starts with a
determination of what it is that makes
the top event occur; one event or sev­
eral may be necessary to generate it.
These generating events are in turn
treated as top events themselves, with
a corresponding determination of what
it is that makes them occur. Figure 5
shows an example of a highly simpli­
fied tree.
When the tree has been completed,
careful examination is required. Many
systems yield trees that are too large to
survey without the aid of suitable soft­
ware; the upper Iimit for feasible visu­
al analysis is about 70 events. Because
events link:ed to the top event only by
Catch rf emissions problems at
OR-gates will generate the top event
every time they occur, no further
board Ievel, where compliance
analysis is required for a tree that con­
sists solely of OR-gates. If other gate fixes are least costly.
types exist, it means that the system

N ow you can quickly get a color intensive spatial examination.

contains a redundancy-that is, it is
error-tolerant.
Certain events may be found in sev­
eral different parts of a tree. Estab­
lishing that such events do not remove
the redundancy in the system requires
recourse to B o o l e a n reduction o r
Boolean algebra.
When the tree has been reduced, the
so-called minimal cut set-corre­
sponding to the smallest group of
events required for the top event to
occur-may be isolated.
Hazard and Operability Study
(HAZOP)
The HAZOP method was originally
developed to study the effects of vari­
ous deviations or disturbances on a
factory production line by following
the natural flow through the line. The
same principle could also be used to
follow a natural flow other than the
one in a manufacturing process-for
example, the route taken by blood in
image of the electromagnetic
performance of your printed-circuit
board or subassembly before final
compliance testing. Spatial and
spectral displays generated by the
EMSCAN PCB emissions scanner
show you which frequencies and
which areas of the board under test
are guilty. These scans are stored
for later comparison after design
alterations, to check whether offend­
ing emissions are now down to
acceptable levels.
Just plug your receiver or spec­
trum analyzer, and your computer
with IEEE-488 interface, into the
EMSCAN scanner, and a matrix of
1280 H-field probes maps the area
of your test board (up to 9" x 12") for
high, medium, and low-emissions
spots within the 10 MHz-1.5 GHz
frequency range. Or you can see a
spectral display showing the overall
condition of the board across the
spectrum. You may then choose a
frequency of particular interest for
After the development stage,
you can use EMSCAN as a quality­
control tool, checking completed
boards against a "good" scan before
they go into assembly. This is the
point where production compliance
becomes virtually assured.
The software operates under
"Windows" to make early diagnosis
easy, even for those who are new to
compliance testing. It can run on
several PCs and workstations, and
is readily ported to other environ­
ments for analysis.
You should learn all about this
qualitative and quantitative measure
of emissions for use during product
development-where design correc­
tions are least costly. To start, call
toll-free (1-800-933-8181) to speak
with an applications engineer and
arrange to see·
a demonstra­
tion in your
office or
plant.

hemodialysis equipment.
According to this method, faults or 160 School House Road
disturbances are fabricated without Souderton, PA 18964-9990 USA
215-723-8181 Fax 215-723-5688
•

regard to their feasibility. Examples of

guide words and possible deviations For engineering assistance, sales, and seruice throughout Europe, call
EMV • Munich, 89-612-8054 • London, 908-566-556 • Paris, 1-64-61-<>3-29 12140

Reader Service #9

I
Compliance Engineering 55
 Risk Analysis for Medical Devices Ri
TRANSIEHT SURGE
PROTECTION

FIGURE 5: Event A will occur only if events B and C both

occur. Event C will occur if either Event D or Event E
occurs. The terminating input symbol at Event D indicates
c
that it cannot be subdivided, while the input symbol at ..
Event B indicates that it is further developed on another
tree. The transfer-out symbol at Event B indicates that B r
reappears elsewhere.

include none (flow failure), more (higher pressure), and less

(lower pressure).
HAZOP requires documentation of a !arge nurober of
deviations and disturbances, many of which can be quickly
discounted, with no additional measures necessary. Other,
TECCOR ELECTRONICS, INC. more serious deviations and disturbances may be processed
1801 Hurd Drive PH: 214-580·1515 further, most likely using a supplementary risk-analysis
lrving, Texas 75038 FAX: 214-550-1309
' method.
Reader Service #84 One advantage of HAZOP is its unbiased approach, which
tends to reveal faults that might otherwise be missed. Then,
too, unlike FMEA and others, HAZOP is a time-efficient

�t lntegrity Design & Test Services... method.

