www.bringoutthebest.

eu
info@bringoutthebest.eu ,
+316 1925 1955
Bank: NL45 INGB 0008 1921 52
KvK 83404295,
BTW NL003819330B90

Regelmatig kom ik klanten tegen die hun risicoanalyse baseren op kans en impact. Hiermee laten
ze volgens mij een factor buitenspel die ze juist helpt risico's beter te beheersen; de kans van
tijdige detectie.
Het is nogal een verschil of een kwaliteitsafwijking wordt geconstateerd tijdens productie of dat
deze aan het licht komt nadat een klant heeft geklaagd.
Het toevoegen van detectie aan een risicoanalyse die al bestaat uit impact en kans heeft
verschillende voordelen. Hier zijn enkele belangrijke voordelen:
Verbeterde volledigheid: Door detectie als een aparte factor toe te voegen, krijg je een
completer beeld van het risico. Terwijl impact zich richt op de mogelijke gevolgen en kans op de
waarschijnlijkheid, richt detectie zich op het vermogen om het risico tijdig te detecteren. Dit helpt
bij het identificeren van potentiële risico's die anders mogelijk over het hoofd worden gezien.
Betere risicobeoordeling: Het stelt organisaties in staat om prioriteit te geven aan risico's die
snel kunnen worden gedetecteerd, waardoor er passende maatregelen kunnen worden genomen
om de impact te beperken. Het helpt ook bij het bepalen van de geschiktheid van bestaande
detectiemechanismen en het identificeren van gebieden waar verbeteringen nodig zijn. Dit kan
bijvoorbeeld het installeren van bewakingssystemen, het implementeren van regelmatige
controles of het opzetten van waarschuwingssignalen omvatten.
Prioritering van mitigatie: door detectie, ernst en waarschijnlijkheid samen te overwegen,
kunnen organisaties hun inspanningen effectief prioriteren. Risico's met een hoge ernst en
waarschijnlijkheid, maar een laag detectievermogen, kunnen meer aandacht krijgen, omdat ze
aanzienlijke kwetsbaarheden vertegenwoordigen die dringend moeten worden aangepakt.
Verbeterde risicobeheerstrategieën: Organisaties kunnen zo steviger beheerstrategieën
ontwikkelen. Het helpt bij het identificeren van de hiaten in detectiemechanismen, waardoor de
implementatie van passende controles, waarborgen en monitoringsystemen mogelijk is.
Verbeterde besluitvorming: Met detectie als onderdeel van de risicoanalyse kunnen organisaties
beter geïnformeerde beslissingen nemen. Het stelt hen in staat om de kosten en inspanningen
van detectiemaatregelen af te wegen tegen de potentiële impact van een risico. Dit helpt bij het
prioriteren van middelen en het nemen van beslissingen over investeringen in risicobeheer.
Continue verbetering: Door het detectievermogen van geïdentificeerde risico's in de loop van de
tijd te bewaken, kunnen organisaties hun effectiviteit meten bij het beperken van risico's en hun
detectiemechanismen voortdurend verbeteren. Deze iteratieve aanpak draagt bij aan verbeterde
risicobeheerpraktijken en een proactieve beveiligingshouding.

Hierdoor is besluitvorming meer gebaseerd op informatie en is een betere toewijzing van

middelen mogelijk, wat uiteindelijk leidt tot verbeterde kwaliteit.

Although a combination of probability and severity is commonly used for

estimating risk, it can be useful to consider other factors that may also affect
whether a risk is deemed acceptable.
Risk management is commonly defined as the
systematic application of management practices,
policies, and procedures for identifying, analyzing,
controlling and monitoring risk. Application of risk
management to medical devices is expected by
medical device regulatory bodies. For instance, risk
management is considered as an essential
requirement for compliance to the European Union
Medical Device Directive 93/42/EEC. FDA also

