Mitigation of Risk

Based upon the evaluation of risk, mitigation of the hazardous situations will be needed. In determining the need for risk controls, care must be taken to align with the requirements of ISO 14971:2012. The approach to risk control should be based upon the risk of each hazardous situation and can be summarized as follows.

Risk Acceptability Approach

Risk Characterization: Acceptable
  • Are existing risk controls possible?
  • Will additional risk controls significantly reduce risk?

Risk Characterization: Conditionally Acceptable
  • Do existing risk controls address the concept of “safe by design”?
  • Can additional controls reduce the risk to an acceptable level?

Risk Characterization: Unacceptable
  • Do existing risk controls address the concept of “safe by design”?
  • Can additional controls reduce the risk to an acceptable level?
  • Is the risk inherent in the therapy? What is the clinical risk/benefit?

This approach leads to the application of risk controls in most cases and gives clear direction on how to approach them. In most systems, any “Conditionally Acceptable” risk should have a “safe by design” risk control. “Unacceptable” risks should exist only when these risks are directly related to the therapy itself.

Developing risk controls that implement “safe by design” involves integrating mitigations into the design. The development of design mitigations relies on the analysis of the failure modes and the sequences of events. There are three types of mitigation:

  • Mitigating the failure mode (λi)
  • Mitigating the sequence of events (βi)
  • Transforming the hazard to lower the severity

Mitigating the failure mode focuses upon improving reliability. As an example, improved components can improve the overall reliability of a delivery pump, reducing the probability of a failure during delivery. This type of mitigation can be effective, but it is also the most expensive. In addition, the α factor can lower its overall effectiveness in cases where the particular phase does not occupy a significant portion of the overall therapy or procedure time.
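To make the three mitigation types concrete, the following added example (not code from the original article) models a hazardous situation with the symbols used above. The model itself is an assumption made for the illustration: the probability of the hazardous situation is taken as α·λ·β, where α is the share of therapy time spent in the phase, λ the probability of the failure mode in that phase, and β the probability that the failure mode progresses to the hazard. The probability bands, the risk-index thresholds, and the sample pump-stall situation are all constructed for the example; a real project takes these from its risk management plan. The example shows that a tenfold reliability improvement alone only moves the sample situation from Unacceptable to Conditionally Acceptable, that lowering the severity reaches Acceptable directly, and that the same λ improvement removes far less probability when α is small.

```python
"""Added illustration (not from the original article): how the three
mitigation types move a hazardous situation across the acceptability bands.

Assumed model: P(hazardous situation) ~= alpha * lambda * beta, where
  alpha  - share of the therapy/procedure time spent in the phase
  lambda - probability of the failure mode occurring during that phase
  beta   - probability the failure mode progresses to the hazard
           (the sequence of events)
Severity is ordinal 1..5. The probability banding and the risk-index
thresholds below are constructed for the example; a real project takes
them from its risk management plan.
"""
import math
from dataclasses import dataclass, replace
from enum import Enum


class Acceptability(Enum):
    ACCEPTABLE = "Acceptable"
    CONDITIONAL = "Conditionally Acceptable"
    UNACCEPTABLE = "Unacceptable"


@dataclass(frozen=True)
class HazardousSituation:
    name: str
    alpha: float   # phase share of total therapy time, 0..1
    lam: float     # P(failure mode) during the phase
    beta: float    # P(failure mode -> hazard)
    severity: int  # 1 (negligible) .. 5 (catastrophic)

    def probability(self) -> float:
        return self.alpha * self.lam * self.beta


def probability_band(p: float) -> int:
    """Band a probability by decade: [1e-1, 1) -> 5 ... below 1e-4 -> 1."""
    if p <= 0:
        return 1
    return max(1, min(5, math.floor(math.log10(p)) + 6))


def classify(h: HazardousSituation) -> Acceptability:
    """Constructed 5x5 matrix collapsed to a risk index = severity * band."""
    index = h.severity * probability_band(h.probability())
    if index >= 15:
        return Acceptability.UNACCEPTABLE
    if index >= 9:
        return Acceptability.CONDITIONAL
    return Acceptability.ACCEPTABLE


# The three mitigation types named in the text, each yielding a new situation.
def mitigate_failure_mode(h: HazardousSituation, factor: float) -> HazardousSituation:
    """Improve reliability: scale lambda down (e.g. a better pump motor)."""
    return replace(h, lam=h.lam * factor)


def mitigate_sequence(h: HazardousSituation, factor: float) -> HazardousSituation:
    """Break the failure-mode-to-hazard path: scale beta down (e.g. a confirm screen)."""
    return replace(h, beta=h.beta * factor)


def transform_hazard(h: HazardousSituation, new_severity: int) -> HazardousSituation:
    """Change the hazard itself (e.g. POST turns an interruption into a delay)."""
    return replace(h, severity=new_severity)


def absolute_reduction(h: HazardousSituation, factor: float) -> float:
    """Probability removed by a reliability improvement; scales with alpha."""
    return h.probability() - mitigate_failure_mode(h, factor).probability()


# Constructed sample: a pump stall while delivering, with delivery taking
# 80% of the therapy time, and the same stall during a short priming phase.
BASE = HazardousSituation("Pump stall during delivery", alpha=0.8, lam=0.05, beta=0.5, severity=4)
SHORT_PHASE = replace(BASE, name="Pump stall during priming", alpha=0.05)


def report() -> dict:
    """Classification of BASE before and after each mitigation type."""
    return {
        "baseline": classify(BASE),
        "failure mode x0.1": classify(mitigate_failure_mode(BASE, 0.1)),
        "sequence x0.1": classify(mitigate_sequence(BASE, 0.1)),
        "both x0.1": classify(mitigate_sequence(mitigate_failure_mode(BASE, 0.1), 0.1)),
        "severity 4 -> 2": classify(transform_hazard(BASE, 2)),
    }


if __name__ == "__main__":
    for label, verdict in report().items():
        print(f"{label:>18}: {verdict.value}")
    print("reliability gain removes", absolute_reduction(BASE, 0.1), "in delivery vs",
          absolute_reduction(SHORT_PHASE, 0.1), "in priming")
```

Running the module prints the baseline as Unacceptable, either single probability mitigation as Conditionally Acceptable, and both the combined mitigation and the severity reduction as Acceptable; the α comparison shows the reliability gain removing 0.018 of probability in the delivery phase against 0.001125 in the priming phase.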

Mitigation of the sequence of events involves mitigating the transition from the failure mode to the hazard. This mitigation of the sequence of events represents the key mitigation for use errors involving the device and should be done in conjunction with the identification of the use error type. The following figure illustrates the taxonomy of use errors.

[Figure: Use Error Taxonomy - Risk Mitigation]

The characterization of the use error drives the identification of the appropriate mitigation. The following table identifies several established mitigations.

Use Error Mitigations

Use Error Type: Slip
  Examples:
  • Failing to identify an error condition
  • Performing steps in the wrong order when loading a device
  Possible Mitigations:
  • Alarms
  • Wizards

Use Error Type: Lapse
  Examples:
  • Forgetting to check dose settings
  • Failing to purge delivery circuit
  Possible Mitigations:
  • Confirmation prompts
  • Embedded state machines for device execution

Use Error Type: Mistake
  Examples:
  • Assuming the device is working properly
  • Skipping steps to “optimize” the execution
  Possible Mitigations:
  • Confirmation prompts
  • Wizards

The process of identifying the correct mitigation for a use error may often involve observational studies during the risk analysis.  Without knowledge of how users will respond to the proposed mitigations, the effectiveness may be limited.  In addition, failure to identify the correct mitigation can have a significant impact on validation, where the effectiveness of the mitigation must be confirmed.

In addition to addressing use error, mitigating the sequence of events can be used to mitigate hardware or systemic issues. As an example, keyboard entry failures (mistyping) occur with a very high frequency (sometimes as much as one in every 20 entries). The use of a confirm screen does not eliminate the failure mode, but does mitigate the sequence of events (the mistyped entry is accepted and programmed into the device). Usually this type of mitigation is not considered as effective as mitigating the failure mode.

Transformation of the hazard associated with a hazardous situation is best illustrated through the application of Power-On-Self-Test (POST) as a mitigation. In this situation, the hazard is transformed from interruption to delay, with a corresponding reduction in the severity of associated harms. This is generally considered the most effective mitigation, as lowering the severity quickly moves the risk to acceptable. This type of mitigation often links closely to the operational and functional design and needs to be identified and developed early in the development cycle.
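The following added example (not code from the original article) shows what the sequence-of-events mitigations from the Use Error Mitigations table, the confirm screen for mistyped entries, and the POST transformation look like when built into a device's control software. It is a constructed infusion-style workflow: the state names, the dose limit, the self-test interface, and the scenarios are all assumptions made for the illustration. The embedded state machine refuses out-of-order steps (delivering without priming the circuit, a lapse from the table); the confirm screen makes the operator re-key the dose so a mistyped value is discarded instead of being programmed; and a failed Power-On-Self-Test parks the device before therapy starts, so the fault surfaces as a delayed start rather than an interrupted infusion.

```python
"""Added illustration (not from the original article): the sequence-of-events
mitigations from the Use Error Mitigations table and the POST discussion,
modelled for an infusion-style device. Assumed workflow:
POST -> IDLE -> DOSE_ENTERED -> DOSE_CONFIRMED -> PRIMED -> DELIVERING.
A failed Power-On-Self-Test parks the device in FAULT (a delayed start, not an
interrupted infusion); the transition table refuses out-of-order steps such as
delivering without priming (a lapse); the confirm screen makes the operator
re-key the dose so a mistyped entry is never programmed. State names, the dose
limit and the self-test interface are constructed for the example.
"""
from enum import Enum, auto


class State(Enum):
    POST = auto()
    FAULT = auto()
    IDLE = auto()
    DOSE_ENTERED = auto()
    DOSE_CONFIRMED = auto()
    PRIMED = auto()
    DELIVERING = auto()


class WorkflowError(Exception):
    """A step attempted out of order, or an input the device refuses."""


# Legal transitions; anything not listed here is refused.
TRANSITIONS = {
    State.POST: {State.IDLE, State.FAULT},
    State.FAULT: set(),  # stays faulted until serviced
    State.IDLE: {State.DOSE_ENTERED},
    State.DOSE_ENTERED: {State.DOSE_CONFIRMED, State.IDLE},
    State.DOSE_CONFIRMED: {State.PRIMED},
    State.PRIMED: {State.DELIVERING},
    State.DELIVERING: {State.IDLE},
}

DOSE_LIMIT_ML = 50.0  # constructed upper bound for the example


class InfusionWorkflow:
    def __init__(self, self_tests):
        """self_tests: list of (name, zero-arg callable returning True on pass)."""
        self.state = State.POST
        self.dose_ml = None
        failed = [name for name, test in self_tests if not test()]
        # A failed POST is a delay before therapy, not an interruption during it.
        self._transition(State.FAULT if failed else State.IDLE)

    def _transition(self, new_state):
        if new_state not in TRANSITIONS[self.state]:
            raise WorkflowError(f"{new_state.name} not allowed from {self.state.name}")
        self.state = new_state

    def enter_dose(self, dose_ml):
        if not 0 < dose_ml <= DOSE_LIMIT_ML:
            raise WorkflowError(f"dose {dose_ml} mL outside (0, {DOSE_LIMIT_ML}]")
        self._transition(State.DOSE_ENTERED)
        self.dose_ml = dose_ml

    def confirm_dose(self, reentered_ml):
        """Confirm screen: a mismatch discards the entry and returns to IDLE."""
        if reentered_ml != self.dose_ml:
            self.dose_ml = None
            self._transition(State.IDLE)
            return False
        self._transition(State.DOSE_CONFIRMED)
        return True

    def prime(self):
        self._transition(State.PRIMED)

    def start_delivery(self):
        # Skipping prime() is a lapse; the transition table refuses it.
        self._transition(State.DELIVERING)
        return self.dose_ml


def scenario_mistyped_dose():
    """Operator keys 25 for an intended 2.5 mL; the confirm screen catches it."""
    wf = InfusionWorkflow([("battery", lambda: True), ("pump sensor", lambda: True)])
    wf.enter_dose(25.0)
    accepted = wf.confirm_dose(2.5)  # mismatch -> False, back to IDLE
    wf.enter_dose(2.5)
    wf.confirm_dose(2.5)
    wf.prime()
    return accepted, wf.start_delivery()


def scenario_skipped_prime():
    """Lapse: from a confirmed dose straight to delivery."""
    wf = InfusionWorkflow([("battery", lambda: True)])
    wf.enter_dose(5.0)
    wf.confirm_dose(5.0)
    try:
        wf.start_delivery()
    except WorkflowError as exc:
        return str(exc)
    return "delivery started without priming"
```

The design point is that each control is a property of the state machine rather than of the operator: the mistyped dose never reaches the programmed value, the skipped priming step is refused with an explanation, and a device that fails its self-tests cannot accept a dose at all. That is the software form of the text's observation that the confirm screen leaves the failure mode in place but breaks the sequence of events, while POST changes which hazard can occur.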

Mitigations will form the essential requirements developed as part of the risk analysis process.  In many cases a similar mitigation will apply to many hazardous situations and the final step is to collate the list of mitigations into a single set of requirements.

 
