hi everyone Welcome to our ask me anything risk management webinar I'm just going to get give everyone a few more moments enter and then we'll get [Music] started perfect so I think we'll dive into things um welcome again everyone we're thrilled to have you join us today for our risk management webinar um you know this is going to be a great interactive webinar so we'll start by discussing how you can interact with us today um to do that if you'd like to go to the next slide Peter please um please type your questions into the written Q&A box and they'll be selected for us um for a response now hopefully this won't happen today but just in case we disappear due to any technical issues stay aware Right Where You Are and we'll be back as soon as we can okay so now we're going to go on to our agenda um following instructions today's agenda will be centered around a risk management presentation by Peter and that's been designed around the questions we've received from you the attendees in advance after that you'll have the opportunity to ask Peter anything you like on medical device risk management through the Q&A chat box as mentioned earlier I encourage you to post questions while Peter is presenting as he'll respond to them as he discusses the various risk risk management topics please note that this webinar will focus on the topic of medical device risk management and not on how risk is managed in the qualo platform we received some questions specific to the qualo tool which I'll answer separately um to the relevant participants in the coming days I'd also ask that you keep the questions as generic as possible so that everybody attending benefits from the responses also because we received so many questions in advance we may not able to get through all of them in our hour time frame but fear not Peter will be writing a blog post to cover the unanswered questions and you'll receive a link to that in the near future so let's move on to introductions um hi everyone I'm Lola I am a senior quality specialist at qualo with a keen interest in Risk Management before joining qualo I worked in quality and compliance roles in large multinationals and startups across Europe and North America and I use my prior experience in eqms implementation to work closely with customers and qualo so that they achieve their quality goals and bring their product to the market efficiently I am delighted today to be joined by Peter sellus founder and head trainer of medical device HQ which I'm going to tell you more about in the next slide Peter is also a member of The Joint working group that authored the latest version of the iso 14971 standard application of risk management to medical devices so today's webinar is a chance for you to ask Peter the risk management expert any questions you have on the topic but before we dive into the presentation and I let Peter introduce himself further let me tell you more about medical device HQ and how it can make you more confident in the development of your medical device so medical device HQ was founded by Peter in 2008 with the vision to help as many as possible bring medical devices to the market in the most efficient way to achieve this Vision Peter provides training courses templates and coaching to professionals within the medical device industry medical device HQ offers fantastic resources in the form of Articles which have a great insight into all things quality related one of the most Rec recent articles for example is an illustrated guide to Quality Management for medical devices and ISO 13485 and is well worth the read so courses cover a wide range of topics ranging from risk management which I which I've actually taken myself to clinical investigations software development and usability Engineering to name a few there's two options when you take the course you can do the entire course online or participate in a blended course which combines the online course with live virtual classes so a link to all these courses offered by medical device HQ will be included in a follow-up email after the webinar so now I'm going to hand you over to Peter to take you through our risk management presentation oh thank you so much thank you so much for that introduction I'm quite delighted to be here actually because uh those of you who know me from before you know that risk management is indeed a very dear interest uh of mine so I'm looking forward to this session that we have together and I'm going to do my best to answer as many questions as I have I do encourage you to add questions as I go through the topics here to sort of bring up things that weren't clear or things to add on to the things that I'm going to be bringing up so without further Ado I'm going to jump straight into the first question which might seem like a very detailed thing a very specific thing but that's actually where we're going to start one of the questions that I received was uh about the uh clinical expertise is when is a clinical expert required and what is definition of a clinical exper expert so the first thing I want to say about this is that there is no clear requirement on what clinical expert is in the iso 491 or in the MDR or the ibdr the requirement is more General when it comes to this area saying that if you perform risk management tasks you should be competent so when I talk about this I do it based on what I consider to be accepted expectations and also what can be considered to be best practices in the medical advice industry and I think the best way to explain when a clinician is needed is to look at a flowchart and some of you have read the standard well you have seen a similar flowchart in the standard and it shows how a hazard leads to various events with their own individual probabilities in this case PA and PB as you can see here and that in turn results in a P1 which is the probability of occurrence of the Hass situation and when you have um estimated the probability of that hazardous situation leading to harm that's the P2 you get to PO which is probability of occurrence of harm and sorry for turning this into a mathematics lesson uh but this is uh is in the standard and it's very helpful uh when understanding what the clinical experts role is here so this is the typical way you would go through the estimation of the probability of occurrence of harm so when should the clinical expert be involved well here it comes I think most cases and most risks and medical devices you could get all the way to the Hass situation without involvement of clinicians or clinical experts or with very little involvement of clinicians uh in my case I've said well here you typically would require Engineers or usability Engineers or application Specialists to help you out um however when you take the step from the hassle situation for example that the patient is exposed to a particular virus or bacteria and then you turn that into harm or that is where you need a clinical expert or clinician because the P2 estimation should not be done by Engineers this should be done by a clinician and the argument for this I think is quite clear you cannot expect Engineers or nonclinical people to accurately estimate the probability uh of of harm to people or even