p. 1 of 5
expects risk management to be integrated with device design control activities and other
compliance activities, as made clear in the quality system regulation preamble. Standards developing
agencies have also highlighted the importance of applying risk management to medical
devices in view of ensuring patient safety, notably ISO 14971. At the facility level, IEC 80001,
“Application of Risk Management for IT Networks Incorporating Medical Devices—Part 1: Roles,
Responsibilities, and Activities,” has been released in draft form and widely commented on.
Risk management involves a three-step procedure: hazard identification, risk assessment, and risk
mitigation in case of unacceptable risk levels. In fact, the hazard identification process should
account not only for hazards directly related to the medical device itself, i.e., design and
manufacturing, but also hazards related to the device use in the clinical world, i.e., user operation,
device interaction with its environment of use, etc. After identifying the hazards, a qualitative or
quantitative evaluation of risk should follow to assess the acceptability of the risks involved. Based
on this assessment, effective design or process changes can then be developed and implemented
to mitigate unacceptable risks, thereby making them acceptable according to the action levels
defined by the analyst.
The risk evaluation process is a key step in risk management, and we have addressed certain
aspects of this process previously. This article addresses another aspect of risk evaluation: the
consideration of factors other than the probability of harm occurrence and the severity of that
harm if it were to occur. While the combination of probability and severity is helpful in reflecting
the level of risk importance, reliance on only these two factors fails to capture other significant
elements that should influence the decision-making process. For example, detectability is often
considered in manufacturing risk management. Other factors that may be integrated into the risk
equation are hazard correctability and product utility.
A Two-Dimensional Definition
ISO 14971 defines risk as the combination of the probability of
harm occurring and the severity of the harm once it occurs. The
combination of these two variables is generally depicted by a
two-dimensional matrix, sometimes called the risk space.
The risk space is divided into regions describing the level of risk
significance. One common procedure consists of dividing the risk
chart into three zones: a generally acceptable (GA) region for
which probability and severity are low, a generally unacceptable (GU) region for which probability
and severity are high, and the so-called as low as reasonably practicable (ALARP) region in
between. Note that risks corresponding to low probability and high severity can be controversial
because the clinical significance to the affected patient may be high even though the general
probability is low. After reasonable mitigation, the acceptability of such risks should be partially
based on a risk-benefit analysis, whereby they may be tolerated if benefits outweigh risk. Note also
that dividing it into three regions is quite arbitrary—more regions can be used based on a more
detailed decision-making process. A common practice in the risk space is to
break down the probability and severity
axes into discrete scales that may be also
have descriptions as shown in Table I,
yielding a segmented yet still qualitative
assessment of risk. Linguistic scales may
also be converted into ordinal numbers in
an attempt to quantify the notion of risk through applying some mathematical combination of the
probability and severity values. Figure 2 shows an example of a quantitative risk matrix using a
multiplicative combination for the scaled estimations. Multiplying probability and severity ratings is
common; however, other mathematical operations can also be employed. Although the obtained
quantitative score is intended to reflect the degree of importance of the risk, this number should
not be seen as representative of some real and measurable quantity
Other Dimensions of Risk

