Risk Management and Healthcare Policy, Volume 14

An Ethical Risk Management Approach for Medical Devices

Authors Carden L, Oladapo B

Received 15 February 2021

Accepted for publication 26 April 2021

Published 3 June 2021 Volume 2021:14 Pages 2311—2318

DOI https://doi.org/10.2147/RMHP.S306698

Checked for plagiarism Yes

Review by Single anonymous peer review

Peer reviewer comments 2

Editor who approved publication: Professor Marco Carotenuto



Lila Carden,1 Bolanle Oladapo2

1College of Technology, Technology Project Management Program, University of Houston, Houston, Texas, 77204-4023, USA; 2Technology Project Management Program, College of Technology, University of Houston, Houston, Texas, 77204-4023, USA

Correspondence: Lila Carden
College of Technology, Technology Project Management Program, University of Houston, College of Technology Building, 4730 Calhoun Road, Room 300, Houston, Texas, 77204-4023, USA
Tel +1 713-743-4171
Fax +1 713-743-4032

Introduction: The Food and Drug Administration (FDA) audits and validates devices before mass production to ensure high standards, safety, and quality of medical devices being marketed. Despite those measures, consumers’ trust in medical devices is still dwindling because of safety and privacy risks that eventually influence the health of patients.
Methods: The method employed in this study is conceptual and includes a selection of a company that develops medical devices to use as an example organization to apply the hybrid risk management framework, defined herein in the results and discussion section.
Results: The results include a hybrid risk management approach including activities and tools and techniques by risk management phases.
Discussion: The discussion includes how to apply the hybrid risk management framework using Abbott Laboratories as an example.
Conclusion: To mitigate the chances that risks (adverse events) occur during the manufacturing and use of medical devices, this study has focused on providing a hybrid risk management approach for organizations noting the use of ISO 14971 activities as well as the PMBOK activities.

Keywords: risks, medical devices, risk management, ethics

Introduction

Medical devices, as defined by the Food and Drug Administration (FDA), can range from tongue depressors and bedpans to more complex instruments such as blood glucose meters and test kits to machines such as x-rays and lasers.1 Mobile medical applications that can be accessed via a mobile device or the Internet are also considered medical devices.1 The FDA is charged with monitoring and communicating information about adverse events related to medical devices to health professionals and the public.2 In 2018, the United States spent 17% of its gross domestic product (GDP) on healthcare, which was almost twice the amount spent in New Zealand and Australia (9%).3 One of the expenses associated with healthcare is the cost of approvals from the FDA.4 Additionally, the number of recalled medical devices continues to increase.4 To mitigate rising costs and escalating recalls, there is a need to improve the design, certification, and operations of current and future medical devices to prevent adverse events (risks).4

FDA regulation of medical devices is necessary to help assure new products are sufficiently safe in view of the anticipated patient risks and benefits.1 The FDA is also responsible for assessing the effectiveness of medical devices as a condition of marketing approval in the United States. While the FDA regulates the safety and effectiveness of the equipment, there are other governing bodies that ensure safe and effective manufacturing techniques such as the International Organization for Standardization (ISO).5 Project outcomes including the development of medical devices are predicated on delivering products to satisfied stakeholders, adequate implementation strategies, and alignment of resources and deliverables (Cicmil, 2000).6

The research and development of medical devices focuses on the benefits and use of those devices to end users to align with the regulations of the FDA as well as overall consumer trust in the device.1 More specifically, there are ethical considerations and risks (adverse events) associated with the trust of medical devices for patients due to the installation and usage of the devices. For example, the risks associated with the trust of medical devices include the following: regulatory risks such as many incremental patents needed for effective execution;7 business and project management risk such as safety and the optimal performance built into the product;8 product risks such as appropriate engineering objects installed and resources needed for physical installation.7

Risk management is utilized in this study as a framework to increase the chances that organizations achieve their goals (Project Management Institute, 2017)9 by planning and responding to risks (adverse events). The target audience for this paper includes companies that engage in ongoing advancements in technology and are committed to the safety of their customers. The authors suggest that this type of company would consider more than the guidelines noted by the FDA related to safety and the effectiveness of equipment. Therefore, the focus of this paper is to provide a hybrid risk management approach, including tools and techniques, to decrease the likelihood and impact of risks as organizations design, develop, test, produce, and deploy medical software devices, using Abbott Laboratories as an example manufacturing company. The authors in this paper: (1) present Abbott Laboratories information as context; (2) discuss ethics management as an approach to identify, manage, and respond to adverse events; (3) present a hybrid risk management approach as a framework; and (4) conclude with considerations for other manufacturing organizations.

