Professional Documents
Culture Documents
L
ike all other "Ne w
Approach" directives, risks relating to a particular product
Analysis-prEN 1441 have been considered, several differ
the Medical Devices
Directive (93/42/EEC), ent techniques may have to be used in
The European Committee for
hereafter referred to as parallel. In such instances, some kind
Standardization (CEN), under the
MDD, calls for the products it covers of compilation will be needed, along
mandate of the EC Commission, has
to meet a number of essential require with a cross-reference document that
worked to develop a standard for risk
ments. They are formulated in very will allow the analysis of the various
analysis. Still a prelirninary European
general terms and specify no Iimit val risks to be traced backward.
standard as of this writing, it bears the
ues or test methods; it is the manufac designation prEN 1441 and is entitled Step 1
turer's responsibility to ensure that "Medical Devices: Risk Analysis."
th�se essential requirements are met. prEN 1441 requires that the method
prEN 1441 uses and defines a num
and results of the risk-analysis proc-
ber of important terms, some of which
Why Risk Analysis? are derived from ISOIIEC Guide 51
guidelines for the inclusion of safety
The MDD explicitly states that the aspects in standards. For example:
results of any risk analysis conducted
during the design stage must be docu Harm: Physical injury and/or darn
ts age to health or property.
mented and included in the technical
file. This statement may be found in Hazard: A potential source of
Annex II (Full Quality Assurance harm.
System), Annex 111 (EC Type Risk: The probable rate of occur
�Examination), and Annex VII (EC rence of a hazard causing harm and
Declaration of Conformity). the degree of severity of the harm.
Where no harmonized standards Risk analysis: The investigation of
exist, risk analysis is an important available information to identify haz
means of ascertaining that all risks ards and to estimate risks.
relating to the product in question Risk assessment: An analysis and
have been considered. lt additionally evaluation of identified risks.
serves to outline the procedures Safety: Freedom from unacceptable
applied to reduce any possible risks. risk of harm. [The notion of "accept
For those products that are covered able" risk of harm may seem strange
by harmonized standards, risk analy to many people.]
sis can have other benefits. Few stan
The flow chart shown in Figure 1 is
dards (if any) can cover all essential
presented to facilitate an overview of
requirements for a particular product,
the standard. The various steps are
and most tend to lag behind technical
examined in some detail below.
developments (generally the case in
In addition to the r isk-analysis
all standardization work).
methods explained and discussed in
the standard itself, this article will FIGURE 1: Flow chart according to
briefly address two further, comple- prEN 1441.
Compliance Engineering 47
' :'''' A,,alysis for Medical Devices
dure be documented. The documenta to reduce the risk to acceptable Iev Iimitation could mean, for example,
·=,n must include: els, where considered necessary. that the risk analysis is restricted to
�-
and handicapperl persons). Through
restrictions, the intended use can also
serve as an instrument for risk reduc
800.467.no5 Voice: 516.467.8400
tion.
J
731 Union Parkway • FAX: 516.467.8558
Ronkonkoma, Long l sland
New York 11n9-7414
r.J Internet address: ifi@ifi.com
America Online: IFI net
ls the device intended to contact the
patient or other persons?
Is the product i nvasive-that is,
Aostralla: 61-2-415-3944 Canado: 90-613-226-2365 Eaglalld: 44-0-462-421234 Fnace: 33-1-M-46-21-10
Ge1'11W17: 49�109-2788 Hoa1 Kaag: 852-763-5123 ladia: 91-842-847924 Israel: 972-3-7526333 lt.aly: 39-11-4551388 does it penetrate into the body, either
Japaa: 81-03-3435-4814 Korea: 82-02-501-4271 Netherlands: 3145206-41214 New Zealaad: 64-4-237-8392
SiDgapore: 6.5-7477234 Spaln: 34-1-3589048 Swedea: 46-8-930280 Tlilwu: 886-2-6864758 via an orifice or through the skin? For
how long is the device, or part of it, in
Reader Service #42
48 Compliance Engineering NoVEMBERIDECEMBER1995
Risk Analysis for Medical Devices
�rotected!
•
Step3
than 60 minutes);
In Step 3, all hazards associated
• short-term (continuous use for not
with the device must be identified and
more than 30 days); and
recorded. The goal at this stage is to
• long-term (continuous use for more draw up to a rough Iist of risks that
than 30 days). may then be gradually refined. Such a
Finally, is the device intended for structured document will serve t o
implantation? facilitate the identification o f different
hazards and decrease the risk of inad
Does the device contain software? vertent omission of significant haz
A proposal is currently being devel
ards. The standard divides possible
oped for a collateral standard govem
hazards into five different categories:
ing validation of software for medical
devices. This standard carries the des
1. Hazards related to some kind of
ignation IEC 601-1-4 and is entitled
energy
"Medical Electrical Equipment, Part
2. Biological hazards
1: General Requirements for Safety, 4.