p. 2 of 5
The risk space is meant to give the user an insight into whether a considered risk should be further
mitigated or whether it could be tolerated without unduly compromising patient safety. However,
relying on a two-dimensional definition of risk overlooks other important decision factors. Such
factors include the ability to detect the hazard before harm occurrence, the economic and technical
practicability of correction procedures, and the device's value or medical significance.
Detection, when applied to hazards rather than harms, is a significant measure to consider in the
sense that it alters the probability of the harm actually occurring, assuming the detected condition is
effectively acted on. High detectability yields a reduction in the likelihood that harm would occur, and
thus it should influence the risk score. Consideration of the ease of mitigation in the risk equation is
appropriate given the general philosophy that risks should be lowered to the lowest practicable level.
Therefore, all easily correctable risks should be prioritized and dealt with.
Product benefit is another factor that can be added to the risk score. In fact, a risk that remains
unacceptable after performing all practicable mitigation measures may be tolerable if the device's
clinical benefit or medical significance outweighs its residual risks.
Hazard Detectability
Hazard detection accounts for the likelihood of discovering and correcting a hazard or failure mode
prior to harm occurrence. For example, in the manufacture of a catheter, there might be a gluing or
welding step to attach a connector to tubing. This in turn can introduce the hazard of leakage. A
leakage test can then be added to eliminate (with some degree of assurance) the further processing
of badly glued or welded units. Hazard detection suggests the existence of an inverse relationship
between the level of detectability and the degree of risk seriousness. If severity and probability were
weighted such that a higher rating corresponds to a more frequent hazard occurrence and more
critical harm consequences, detectability should then be scaled such that increasing scores denote a
decreasing likelihood of hazard detection.
Note that the introduction of detectability into the risk equation actually induces a modification in
the definition of probability. Instead of denoting the probability of harm, i.e., the end result, it now
refers to the probability of hazardous condition prior to detection. In this context, the hazard
detectability factor can be thought of as a correction factor for the probability of failure prior to
detection. Their combination would result once again in the probability of harm occurring. Although
detection seems to be an integral part of probability, keeping it distinct from the harm probability
measure helps to recognize two ways of mitigating the associated risk: either by reducing the
probability of failure or by improving detectability.
An example of a detection scaling is shown in Table II. If a multiplicative combination is applied to
evaluate risk in the case of a five-level ordinal scaling of probability, severity, and detectability, risk
indices from as low as 1 to as high as 125 can be obtained. Note that adding a third variable increases
the opportunity of obtaining the same risk score for distinct combinations. In fact, a total of 125
combinations can be made with only 30 unique numbers generated. Notice that even though they
both yield a risk score of 25 for the same detectability value of 5, a risk combination of a high severity
of5 and low probability of 1 should in general not be treated equally to a risk combination of a low
severity of 1 and high probability of 5. This difference may be made more explicit with the use of a
three-dimensional risk chart (see Figure 3).
Another option is considering detectability as a correction factor for the probability measure by
introducing a scaling centered on unity (see Table III). In this case, unity would denote a moderate
detectability that does not affect the risk score. Values above and below unity refer to poor and good
hazard detectability, respectively. The advantage of such scaling is that it preserves the same
numerical acceptability criterion that might be used for only probability and severity.
Although commonly used in manufacturing risk analysis, detectability is generally associated with
specific inspection processes. However, detection can also be defined at various levels of the product
life cycle, from the design and development phase to the use and operation phase.
Whether considered at the design stage or at the operation phase, assessing detectability can be
more challenging because inspection procedures are typically less well defined. However, the risk
assessment can indicate the need for detection, and thus drive the development of an appropriate
process.

