An Ethical Risk Management Approach for Medical Devices.

INTRODUCTION: The Food and Drug Administration (FDA) audits and validates devices before mass production to ensure high standards, safety, and quality of medical devices being marketed. Despite those measures in place, consumers' trusts in medical devices are still dwindling based on safety and privacy risks that eventually influence the health of patients.
METHODS: The method employed in this study is conceptual and includes a selection of a company that develops medical devices to use as an example organization to apply the hybrid risk management framework, defined herein in the results and discussion section.
RESULTS: The results include a hybrid risk management approach including activities and tools and techniques by risk management phases. DISCUSSION: The discussion includes how to apply the hybrid risk management framework using Abbott Laboratories as an example.
CONCLUSION: To mitigate the chances that risks (adverse events) occur during the manufacturing and use of medical devices, this study has focused on providing a hybrid risk management approach for organizations noting the use of ISO 14971 activities as well as the PMBOK activities.

Introduction

Medical devices, as defined by the Federal Drug Administration (FDA), can range from tongue depressors and bedpans to more complex instruments such as blood glucose meters and test kits to machines such as x-rays and lasers.1 Mobile medical applications that can be accessed via a mobile device or Internet are also considered as medical devices.1 The FDA is charged with monitoring and communicating to health professionals and the public consumers information about the adverse events related to medical devices. 2 In 2018, the United States spent 17% of their gross domestic product (GDP) on healthcare which was almost twice the amount spent in New Zealand and Australia (9%). 3 One of the expenses associated with healthcare is the money related to approvals from the Food and Drug Administration (FDA).4 Additionally, the number of recalled medical devices is continuing to increase.4 To mitigate rising costs and escalating recalls, there is a need to improve the design, certification, and operations of current and future medical devices to prevent adverse events (risks).4

FDA regulation of medical devices is necessary to help assure new products are sufficiently safe in view of the anticipated patient risks and benefits.1 The FDA is also responsible for assessing the effectiveness of medical devices as a condition of marketing approval in the United States. While the FDA regulates the safety and effectiveness of the equipment, there are other governing bodies that ensure safe and effective manufacturing techniques such as the International Organization for Standardization (ISO).5 Project outcomes including the development of medical devices are predicated on delivering products to satisfied stakeholders, adequate implementation strategies, and alignment of resources and deliverables (Cicmil, 2000).6

The research and development of medical devices focuses on the benefits and use of those devices to end users to align with the regulations of the FDA as well as overall consumer trust in the device.1 More specifically, there are ethical considerations and risks (adverse events) associated with the trust of medical devices for patients due to the installation and usage of the devices. For example, the risks associated with the trust of medical devices include the following: regulatory risks such as many incremental patents needed for effective execution;7 business and project management risk such as safety and the optimal performance built into the product;8 product risks such as appropriate engineering objects installed and resources needed for physical installation.7

Risk management is utilized in this study as a framework to increase the chances that organizations achieve their goals (Project Management Institute, 2017)9 by planning and responding to risks (adverse events). The target audience for this paper includes companies that engage in ongoing advancements in technology and are committed to the safety of their customers. The authors suggest that this type of company would consider more than the guidelines as noted by the FDA related to safety and the effectiveness of equipment. Therefore, the focus of this paper is to provide a hybrid risk management approach including tools and techniques to decrease the likelihood and impact of risks as organizations design, develop, test, produce, and deploy medical software devices using Abbott Laboratory as an example manufacturing company. The authors in this paper: (1) present Abbott Laboratory information as context; (2) discuss ethics management as an approach to identify, manage, and respond to adverse events; (3) present a hybrid risk management approach as a framework; and (4) conclude with considerations for other manufacturing organizations.

Method

The method employed in this study is conceptual and includes a selection of a company that develops medical devices to use as an example organization to apply the hybrid risk management framework, defined herein in the results and discussion section. Abbott Laboratories was selected because the company “develops life-changing technology”,10 and the risk activities and tools and techniques identified in this study are more applicable to a company that engages in the development and use of cutting edge technology (eg, IT cyber security, IT complexity, hacking, etc.) that is aligned with ongoing advancements in technology. This type of company will continuously need to reevaluate their risk management approach, which not only includes the guidelines of the FDA but also guidelines as identified by the company based on their risk appetite. Specifically, Abbott Laboratories reported that they are committed “to helping you live your best life.”10

Abbott Laboratories

Abbott Laboratories was incorporated in 1900 and its principle business is the discovery, development, manufacturing and sale of health care products.10 The health products are managed within the following four business segments: pharmaceutical products, diagnostic products, nutritional products and medical devices.10 The focus of the company is to provide information and health care products to assist individuals in living their best lives via protecting the heart, nourishing the body, and facilitating the vision.10 The implementation of this focus requires cutting edge technologies, medicines and products to support health management.

