It's time to start applying system safety to medical devices

Insights from a conversation with Jon Ward

Note: this is a recording of a LinkedIn audio event with Jon Ward of Abbott. The article below highlights a few key points from the discussion.

The practice of risk management in the medical device industry remains a challenge. Despite our best efforts, recalls with serious consequences for safety are common in our industry. FDA warning letters and other safety communications[1] disclose many gaps in the Quality Management System that are linked to easily preventable malfunctions in the field.

It has been nearly 25 years since the FDA finalized the Quality System Regulation[2], but it is clear that an industry-wide, intense focus on regulatory compliance has failed to produce the desired results in Quality and Safety.

The current pace of technology innovation, particularly in the area of interoperable medical devices, is now highlighting a need to take a more holistic view of Quality and Safety.

It is time to learn from other mature industries and apply the principles of system safety in our medical device industry.

Listen to the recording of our conversation above to learn more.

Here are a few key highlights from this discussion.

1. What is Systems Safety Engineering?

Systems safety[3] is one of several engineering specialties embedded in the Systems Engineering process. It should not be treated as an additional process layer.

The primary objective of system safety is to influence the design of safety-critical systems with safety-related requirements that address the entire lifecycle of a medical device. The best safety engineering processes begin in concept development, with the intent of ruling out potentially unsafe design approaches from the outset.

Safety cannot happen as an afterthought. It needs to be designed in.

So, at a high level, System Safety Engineering is about the identification and integration of safety requirements at the system level. The main goal throughout the development lifecycle is to identify, analyze, eliminate, control and monitor hazards.

It also involves building and communicating the safety case to stakeholders to ensure alignment on safety requirements. Achieving and maintaining this alignment is very important because the design and development process inherently involves many trade-offs. We want to make sure that safety-related requirements are not compromised during these discussions.

In many ways, the System Safety approach is fully aligned with the risk management requirements outlined in ISO 14971[4].

2. What are some of the practical challenges in the industry?

As a general observation across the medical device industry, risk management is viewed as a paperwork exercise to comply with regulatory requirements. It is not uncommon to find that the different activities involved in the risk management process are conducted in a disjointed manner. In fact, one of the common challenges during risk management audits is clearly demonstrating the completeness and traceability of risk control activities in the risk management file.

Second, our industry culture is conservative and generally resistant to change. Once we have obtained regulatory approval or clearance for our medical device, there is no incentive to change unless required as a result of warning letters or recalls. The natural instinct is to stay the course.

Third, there is a general lack of sound and mature Systems Engineering practices. Medical device companies continue to struggle with requirements development during the design and development process. Some treat design input as a paperwork exercise, just as they do risk management. The result is missing or poorly defined requirements from a safety point of view.

When we hear “after all, safety is everyone’s job”, it practically means it is no one’s job. Safety has to be treated as a dedicated responsibility.

It is not that our industry does not think about safety. However, the primary focus during design and development is on demonstrating safety and effectiveness[5] to obtain regulatory approval or clearance. It is only during the post-market phase that we become aware of gaps in our risk management and design processes, and our instinct to stay the course keeps us from proactively taking a hard look at these vulnerabilities and taking early action.

3. Best practices for improving risk management using system safety

As noted above, the system safety approach is best deployed at the early design and development phase during requirements development.

It is important to consider the overall system requirements, including safety requirements, before jumping straight into the functional requirements of a medical device. Our current approach is to start bottom-up, at the component level, and try to build up to the device level using inductive reasoning. But we fail to see the broader use case: the device in the hands of a nurse, a doctor or a patient.

A medical device, a system in itself, is part of a bigger system[6] that also includes the use environment. Therefore, understanding the nature of the different interactions across many interfaces is critical to understanding the different factors related to safety.

Step one, therefore, is to have a good process of developing requirements, starting at the system level then drilling down to the device, components and process levels. When thinking about safety, we have to first look at potential scenarios and outcomes where user or patient safety is compromised regardless of the underlying device-related factors.

Keep the outcome(s) in mind and don’t fixate on solutions first. Starting with solutions is like trying to walk in a straight line by looking at your feet.

We should consider using a variety of risk analysis techniques, not just rely on Failure Mode and Effects Analysis (FMEA). FMEAs are widely used in the medical device industry, sometimes to the point that FMEA is the only technique used for risk analysis. But FMEA is not hazard analysis, which, in combination with Fault Tree Analysis (FTA), can be applied more effectively at the system level. In this way, the analysis becomes a top-down, deductive process rather than a bottom-up, inductive one.

Second, we should learn from other industries such as automotive and aerospace, where systems engineering approaches, including system safety, are at a more mature stage. ISO 26262, for example, is a series of functional safety standards for the automotive industry. In particular, ISO 26262-2:2018[7] applies to automotive safety-related systems that include electrical and/or electronic (E/E) systems, for the management of functional safety. Similarly, a vast body of knowledge has been developed in the aerospace industry.

In the context of medical devices, we have to figure out how best to connect the terminology used in our industry with terminology and concepts used in these other industries to appropriately apply these principles.

Third, as discussed in the recent article referenced below, we need a stronger, more effective post-market safety-surveillance system.

Let's Talk Risk: "The real reason why post-market safety surveillance must become a top priority"

> A cardiac defibrillator locks up after delivering the first shock, causing a delay in treatment, which can result in serious injury or death. A needle-free closed system used to deliver chemotherapy drugs could release tiny plastic particles into a patient's bloodstream, which can cause blockage…

One common problem we face is that our current hazard analysis and FMEA practices are not effective in helping us map each individual complaint to a specific hazard and hazardous situation. We are not able to explain the differences between the predicted rate of occurrence and the actual rate observed in the post-market data. Finally, our risk acceptability criteria are not specific and actionable, and we tend to accept a traditional 5x5 risk matrix without question. These challenges in our current post-market system limit our ability to make risk-based decisions in a timely way.
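As an added illustration of the gap described above (this is example code written for this article, not Abbott's or the author's own process), the block below maps constructed complaint records to hazard IDs, converts each hazard's pre-market predicted occurrence rate into an expected count for the observed exposure, and flags a hazard when the observed count is statistically unlikely under that prediction. The hazard IDs, rates, complaints, exposure and significance level are all constructed assumptions; the flag is one form of the specific, actionable acceptability criterion that a 5x5 matrix lookup does not provide.

```python
import math
from collections import Counter

# Constructed (not from the article): predicted occurrence rate per hazard,
# in events per 1,000 device-years, as stated in the pre-market risk analysis.
PREDICTED_RATE_PER_1000_DEVICE_YEARS = {
    "H-01": 1.5,   # constructed hazard, e.g. delayed therapy
    "H-02": 1.0,   # constructed hazard, e.g. particulate release
    "H-03": 0.5,   # constructed hazard with no complaints yet
}

# Constructed post-market complaints, each already mapped to a hazard ID by an
# analyst. A complaint that could not be mapped to any hazard carries None.
COMPLAINTS = [
    {"id": "C-1001", "hazard": "H-01"}, {"id": "C-1002", "hazard": "H-01"},
    {"id": "C-1003", "hazard": "H-01"}, {"id": "C-1004", "hazard": "H-02"},
    {"id": "C-1005", "hazard": "H-02"}, {"id": "C-1006", "hazard": "H-02"},
    {"id": "C-1007", "hazard": "H-02"}, {"id": "C-1008", "hazard": "H-02"},
    {"id": "C-1009", "hazard": "H-02"}, {"id": "C-1010", "hazard": None},
]


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): one minus the cumulative mass below k."""
    if k <= 0:
        return 1.0
    term = math.exp(-lam)          # P(X = 0)
    cumulative = term
    for i in range(1, k):
        term *= lam / i            # P(X = i) derived from P(X = i - 1)
        cumulative += term
    return max(0.0, 1.0 - cumulative)


def compare_observed_to_predicted(complaints, predicted, device_years, alpha=0.05):
    """Return ({hazard: (expected, observed, p_value, exceeds)}, unmapped_count).

    'exceeds' is True when the observed count would occur with probability
    below alpha if the predicted rate were correct: an actionable trigger to
    revisit the risk analysis rather than a matrix cell to argue about.
    """
    observed = Counter(c["hazard"] for c in complaints if c["hazard"] is not None)
    unmapped = sum(1 for c in complaints if c["hazard"] is None)
    result = {}
    for hazard, rate in predicted.items():
        expected = rate * device_years / 1000.0
        k = observed.get(hazard, 0)
        p = poisson_tail(k, expected)
        result[hazard] = (expected, k, p, p < alpha)
    return result, unmapped
```

Unmapped complaints are counted separately because, as the paragraph notes, a complaint that cannot be tied to a hazard is itself a gap in the analysis, not evidence that the prediction holds.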

Using a system safety approach throughout the device lifecycle can help.

In Conclusion

  1. System safety is one of the engineering specialties embedded in the systems engineering process. The primary objective of system safety is to influence the design of safety-critical systems with safety-related requirements that address the entire lifecycle of a medical device.

  2. In general, risk management in the medical device industry is viewed as a paperwork exercise. Our conservative and change-resistant culture does not facilitate a mindset of continuous improvement unless forced by a serious external event or FDA warning letters.

  3. We have to overcome the barriers listed above and start applying a systems approach to engineering and safety. Medical devices do not operate in isolation. Some of the best practices we can implement are: developing safety-critical requirements early in the design process using system safety, applying a variety of techniques, each suited to its specific purpose, learning from other industries, and building a strong and effective post-market surveillance process.

About Jon Ward

Jon Ward is currently the Senior Manager of Risk Management and Patient Safety at Abbott. He holds a Ph.D. in Computer Science with an emphasis on fault-tolerant distributed computing. Prior to entering the medical device industry, Jon was the Chief Engineer at Eaton’s Innovation Center supporting automotive, truck and aerospace projects in the embedded controls group. In this role, he developed a strong, practical knowledge of system safety by learning industry best practices and translating theories, tools and techniques into working models. Jon has been active in the medical device industry for the last 13 years after his first 20+ years as an industry R&D leader with Honeywell, Rockwell and Eaton.

About Let’s Talk Risk with Dr. Naveen Agarwal

Let’s Talk Risk with Dr. Naveen Agarwal is a weekly live audio event on LinkedIn, where we talk about risk management related topics in a casual, informal way. Join us at 11:00 am EST every Friday on LinkedIn.


Information and insights presented in this article are for educational purposes only. Views expressed by all speakers are their own and do not reflect those of their respective organizations.


[1] As an example, a recent safety communication by the FDA disclosed that 80% of certain knee and ankle-replacement devices were shipped in defective plastic bags since 2004, which may contribute to the degradation of a plastic component, leading to premature failure and revision surgeries.

[2] Code of Federal Regulations: 21 CFR 820 Quality System Regulation

[5] FDA defines safe and effective as "probable benefits outweigh probable risks" (see 21 CFR 860.7). This analysis involves a considerable amount of uncertainty at the time of initial review prior to market authorization.

[6] A system is a holistic unit that is greater than the sum of its parts (see System Safety Engineering by Clifton A. Ericson II). A medical device by itself is not the only determinant of safety.

Naveen Agarwal, Ph.D.