what the harm should be so this is definitely where you need the clinicians both when you do the initial uh risk estimation as well as the residual risk estimation when you look at this I know one question that usually comes up here is what shouldn't the clinicians be involved also in the sequence of events when you look at that and and you could you could most certainly include the clinicians there but I think when you have a doctor or a nurse participating in the sequence of events it's actually more because of their knowledge or expertise AS application Specialists like they might know how a medical advice is used in the clinic meaning they contribute in that role instead that particular clinical knowledge so but if if if you have those nurses or medical doctors by all means bring them in and let them contribute also to this process that there's nothing wrong with that now part of this questions was also to answer what is the definition of clinical expert and as I said before to my knowledge there is no definition of this in the medical advised world not a clear one at least and if you have come across a definition of that term feel free to write it in the chat I would love to learn about that but I have never come across across that definition but I would say that if we refer to clinical expert or a notified body auditor would say did you involve a clinician here or clinical expertise I would say that um a physician or medical doctor or nurse would be appropriate uh there might be other types of professions depending on the medical advice type like dentists or physiotherapist that could also work but uh to be on the safe side a physician or medical doctor I would say is the safest bet when you're in an audit and this question comes up um as a side note in this question I got a question another question that I wanted to bring up here and sorry for doing a sort of a Sidetrack but when we have this flowchart up it makes sense to discuss another thing uh a few of the questions were about software and estimation of risk and uh how you estimate the risk and how the results from software risk analysis can be incorporated into product risk assessments and and I know it can be a challenge but uh you could also say that it's not that different actually because the the only significant difference with software is that if software is involved in for example event a here you might have heard that you should set the probability of failure of the software to 100% that's what you need to do so and that the reason for that is that S software fails um systematically so you cannot estimate the probability could you have have estimated the probability of the software failure you could have resolved the bug basically that's the argument um so if software is involved in event a that would be 100% now event B might not be 100% so P1 is not always 100% And P2 is not always 100% either but the actual software failure will be 100% other than that I would treat it the same way as any other risk management so that I hope answered that question that we got on that topic now uh there is one more Sidetrack here actually uh one question here was what is the most common approach to determine the PO the probability of occurrence based on the life cycle phases or the um and one question or in this question it was also brought up if it should be relative to the numbers of units produced during manufacturing and complaints and sales data um or what should you base it on and if I understand this question correctly there is one thing one very important advice I want to give to you now when you do risk estimation or probabilities what most medical ADV the the way you should do that for most medical advices would be to say what's the probability of occurrence of harm in conjunction with one single use of the medical device that is the best way now some medical advised manufacturers they say what's the probability of occurrence of harm for the installed base that we have which means that it basically changes the more you sell the more likely it will be that you have a harm on your your hands so the best way of doing this would be per use I think and then use any data that you have to to estimate that probability or likelihood which might be a more accurate term actually in some cases so I hope that answers that question but getting back to the clinical expert here to summarize when is a clinical expert required and what is the definition of a clinical expert well it's I would say almost uh always required when estimating the P2 or the probability that the Hass situation leads to harm and when determining the harm and I will not provide the definition as I said before of what clinical expert should be but probably a medical doctor physician or nurse or something similar then you should be on the safe side if you have other professions that you consider to have the clinical expertise feel free to add that to the chat I would love to hear about that if if you have some other profession that you think makes sense uh so feel free to share that and that means we covered the first question with a few uh built into this first question and I'm going to move to the next question which was what is the relevance actually relevance of the iso 31,000 risk management standard in the medical advice industry now for those of you who don't know ISO 31,000 is a standard which is titled guidelines or risk management guidelines and uh it provides a or principles a framework and a process for managing risk now ISO the iso organization says that this be used for by any organization regardless of its size activity or sector that's quite a bold statement but the question now is can it and we will see in a second but first the Sidetrack again what you see here on screen is the iso 31,000 on the Estonia standardization institute's website and you can find that on ev. ev. and why am i showing you this particular one well because the price of this standard is €13 on this website what do you think this one costs on other sources well the Swedish or Danish standardization institutes they charge about 10 times more so my advice to you whenever you're going to buy a standard check the price on ev. just make sure to buy the English version if that's your language not the Estonian one that won't make much sense unfortunately for most of us I believe but it's super cheap it's the same standard it's just the front page that has a different language that's a really nice tip I think getting back to the iso 31 th000 standard what about it well there is one fundamental difference between ISO 4971 uh and the iso 31,000 standards and that is the definition of risk the iso 491 definition of risk is about product safety and is therefore concerned with harm a typical example would be that a patient or user is injured by medical advice in one way or another but the iso 31,000 standard has a much broader definition uh it speaks about the effect of uncertainty on objectives and uh not only that it actually also brings up positive risk or opportunities to use another word so even though risk management according to ISO 31,000 also includes positive effects this is something that few are aware of or utilize other than