The medical devices include the following items: rhythm management, electrophysiology, heart failure, vascular and structural, diabetes care products, and neuromodulation.10 These devices are not only marketed and sold within the United States but also globally. Specifically, in the United States, some of these products are marketed and sold to wholesalers, hospitals, ambulatory centers, physicians, Abbott-owned distribution centers and public warehouses.10 Globally, the marketing and sales of the devices are sold to customers or through distributors.1 Competition for these medical devices include technology, price, use, service, performance and supply contracts.10

Due to the nature of Abbott’s business, the organization is subject to regulation by the FDA and other international, federal, and state authorities. The process of obtaining regulatory approvals to market Abbott’s products are usually costly and time-consuming and approvals may not be timely granted. These untimely granted approvals by the FDA may result in reduced revenues and increased additional costs.

Duty-Based and Outcome-Based Ethical Approach

Duty-Based Ethics

The duty-based theory, as defined by Immanuel Kant (1964),11 supports the idea that individuals have basic rights and those rights include focusing on prevention of certain adverse events (risks). Prevention is possible because humans are different from other types of species and that humans are born with moral integrity and possess knowledge for reasoning and rationalizing.12 More specifically, duty-based ethics is grounded in the idea that ethical situations need to be viewed within the lens of owning a certain duty and to whom.11 The duty-based approach focuses on the prevention of activities that would diminish the consumer’s trust in the use of medical devices. Immanuel Kant believed that human beings have a moral compass that includes integrity based on the ability to reason and conduct affairs rationally within the context of fairness and respect for others.11 The duty-based approach considers ethical dilemmas within the context of fairness and respect for all parties including the patients, users and other stakeholders. One of the driving questions related to fairness is does my actions respect the goals of humans and not just my own interests?12

Manufacturers of medical devices, such as Abbott Laboratory, are responsible for the design and/or manufacture of the medical device for consumption.10 Specifically, manufacturers work to mitigate risks and make decisions associated with the safety and administration of medical devices. Thus, manufacturers have a duty to implement processes and procedures that identify adverse risks (hazards); assess and evaluate the risks; control and monitor the effectiveness and use of the devices through retirement.5 The decisions manufacturers make about the design, development, testing and deployment of medical devices need to include collaborations with other medical devices organizations so that their operational decisions are made with the idea that all entities are acting similarly. The duty-based ethics adhere to the idea that organizations conduct their businesses with ethics because it is their duty. Therefore, adhering to standards is paramount to practicing activities that are ethically-based.

Outcome-Based Ethics

Outcome-based ethical approaches focus on the consequences of the actions and not the behaviors themselves that may be rooted in moral values or beliefs.12 Two of the driving questions that outcome-based ethics consider are: what is my end goal and what results do I want to achieve?13 Specifically, the outcomes of the actions includes identifying the stakeholders impacted by the actions; making an assessment of the negative and positive results of the actions; and looking at the outcomes and focusing on the actions that produce the greatest benefits for the largest number of people.12 Thus, an act is morally correct if it benefits the majority in a positive manner.

The outcome-based ethical approach is grounded in John Stuart Mill’s work,13 called utilitarianism, and is focused on the consequences of the actions. For example, actions are considered ethical is they produce certain desirable outcomes. Specifically, outcomes that support happiness and do not lead to unhappiness or some type of pain are considered the ethical approach. This ethical outcome-based approach should be practiced for the betterment of all and not for selfish reasons.13 The betterment for all is based on the reasoning associated with ethical behaviors as measured based on the pros and cons of the actions that have consequential impacts for others.12 Therefore, pros related to medical devices may include: a positive impact on public health, a positive impact from diagnostic devices, and a positive impact on the quality of an individual’s life.5

Results and Discussion

Risk Management Framework

Risks are adverse events that can be caused by injury to the patient, users or other impacted parties.9 Risks can also be categorized by damage to objects, data or equipment including software or hardware.5 Risk management includes the activities related to decreasing the likelihood and impact of the adverse events9 in the design, use and regulation of medical device risks. Risk management is utilized in this case as a framework to increase the chance that organizations achieve their goals by planning for the business and project risks related to the production, management and ongoing use of medical devices. More specifically, risk management activities are focused on: (a) minimizing frustration related to problems; (b) increasing stakeholder support; and (c) building unification that leads to effective communication and control.14

The Project Management Institute presents an organizational approach to project risk management as noted in its Project Management Body of Knowledge (PMBOK) book.9

This organized approach includes the following phases: plan risk management, identify risks, perform qualitative risk analysis, perform quantitative risk analysis, plan risk responses, implement risk responses and monitor risks.9 ISO 14971 is the standard that is used for the application of risk management to medical devices.5 More specifically, this standard provides guidance for organizations to develop a risk management process that includes identification and control of risks during the development and usage of medical devices such as product, patient and user risks, and regulatory risks. The risk management processes for ISO 14971 include the following: risk analysis, risk evaluation, risk control, evaluation of overall residual risk acceptability, risk management report, and production and post-production.5

