The role of detectability in medical device risk management is often discussed and debated.
If you are clinging to the argument that detectability should be a component of evaluating and assessing product risks, it is time to stop.
Move to ISO 14971 Risk Management
ISO 14971 provides a very clear definition of risk:
RISK – combination of the probability of occurrence of harm and the severity of that harm
No mention of detectability or detection.
ISO 14971 has been in existence for many, many years. The 2007 version has been harmonized for quite some time.
This means that ISO 14971 is the medical device industry’s go-to standard for medical device risk management.
Bottom line: Your risk management process must conform to ISO 14971.
It is also possible that you are clinging to the value of detectability in your risk management process because you are still relying heavily on the use of FMEA.
There is nothing wrong with using FMEA as a reliability tool. However, if you are only using FMEA, then you are not meeting ISO 14971.
Drawbacks of using FMEA
Let me dive into this a bit further.
In a classic FMEA, you estimate severity, probability of occurrence (sometimes stated as likelihood), and detectability. Severity, occurrence, and detectability are then multiplied to produce a risk priority number (RPN).
If you are using FMEA, then you might make the argument that RPN is the same as “risk”.
Refer back to the ISO 14971 definition of risk.
RPN is not the same as risk.
Risk includes severity and occurrence.
Using detectability to evaluate risks is flawed
The topic of FMEA being appropriate for ISO 14971 risk management and the value of estimating detectability has been widely debated for many years.
There is a really good article by Mike Schmidt from 2004, “The Use and Misuse of FMEA in Risk Analysis”, that is still relevant today.
In this article, Schmidt discusses the concept of detectability:
“. . . detection of a hazard during use of the device may not assure that the harm will be avoided . . .”
Understanding this point is VERY important.
When you estimate the risks of your medical device, you are tasked with identifying which risks are acceptable and which risks require mitigation through risk controls.
Risk controls are implemented to reduce the severity of harm and/or reduce the probability of occurrence of harm.
You get no credit for detecting if a harm occurred. You get no credit for detecting if a hazard or hazardous situation exists.
But how can you conduct a proper FMEA without the use of detectability? You can’t properly calculate an RPN without it.
I’ll say it again. FMEA is a reliability tool and not a risk management solution.
Detectability is actually built into probability of occurrence. Detecting a hazard or hazardous situation has a direct correlation to whether or not it will actually occur.
Detectability is not standalone and independent.
An example using concepts of detectability
Let me illustrate with a brief example.
Hazard: hot burner on a stove
Harm: I get burned
The risk is the severity of the harm and probability of occurrence of the harm.
In my example, let’s consider the risk to be low to moderate. I will have a minor burn (severity), yet it is not very likely that I’m going to touch a hot burner on a stove (occurrence).
Ah, but you might say that the reason risk is low to moderate in my example is related to detectability. You might argue that I can see the stove is hot because maybe the burner is red or that the dial is turned on.
Exactly! Detectability has a direct impact on the probability that I’m going to touch (or not touch) a hot burner, which is the probability of occurrence.
Consider this another way, using detectability as a standalone value. I’ll use the same example.
I will have a minor burn (severity), yet it is not very likely that I’m going to touch a hot burner (occurrence). But if I do touch that burner, will I be able to detect this? You bet! It’s going to hurt.
You see, detectability as a standalone metric does not ensure that a hazard or hazardous situation does not occur.