April 25, 2025
by Jeff Craven

MedCon: Expert offers considerations for risk management inputs

COLUMBUS, OH – When examining inputs for a risk management approach, it is important to consider factors such as intended use, safety characteristics, hazards, software and cybersecurity, and interoperable devices in your risk analysis, a risk management engineer told attendees at the 2025 MedCon conference, sponsored by the AFDO/RAPS Healthcare Products Collaborative.
 
ISO 14971:2019 has three clauses that concern the intended use and reasonably foreseeable misuse of a device, the identification of safety characteristics, and the identification of hazards, including hazardous situations. Knowing the intended use of the device and any foreseeable misuse can “help you really determine what potential harms and hazards might be present in your device,” Evan Markley, risk management engineer at Eli Lilly and Company, told attendees.
 
“If any of you have been fortunate enough to sit in or see some human factor studies with any of your devices, I'm sure you all remember how crazy some people can use our devices, and so part of your job when planning your risk management is to account for some of those reasonably foreseeable misuse scenarios,” he said.
 
Intended use considerations include medical indications, the parts of the body or tissues that a device interacts with, the operating principle, patient population, user profile, and use environment. “You want to make sure that your risk management approach takes into account the various folks that might be interacting with your device, even if they're not receiving the therapy that you're intending to provide,” Markley said.
 
Safety considerations
 
Considering characteristics related to safety means “thinking about qualitative or quantitative characteristics of your device and even defining certain limits within your device safety profile,” Markley said.
 
Markley highlighted the IEC 60601-1 as a place to look for safety standards that “really helps you to find what characteristics of your device are essential to safety, and which can also help provide input for the rest of your design history, files and design requirements, and then even verification tests.” He also noted that the TIR 24971 annex contains questions to identify and eliminate risk considerations of a device, such as whether a device is intended for single use, whether energy is extracted or delivered to a patient, and if the medical device has software, including considerations for your risk management approach concerning “installation of that software, periodic updates, modification, different types of authorization or authentication that you need to have in your device.”

Identifying safety considerations in turn helps with locating potential hazards and hazardous situations associated with the device, he noted. Here, Annex C of ISO 14971 is a good reference for potential hazard types and categories for your device: “Anything from electrical shock to radiation to even data-related hazards,” he said.
 
“One great tool to make sure that you have in your risk management approach is some type of hazard analysis where you list your potential hazards, you come up with certain scenarios that could lead to a hazardous situation, and then you evaluate what harm that could lead to, and then you assess the severity of that,” Markley explained.
 
Software and cybersecurity risks
 
For software and cybersecurity, “It really matters that you know what your different software functions do,” Markley said.
 
Software and cybersecurity carry security risks, safety risks, and business risks. “[S]ecurity of your device should also be paramount in your risk management approach. Failures in your software, either through software fault or a vulnerability in your software, can lead to not only patient risk, but also security related risk,” he said.
 
“It's important in your risk management approach to establish acceptability criteria not only for patient safety related risks, but also security related risks, because there are some times where a vulnerability in your software may not necessarily lead to patient harm, but you need to make sure you're assessing how that may affect the security of your device,” he added.
 
The IEC 62304 standard is helpful for classifying software functions and then assessing the level of risk, and the corresponding level of rigor, in a risk management approach. “It's really important when you're planning your risk management to establish what your software unit is and how you might assess different levels of risks for your different software functions,” he said.
 
Some devices on the market interface with mobile applications, and these interactions need to be accounted for in a risk management approach as well. The risk management approach should identify risks that arise where two interoperable devices interact, Markley noted.
 
“[I]t's paramount that you identify controls that are within your scope as the manufacturer, but also have a way to identify if there are any mitigations that you need to pass on to the finished medical device assembler installer, and make sure that they're made aware if there are any risk controls that they need to account for in their file,” he said.
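As an added illustration (not code from the talk or from any standard), the hazard analysis Markley describes can be kept as structured rows and evaluated against separate safety and security acceptability criteria, with any control that falls outside the manufacturer's scope flagged for handoff to the assembler or installer. The ordinal scales, thresholds, and sample rows are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# Scales and thresholds are constructed assumptions, not values from ISO 14971.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "frequent": 4}
# Separate criteria: a security risk with no direct patient harm is still judged.
ACCEPTANCE_THRESHOLD = {"safety": 4, "security": 4}

@dataclass
class HazardEntry:
    """One row of the hazard analysis: hazard -> situation -> harm -> severity."""
    hazard: str
    hazardous_situation: str
    harm: str
    severity: str
    probability: str
    risk_type: str  # "safety" or "security"
    # (control description, owner); owner is "manufacturer" or "installer"
    controls: list[tuple[str, str]] = field(default_factory=list)

def evaluate(entry: HazardEntry) -> tuple[int, bool]:
    """Score = severity x probability; acceptable under the entry's own criterion."""
    if entry.risk_type not in ACCEPTANCE_THRESHOLD:
        raise ValueError(f"unknown risk type: {entry.risk_type}")
    score = SEVERITY[entry.severity] * PROBABILITY[entry.probability]
    return score, score <= ACCEPTANCE_THRESHOLD[entry.risk_type]

def needs_control(entries: list[HazardEntry]) -> list[str]:
    """Hazards whose estimated risk exceeds the applicable acceptability criterion."""
    return [e.hazard for e in entries if not evaluate(e)[1]]

def handoff_controls(entries: list[HazardEntry]) -> list[tuple[str, str]]:
    """Controls outside the manufacturer's scope that must be passed to the installer."""
    return [(e.hazard, desc) for e in entries
            for desc, owner in e.controls if owner != "manufacturer"]

# Constructed sample rows; hazard types echo the talk's examples.
SAMPLE = [
    HazardEntry("electrical energy", "insulation fault during use", "electric shock",
                "critical", "improbable", "safety",
                [("double insulation per design requirement", "manufacturer")]),
    HazardEntry("software fault", "wrong dose shown on display", "drug over-delivery",
                "serious", "remote", "safety",
                [("independent dose range check", "manufacturer")]),
    HazardEntry("unauthenticated update channel", "tampered firmware installed",
                "loss of device integrity", "serious", "occasional", "security",
                [("verify update package signature", "manufacturer"),
                 ("place update port on a restricted network segment", "installer")]),
]
```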