Method

The method employed in this study is conceptual and includes a selection of a company that develops medical devices to use as an example organization to apply the hybrid risk management framework, defined herein in the results and discussion section. Abbott Laboratories was selected because the company “develops life-changing technology”,10 and the risk activities and tools and techniques identified in this study are more applicable to a company that engages in the development and use of cutting-edge technology (eg, IT cyber security, IT complexity, hacking, etc.) that is aligned with ongoing advancements in technology. This type of company will continuously need to reevaluate its risk management approach, which includes not only the guidelines of the FDA but also guidelines identified by the company based on its risk appetite. Specifically, Abbott Laboratories reported that they are committed “to helping you live your best life.”10

Abbott Laboratories

Abbott Laboratories was incorporated in 1900 and its principal business is the discovery, development, manufacturing and sale of health care products.10 The health products are managed within the following four business segments: pharmaceutical products, diagnostic products, nutritional products and medical devices.10 The focus of the company is to provide information and health care products to assist individuals in living their best lives via protecting the heart, nourishing the body, and facilitating the vision.10 The implementation of this focus requires cutting-edge technologies, medicines and products to support health management.

The medical devices include the following items: rhythm management, electrophysiology, heart failure, vascular and structural, diabetes care products, and neuromodulation.10 These devices are marketed and sold not only within the United States but also globally. Specifically, in the United States, some of these products are marketed and sold to wholesalers, hospitals, ambulatory centers, physicians, Abbott-owned distribution centers and public warehouses.10 Globally, the devices are marketed and sold to customers or through distributors.1 Competition for these medical devices includes technology, price, use, service, performance and supply contracts.10

Due to the nature of Abbott’s business, the organization is subject to regulation by the FDA and other international, federal, and state authorities. The process of obtaining regulatory approvals to market Abbott’s products is usually costly and time-consuming, and approvals may not be granted in a timely manner. Untimely approvals by the FDA may result in reduced revenues and additional costs.

Duty-Based and Outcome-Based Ethical Approach

Duty-Based Ethics

The duty-based theory, as defined by Immanuel Kant (1964),11 supports the idea that individuals have basic rights and those rights include focusing on prevention of certain adverse events (risks). Prevention is possible because humans are different from other species and are born with moral integrity and possess knowledge for reasoning and rationalizing.12 More specifically, duty-based ethics is grounded in the idea that ethical situations need to be viewed through the lens of owing a certain duty and to whom.11 The duty-based approach focuses on the prevention of activities that would diminish the consumer’s trust in the use of medical devices. Immanuel Kant believed that human beings have a moral compass that includes integrity based on the ability to reason and conduct affairs rationally within the context of fairness and respect for others.11 The duty-based approach considers ethical dilemmas within the context of fairness and respect for all parties including the patients, users and other stakeholders. One of the driving questions related to fairness is: do my actions respect the goals of humans and not just my own interests?12

Manufacturers of medical devices, such as Abbott Laboratories, are responsible for the design and/or manufacture of the medical device for consumption.10 Specifically, manufacturers work to mitigate risks and make decisions associated with the safety and administration of medical devices. Thus, manufacturers have a duty to implement processes and procedures that identify adverse risks (hazards); assess and evaluate the risks; and control and monitor the effectiveness and use of the devices through retirement.5 The decisions manufacturers make about the design, development, testing and deployment of medical devices need to include collaborations with other medical device organizations so that their operational decisions are made with the idea that all entities are acting similarly. Duty-based ethics adheres to the idea that organizations conduct their businesses ethically because it is their duty. Therefore, adhering to standards is paramount to practicing activities that are ethically based.

Outcome-Based Ethics

Outcome-based ethical approaches focus on the consequences of the actions and not the behaviors themselves that may be rooted in moral values or beliefs.12 Two of the driving questions that outcome-based ethics considers are: what is my end goal and what results do I want to achieve?13 Specifically, assessing the outcomes of the actions includes identifying the stakeholders impacted by the actions; making an assessment of the negative and positive results of the actions; and looking at the outcomes and focusing on the actions that produce the greatest benefits for the largest number of people.12 Thus, an act is morally correct if it benefits the majority in a positive manner.

The outcome-based ethical approach is grounded in John Stuart Mill’s work,13 called utilitarianism, and is focused on the consequences of the actions. For example, actions are considered ethical if they produce certain desirable outcomes. Specifically, actions whose outcomes support happiness and do not lead to unhappiness or some type of pain are considered ethical. This ethical outcome-based approach should be practiced for the betterment of all and not for selfish reasons.13 The betterment of all is based on the reasoning associated with ethical behaviors as measured by the pros and cons of the actions that have consequential impacts for others.12 Therefore, pros related to medical devices may include: a positive impact on public health, a positive impact from diagnostic devices, and a positive impact on the quality of an individual’s life.5