when they perform like a basic SWAT analysis or something like that where opportunities would be the O in the SWAT and getting back then to objectives what would that be well in the context of ISO 31,000 it could be almost anything uh relating to the performance of the company it could be to reach a certain sales goals or or um certain profit or Milestone and things that could impact that would be the loss of Key Personnel or or the currency exchange rate changes or anything like that that that that impacts you and these are all things that could could uh impact your objectives obviously now you should avoid mixing these two concepts up and here I'm getting to the answer slowly now I sometimes refer uh to risk management when when we talk about ISO 491 risk management as product safety risk management and then I call the risk management that is done in accordance with the requirements of I ISO 31,000 uh corporate or project risk management that's a quite good way I think of of making a difference between them the problem is that sometimes people that are not that experienc in Risk Management in the medical advice industry they mix these two concepts up so so you shouldn't make that mistake you should never find a risk as it's defined in ISO 31,000 in your ISO 49 one risk management file however you can actually find a product safety risk in your project risk list according to ISO 31,000 because let's say that you are waiting for some U results on on or risk estimates uh which relates to probability of occurrence of harm and if you learn that those estimates or that risk or magnitude of risk is really high that might require a design change and that could delay your project thus that becomes a project risk so it could be that a missing or or um uncertain product risk is a project risk but not the other way around usually now there is one Pitfall that I would uh like to bring up here in this context and that is that the medical advice industry we tend to be so obsessed with product safety risk management that the corporate or project risk management is completely overshadowed and neglected so and this means that we miss out on the benefits of implementing good project risk management which could lead to delays and cost overruns so do not let the product safety risk management completely take all the time from all the risk management you're planning on doing both these two types of risk management are important so I would say that the statement from ISO uh about ISO 31,000 makes sense and any sector can apply the principles of iso 31,000 just don't try to use the definition of risk from the iso 31,000 in your ISO 4901 product safety risk management file and don't mix ISO 4901 risk management with ISO 31,000 risk management that's not a good idea so to answer the question it's very relevant but not for product safety risk management keep that in mind yes uh that was another big question now next up a heavy one and I have a feeling that a lot of you um are in this area and that this will be relevant to you a lot of the questions are touching upon the topic of FMEA which is uh which is uh in interesting and sometimes challenging and even a little bit controversial so I'm going to try to answer when you should use fmaa in the risk management process and let's see here what uh what you say about this it's going to be interesting so if we take a look into the iso 49 s what is risk management according to that standard well it's the systematic application of management policies procedures and practices to the tasks of analyzing evaluating controlling and monitoring risk not very tangible I hate to say it that's the definition though if we take a look at it from a more visual point of view what you are required to have is a process that includes risk analysis risk evaluation risk control production and post- production activities that will address risks all risks actually from all the life cycle phases and you see examples of the life cycle phases here yours might be different depending on the nature of the product but these are quite typical ranging from initial conception until final decommissioning so this is what you need to do according to ISO 4971 now what about fmaa there there's another definition of that and here I'm going to be using the definition from the standard which is on FMEA and that is I 60812 and the definition here is a systematic method both both definitions include the word systematic method of evaluating an item or process to identify the ways in which it might potentially fail and that's probably where you have that failure mode thing and the effects of the mode of failure upon the performance of the item or process and on the surrounding environment and personnel that's the definition now if we are taking a look at this definition is maybe not not yet Crystal Clear what this is and how these things are different so let me let me show you a table which I think shows quite typical product safety risk management according to ISO 4901 and the reason why I say this is quite typical is because you can see it starts with Hazard sequence of events Hazard of situation harm basically these are the headings of all the sections not all of them but from from section or chapter four going going forward in the standard so this would be all the things you need to do to meet the requirements of iso 491 when it comes to risk assessment and risk control and having a table that is dissimilar to the standard is great because there's no confusion which requirement is met where now if we add a typical fmaa table it could look something like this now you might be saying well that's not how we do f F in fact some companies they actually do risk management according to ISO 491 and they just refer to it as fmaa I don't like that because if there is a standard that describes what fmaa is I think we should be using that definition and stick to that otherwise it gets very confusing but if you turn to the IC 60812 this would be quite typical FMEA you can see there are some similarities like P and S and that's not so strange that it's mixed up but there are still some very fundamental and important differences between the two and one of the main differences is that ISO 49 And1 risk management starts with hazards whereas the FMA starts with looking at a part or a process step and how it can fail and that's one of the big differences here now having said this that lots of companies are actually using both and some just one of them I would love to hear more in the chat if you um use ISO 49 in one product risk management or product safety risk management or is it an FMEA you use or maybe both would be super interesting to hear so feel free to write up a note about that we can see if Lola can uh feed feed some information back to us later on on that topic But continuing here on the differences um or actually there was one more question now that I it comes to mind uh there was a question about ivd and risk management for I ivds in vro diagnostic medical devices and there there was it the question was relating to detectability and the rpn number was brought up and are there options for this and you can see rpn risk priority number is a typical FMEA concept