(Table 1, figure 1) displays the similarities and differences in ISO 14971 and PMBOK processes. Note that risk planning is a phase that is utilized in the PMBOK processes and not ISO 14971. Likewise, risk reporting is included in ISO 14971 and not the PMBOK phases. Risk planning in PMBOK includes the activities needed to develop a risk management plan and is developed based on input from impacted parties such as patients, care givers, and manufacturers. Also note in Table 1 that ISO 14971 and PMBOK methodologies have similar activities in the Risk Assessment and Risk Monitoring and Controlling phases.

Table 1

ISO 14971 and Project Risk Management

Phases	ISO 14971a	Project Risk Managementb
Risk Planning		Plan Risk Management
Risk Planning		Identify Risk Management Processes
Risk Assessment	Risk AnalysisRisk Evaluation	Perform Risk ManagementPlan Risk Responses
Risk Monitoring and Control	Risk ControlEvaluation of overall residual risk acceptability	Control Risk Responses
Risk Reporting	Risk Management Report

Notes: aISO 14971. Medical Devices – Application of Risk Management to Medical Devices. Switzerland, ISO, 2007. bProject Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Newton Square, Pennsylvania: Project Management Institute; 2017.

Figure 1

Ethical risk management framework. Data from these studies.5,9

After integrating ISO 14971 and Project Risk Management methodologies, the next step is to use the hybrid methodology to execute the activities related to each phase using the tools and techniques identified in Table 2. The phases in Table 2 are conducted using an ethical underpinning related to duty-based and outcome-based ethics. The duty-based components of the framework are focused on the prevention of adverse events related to medical devices and the outcome-based components of the framework focus on the consequences of the actions and are related to the end goals.

Table 2

Risk Breakdown Structure: Example Using Abbott Laboratories

Medical Device Risks
Regulatory	Cybersecurity	Environmental	Business/Project	Product
Regulations PoliciesComplianceIncremental policiesValidation and certifications	IT CyberattacksIT complexityMalicious IntrusionThird party Hacking	Natural disastersPolitical/Economic InstabilityPrice Controls	Project IssuesResource SkillsDesign/Development/PrototypeHardwareSoftware LicensesLawsuits and Claims	Research FailuresCompetition Patent/User Equipment Malfunction Hardware Software Safety

Step 1: Risk Planning: Risk Planning includes a framework to plan risk management activities. Specifically, during risk planning the project team and stakeholders need to identify risk management processes and create a plan which will detail how risk management activities will be planned and implemented. The risk management plan includes identifying the potential sources of harm (risks) from using a device as well as the uses and foreseeable misuses5 with an emphasis on preventing the activities that diminish the consumer’s trust. Plan risk management activities is focused on how to conduct risk management activities in the risk management plan. Some of the key components of the risk management plan are as follows: risk strategy, methodology, roles and responsibilities, funding, timing, risk categories, scales for probability and impact, and reporting.9 See the Risk Breakdown Structure tool for Abbott Laboratories in Table 2 that is used to display risk categories in the risks management plan.

Step 2: Risk Assessment: Risk assessment includes risk analysis, evaluation and prioritization of the identified risks. During this phase, the risks are analyzed and evaluated based on the severity of the risks and the probability of occurrence with a focus on the duty to prevent activities that create adverse events.4,9 See Table 3 for the Example Severity Criteria used in this study and Table 4 for the Example Probability of Occurrence Criteria. Thereafter, the risks may be prioritized in rank order based on the severity criteria and probability criteria considering fairness and trust as a duty. This step also includes planning for the responses to the identified risk. In this study we use the following PMBOK responses: mitigation (response will reduce the probability of occurrence and/or impact of an adverse event) and accept (no proactive risk responses).9

Table 3

Example Severity Criteria

Category	Severity	Description
1	High	Life-threatening injury or event that will impact the design, development, or deployment of the device
2	Medium	Serious injury or event that may impact the design, development, or deployment of the device
3	Low	Limited injury or event that will not impact design, development, or deployment of the device

Table 4

Example Probability Criteria

Category	Probability of Occurrence	Description
1	High	100% to 65% that risk will occur
2	Medium	65% to 30% that risk will occur
3	Low	30% to 0% the risk will occur

Step 3: Risk Monitoring and Control: Risk monitoring includes implementing the risk response plans and usually includes tracking the impacts of the responses and evaluation of overall residual risk acceptability which can yield new risks.9 The control component of this step is focused on the risk control options such as safety by design, protective measures in the design or manufacture as well considerations for product safety. The activities in this phase are focused on monitoring and controlling the risk activities as well as the consequences that are the result of not performing the duties associated with preventive tools and techniques. See Table 5 for the Risk Register that can be used to document risks, assess risks, monitor and control risks as well as track the outcomes associated with the risks. Therefore, the Risk register displays key comprehensive information related to ongoing risks identified and assessed from steps 1, 2, and 3, herein and in one study classified as a trust-level document to help with a broader understanding of risks.15 Note in Table 5 the authors recommend Abbott Laboratories provide response plans for those risk that have been assessed as Medium and High.