3. Environmental hazards
Collateral Standard: Safety
4. Hazards related to the use of the
Requirements for Programmahle
device
Electronic Medical Systems." The
5. Hazards arising from functional
proposal at present enjoys CDV
failure, maintenance, or aging
(Committee Draft for Vote) status.
In many respects, this standard dif By complying with the requirements
fers from its predecessors. Applying of the IEC 601 series, manufacturers
�" '\449 Lts'f:
��<)*
pass/fail criteria to the final product, of many (though not all) electrica1
....... �.
as per the usual test procedure, could medical devices may be able to verify
cause critical safety faults to be over that their products do not constitute a
looked; to avoid that possibility, IEC hazard within certain specific areas.
...,. Fast <25ns - Full Leads 601-1-4 requires t h e preparation, For devices covered by IEC 601-1,
before the development phase even compliance with the requirements
...,. Breakered lnterna/ly
begins, of documents strictly control specified in Section 3, "Protection
...,. Loca/ and Remote Status ling the device's design and develop against Electric Shock Hazards," and
...,. Independent of User Loads ment. Section 9, "Abnormal Operation and
The standard comprises two basic Fault Conditions," can demoostrate
...,. Surges Shunted to
sections, one dealing with risk analy that the device itself does not consti
Entrance Ground
sis and the other with the "life-cycle" tute an electric hazard.
...,. *NRTL 1449 Approved concept. The risk-analysis part repris Fu rther, by complying w i t h the "'
p
...,. 10- Year Warranty es the prEN 1441 flow chart shown in requirements contained in the collater
al standard for electromagnetic com
d
Figure 1, and consequently needs no
VI
2500 models of coax, further elaboration in this context. The patibility, IEC 601-1-2, manufacturers
p
life-cycle concept is concemed with can also show that their products nei tt
power and twistedpair
the division into discrete phases of the ther influence nor are influenced by d
protectors ... plus their environment.
e n tire life of a p rod uct, from the D
lightning/EMP and preparation of the frrst specifications In developing new medical devices
grounding solutions to the product's entry into the market. (perhaps within new spheres), manu 1:
facturers may need to rely on scientific
V
As each phase is completed, the man
lfl'olyraf10"A�!�
a
ufacturer must verify that the require data, experience with equivalent kinds
c
ments set up prior to the beginning of of products, or clinical evaluation.
1
the phase have been fulfilled; after the I
(800) 325·7170. (702) 782-2511 Steps 4 and 5
last phase, the manufacturer must val
FAX: (702) 782-4476 In Step 4, the risk of each identified
idate the system and check to make
25 Park Place • P.O. Box 9000 hazard must be estimated. "Risk" is
Minden. NV 89423-9000
gi
An easy way of illustrating this is to elements on higher levels-is called
Occasional
use a graph as shown in Figure 2. The failure effect. A failure effec t on a
.s::;
X-axis corresponds to the conse � lower Ievel thus corresponds to a fail
quence of the harm and the Y-axis to ure mode on a higher Ievel.
::J
its probability. Demarealion of three lncrecllble Starting from the lowest level-for
different areas allows the hazard to be example, the component level-the
J l 1 I
classified as acceptable (i.e., falling Minor Moderale Major Cataslrophic analysis works its way through the
w i t h i n the area corresponding t o system by asking at each new Ievel,
minor probability and minor conse . "What happens if . . . ?" The failure
quence), unacceptable (great probabil effect is then recorded for all compo
FIGURE 2: Risk gra ph showing risk
i t y a n d serious conseque n c e ) , or nents and possible failure modes.
regions.
ambiguous, necessitating a further FMEA is an efficient means of ana
estimation o f whether or not risk lyzing failure modes in elements that
reduction is necessary (this area is affect the performance characteristics
number of systems involved depends
usually called ALARP, for "as low as of a whole system, though it can get
not only on the complexity of the sys
reasonably possible"). very complex as the number of func
tem but also on how detailed an analy
Because some uncertainty is tions and components increases. For
sis is required. The lowest subsystem
inevitable in estimating not only prob cer tain s t r u c t u r e s , i t m a y a l s o b e
Ievel may be equivalent to component
ability but also degree of harm, the essential t o determine exactly when
Ievel or lowest spare-part Ievel, or it
risk graph will always contain an the failure mode occurs; different fail
may be somewhat higher.
ambiguous zone. This area can be ure modes may be obtained at differ
lf the analysis is to be feasible, each
reduced, however, as more informa ent times and consequently may have
element in the system must be clearly
tion is received-for example, from different effects on the total system.
defined as to its characteristics, func
f<>1Jlt reports. A risk analysis must be A useful extension of the F M EA
tion, and connection with other ele
ated continually and must never be method is failure modes, effects, and
ments. Any redundancy (information
static. criticality analysis, or FMECA, which
that is not strictly necessary but can
There are a number of different risk additionally calls for an investigation
help to detect and correct errors) must
analysis me thods, most emanating of b o t h the consequences a n d the -.