not only that it's quite an old FMEA concept more modern FMEA would be more likely to evaluate the risks with the system similar to what we have in ISO 49 and one meaning you have P and S probability of occurrence of harm and severity so I would not recommend using rpn um I would go with the P and S and there are multiple reasons for it one is obviously that it's in the is of 491 standard which is both harmonized as well as a recognized consensus standard meaning it is the expectation of European as well as us authorities or or agencies um to to comply with so I hope that answers the ivd question that was mentioned here to me before so if we go back to risk management versus FMEA which we spoke about this ISO 491 starts with hazards FMEA with parts or process STS ISO 49 some1 covers all the um risks and fmaa actually aims to improve the reliability and it only address fault conditions not risks from normal use and the normal use is interesting because that's typically where we get our side effects or after effects which we need to be aware of in the medical iice industry and identify and disclose in the disclosure residual risk so that's an important aspect that you will miss out on completely if you only do FME but what do these things mean well let's take a look and try to put ISO 4971 product safety risk management uh uh put that into the context of FMEA or the other way around for that matter so if you have um ISO 49 some1 risk management the purpose is to prevent harm that's what we're after here but FMA tries to prevent the product from failing and improve the reliability now sometimes a failing product can lead to harm to no surprise if you have a pacemaker or a ventilator or a defibrillator that fails to deliver uh a shock well that failure will result in harm there are also harmless stops like a digal thermometer where you can't measure your temperature or a patient bed that you cannot Elevate none of those will result in harm they are going to result in annoyed customer and maybe warranty case but not not a harm what you need to do is to make sure that if you have a medical advice where the failure leads to harm you need to feed that information into your product safety risk management process so that the overall uh residual risk is estimated properly and it's handled the way it should according to ISO 4971 so you need to you need to connect the two and there's actually a lot of issues in that area to be honest and uh um so now we basically have the answer to when should you be using fmaa well if the if the safety of your device depends on the reliability and function it's a good idea to use fmaa it would be the case when you for example develop a pacemaker and in the 6601 standard there is something called essential performance which is relevant to mention here what that basically means in late person's terms is that if you lose a function and if the risk is then unacceptable if you lose that function well that is essential performance and if you have essential performance in your product well then uh it makes perfect sense to try to improve the reliability and therefore to do FMEA it's a great tool for that there is one more situation and that is uh if you're a contract manufacturer and you don't have the necessary information to estimate the risk or you might not even know what the hassle of situation would be uh because you don't know the clinical consequences of a failure or a fault well it's I regret to say that it's quite common that contract manufacturers are never given that information so they can look at deviations from the spec but do not know what harm it will cause and the problem with that is obviously that the priorities and risk evaluation might be completely off and this even happens sometimes with internal production where where the production Department never gets that information so if you are in production and you do not get that information on the clinical consequences of various failures or Hass situations then FM is a good fallback position however that obviously then assumes that someone picks up on the results from the fmaa in the iso 49 so1 uh product safety risk management process so that those risks are also found there so when should you use FMEA in the risk management process when the safety of the medical advice depends on reliability or if you have essential performance makes perfect sense it's not required though but it makes sense if you're a contract manufacturer and you don't have information on the clinical consequences of failures it also makes perfect sense to use FMEA because then you can at least do something yes so that is a potentially controversial topic I'm hoping that we uh uh we are going to get some feedback on that and I I can see there's lots of uh lots of questions coming up here uh there are some here I'm going to save some of them but let me see here um and I believe examples when one of the question here is from tanas is when can we get some examp or some examples when it's better to use FMEA or risk assessment based on ISO 4971 well there is actually a quite simple answer to that question you have to use ISO 491 risk management FMEA is optional so there is really no at least if you if you um use the meaning and definition as I provided here from ISO 49 so1 and FMEA standard you have to do ISO 49 at once risk management it's optional with FMA so it's an add-on it's a tool that you can use I and I think that answers the question yes um good thank you very much for that question now I'm going to move forward a little bit here and bring up another question here that was sent to us beforehand oh by the way there is one more thing I want to say there is an article on medical advice uh about uh FMEA and U actually there are several articles there is also a series of articles about splitting up which is common in fmaa like design fmaa use fmaa and process FMA and the risks of doing that one should keep in mind that ISO 49 And1 requires you to look at combination of events not just single faults and FMEA is a single fault technique it will only look at one error and what that will lead to but we are required to take a broader approach and look at combinations which is important so I recommend to take a look at that the FMA article I believe we can link here in the webinar when it comes to the uh this article series the danger of division as I call it uh there will be a link sent to you after the webinar where there is more to read on that if you're interested in that yes next question what are the most common mistakes in risk management and I've added that no one talks about yet because there is a super common mistake and very few people talk about it in fact you are likely to get through an audit with making this mistake anyway but I'm going to tell you about it because I think it's going to be more and more important in the future and to talk about this we're going to use a patient lift as an example to charge the battery of this patient lift there is a 230 volt cable uh that you put into the device and and and connect to the wall outlet and in this case the insulation has been removed and user touches the live cables inside and is exposed to 230 volts uh of alternating