Risk Management of Medical Devices and Case Study of Pacemaker and Heart Lung Machine About Their Software and Battery Management System

From simple devices such as thermometers to advanced implantable devices such as pacemakers, medical devices are an integral part of modern healthcare. Medical devices have emerged as a key aspect in the healthcare sector of any developing healthcare sensitive nation. FDA defines medical device as an instrument, apparatus, implement, machine, appliance, implant, reagent for in vitro use, software, material, or other similar or related article, intended by the manufacturer to be used, alone or in combination, for a medical purpose. Risk management of medical devices under the FDA is a critical process of ensuring the safety and effectiveness of the medical devices throughout their life cycle. The FDA requires manufacturers to identify, analyze, evaluate and control potential risks associated with the medical devices through a structured process. ^[1]

Importance of Risk Management in the Medical Device Industry:

Risks are adverse events that may lead to injury to patients, users, or other involved parties. Measures which are used to minimize the chance and extent of undesirable incidents fall under risk management. Risk management is essential to minimize potential harm to patients and users of medical devices.

Effective risk management provide several benefits:

1. Patient Safety: Ensuring patient safety is a primary concern in a medical device industry. An effective risk management plan ensures the timely detection of risk and provides mitigation strategies of potential hazards.
2. Compliance with Regulatory Standards: An effective risk management plan ensures that the medical devices manufacturers comply with the regulatory standards such as FDA regulations and ISO14971.
3. Improving product quality: An effective risk management plan ensures that the medical devices are of top quality, to ensure minimum failures and defects and possible risks to the patients.
4. Reduction of Cost: An effective risk management plan prevents expensive product failures and recalls, thus reducing costs and to avoid legal problems.
5. Boosting market confidence: An effective risk management plan can boost market confidence by building trust among stakeholders, patients and healthcare providers.
6. Post marketing surveillance: The risk management plan helps in the detection of risks after the device is made available in the market, thus allowing for timely corrective actions and recalls if necessary. ^[2]

ISO 14971: Risk Management of Medical Devices:

The risk management is governed by international standard ISO 14971, known as the Medical Devices- Application of risk management to medical devices. The ISO 14971:2019 standard offers procedures for recognising, evaluating, and mitigating risks associated with the use of medical devices. A risk management system needs to be established, implemented, and maintained throughout the lifetime of the product in accordance with ISO 14971:2019.  All procedures and outcomes need to be documented and kept in a risk management file.  The risk management system will involve procedures for evaluating, analysing, and controlling potential threats. ^[3,4]

Risk Factors of Medical Devices

1. Patient Safety Risks: the risks that directly impact the health and well- being of the patient. Some examples include –
   1. Biological hazards are immunological reactions (e.g., allergic response to the implant materials), toxicity, and infection.
   2. Mechanical Hazards: Wear, fracture, or loosening of implants (e.g., hip replacement failure).
   3. Thermal Hazards: Overheating implant or electrosurgical devices causing burns.
   4. Electrical hazards encompass shock or malfunctioning neurostimulators, defibrillators, or pacemakers.
   5. Risks from radiation include exposure to high doses of ionising radiation from imaging machines.
2. Design and Manufacturing: In the following situations, a medical device may provide a risk if quality by design standards are not followed:
   1. If it is poorly manufactured.
   2. If inadequate attention is paid to the design elements influencing its performance.
   3. The medical device does something that can cause harm.
   4. It fails to provide its intended benefit.
3. Material Toxicity and Degradation: The appropriate selection of materials is important to avoid toxicity and degradation of medical devices. Toxicity testing is crucial to ensure biocompatibility and to assess potential patient risks.^[5]

Risk Management Process:

According to ISO 14971 (Risk Management of Medical Devices), the process should include the following steps:

1. Risk Analysis: Risk Analysis is a crucial step in the risk management that allows the manufacturers to define the product’s intended use and identify the potential hazards arising from the device. This step involves identification of the hazards and the hazardous situations, including the causes and their consequences.

Estimating Probability (P) And Severity (S): Even if varied techniques are used, it is common to determine the probability or likelihood of occurrence of risks and if it happens how big, the risk is (severity). The inference can be in terms of qualitative, quantitative or semi-quantitative scales

Figure 1: Graphical Determination of Risk

2. Risk Control: After risk identification, risk mitigation methods have to be implemented.  This tries to reduce the risks to a level that can be managed.  Design changes, the incorporation of safeguards, or the addition of specific instructions and labelling in device manuals to manage specific hazards are all forms of mitigation.  To avoid introducing new risks, the product has to be redesigned appropriately for risk control.
3. Production and Post- Production Activities: During production, the emphasis is on ensuring that the device is produced consistently and managing known risks while avoiding the introduction of new risks. Post-production emphasizes tracking actual device performance and managing emerging risks after the device has been released into the market.
4. Documentation of Reports and Plans: It is essential to document the risk management plan and strategies that has been put into place. This documentation process extends beyond the initial steps and must incorporate all risk management-related actions, assessments, reports, and diagrams.  The whole product development life cycle continues to rely on the risk management plan, and maintaining up-to-date documentation is critical.  In addition, there must be complete documentation of the effectiveness of control measures implemented as well as the risks that arise from them. ^[6]

Figure 2: Schematic Representation of the Risk Management Process (ISO 14971)

Example 1: Risk Management of Heart Lung Machine

A heart lung machine is an essential medical tool employed in cardiac surgery to substitute temporarily for the function of heart and lungs, providing steady circulation and oxygenation of the patient’s blood. Due to its life-support function, stringent management of risk is necessary in order to guarantee patient safety and adherence to standard such as ISO 14971.