Results and Discussion

Risk Management Framework

Risks are adverse events that can be caused by injury to the patient, users or other impacted parties.9 Risks can also be categorized by damage to objects, data or equipment including software or hardware.5 Risk management includes the activities related to decreasing the likelihood and impact of the adverse events9 in the design, use and regulation of medical device risks. Risk management is utilized in this case as a framework to increase the chance that organizations achieve their goals by planning for the business and project risks related to the production, management and ongoing use of medical devices. More specifically, risk management activities are focused on: (a) minimizing frustration related to problems; (b) increasing stakeholder support; and (c) building unification that leads to effective communication and control.14

The Project Management Institute presents an organizational approach to project risk management as noted in its Project Management Body of Knowledge (PMBOK) book.9

This organized approach includes the following phases: plan risk management, identify risks, perform qualitative risk analysis, perform quantitative risk analysis, plan risk responses, implement risk responses and monitor risks.9 ISO 14971 is the standard that is used for the application of risk management to medical devices.5 More specifically, this standard provides guidance for organizations to develop a risk management process that includes identification and control of risks during the development and usage of medical devices such as product, patient and user risks, and regulatory risks. The risk management processes for ISO 14971 include the following: risk analysis, risk evaluation, risk control, evaluation of overall residual risk acceptability, risk management report, and production and post-production.5

Table 1 and Figure 1 display the similarities and differences between the ISO 14971 and PMBOK processes. Note that risk planning is a phase that is utilized in the PMBOK processes and not in ISO 14971. Likewise, risk reporting is included in ISO 14971 and not in the PMBOK phases. Risk planning in PMBOK includes the activities needed to develop a risk management plan, which is developed based on input from impacted parties such as patients, caregivers, and manufacturers. Also note in Table 1 that the ISO 14971 and PMBOK methodologies have similar activities in the Risk Assessment and Risk Monitoring and Controlling phases.

Table 1 ISO 14971 and Project Risk Management

After integrating ISO 14971 and Project Risk Management methodologies, the next step is to use the hybrid methodology to execute the activities related to each phase using the tools and techniques identified in Table 2. The phases in Table 2 are conducted using an ethical underpinning related to duty-based and outcome-based ethics. The duty-based components of the framework are focused on the prevention of adverse events related to medical devices and the outcome-based components of the framework focus on the consequences of the actions and are related to the end goals.

Figure 1 Ethical risk management framework. Data from these studies.5,9

Table 2 Risk Breakdown Structure: Example Using Abbott Laboratories

Step 1: Risk Planning: Risk Planning includes a framework to plan risk management activities. Specifically, during risk planning the project team and stakeholders need to identify risk management processes and create a plan which will detail how risk management activities will be planned and implemented. The risk management plan includes identifying the potential sources of harm (risks) from using a device as well as the uses and foreseeable misuses5 with an emphasis on preventing the activities that diminish the consumer’s trust. The plan risk management process is focused on defining, in the risk management plan, how risk management activities will be conducted. Some of the key components of the risk management plan are as follows: risk strategy, methodology, roles and responsibilities, funding, timing, risk categories, scales for probability and impact, and reporting.9 See the Risk Breakdown Structure tool for Abbott Laboratories in Table 2, which is used to display risk categories in the risk management plan.

Step 2: Risk Assessment: Risk assessment includes risk analysis, evaluation and prioritization of the identified risks. During this phase, the risks are analyzed and evaluated based on the severity of the risks and the probability of occurrence with a focus on the duty to prevent activities that create adverse events.4,9 See Table 3 for the Example Severity Criteria used in this study and Table 4 for the Example Probability of Occurrence Criteria. Thereafter, the risks may be prioritized in rank order based on the severity criteria and probability criteria considering fairness and trust as a duty. This step also includes planning for the responses to the identified risk. In this study we use the following PMBOK responses: mitigation (response will reduce the probability of occurrence and/or impact of an adverse event) and accept (no proactive risk responses).9

Table 3 Example Severity Criteria

Table 4 Example Probability Criteria

Step 3: Risk Monitoring and Control: Risk monitoring includes implementing the risk response plans and usually includes tracking the impacts of the responses and evaluating overall residual risk acceptability, which can yield new risks.9 The control component of this step is focused on risk control options such as safety by design and protective measures in the design or manufacture, as well as considerations for product safety. The activities in this phase are focused on monitoring and controlling the risk activities as well as the consequences that result from not performing the duties associated with preventive tools and techniques. See Table 5 for the Risk Register that can be used to document risks, assess risks, monitor and control risks as well as track the outcomes associated with the risks. Therefore, the Risk Register displays key comprehensive information related to ongoing risks identified and assessed from steps 1, 2, and 3, herein and in one study classified as a trust-level document to help with a broader understanding of risks.15 Note that in Table 5 the authors recommend that Abbott Laboratories provide response plans for those risks that have been assessed as Medium and High.