current and that's obviously not a good thing so I've written up this here in a risk analysis and um uh I'm saying that the hazard of situation is user is exposed to electricity and the harm is electrocution now I want you to get involved in this a little bit because I want to ask you what do you think the severity of this risk should be and I have a actually I've added let me see here I've added the definitions here uh so you you have the uh yeah here you have the definitions ranging from one to five uh inconvenience or temporary discomfort all the way to death so I would love to hear from you uh you know what what do you think is it a is it a five is it a four three getting fives and fours in here so far yeah yeah lot of yeah we have both do you have a majority vote is there is there more five or more four more fours yeah okay and four is probably more common I would say so I think this is in line with my expectations here uh I think I think we can also probably agree that that uh people can die from this right it happens it's not it's not common you you can touch a cable often times but it's not something I recommend don't get me wrong but it could lead to death uh it could also be four uh for sure so uh but now we are getting to the most common mistake and and let me now try to show you what I mean because I think we can all agree that both four and five are possible now let's get to it here I'm saying that most hassle situations have a range of harms with different severities but we tend to treat them as if there was only one outcome for every Hassler situation and and this is the problem this is the problem I believe that the true representation of this risk and the probabilities would be something more like this we have uh some people with really thick skin completely dry hands rubber shoes not touching anything else touching the cable they would feel it maybe it's one or two we have those more normal that gets it's significantly painful but nothing more happens four that would be the ones that have to get resuscitated with a defibrillator or get an natural fibrillation and needs to go to the hospital to have a check and five the unfortunate ones that would actually die and I think we could say that all of these things could happen as the result of this hassle situation but what severity should we then use we should not use the average I can tell you that much that would be completely inappropriate but maybe we should be using all the different severities because I believe that you would find that we have different probabilities for them maybe it's 1% that has that really really thick skin uh that wouldn't be so P I mean it's maybe a little bit unrealistic I should add I'm not a clinical expert that we talked about before so I've been doing quite much of guesstimates on these ones but it shows you the principle and I believe that we have these uh different percentages on the different hars and I believe this one is round about one in, I think that would die from that kind of accident as far as I can tell but what if you like most organizations do just recorded the 0.1% or maybe the 20% here because most of you wrote four or five well what you're effectively doing is that you ignore if you went with five you ignore the rest of the outcomes so you had the poor 20% that had to go to the hospital and and have their heart checked or even were resuscitated we just ignored them I think that's a problem because your overall resid risk evaluation will be completely incorrect as a result of that right you are not you are just discarding a huge group of patients that have serious problems with this product when they're electrocuted and we pretend like they don't exist now if you went with uh with four instead don't pat yourself on the shoulder too much because what you're doing then is this you're basically you're ignoring the ones that die and this happens you know I had a company contacting me saying oh Peter we have this great problem uh uh one of our patients had an adverse and actually died but we wrote four on the severity in our table what should we do and the problem is that they had only room for one row for each hassard of situation that was the only way they could work and obviously the death was true so should they change it to five well it was extremely rare on the same time well the solution is obviously to include them all that would be more appropriate and provide a more true picture now this might be a little bit terrifying you can see yourself expanding your risk R tables here with a factor of five if you include all harms and severities for all risks um am I just making life difficult for you now uh or is there any support of this in in the standards and and actually there is if you take a look in the isot 2497 I know it's not the standard but it's sort of a very trustworthy guidance and you can see here what it says uh this is the second half of 547 where it stated that the hassin situation can lead to different kinds of harm the P2 have different values and at the end it concludes that several scenarios can be relevant not only those with the highest severity of harm or with the highest probability of occurrence of harm other scenarios can also be relevant and the manufacturer should consider what the best manner is to document the hassle of situation describing look at that one or more sequences of events that can lead to this hassle situation and the different kinds of harm that can occur so it's in there it's in there for sure so documenting more than one row for each risk is rare not many companies would do that but I think a lot more companies should and there are multiple ways you can do it one is obviously to just add more rows another one is to use columns and and there is a lot to be said about that uh so for a short webinar like this I'm not going to go into all the details of that but I want you to reflect on this uh because one thing that happens a lot is that people sit and have arguments about this like if I were to look you in the room and say what's the severity of this electrical shock and I would lock you in the room for 20 minutes and see if you could agree whether it would be four or five I bet you would come out and say it's 4.6 and the reason for that is that people are arguing in the risk management workshops is it four now it's five no I don't agree should before where in fact they're just talking about two different entries in the risk management table or Hazard Trace Matrix so understanding this can help you reduce friction in your risk management workshops which is important by the way to do so I want to open your mind to this um this here if you are already working with multiple severities I would love to hear that in the chat and Lola you will be following up I'm sure like if you if you if you say yeah yeah we can we can address multiple severities for and harms for one hassle situation would be super cool to hear I know some larger companies do it I do it always when I work with risk management nowadays but far from everyone are doing this so having said that what are the most common mistakes in Risk Management I would say it's to include only one harm one Po and one severity for each