Action-Error Analysis
Action-error analysis, or AEA, analyzes interactions
between machine and man. lt can be used to analyze such
things as starting procedures of devices and to answer ques­
tions such as "What will happen if the right thing is done at
the wrong time, the wrong thing is done at the right time, or
nothing is done at all?" Where complex patient connections
are involved, AEA can disclose deficiencies in instructions
or directions.
o A Wlde range of EMIIEMC lest servlces
o CE marklng expertlse Event Tree Analysis
Event-tree analysis, or ETA, is again based on the ques­
o Helpful, frtendly, professlonal slaff
tion "What happens if . . . ?" But whereas an FMEA applies
o Fully accredlted faciJIUes
that question to subsystems or components, an ETA Iooks
o Fully equlpped Iab areas at the unwanted event itself.
o Independent 3rd party lest Iab This method can help determine whether the event needs
o Aggressive pr1clng further analysis-as, for example, a top event in an FfA

o Rapid servlce analysis.

o Convenlent JocaUon

Step 6

IIMifltl
Reader Service #43 If the risk is deemed unacceptable, a risk reduction is

ß Design & Test

r��(508)486�32 mandated. The MDD's essential requirements call for each
,.. of the following measures to be taken in turn:
.4: (508)486-0592
•

37-7 1rt« Road - l.itiEioo, MA 01460 \T" Services, !nc. • Inherent safe design and construction to be incorporated

56 Compliance Engineering NOVEMBERnDECEMBER1995

 '
Risk Analys s for Medical Devices

• Where risks cannot be eliminated, i n fact the risk-analysis concepts • IEC 601-1, "Medical Electrical
adequate protection measures to be should be part of the natural product Equipment, Part 1 : General
implemented, including alarms development from the start. In this Requirements for Safety" (1988)

w ay, structuring the production IEC 601-1-2, "Medical Electrical

• Users to be informed of any resid­ •

process with the aid of a standard may Equipment, Part 1: General

ual risks attributable to shortcom­
ings of the protection measures
adopted. (Residual risks are dini­
cally acceptable if the advantages
associated with the device out­
weigh the possible disadvantages.)
be regarded as a boon rather than a Requirements for Safety, 2. Collateral
chore. Standard: Electromagnetic
Compatibility: Requirements and
Reference Literature Tests" (1993)
prEN 1441, "Medical Devices: Risk • EN 30993-1, "Biological Evaluation of
•

Analysis" (1994) Medical Devices, Part 1: Guidance on

Steps 7 and 8
Any new hazards introduced by the
risk reduction shall be treated in the
same way as other hazards.
• CD IEC 601-1-4, "Medical Electrical
Equipment, Part 1: General
Requirements for Safety, 4. Collateral
Standard: Safety Requirements for
Programmabte Electronic Medical
Selection of Tests" (1994)
• Copious Iiterature is available on the
hazard and Operability study (HAZOP)
method, event-tree analysis (ETA), and
action error analysis (AEA).

Step9 Systems" (1993)

Fredric Mattssan works at
A decision must be made as to the • IEC 812, "Analysis Techniques for
SEMKO's Centre for Medical
System Reliability-Procedure for
intended use of the device, and decision Engineering and Physics in Sweden,
Failure Mode and Effects Analysis"
criteria set up before the analysis is appointed as a Notified Body accord­
(FMEA) (1985)
started, to determine whether or not the ing to the Medical Devices Directive.
risks of the identified hazards for the • IEC 1025, "Fault Tree Analysis" (FTA)
He holds an M.Sc. from Chalmers
product can be considered acceptable. (1990)
University ofTechnology.
Informative Annexes
The standard also contains a nurober
of informative annexes dealing with
such matters as biological hazards and
hazards associated with in vitro diag­
nostic devices. One of these, EN
30993-l, "Biological Evaluation of
Medical Devices, Part 1: Guidance on
Selection of Tests," addresses the
question of which tests should be con­
sidered for which applications. The
need for testing should be reviewed
on a case-by-case basis so that unnec­
essary testing may be avoided.
Since in vitro diagnostic devices do
n ot come into direct contact with
patients, they do not represent a direct
hazard; however, risks of indirect haz­
ard do exist, as for example through
incorrect analysis of test samples. A
thorough evaluation of such risks may
require the use of criteria different
from those employed for medical
devices.

Conclusion
Introducing a standardized proce­
dure for risk analysis may seem at
first to constitute an extra burden, but
Reader Service #26

Compliance Engineering 57