1. Risk Management Plan: The manufacturer provides a master plan outlining how the risk will be identified, estimated, tracked and reduced.
2. Risk Analysis: Determination of possible risks and their causes of the device.

               Risk control measures

5. Benefit risk analysis: Weigh the clinical benefits of the heart-lung machine against any remaining residual risks. ^[7,8]

Example 2: Risk Management of Implanted Pacemaker

How To Detect Low Battery of An Implanted Pacemaker?

An essential part of risk management of a pacemaker is detecting low battery. Risk management of medical devices, including pacemakers, follows the ISO 14971 standards, which requires the manufacturers to identify, analyse and reduce the risks throughout the lifecycle of the device.

1. Automatic Low Battery Alerts (Elective Replacement Indicator - ERI): An Elective Replacement Indicator is an automated alert signal, usually a tone or a setting change which indicates that the battery of the pacemaker is nearing the end of its lifespan and needs replacement.
2. End of Life (EOL): The End of Life (EOL) alert indicates that the battery of the pacemaker has depleted and it is no longer functioning properly. End-of-life (EOL) is indicated by a single-step rate drop, which is initiated by a voltage-sensitive electronic switch.
3. Regular Pacemaker Check-Ups & Interrogation: Pacemaker patients need regular follow-ups with their cardiologist, usually every 3 to 6 months. During these checkups, A programmer device (from the pacemaker company) is placed on the chest to communicate with the pacemaker wirelessly. The programmer reads battery voltage levels, pacing thresholds, and device function. Doctors can estimate remaining battery life based on trends in voltage and make setting adjustments as necessary. ^[9]

Risk Management Techniques:

1. Preliminary Hazard Analysis (PHA): A PHA is a compilation of hazards, hazardous conditions, and damages, arrived at by taking into account materials of construction, components employed and their interfaces, use environment, working principle (chemical, electrical, mechanical, electromagnetic etc.), and other pertinent parameters. It can also encompass an early indication of the POH and S values, qualitative or quantitative, to each of hazard-hazardous condition-damage relationships and a compilation of possible control measures for risks. Through this method, a PHA can serve as the first step for risk assessments to include both risk analysis and risk evaluation. They classify hazards based on severity such as catastrophic, critical or marginal.
2. Fault Tree Analysis (FTA): Fault Tree Analysis (FTA), also referred to as event tree analysis, is an important method of determining risks and guaranteeing the safety of medical devices, particularly with the growing integration of artificial intelligence and machine learning (AI/ML) into healthcare. This method starts with a major event like patient injury then walk backwards through the levels of tree to identify the cause of the hazard.
3. Failure Mode and Effect Analysis (FMEA): It is an evaluation tool to pinpoint potential failures in a design, manufacturing or assembly process, or product or service in a device. "Failure modes" are methods in which a device can fail, potentially impacting the patients. "Effects analysis" is an assessment of the effects of those failures. It is an element-by-element approach to making devices reliable and of good quality.
4. FDA Benefit-Risk Assessment: It is an integral step for medical device development. The device is then evaluated for its potential benefits and disadvantages, and it must be determined if the benefits outweigh the disadvantages. This allows for the evaluation of the safety, trustworthiness, and how applicable the medical device is to be used on one's body without inflicting harm. ^[10]

Software For the Management of Risk in Medical Devices:

The medical device industry requires risk management software to ensure devices meet safety requirements and comply with global standards. The implementation of risk management techniques like Failure Mode and Effects Analysis (FMEA), Fault Tree Analysis (FTA), and Preliminary Hazard Analysis (PHA) increases accuracy and reduces human errors during risk assessment activities. Automated functions enable continuous real-time surveillance of potential hazards. Protecting medical devices is an urgent issue now that Internet of Medical Things (IoMT) technology use has grown. Networked hospital monitoring devices alongside insulin pumps and pacemakers now face security threats from malware and hackers. Through patch management, IEC 62304 conformity for software lifecycle security, and automated vulnerability scanning, risk management software plays an essential role in detecting and preventing cybersecurity threats. Manufacturers and clinicians face a severe risk of patient harm, data loss, and unauthorized access without such devices.

1. Greenlight Guru: Greenlight Guru is a software that provides medical device companies with industry-leading software to scale faster, become more efficient, and reduce risk throughout the product lifecycle.
2. Orcanos: Orcanos is a QMS software for medical devices that integrates Application Lifecycle Management and Quality Management System processes for efficient compliance management.
3. Qualio: enables complete visibility and automatic document stack creation by integrating risk management into product design and development processes.
4. Master Control: MasterControl software is a family of electronic quality management systems (QMS) meant to assist life science, manufacturing, and pharmaceutical companies in streamlining quality procedures, compliance, and product development and manufacturing processes.
5. AssurX: It provides a comprehensive approach to risk management, covering risks associated with QMS failures and product quality. 
6. Knowllence: Offers a module for centralizing the monitoring of risk reduction actions in compliance with ISO 14971.  ^[11,12]

Potential Risk Factors and Consequences Associated with Different Medical Devices: ^[13,14]