Hass situation where in fact we know that most Hass situations will in fact have multiple outcomes with different probabilities and different severities that would be the most common mistake I see by far yeah I think that's a super interesting perspective Lola do you have anything to report that people have commented on this here are there any questions comments um I was taking note of those who um do ISO 14971 risk management um or FMA or both so we actually had a pretty even split between both um some using one some using the other smaller number actually doing the two together um and other than that we've had a few questions coming in about that um one one question I copied in from the chat is where do we draw the line in the assessment of severity often including multiple severities has caused the risk assessment to be too long and not usable yeah yeah the there obviously you need to find an administrative way of documenting this in a in an appropriate way and and I think um I regret to say that we won't be able to show any pictures of how it can be done during this uh webinar I I could spend a dedicated webinar on that I believe uh to do that as that that at least if I understand the question correctly it would be to to go down the road that we won't have time for unfortunately uh but it's a good question in the sense that a lot of people are struggling with this where to draw the line it's a it's a common issue to know where to stop in in several ways uh yeah both in terms of how far you should go in terms of consequences but also how uh low or how small and insignificant risks should you include and I think the only good uh advice to give there is to apply as much common sense as you can to not go overboard there is no point in having 10 thousands of row or 10,000 rows in your tables that that will probably not make anyone happy perfect thanks for answering that pet I hope that's a little bit answer in that direction have you received anything more on the uh on the multiple severities or there are no comments relating to that um just checking the chat not yet I will let you know um yeah I have somebody say said they only document the one they like your approach but they only document the one outcome yeah yeah but I'm hoping that you will be able to see how limited this is and that you might have you know 10% on five 10% on four 10% on three and if you select one you're just ignoring a whole bunch of quite severe risks or or outcomes so so that's my key Takeaway on that part I have also received one question here uh as a contract manufacturer when performing process FMEA do we investigate the risk of failing this safety of the final device or the component we are producing well if you get if you get the information uh like the clinical uh situation and consequences of various failures you could uh you could be doing a real product safety risk management uh on the final device you would say well if we fail on our power supply or whatever it might be it's going to have the following consequence on the top level however it's quite uncommon that you can do that uh because usually the the production Department won't have the clinical expertise so then you would look at more the component you're producing or the subsystem you're producing and then the manufacturer that has the whole picture would bring that information in and address it in the product safety risk management file that would be my my suggestion there uh or reflection okay I have one or two more questions that I prepared so I'm going to continue moving but Lola you can catch up with me in the next uh before the next question I believe one question here is should all warnings stem from risk analysis and this here also is one very very common mistake so stay tuned for this one here now in order to get through this here we should talk about risk control options and there are three risk control options in ISO 49 in one it's inherently safe design and manufacturer protective measures in the medical device itself or in the manufacturing process and lastly information for safety and where appropriate training to users and uh now that we have spoken about mistakes let me bring up two more firstly some people believe still believe that information for safety cannot reduce the risk it most certainly can it's not effective uh it's the least effective of these three risk control options but it it does reduce RIS or it can reduce risk and it is a viable risk control option now you might want to avoid it because it's really difficult to prove that it reduces risk but it still can so it is a risk control option and secondly if you chck the design of the medical device to reduce the risk that does not automatically mean that you are going with this first option inherently safe design and manufacturer a lot of people get this wrong I say that if you apply a protective measure let's say an alarm or a cover that is also or it is a protective measure right a cover or an alarm they are protective measures they are also changes to the design I would even argue that if you put a sticker on the product that's in information for safety like don't touch or do this before you use it that's also changed to the design so to determine which risk control option it is you need to think about the way by which you change the design and in the first case it's more or less the complete removal of the hazard here you prevent exposure to the hazard and information for safety you try to convince the user of not doing silly things or avoid certain things that puts them in a Haz situation having said that let's get back to the question on information for safety and whether everything needs to stem from the risk analysis now here the key to unlocking this thing here is to uh look at examples of information for safety and this comes from isot 24971 the guidance document and it says that placing warnings on the medical advice that's one information for safety including Contra indications in the accompanying documentation and the third one is the most interesting one providing instructions for used to support correct use and to avoid use error this means that if you state important things in the instructions for use and they might not be warnings but you you say this is important that you do they those statements are information for safety so anything you say where if you do not comply with it or conform to it results in harm it is information for safety and information for safety is a risk control measure and there is a interesting another interesting requirement in 491 that says that you need to identify the hazards and hazardous situations and the short version of this is that you need to identify all hazards and hazardous situations and the associated risk control measures which means that if you have uh something in the ifu which says well it's important that you do this and you know and the underlying cause is because if you don't there's going to be a problem or harm well that must be found also in your risk analysis and risk control section of your hazard traceability Matrix or whatever we call it now if you do not include it here but you write it here well then you fail to identify all the hassard situations