p. 3 of 5
Detection during the device conception and production phases can be defined as the ability of the
design controls to identify possible weaknesses and failures before releasing the product on the
market. In fact, the evaluation of this type of hazard detectability requires an assessment of the
likelihood of detecting causation during such activities as design reviews, reliability modeling,
verification and validation, etc. In short, detectability at this stage is closely related to the quality
practices implemented by the design and production entities responsible for developing the final
product. Adequate detectability assessment may be more difficult to achieve in outsourcing, whether
it involves a partial or complete subcontracting of the design or the manufacturing of device
components
Hazard detection can also be defined as the likelihood of detecting possible failures or complications
in the operation environment and purportedly preventing their culmination in a harmful occurrence.
Important considerations in the process of assessing detectability within the clinical environment
include resource availability, response timeliness, and personnel practical expertise.
For instance, a high patient-to-nurse ratio can negatively affect the likelihood of a nurse detecting
possible hazards within the clinical environment. Response timeliness is yet another major element
to be considered in the assessment of detectability. In this context, several questions may be raised.
How much time is really available between detection and harm? If the hazard failed to be announced
by a clinical alarm, how likely is it to be otherwise detected or communicated by other alarm
notification systems? Knowing the noise background in the clinical world and the tendency to ignore
alarms, how likely are nurses to respond to a sounding alarm and in how timely a manner?
Another important factor is the user’s practical expertise and knowledge. Assuming the hazard was
detected prior to the occurrence of harm, does the caregiver have the required skills to perform the
preventive procedure under real-world situational stress in a safe, effective, and timely manner?
The temptation by manufacturers to assume a high level of detection by clinical users, and to
therefore not adequately eliminate hazards at the source, must be avoided. In general, reliance on
the end-user to avoid hazards that should otherwise be mitigated is undesirable and unacceptable
because, in the parlance of this article, the probability of such detection is low, giving it a high
numerical score.
Hazard Correctability
The hazard correctability factor rates the relative ease of mitigating a certain risk. It accounts for the
associated feasibility and effort required in reducing a particular risk to the lowest practicable level. In
this context, ease and practicability address the ability to mitigate the risk taking into account both
technical and economic feasibility. Practicability has two components, as mentioned n Appendix E of
ISO 14971: a technical practicability denoting the ability to mitigate the risk regardless of cost, and an
economic practicability denoting the ability to reduce a risk without making the medical device an
unsound economic proposition.
In other words, in assessing the level of hazard correctability, both the availability of technical
solutions and their economic feasibility and budget constraints should be considered.
The inclusion of this factor into the risk equation is meant to prioritize risks for which mitigation can
be performed fairly easily, regardless of its degree of importance otherwise. More precisely, this
suggests that there is no justification for a device to bear risks that can be easily eliminated or
reduced while considering the technical and economic feasibility of the mitigation procedures. As a
result, the easier the mitigation, the higher the correctability and the recalculated risk score.
However, the opposite is not true. If the mitigation is hard to accomplish due to technical or
economic limitations, the risk score should not be decreased. This implies that the corresponding risk
is more acceptable as a result of low correctability. But ISO 14971 asserts that the economic
impracticability should not be used as a rationale for the acceptance of unnecessary risks.
Furthermore, an unacceptable risk should not be considered tolerable if corrective measures were
judged impracticable. Alternatively, a risk-benefit analysis must be performed whenever mitigation
procedures are hard to achieve in view of assessing the acceptability of such risks while considering
the medical significance of the device.
Product Utility

p. 4 of 5
The product utility factor is meant to integrate clinical benefit into the risk score. Consideration ofthe
benefits that arise from the use of a medical device need to be carried out whenever
correctivemeasures are deemed impracticable or whenever a risk mitigated to the lowest practicable
level isstill judged unacceptable or otherwise unwarranted. In fact, if the risk is outweighed by
thebenefits, it may be thought of as acceptable based on the device’s medical significance. As a
result,the product utility may be factored into the risk score obtained by multiplication such that
thescore would be increased in the case of a low utility—i.e., risk is unjustified by clinical benefits,
anddecreased by a high utility—i.e., benefits outweigh the risk. See Table V for an example of a
utilityscaling.
Estimating the benefits of a medical device can be made through considering its performanceduring
clinical use and the clinical outcomes expected from that performance compared with thoseof similar
devices on the market.
Such estimation can be challenging because certain clinicaloutcomes are difficult to compare. For
example, which is more
acceptable: severe pain or loss ofmobility?
Determination of whether theestimated benefits outweigh therisk can then be addressed
throughperforming clinical studies involvingpatients, users, and medicalpractitioners in view of
assessing the risk acceptability to both society and individuals. This is also achallenging task because
the notion of utility is subjective. For instance, there is an ongoing debateas to whether one should
be more tolerant to a high-risk life-saving device as opposed to a high-risk cosmetic implant. While a
high-risk cosmetic implant may be thought of as unacceptable sinceit is not an essential device, one
may also argue that a high-risk life-support device is unacceptablebecause it is an essential piece of
equipment designed for the very purpose of saving a life.
As with detection, the analyst must avoid overstating value in an effort to make risks acceptablethat
would otherwise be unacceptable. Besides outright cheating to get the risk scores one desires,self-
delusion itself is a risk that must be mitigated.

p. 5 of 5