FME(C)A
method is particularly weil suited to
r�"lplex systems comprising a num System!Equipment: _______________ Date: ------
Jf subsystems with different func Person(s) who carried out the analysis: ------- Page: (
tional purposes.
The top event, which serves as the d'
starting point for the whole analysis, tl
corresponds to an unwanted result e
INSTANT
A DATA BY •••
XYE
DELTA NETWORK
e -40'C to +lOO'C Operoffng Temp. Range e Ale suppresslng R+C network e Best pertormonce serleS tn most e INiatled cost sovlngs wHh slngte pockage
e CapacHance votues from O.OlUFO e UL. CSA. VDE approved populor apptlcotlons deslgn and smatl PCB rootprlnl
to 2.2 UFO ot 250 VAC 50/60Hz e 250 VAC roted e Drop ln replocement for most e 8oth normal ! common mode ottenuotlon
e New X2 closs copocHor serles ls pelfect lor e AC/DC apptlcotlons populor conllgurotlons uslng one X ! two V nolse supp. networks
high votume. tow cost appllcotlon s e PC8 mount or nex lnsuloled Ieads e Dtelectrlc wHhstond voHoge e Deslgned wHh seH-heaßng metatltzed potyester
e Cose material and Internot polltng e Hfgh pulse/non-lnductlve twlce sotety agency requlrennents ntm, double wound constructlon and oll
are roted UL 94-VO reslstor used e High DV/DT surge reslslonce and 1/11 rotlngs tnnpregnoted lor high relabUity
e Sotety ogency approvols lnclude, e Fo;xbock Documem. 1102 e Xl and V closs roted e Meels elghl sotety agency requlrements
UL. CSA. VDE and SEV e Double wound constructlon melalllzed ot 250 VAC 50/60Hz
e Fo;xbock DocvrMnlt 1101 polyester11m 1or high DV/DT • The XYE serles conslsts ol75 models ln
e Faxbock DocumenN 110J three dlsllnct pockeging stytes
e Faxbock DocvmenN 1106
hemodialysis equipment.
According to this method, faults or 160 School House Road
disturbances are fabricated without Souderton, PA 18964-9990 USA
215-723-8181 Fax 215-723-5688
•
Reader Service #9
I
Compliance Engineering 55
Risk Analysis for Medical Devices Ri
TRANSIEHT SURGE
PROTECTION
Action-Error Analysis
Action-error analysis, or AEA, analyzes interactions
between machine and man. lt can be used to analyze such
things as starting procedures of devices and to answer ques
tions such as "What will happen if the right thing is done at
the wrong time, the wrong thing is done at the right time, or
nothing is done at all?" Where complex patient connections
are involved, AEA can disclose deficiencies in instructions
or directions.
o A Wlde range of EMIIEMC lest servlces
o CE marklng expertlse Event Tree Analysis
Event-tree analysis, or ETA, is again based on the ques
o Helpful, frtendly, professlonal slaff
tion "What happens if . . . ?" But whereas an FMEA applies
o Fully accredlted faciJIUes
that question to subsystems or components, an ETA Iooks
o Fully equlpped Iab areas at the unwanted event itself.
o Independent 3rd party lest Iab This method can help determine whether the event needs
o Aggressive pr1clng further analysis-as, for example, a top event in an FfA
o Convenlent JocaUon
Step 6
IIMifltl
Reader Service #43 If the risk is deemed unacceptable, a risk reduction is
37-7 1rt« Road - l.itiEioo, MA 01460 \T" Services, !nc. • Inherent safe design and construction to be incorporated
• Where risks cannot be eliminated, i n fact the risk-analysis concepts • IEC 601-1, "Medical Electrical
adequate protection measures to be should be part of the natural product Equipment, Part 1 : General
implemented, including alarms development from the start. In this Requirements for Safety" (1988)
Conclusion
Introducing a standardized proce
dure for risk analysis may seem at
first to constitute an extra burden, but
Reader Service #26
Compliance Engineering 57