Doing Right Things When Designing Medical Devices

  • By: Dev Raheja
  • Date: June 08, 2011
  • Source: ComplianceOnline

Dr. W. Edwards Deming, the architect of Japan’s rise to world leadership in quality, used to say, “working hard won’t help if you are working on the wrong things.” That framing may not appeal to many medical device developers, but the positive version of the same idea does: “working hard won’t help unless we are working on the right things.” It is a good value statement for medical devices. What follows is a discussion of some of those right things that are often overlooked.

The Requirements Should Include What the Product Shall Not Do

About 60 percent of projects fail because of incomplete, missing or vague requirements. Since requirements carry such a high share of the risk, it makes sense to put extra effort into writing proper requirements and into requirements analysis. We should include not only the functions a product must perform but also the functions it must not perform. The purpose is not only to treat the patient but also, wherever possible, to protect the patient from harm. Example: a pacemaker must not deliver an excessive or insufficient pacing rate even when an unexpected situation arises, such as the patient walking into a strong magnetic field in a shopping mall. Ask questions such as: how can the product malfunction under abnormal conditions, unintended faults, over-use, lack of maintenance, missed calibrations, or misuse?

An outcome the device must never be allowed to produce is a serious event. Per the FDA [1], a serious event is any event that is:

• Fatal
• Life-threatening
• Permanently or significantly disabling
• Requiring or prolonging hospitalization
• A congenital anomaly
• Requiring intervention to prevent permanent impairment or damage

Enhance the Long Term Functionality

A medical device must function safely even if a patient uses it beyond the intended device life. The U.S. legal system accepts such a notion for protecting consumers from harm. Therefore, we must design in high reliability, long durability, and ultrahigh safety. Reliability is the percentage of devices that survive for a defined time. Durability is the minimum life before components start to fail from wear and tear; components that are replaced during preventive maintenance are excluded from the durability assessment. A good guideline is to design for twice the intended life [2]. Engineering schools teach this principle as a 100% design margin. Ultrahigh safety can be defined as “freedom from harm.”

For many medical devices, failure is not an option. Critical care devices such as oxygen concentrators, lasers, ventilators, MRI scanners, insulin pumps, and implantable pacemakers must be highly reliable. However, a high reliability standard is hard to maintain in today’s environment of intense global competition, where pressure for shorter product-cycle times, stringent cost constraints, and rising customer expectations all compete for attention. We must find a way to meet them without compromising safety.

Minimize Hazards in the Software of the Device

Depending on how many paths there are in the software and how they interconnect, unexpected failures and malfunctions can occur. Sometimes false positives or false negatives result in serious events. A Florida hospital disclosed that 77 brain cancer patients had received 50 percent more radiation than prescribed because the supposedly precise linear accelerators had been programmed incorrectly for nearly a year [3].

There are also cases where the device manufacturer does not appear to be responsible for user mistakes. Experienced physicians, who know their job thoroughly and find frequent alarms annoying, shut down the alarms from the electronic medical records system. As a result, the junior physicians do not receive those alarms either, and they wind up making mistakes. The likely bottom line is that the hospital is held responsible for not following proper patient care, and the device manufacturer is held responsible as well, for allowing physicians to shut down critical alarms without any safeguard that mitigates the risk.
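The safeguard the paragraph above calls for can be built into the alarm channel itself. The following is an added illustration, not code from the article or from any EMR or device vendor: a critical alarm can only be acknowledged, never silenced; a non-critical alarm can be silenced only for the user who asked, only for a bounded time, and every request is written to an audit log. The alarm names, priority tiers, user names, maximum silence durations and audit format are all assumptions made for the example.

```python
"""Alarm-silencing safeguard for a device or EMR alert channel.

Added illustration, not code from the article or any product: one way to let
an experienced clinician quiet nuisance alerts for themselves without letting
anyone switch off critical alerts, or switch off alerts for everyone else.
Alarm names, priorities, users, timeouts and the audit format are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Priority(Enum):
    CRITICAL = 3   # can only be acknowledged, never silenced
    HIGH = 2       # may be silenced briefly, for one user, with an audit record
    LOW = 1        # may be silenced longer, for one user, with an audit record


# Longest permitted silence per priority, in seconds (assumed values).
MAX_SILENCE_S = {Priority.HIGH: 120, Priority.LOW: 3600}


@dataclass
class AlarmPolicy:
    """Decides whether an alarm is shown to a given user at a given time."""
    audit_log: list = field(default_factory=list)
    _silenced: dict = field(default_factory=dict)   # (user, alarm) -> expiry time

    def silence(self, user: str, alarm: str, priority: Priority,
                seconds: int, now: float) -> bool:
        """Silence an alarm for one user only. Returns False if the request is refused."""
        if priority is Priority.CRITICAL:
            self.audit_log.append((now, user, alarm, "silence refused: critical"))
            return False
        if seconds <= 0 or seconds > MAX_SILENCE_S[priority]:
            self.audit_log.append((now, user, alarm, "silence refused: duration"))
            return False
        self._silenced[(user, alarm)] = now + seconds
        self.audit_log.append((now, user, alarm, f"silenced for {seconds}s"))
        return True

    def should_alert(self, user: str, alarm: str, priority: Priority, now: float) -> bool:
        """True if this user must see the alarm right now."""
        if priority is Priority.CRITICAL:
            return True
        expires = self._silenced.get((user, alarm))
        if expires is None:
            return True
        if now >= expires:
            # The silence lapses on its own; nobody has to remember to re-enable it.
            del self._silenced[(user, alarm)]
            self.audit_log.append((now, user, alarm, "silence expired"))
            return True
        return False


def demo() -> dict:
    """The scenario in the text: a senior physician silences alarms; a junior must still get them."""
    policy = AlarmPolicy()
    senior_high = policy.silence("dr_senior", "potassium_high", Priority.HIGH, 60, now=0.0)
    senior_crit = policy.silence("dr_senior", "asystole", Priority.CRITICAL, 60, now=0.0)
    return {
        "senior_may_silence_high": senior_high,        # True
        "senior_may_silence_critical": senior_crit,    # False
        "junior_still_alerted": policy.should_alert("dr_junior", "potassium_high", Priority.HIGH, 10.0),  # True
        "senior_quiet_in_window": policy.should_alert("dr_senior", "potassium_high", Priority.HIGH, 10.0),  # False
        "senior_alerted_after_expiry": policy.should_alert("dr_senior", "potassium_high", Priority.HIGH, 61.0),  # True
        "audit_entries": len(policy.audit_log),        # 3
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that silencing is scoped to the requesting user and expires by itself; the junior physician in the story keeps receiving the alarm regardless of what the senior did, and the audit log records every refusal as well as every grant.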

Software is the most dangerous element because the causes of unexpected behavior cannot easily be seen or detected. It can turn devices off at the wrong time, turn them on at the wrong time, give inaccurate results on a CT or MRI, mix up patient records, put records in the wrong file, and give false positives or false negatives. Make sure you consider a wide range of possibilities, including how the system will recognize false outputs.

Design to Reduce Life Cycle Costs

The total cost to the manufacturer and to the customer over the expected device life is called the life cycle cost (LCC), or, from the customer’s side, the total cost of ownership. The LCC consists of “Parts Cost + Inspection/Test Costs + Scrap/Rework Costs + Warranty Costs + Maintenance Costs + Cost of Harm and Potential Recall” for the entire duration of the device life. The customer ultimately pays the entire LCC: part of it in the price of the product and the rest directly. The goal should be to minimize all of these costs by design, so that the manufacturer prevents downtime disruptions for the customer and harm to the users. In the early days of desktop copiers, Canon took more than 80% of the market share from Xerox by designing out maintenance altogether.

Design to Add Value

Value Analysis is a process of simplifying the design so that the product is produced with high inherent quality at a lower cost. In other words, it is a tool for increasing the efficiency of the design. Example: minimize the number of fasteners in the design, or eliminate them if possible. Some standard techniques are:

• Combine several parts of an assembly into a single piece so that tolerance stack-up is avoided.
• Eliminate unreliable processes such as welding, adhesive bonding, and dependence on production operator skill.
• Design components so that assembly operators and maintenance personnel cannot install them backwards or in the wrong orientation.
• Modularize the design so that modules can be replaced easily instead of troubleshooting for a problem component when a device malfunctions.
• Design unique fittings and interfaces where safety is critical, such as for intravenous tubes and connectors.
• Design electrical controls so that turning clockwise increases the quantity, and pneumatic controls so that turning anticlockwise increases it. The reason: this matches ingrained human stereotypes and prevents inadvertent errors.

Design for User-Friendliness

Patients using medical devices are often disoriented and make mistakes easily. To protect them from harm, we must design devices that prevent such vulnerability. A ventilator may have the volume control and the breathing control knob next to each other; a patient may turn the wrong knob and initiate harm. Keeping the knobs far apart prevents that confusion. Even highly trained personnel make mistakes: a maintenance technician working on anesthesia equipment may connect a hose to the wrong gas supply. Designing unique fittings for each hose prevents such accidents.

A good tool for designing for user-friendliness is Usability Analysis. It requires brainstorming on the following structured topics to get a comprehensive picture of the potential user errors:

• What can go wrong in normal use? This includes unexpected behavior of the device, user errors, and sudden failures. Make sure to include software anomalies.
• What can go wrong in abnormal situations such as loss of electric power, fire, or an epidemic?
• How can anyone in the system misuse the product? Include misuse by caregivers, patients, visitors, maintenance technicians, and support staff.
• How can the product experience abuse? This includes someone ignoring procedures, or a housekeeper spraying water near electrical devices while washing the floor. In one hospital, a patient died because the housekeeper unplugged the life support system in order to plug a vacuum cleaner into the outlet.

Design for Prognostics to Minimize Surprise Failures of the Device

The purpose of prognostics is to detect the symptoms of possible malfunctions and failures and warn the user well before the product actually fails. The device can analyze data collected from various sensors in real time to diagnose performance problems, discern impending faults, and schedule maintenance. This may involve monitoring the vital signs of the device and using artificial intelligence to analyze what could go wrong, diagnose potential problems, and suggest an intervention.
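One simple prognostic mechanism, and the one the recommendations below name for early warning, is a statistical control chart over a sensor channel. The following is an added example, not code from the article or from any device: an individuals chart learns its center line and 3-sigma limits from a healthy baseline of device temperature readings, then watches a live stream and warns on a sustained drift (eight consecutive readings on one side of center, a Western Electric style run rule) long before the assumed hard shutdown threshold is reached. The baseline, the drifting readings, the 42 °C hard limit and the run length are all constructed assumptions.

```python
"""Prognostic monitoring with a Shewhart individuals control chart.

Added example, not code from the article: a device temperature channel is
checked against limits learned from a healthy baseline, and a drift warning
fires on a sustained run of readings above center, well before the assumed
hard shutdown threshold. Baseline, readings, limits and the run rule are
constructed assumptions.
"""
from statistics import mean, stdev
from typing import List, Optional, Tuple

HARD_LIMIT_C = 42.0  # assumed temperature at which the device must stop


class ControlChartMonitor:
    """Individuals chart: 3-sigma limits plus an N-in-a-row run rule."""

    def __init__(self, baseline: List[float], run_length: int = 8, sigma_mult: float = 3.0):
        if len(baseline) < 2:
            raise ValueError("need at least two baseline readings")
        self.center = mean(baseline)
        sd = stdev(baseline)
        self.ucl = self.center + sigma_mult * sd
        self.lcl = self.center - sigma_mult * sd
        self.run_length = run_length
        self._above = 0
        self._below = 0

    def observe(self, x: float) -> Optional[str]:
        """Feed one reading; return a warning the moment a rule fires, else None."""
        if x > self.ucl:
            return f"out of control: {x:.1f} above UCL {self.ucl:.2f}"
        if x < self.lcl:
            return f"out of control: {x:.1f} below LCL {self.lcl:.2f}"
        # Run rule: run_length consecutive points on one side of the center line
        if x > self.center:
            self._above, self._below = self._above + 1, 0
        elif x < self.center:
            self._below, self._above = self._below + 1, 0
        else:
            self._above = self._below = 0
        if self._above >= self.run_length:
            self._above = 0   # fire once per run, not on every further reading
            return f"drift: {self.run_length} consecutive readings above center {self.center:.2f}"
        if self._below >= self.run_length:
            self._below = 0
            return f"drift: {self.run_length} consecutive readings below center {self.center:.2f}"
        return None


def first_warning(monitor: ControlChartMonitor,
                  readings: List[float]) -> Tuple[Optional[int], Optional[str]]:
    """Index and text of the first warning in a stream, or (None, None) if it stays healthy."""
    for i, x in enumerate(readings):
        msg = monitor.observe(x)
        if msg is not None:
            return i, msg
    return None, None


def warning_lead(baseline: List[float], readings: List[float]) -> dict:
    """Compare when the chart warns with when the hard limit would be reached."""
    warn_at, msg = first_warning(ControlChartMonitor(baseline), readings)
    hard_at = next((i for i, x in enumerate(readings) if x >= HARD_LIMIT_C), None)
    lead = None if warn_at is None or hard_at is None else hard_at - warn_at
    return {"warn_at": warn_at, "message": msg, "hard_limit_at": hard_at, "lead_readings": lead}


# Constructed data: ten healthy readings, then a slow creep as if a filter were clogging.
BASELINE_C = [36.0, 36.2, 35.9, 36.1, 36.0, 35.8, 36.2, 36.1, 35.9, 36.0]
DRIFTING_C = ([36.0, 35.9, 36.1, 36.0]
              + [36.1, 36.1, 36.2, 36.2, 36.3, 36.3, 36.3, 36.4]
              + [36.5 + 0.5 * k for k in range(12)])   # 36.5 .. 42.0

if __name__ == "__main__":
    print(warning_lead(BASELINE_C, DRIFTING_C))
```

On the constructed stream the run rule fires at the twelfth reading, while the readings stay far below 42 °C for another dozen samples; that gap is the lead time a technician gets to intervene before the fail-safe path would have to stop the device.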

Recommendations for Design Improvements

My recommendation for medical device companies is to include the above requirements, and more, as an integral part of the preliminary design review process. An efficient and safe design is the key to market leadership and to FDA compliance. When trying to make the product more robust, apply the following actions in order of precedence:

• Eliminate the problem entirely. In an analysis of neuraxial analgesia at Washington Hospital Center, the team discovered that a major potential cause of error was an additional port on the line that would allow a medication to be administered into the epidural space. They asked the manufacturer of the equipment to eliminate the additional port. The cost was nothing. The errors disappeared forever! [4]

• Implement fault tolerance. In a blood analyzer, the analysis revealed that blood test results can be false if the device temperature rises above a threshold. The supplier added a fan to keep the device cooler. Someone on the team asked what would happen if the fan failed. The team added a second fan arranged so that the two fans took turns; because each fan has to run on its turn, a fan that fails is noticed right away, and the device technician is alerted. The result: the device worked fine even when one fan failed. This is the concept of fault tolerance. The same idea applies to procedures: if one procedure fails, a second procedure safeguards the patient. At Johns Hopkins the surgeon prevents central line bloodstream infections by having a nurse monitor his or her steps in the process. This is still fault tolerance.

• Design the device to fail safely. If the above strategies are not practical, design intelligence into the system (inside or outside the device) to shut the system down before any harm is done.

• Design in early warning of potential harm. Usually statistical control charts are used to monitor trends in the patient’s vital signs or in the device’s abnormal behavior, with an alarm.

• Develop robust training for customers. Robust training requires periodic audits by an independent person to assure the procedure is adequate. It also requires the training procedures to be improved as problems are discovered.
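The fault-tolerance and fail-safe steps in the list above can be seen together in a small simulation. What follows is an added example, not code from the article or from any analyzer vendor: two fans take turns cooling a blood analyzer, a fan that does not spin on its turn is reported for service while the other fan carries on, and if cooling is lost entirely and the temperature passes the threshold, the analyzer withholds its result instead of reporting a value that may be false. The fan tachometer feedback, the 40 °C threshold, the heat per cycle and the analyte value are all assumptions of the example.

```python
"""Redundant cooling with alternation, failure detection and fail-safe shutdown.

Added example, not the article's code: models the blood-analyzer fix described
above. Two fans take turns; because each must run on its turn, a failed fan is
noticed immediately instead of hiding behind the working one. If cooling is
lost and the device runs hot, results are withheld rather than reported.
Tachometer feedback, thresholds, heat per cycle and readings are assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_TEMP_C = 40.0   # assumed temperature above which results become unreliable


@dataclass
class Fan:
    name: str
    healthy: bool = True

    def spin(self) -> bool:
        """Return True if the (assumed) tachometer confirms the fan is turning."""
        return self.healthy


@dataclass
class CoolingController:
    fans: List[Fan]
    turn: int = 0
    events: List[str] = field(default_factory=list)
    _reported: set = field(default_factory=set)

    def cool_once(self) -> Optional[str]:
        """Run the next fan in rotation, falling back to any other fan if it fails.
        Returns the name of the fan that spun, or None if no fan works."""
        n = len(self.fans)
        for k in range(n):
            fan = self.fans[(self.turn + k) % n]
            if fan.spin():
                self.turn = (self.turn + k + 1) % n   # next turn goes to the following fan
                return fan.name
            if fan.name not in self._reported:        # report each failed fan once
                self._reported.add(fan.name)
                self.events.append(f"FAN FAILURE: {fan.name} did not spin; call service")
        return None


@dataclass
class BloodAnalyzer:
    cooling: CoolingController
    temp_c: float = 36.0
    ran: List[Optional[str]] = field(default_factory=list)

    def cycle(self, heat_c: float = 2.0) -> None:
        """One duty cycle: analysis adds heat; one working fan removes it (assumed model)."""
        self.temp_c += heat_c
        fan = self.cooling.cool_once()
        self.ran.append(fan)
        if fan is not None:
            self.temp_c -= heat_c

    def report(self, raw: float) -> Optional[float]:
        """Fail safe: withhold the result when the device is too hot to trust."""
        if self.temp_c > MAX_TEMP_C:
            self.cooling.events.append(
                f"FAIL-SAFE: {self.temp_c:.1f} C exceeds {MAX_TEMP_C:.1f} C; result withheld")
            return None
        return raw


def scenario(fan_a_ok: bool, fan_b_ok: bool, cycles: int = 4) -> dict:
    """Run a few duty cycles and report what the patient-facing result would be."""
    ctl = CoolingController([Fan("A", fan_a_ok), Fan("B", fan_b_ok)])
    dev = BloodAnalyzer(ctl)
    results = []
    for _ in range(cycles):
        dev.cycle()
        results.append(dev.report(5.4))   # 5.4 is a constructed analyte reading
    return {"ran": dev.ran, "temp_c": dev.temp_c, "results": results, "events": ctl.events}


if __name__ == "__main__":
    for a, b in [(True, True), (False, True), (False, False)]:
        print(f"fan A ok={a}, fan B ok={b}:", scenario(a, b))
```

With both fans working the rotation is A, B, A, B and nothing is logged; with fan A dead the device keeps running on B with one service event, which is the fault-tolerant case; with both fans dead the temperature climbs and the analyzer starts returning no result at all, which is the fail-safe case. Reporting nothing is safer than reporting a number the text says may be false.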



[1] MedWatch, The Clinical Impact of Adverse Event Reporting, FDA Continuing Education Article, October 1996. Downloaded on May 28, 2011 from

[2] Hegde, V., Raheja, D., Design for Reliability in Medical Devices, Annual Reliability and Maintainability Symposium, 2010.

[3] Bogdanich, W., Radiation Offers New Cures, and Ways to Do Harm, The New York Times, January 23, 2010.

[4] Source for the Washington Hospital Center FMEA: Directory of Solutions, Fifth Annual Maryland Patient Safety Conference, 2009.