Table 5 Risk Register to Support Duty-Based and Outcome-Based Activities

Step 4: Risk Reporting: Risk reporting includes communicating the risks to all impacted parties. The reports include documented evidence of the risk management plan and risk management reviews.5,9 The activities in this step are focused more on the consequences of the actions with an emphasis on what is my end goal and what results do I want to achieve through reporting.12 The reports address critical risks and emerging risks that may cause future issues if not monitored and controlled and also involve collecting production and post-production information.5

Conclusion

Risk-free medical devices are not realistic; however, stakeholders’ expectations about the use and performance of the devices are becoming more risk averse, with the expectation that manufacturers have a duty to focus on the prevention of activities that will diminish the consumer’s trust in the use of the devices.7 The research and development of medical devices focuses on the benefits and use to ensure those devices align with the regulations of the FDA as well as overall consumer trust in the device. Risk management is utilized in this study as a framework to increase the chances that organizations achieve their goals by planning and responding to risks related to the design and development of medical devices.

To mitigate the chances that risks (adverse events) occur during the manufacturing and use of medical devices, this study has focused on providing a hybrid risk management approach for organizations noting the use of ISO 14971 activities as well as the PMBOK activities. The PMBOK activities included in the approach are focused on the development of the medical devices as operational projects. These operational projects need to be planned and managed by dedicated project teams including skilled resources to plan, identify, and implement risk-related activities.9 The hybrid risk management approach provides a roadmap for manufacturers, such as Abbott Laboratories, to use project planning tools and techniques to augment the activities identified by ISO 14971. Additionally, the framework included tools and techniques to decrease the likelihood and impact of risks as organizations design, develop, test, produce and deploy medical software devices. The risk management approach in this study is used not only to prevent and mitigate adverse events related to medical devices but also to help companies make informed medical device decisions by recommending the steps, activities, and tools and techniques to support the management of adverse events related to medical devices.

Acknowledgments

The authors have no acknowledgments.

Disclosure

The authors report no conflicts of interest in this work.

References

1. Federal Drug Administration. How to determine if your product is a medical device. Available from https://www.fda.gov/medical-devices/classify-your-medical-device/how-determine-if-your-product-medical-device. Accessed December 27, 2019.

2. Medical Device Safety; 2020. Available from https://www.fda.gov/medical-devices/medical-device-safety. Accessed January 6, 2021.

3. Preidt R. U.S. spends trillions on health care, but health stats remain low: study. Available from https://www.usnews.com/news/health-news/articles/2020-01-31/us-spends-trillions-on-health-care-but-health-stats-remain-low-study. Accessed January 10, 2021.

4. Insup L, Pappas G, Cleaveland R, et al. 2006. High-Confidence medical device software and systems. Computer. 2006;39(4):33–38. doi:10.1109/MC.2006.127

5. ISO 14971. Medical Devices – Application of Risk Management to Medical Devices. Switzerland: ISO; 2007.

6. Cicmil S. Quality in project environments: a non-conventional agenda. Int J Reliability Manage. 2000;17(4/5):540–570.

7. Citron P. Ethics considerations for medical device R&D. Prog Cardiovasc Dis. 2012;55:307–315. doi:10.1016/j.pcad.2012.08.004

8. Altayyar SS. The essential principles of safety and effectiveness for medical devices and the role of standards. Med Devices Evidence Res. 2020;13:49–55. doi:10.2147/MDER.S235467

9. Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 6th ed. Newton Square, Pennsylvania: Project Management Institute; 2017.

10. Form 10-K Abbott Laboratories. Available from https://sec.report/Document/0001104659-20-023904/. Accessed January 6, 2021.

11. Kant I. Groundwork of the Metaphysics of Morals. New York: Harper & Row; 1964.

12. Miller FB, Cross RL. The Legal Environment of Business. 9th ed. Stamford, CT: Cengage Learning; 2014.

13. Varouxakis G, Kelly P, eds. John Stuart Mill - Thought and Influence: The Saint of Rationalism (Routledge Innovations in Political Theory). 1st ed. New York: Routledge; 2010.

14. Kendrick T. Identifying and Managing Project Risk. New York, NY: AMACOM; 2009.

15. Simsekler MCE, Card AJ, Ward JR, Clarkson PC. Trust-level risk identification guidance in the NHS East of England. Int J Risk Saf Med. 2015;27:67–76. doi:10.3233/JRS-150651

Creative Commons License © 2021 The Author(s). This work is published and licensed by Dove Medical Press Limited. The full terms of this license are available at https://www.dovepress.com/terms.php and incorporate the Creative Commons Attribution - Non Commercial (unported, v3.0) License. By accessing the work you hereby accept the Terms. Non-commercial uses of the work are permitted without any further permission from Dove Medical Press Limited, provided the work is properly attributed. For permission for commercial use of this work, please see paragraphs 4.2 and 5 of our Terms.