so then you're missing out on that requirement and if you write it here and you don't have it in the ifu well then that's the other way around you have identified the risk but you didn't do the risk control measures so you need to have both and that is true for anything where the U if you don't follow the instructional information uh it results in harm uh if you want to prove that this information is effective keep in mind that this is most often done in your summative evaluation or human factors validation as part of the usability Engineering Process so that's a good place to include that always basically and it's it's it's perfectly valid or legitimate for an auditor to look in the instructions for use and say look here you are saying that that you have to do this and that because that's important for whatever reason uh what happens if you don't and then you're going to say well if you don't do that then this bad thing is going to happen and then going back to the hazard traceability matri and check that that has been identified that's perfectly valid to do and in fact I would encourage Auditors to do it because there are supposed to be a link between the two what about precautions then because this is a subset of this question precautions are usually there to prevent damage to the medical device you say there might not be harm in the sense that it's to people but you could ruin the device or something like that well harm as it's defined in ISO 49 so1 actually does include both people any people not just the patient property and the environment so if the medical advice is ruined because the user did not take the necessary precautions it can still be seen as within the scope of iso 1491 risk management but then again that kind of harm most Auditors are not that interested in it you know if you have a product that breaks down and you can't use it usually not that interesting the focus is on people but strictly speaking I would argue that also precautions that are there to protect property should be in your hazard traceability Matrix strictly speaking so to answer the question should all warnings stem from risk analysis absolutely uh not only the warnings but all the information for safety should come from the risk analysis or risk control section maybe we should say uh because first in the risk analysis you would identify the the risk and then you would say this is the risk control measure which is to include information for safety in the instructions views or on the product for that matter so I hope that answers that question Lola do you have anything you would like to report to me now no everything's going great everything's going great thanks Peter yeah good good so I am moving into the oh this is a heavy one this is for all the Nerds uh in this uh webinar do you have to reduce the risk as far as possible and I've received a few questions about this it's a challenging topic because the ones that wrote the MDR weren't so lucky when they did it there's a lot of ambiguities and unclear things in the MDR ivdr and I say this not to depress you I'm saying this that because if you read it and you struggle understanding what's meant you're normal that can be good to know so do you have to reduce the risk as far as possible let's bring that up in the MDR there are no less than seven different terms of phrases for this reduce as far as possible uh unfortunately but that's how they reason it and there is a clause to in the standard in the Gs or sorry in the MDR or and ibdr CLA 2 says that uh the requirement in this Annex to reduce risks as far as possible means the reduction of risks as far as possible without adversely affecting the benefit risk ratio where does this come from well if we take a look at a defibrillator uh you send an electric shock through the patient chest when they suffer from cardic rest to resuscitate the heart putting 360 jewels of electric shock through the chest is potentially harmful the patient could get Burns and the heart muscle could be uh injured uh so if we were to only reduce the risk as far as possible which is actually what the MDD said it just said you have to reduce the risk as far as possible and MDD is the medical advice directing what would you do well you would bring down the electrical energy to maybe five or 10 ules that is basically harmless it's also completely useless in a defibrillator because you would not resuscitate any hearts so the medical advice directive was well pretty bad in that sense because it basically said make the medical advice ineffective so therefore in the MDR someone almost smart enough to say well that wording wasn't perfect so let's say that you should find that balance by reducing the risk as far as possible without adversely effect and the benefit risk ratio so you want to bring down the energy so that you can still successfully resuscitate at the patient while not risking the patient's Health at the same time and this makes perfect sense I think so so it's a it's a pretty good thing what does the iso 4971 say about this well it doesn't specifically require you to reduce risk as far as possible in fact it does not at all specify what magnitude of risk constitutes acceptable or unacceptable it on the other hand it just says that you need to have a policy that is going to be the basis for you to decide what is acceptable and unacceptable risk so you could look at any regulatory requirements and bring them in and say this is what we have decided so from that point of view it's not in you know it's not U uh counter to what the MDR says it's it's the umbrella that you can use here the iso 14901 so you should base this policy on relevant International standards or national or Regional uh regulations uh like the MDR ivdr and there is a number of other factors you should take into account and if you then try to to comply with MDR and ivdr you should reduce the risk as far as possible without adversely affecting the benefit risk ratio and then you need to take that into uh the risk management plan uh there is actually a uh article one of the questions we got was about the risk management or risk policy or the policy for establishing criteria for risk acceptability and the I've recen a blog post about that there is an article on medical advis HQ about that so if you are the one asking that question uh look out for that link that will take you to that article that answers your question uh so the consequence of this requirement here is that if you're planning to sell to the EU you need to include this thinking uh or statement in your policy and it should then be found in your risk management plan as well now most companies would still do risk evaluation using a matrix like this which looks at the magnitude of risk but the MDR says you need to reduce it as far as possible which is more of a relative measure it's not absolute so in theory you could have a risk with a magnitude 55 you would be down here and you managed to bring it down just a little bit down to here and then you couldn't bring it further down without adversely affecting the benefit risk ratio so now this by definition according to the MDR is acceptable because the MDR doesn't mention magnitude of risk but if you