Table 5

Risk Register to Support Duty-Based and Outcome-Based Activities

				Abbott Laboratories Risk Register
Ref No	Risk	Prob 1–3	Impact 1–3	PI Score	Risk Category	Risk Response	Detail Response
1	Regulatory Risks
1.1	Governmental regulations and policies	2	2	4	Medium	Mitigate	Hire resources
1.2	Compliance	2	2	4	Medium		Compliance department
1.3	Incremental patents	3	1	3	Low	Accept
1.4	FDA regulations	1	1	1	Low	Accept
1.5	Validations/Certifications
2	Cybersecurity Risks
2.1	IT cyberattacks	1	2	2	Low	Accept
2.2	IT complexity	1	1	1	Low	Accept
2.3	Malicious disruption	1	2	2	Low	Accept
2.4	Hacking	1	2	2	Low	Accept
3	Environmental Risks
3.1	Natural disaster	3	1	3	Low	Accept
3.2	Political/economic instability	1	1	1	Low	Accept
3.3	Price controls	1	1	1	Low	Accept
4	Business/Project Risks
4.1	Project issues	1	1	1	Low	Accept
4.2	Resource skills	3	2	6	High	Mitigate	Hire dedicated project resources
4.3	Design, Development, Prototyping	3	3	9	High	Mitigate	Testing and risk management
4.5	Hardware	1	1	1	Low	Accept
4.6	Software Licenses	1	1	1	Low	Accept
4.7	Lawsuits and Claims	3	2	6	High	Mitigate
4.8	Safety	2	2	4	Medium	Mitigate	Train and communicate safety
5	Product Risks
5.1	Research failures	1	1	1	Low	Accept
5.2	Competition	2	1	2	Low	Accept
5.3	Equipment malfunction	3	2	6	High	Mitigate	Testing during prototype
5.4	Patient/User Error	1	1	1	Low	Accept
5.5	Liability Claims/Lawsuits	3	3	6	High	Mitigate	Purchase insurance

Notes: a: Prob 1–3 indicates the probability of occurrence with 1 representing low and 3 representing high. b: Impact 1–3 indicates the impact if the risk occurs with 1 representing los and 3 representing high. c: PI score = Probability score * Impact score d: Risk category indicates the PI score with red representing score 6 or above and medium representing scores of 4 and green representing score 1 thru 3. The risk categories that are red and yellow includes detail responses.

Step 4: Risk Reporting: Risk reporting includes communicating the risks to all impacted parties. The reports include documented evidence of the risk management plan and risk management reviews.5,9 The activities in this step are focused more on the consequences of the actions with an emphasis on what is my end goal and what results do I want to achieve through reporting.12 The reports address critical risks and emerging risks that may cause future issues if not monitored and controlled and also involve collecting production and post-production information.5

Conclusion

Risk-free medical devices are not realistic; however, stakeholder’s expectations about the use and performance of the devices are becoming more risk averse with the expectations that manufacturers have a duty to focus on the prevention of activities that will diminish the consumer’s trust in the use of the devices.7 The research and development of medical devices focus on the benefits and use to ensure those devices align with the regulations of the FDA as well as overall consumer trust in the device. Risk management is utilized in this study as a framework to increase the chances that organizations achieve their goals by planning and responding to risks related to the design and development of medical devices.

To mitigate the chances that risks (adverse events) occur during the manufacturing and use of medical devices, this study has focused on providing a hybrid risk management approach for organizations noting the use of ISO 14971 activities as well as the PMBOK activities. The PMBOK activities included in the approach are focused on the development of the medical devices as operational projects. These operational projects need to planned and managed by dedicated project teams including skilled resources to plan, identify, and implement risk-related activities.9 The hybrid risk management approach provides a roadmap for manufacturers, such as Abbott Laboratories, to use project planning tools and techniques to augment the activities identified by ISO 149171. Additionally, the framework included tools and techniques to decrease the likelihood and impact of risks as organizations design, develop, test, produce and deploy medical software devices. The risk management approach in this study is used to not only to prevent and mitigate adverse events related to medical devices; but also, to help companies make informed medical device decisions by recommending the steps, activities, and tools and techniques to support the management of adverse events to medical devices.