Safe Design of Medical Devices: Understanding Risk Management Fundamentals

The Three Elements of Design Requirements

In general device design, specifications are built upon functional requirements and performance requirements. However, medical device design must incorporate an additional, critical dimension: safety requirements.

When collecting user requirements from healthcare professionals (physicians, dentists, nurses, clinical laboratory technicians, etc.) and patients, the feedback typically addresses only functional and performance needs. In reality, safety requirements are seldom articulated spontaneously by users or patients. Healthcare professionals generally assume that medical devices are inherently safe to use and rarely voice explicit safety expectations. Consequently, manufacturers must deliberately and systematically incorporate safety requirements into the product requirements specification.

The Nature of Risk and Medical Device Design

Every medical device inherently carries hazards (potential sources of harm) and therefore risk. All medical devices are released to the market with some degree of risk present. The critical imperative is to identify foreseeable hazards and reduce the associated risks through preventive measures before adverse events occur, thereby preventing undue harm to patients and users.

A fundamental principle must be understood here: “absolute safety” does not truly exist. What exists is risk itself. In other words, risk-free products (zero risk) do not exist. Whether it is elevators, escalators, automobiles, or medical beds—all carry some degree of risk.

What then is necessary? Manufacturers must estimate foreseeable risks and systematically reduce all identified risks to acceptable levels. This activity is called risk analysis, and it must begin before the design phase of the medical device starts; it is then maintained and updated as the design evolves. Risk analysis represents one of the most critical activities in the medical device development process and must be performed at the earliest stage.

Evaluation of Residual Risk

After implementing risk control measures (safety controls or control measures), some risk inevitably remains. This remaining risk is called residual risk. Medical device design must pay particular attention to residual risk.

When residual risk exceeds acceptable levels, a risk/benefit analysis must be conducted. In other words, a medical device can proceed to design and market release only when the benefit provided by the device outweighs its residual risk; if it does not, the residual risk remains unacceptable and the design must be changed or the project stopped. This reflects a distinctive characteristic of medical devices. General consumer products might be abandoned entirely if they pose unacceptable risks; however, medical devices are permitted to retain a level of risk that would otherwise not be accepted when they provide essential therapeutic or diagnostic benefits, provided that residual risk is documented and disclosed to users. This represents a deliberate, risk-informed regulatory approach.

Integration of Safety Requirements into the Product Requirements Specification

As discussed, users and patients rarely articulate safety requirements explicitly. Therefore, the Product Requirements Specification (PRS) must explicitly incorporate the requirements from applicable safety standards.

For medical electrical equipment (ME equipment), the requirements of IEC 60601-1 and the particular standard for the device type must be included (for example, IEC 60601-2-24 for infusion pumps, IEC 60601-2-25 for electrocardiographs, and ISO 80601-2-12 for critical care ventilators). Additionally, the applicable collateral and process standards must be identified and incorporated, such as IEC 60601-1-2 for electromagnetic disturbances, IEC 60601-1-6 for usability, IEC 62304 for the software life cycle, and the cybersecurity requirements that apply to the device.

When a medical electrical device is designed in accordance with applicable safety standards, it achieves what is termed basic safety: the condition in which the device, when used in normal operation and under single-fault conditions, presents no unacceptable risks arising from physical hazards. Safety standards are, in essence, the collective wisdom of the regulatory and scientific community—they exist to prevent recurrence of past failures and accidents. These standards have been developed and refined over decades, grounded in real-world clinical experience and documented adverse events.

Common Pitfalls in Risk Analysis

During risk management consultations, many medical device manufacturers list hazards in their risk analysis worksheets such as “electromagnetic fields” or “high voltage.”

However, the reality is that electromagnetic compatibility is already prescribed in IEC 60601-1-2. In other words, manufacturers need not derive their own control measures for this hazard from scratch; the standard's requirements are the control, and the risk management file only needs to cite them and record that compliance was verified. Similarly, risks from electric shock, leakage current, and related electrical hazards are already addressed in detail by safety standards.

Many risk analyses contain only those hazards already specified in safety standards. This represents a fundamental misunderstanding of the purpose of risk analysis. When a hazard and its control measures are already prescribed by a standard, individual manufacturers need not conduct redundant analysis.

The authentic purpose of risk management is to identify hazards specific to the device—those aspects that differ from standard requirements and are unique to the product. Examples include specific clinical use cases, proprietary user interfaces, novel use methods, and particular environmental constraints in which the device is deployed. The analysis should focus on how to manage these product-specific risks. This is the true objective of risk analysis.

Usability Engineering and Human Error Prevention

Requirements for usability (for example, IEC 62366-1 and the guidance in IEC TR 62366-2) have become increasingly stringent in recent years. While “usability” often suggests “ease of use,” the regulatory perspective encompasses a broader meaning. Usability engineering is not merely about convenience; it is a specialized form of risk management focused specifically on use error associated with the user interface and operation of the device.

Consider a concrete example: disposable lighters have deliberately stiff ignition mechanisms. This design feature is not intended to enhance ease of use; rather, it prevents unintended ignition by children and thereby avoids fire hazards. This represents safety-focused design rather than usability in the traditional sense.

As medical devices become increasingly sophisticated, complex, diverse, and demanding in their operational tempo, the probability and severity of human error continue to rise. Devices requiring multiple operational steps, those with complex settings, and those demanding rapid response in emergencies present significant human error risks. Error-related incidents involving physicians, nurses, and other healthcare professionals are becoming increasingly visible. The mitigation of human error in medical devices is now a critical regulatory priority.

The results of usability engineering analysis—specifically, use-related hazard analysis—must be incorporated into the Product Requirements Specification. Furthermore, summative usability validation with representative users (healthcare professionals, under actual or simulated use conditions) has become a mandatory requirement under contemporary medical device regulations.

Risk Reduction Strategy

Risk is the combination of the probability of occurrence of harm and the severity of that harm. In practice, the fundamental lever of risk management is reducing the probability of occurrence; reducing the severity of the consequences is often technically difficult during the design phase. For example, one cannot design an airplane that survives all crashes without fatalities. However, one can design an airplane whose probability of failure approaches zero. This represents the essence of risk reduction.

During consultations, the author frequently encounters risk analyses that include scenarios with extremely low probability of occurrence. For example, “patient falls from bed and dies during surgery” is sometimes listed as a risk requiring mitigation.

Should such scenarios realistically be anticipated? Furthermore, even if conceivable, how could device design possibly control such a risk? What is the documented historical frequency of such events in clinical practice?

Risk analysis should include only hazards that meet at least one of these criteria: a genuine possibility of occurrence during foreseeable use (supported by credible evidence), technical feasibility of risk control measures, precedent in similar products or the clinical literature, or human factors considerations indicating a non-negligible probability. Listing risks without substantive justification constitutes a fundamental failure in risk analysis practice and is likely to invite regulatory scrutiny.
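The decision flow described across the sections on residual risk, common pitfalls, and risk reduction strategy can be written down as a small worksheet evaluator. The following is an added example, not code from the original article: the 5×5 probability and severity scales, the acceptance matrix (product of the two ratings, with thresholds 4 and 10), and the infusion-pump worksheet rows are all hypothetical and constructed for illustration; ISO 14971 leaves the scales and the acceptance policy to the manufacturer's risk management plan.

```python
"""ISO 14971-style risk worksheet evaluator (added example; hypothetical scales)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical 5-point scales; the actual scales belong in the risk management plan.
PROBABILITY = {1: "improbable", 2: "remote", 3: "occasional", 4: "probable", 5: "frequent"}
SEVERITY = {1: "negligible", 2: "minor", 3: "serious", 4: "critical", 5: "catastrophic"}


def risk_region(probability: int, severity: int) -> str:
    """Place a (probability, severity) pair in the acceptance matrix.

    Hypothetical policy: product <= 4 is acceptable, 5..9 must be reduced as far
    as reasonably practicable or justified, >= 10 is unacceptable unless a
    risk/benefit analysis shows the benefit outweighs the residual risk.
    """
    index = probability * severity
    if index <= 4:
        return "acceptable"
    if index < 10:
        return "reduce"
    return "unacceptable"


@dataclass
class Control:
    measure: str
    probability_delta: int = 0   # most controls act here (see Risk Reduction Strategy)
    severity_delta: int = 0


@dataclass
class Hazard:
    hazard: str
    harm: str
    probability: int
    severity: int
    evidence: str = ""                         # complaints, literature, similar devices
    covered_by_standard: Optional[str] = None  # e.g. "IEC 60601-1-2"
    controls: List[Control] = field(default_factory=list)

    def residual(self) -> Tuple[int, int]:
        """Apply the control measures, clamping both ratings to the scales."""
        p = self.probability + sum(c.probability_delta for c in self.controls)
        s = self.severity + sum(c.severity_delta for c in self.controls)
        return max(1, min(5, p)), max(1, min(5, s))


def evaluate(h: Hazard) -> dict:
    """Decide what the worksheet should do with one hazard line."""
    row = {"hazard": h.hazard}
    if h.covered_by_standard:
        # Hazard and control are prescribed by a standard: cite it, verify, move on.
        row["disposition"] = "cite standard"
        row["note"] = f"control prescribed by {h.covered_by_standard}; verify compliance"
        return row
    if not h.evidence:
        # No credible basis for inclusion (the 'falls from bed during surgery' case).
        row["disposition"] = "exclude"
        row["note"] = "no evidence of foreseeable occurrence; remove or justify"
        return row
    p0, s0 = h.probability, h.severity
    p1, s1 = h.residual()
    row["initial"] = (p0, s0, risk_region(p0, s0))
    row["residual"] = (p1, s1, risk_region(p1, s1))
    region = row["residual"][2]
    if region == "acceptable":
        row["disposition"] = "accept"
    elif region == "reduce":
        row["disposition"] = "reduce further or justify"
    else:
        row["disposition"] = "risk/benefit analysis required"
    return row


def evaluate_worksheet(hazards: List[Hazard]) -> List[dict]:
    return [evaluate(h) for h in hazards]


# Constructed worksheet for a hypothetical infusion pump (not from the article).
WORKSHEET = [
    Hazard("Electromagnetic disturbance", "Unintended rate change", 3, 4,
           covered_by_standard="IEC 60601-1-2"),
    Hazard("Patient falls from bed and dies during surgery", "Death", 1, 5),  # no evidence
    Hazard("Decimal point mis-entry on touch keypad", "Tenfold overdose", 4, 4,
           evidence="complaint trend on predecessor; published human-factors data",
           controls=[Control("Confirmation screen echoing the rate in large type", -1),
                     Control("Drug-library hard limit on rate", -1, -1)]),
    Hazard("Downstream occlusion not detected", "Under-delivery of therapy", 3, 3,
           evidence="field reports on similar pumps",
           controls=[Control("In-line pressure sensor with occlusion alarm", -2)]),
    Hazard("Battery depletion during intra-hospital transport", "Therapy interruption", 3, 5,
           evidence="incident reports",
           controls=[Control("Low-battery alarm 30 min before shutdown", -1)]),
]

if __name__ == "__main__":
    for row in evaluate_worksheet(WORKSHEET):
        print(row)
```

Running the block prints one row per hazard: the EMC line is dispositioned to the standard without analysis, the unevidenced fall scenario is excluded, and the three product-specific hazards are carried through initial and residual ratings, with only the battery case escalating to a risk/benefit analysis. Note that the controls in the worksheet mostly carry a probability delta, mirroring the point that design controls rarely change the severity of the harm.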

Market Feedback and PDCA Continuous Improvement

Market feedback regarding products (including similar devices) represents an essential component of medical device risk management. This ongoing activity is predicated on continuous improvement following market release and is structured around the Plan-Do-Check-Act (PDCA) cycle.

Medical device manufacturers must systematically collect reports of adverse events, complaints, and malfunctions from clinical settings and analyze them to identify latent hazards. Such information informs device revisions, design modifications, and updates to warnings and instructions for use. When reporting obligations exist with regulatory bodies such as the Pharmaceuticals and Medical Devices Agency (PMDA), manufacturers must not only maintain internal controls but also provide reports to regulators and implement corrective measures as required.

Conclusion

Unfortunately, many medical device manufacturers have not yet achieved a complete understanding of proper risk management practices. Some companies conflate “compliance with safety standard requirements” with “analysis and mitigation of product-specific risks.” Others lack clarity in distinguishing between “low-probability risks” and “hazards that should be excluded from analysis.” Such deficiencies undermine genuine assurance of patient and user safety.

Medical device manufacturers must proceed beyond mere compliance with standards. They must conduct rigorous risk analysis grounded in deep understanding of their product’s clinical characteristics, foreseeable use cases, and deployment environment. Only through such dedicated effort can genuine safety for patients and users be assured.