are used to using a risk evaluation Matrix you might rightfully wonder how can this risk which is fairly high right be acceptable we did Ru reduce it as far as we could but we couldn't go any further without adversely affecting the benefit risk ratio should this be acceptable and probably probably not uh because from an ISO 4971 point of view it would say that if it's accept unacceptable you need to do a benefit risk analysis and for the MDR we are saying that you need to do that every time you have a risk you should because otherwise you couldn't determine when you stop producing it but so if we were to work according to MDR only you could in theory throw out the risk evaluation Matrix and stop thinking of risks in terms of magnitude I think that's a wrong decision though because that would create a lot of problems in relation to other standards because most medical advice standards when they talk about acceptable and unacceptable risk they would refer to a matrix like this that's the underlying assumption so if you have a risk up here that's not going to be other standards would not appreciate having that as an acceptable standard just because you brought it down as far as you could so um I think what you should do is to have both criteria you would say can I bring it down or did I bring it down as far as I could and where did I end up in this evaluation Matrix and if both those two you brought it down as far as you could and you're in the green you're good to go the risk is acceptable now how do you document this that's a very common question let's look at a few examples now here um you I have included in my table that I check the magnitude of risk which is a traditional risk evaluation Matrix and then I check whether I reduce it as far as possible without adversely affecting the benefit risk ratio and uh in this case I concluded that both yes it was acceptable from magnitude point of view and we did it as far as we could so therefore I say this is acceptable but what if we have then another case here where the magnitude of risk is acceptable but the we could not reduce it as far as we could well then it's unacceptable right because both criteria should be met and if it's no here but yes here on the uh as far as possible we get another situation it's actually acceptable because we have from the MDR point of view it's acceptable and we've done our benefit risk analysis when it comes to the magnitude and and hopefully then we get to the result that this can be accepted it could be debated a little bit whether benefit risk analysis that is favorable results in acceptable or unacceptable but that's for another session I believe now one question here is how much do you need to document about this here and I have found that practices vary a lot is it enough to say yes I hope it is in most cases but you could say no no no we're just doing it we don't say it you could have yes no you could have a short text or you could have a numerical rationale I would not recommend you to try to quantify this it's a very slippery slope and super difficult to do uh so don't go down that road a short rationale might do the job and write it almost like a standardized thing that you use on most of the risks and then if you have something where it really matters like should we have 360 uls in the defibrillator or 300 and you look at really the science behind it write a lot more that's perfectly valid Justified and value adding so I would adjust it a little bit to the situation actually sometimes you can group it uh and say all electrical risks you do one risk benefit analysis for those uh sometimes you do it on an individual level that's really um depending a lot on what your reviewers are used to seeing and what they require from you there is nothing specific on this in the MDR or in the uh ISO 49 one so you need to go as far as you think is value adding and where you do not get into trouble with your technical reviewers have your notified body required or expressed requirements in this area let me know in the chat that would be super interesting to know if they said no no no we need to write for each and every row they they said that was necessary or you just did a yes no or a short rationale I would love to hear about that in the chat so type there if you can or you know that would be super nice so do you have to reduce the risk of as far as possible yes as long as it does not adversely affect the benefit risk ratio and it does apply to all risks that you identify for sure that was what I had prepared in terms of presentation we've managed to squeeze in one or two questions in between um Lola uh let me take a look here if there's anything high priority that we should be trying to address here perfect and in the chat we just have a few people saying that the notified body is indicating that they expect a statement on each row regardless of acceptability um so that seems to be the trend there yeah and that that is that is unfortunate I think because what if you have a risk where you say well you could drop drop the medical advice on your foot it it it is not meaningful to write about that to be honest I I hope that the notified bodies will be very sort of forgiving in that when you write about well we have a medical advice that's the benefit the risk is that we drop it on our foot uh so if you ask me it's it's in many cases a complete waste of time but that's what that's where we are perfect um I know we're coming close to time um Peter I don't know if there was one question that stood out to you there that you wanted to answer beforehand but if not um I think it's wise that we would wrap up the presentation and we'll work on addressing the remaining questions after the webinar yes we should do that and I would be super happy if uh participants would connect with me on LinkedIn uh look me up think the link has been here in the webinar before but if not look for Peter silius and I will be happy to connect with anyone who is interested in Risk Management it's a dear interest of mine obviously uh and Lola I think we should also mention that we are we got such big interest here that we are considering having another session again uh if there is an interest so feel free to indicate that in the chat if you would like us to run a similar event later on and uh which topics or questions would be interesting to bring up up then I believe there's also a link right to um to uh submit your interest in participating in another webinar event like this and uh that's basically all I had I'm just hoping that as many as possible will connect with me on on LinkedIn perfect thank you so much Peter and and thank you for everyone um for participating in all the questions that you sent in I've hope you've all learned something new from today um again I'll just reiterate that the session is recorded it'll be emailed to soon with lots of extra useful resources including the link to the medical device HQ courses and a short survey just to get your feedback on how you found this session which we'd really appreciate you completing um again thank you Peter for your time and answering your questions uh and we hope to see you again soon in a future webinar thank you so much by everybody