
Medical Device Risk Management for Ultrasound Probes per ISO 14971

Konted clinical standards library · handheld & wireless probes
[Image: ultrasound probe scanning] A convex probe in use; the risk file behind it has to account for every way the device could harm the patient it touches.

ISO 14971 is the standard that tells a manufacturer how to think about everything that could go wrong with a medical device and what to do about it before the device reaches a patient. It is not a list of limits and it names no single number a probe has to clear. It is a discipline: find every way the device could harm someone, judge how bad each harm would be and how likely, reduce the ones that matter, and keep watching once the device is in the field. For a diagnostic ultrasound probe the list of ways to cause harm is longer than a buyer might guess, and this standard is the framework that forces a maker to write all of them down and answer for each one rather than hoping the obvious hazards are the only ones.

Other standards cap a hazard; this one asks whether the maker even found it.

A process, not a limit

The heart of the standard is a loop that runs from the first sketch of a device to the last unit retired from service. A maker identifies hazards, estimates the risk each one carries, decides whether that risk is acceptable, controls the ones that are not, and then checks that the controls worked without quietly creating new hazards of their own.

Risk in this standard is two things multiplied together, the severity of a harm and the probability it happens, and the pairing is deliberate because the two pull in different directions. A harm that is catastrophic but almost impossible can sit at the same level of concern as a harm that is mild but constant, and the standard makes a maker weigh both rather than fixating on the dramatic case and missing the frequent one. Once a risk is judged too high, the standard sets an order of attack that a maker cannot reshuffle for convenience: design the hazard out first, add a protective measure second, and fall back on a warning in the manual only when the first two cannot reach far enough. The order matters because a warning is the weakest control, easy to print and easy to ignore, and a maker that leans on warnings where a design change was possible has taken the cheap path the standard exists to close off. Each control is then checked for whether it introduced a fresh problem, since a fan added to cool a probe can pull in fluid, and a louder alarm added to catch one error can train a user to silence all of them. The loop closes only when the residual risk that remains, after every reasonable control, is weighed against the clinical good the device does and judged acceptable to carry.

The output is a file rather than a certificate, and the file is meant to be argued with.

The hazards hiding in an ultrasound probe

A probe looks simple from the outside, yet the catalogue of things it can do wrong is long. The standard pushes a maker to walk the whole catalogue rather than the few hazards that come to mind first.

[Image: abdominal ultrasound scan] An abdominal scan; a misread image is itself a hazard the risk file must weigh.

The acoustic output can heat tissue or drive cavitation, the hazard the particular safety standard caps and the one buyers think of soonest. The surface that touches the patient can grow hot enough to mark skin during a long study. The materials of the lens and housing can provoke a reaction in the skin they rest against, the question biocompatibility testing answers. A probe moved from one patient to the next can carry infection if it cannot be cleaned the way the label claims. The electronics can leak current, fail in a way that hides a fault, or interpret a stray signal as a command. The image itself is a hazard when it misleads, since a probe that renders an artefact as a lesion or smooths a real lesion into invisibility can send a clinician down the wrong path, and the harm there is a wrong decision rather than a burn. A wireless handheld adds a battery that can overheat, a radio link that can drop mid-scan, and a small body that invites being dropped, splashed, or pocketed unclean. The standard asks a maker to find every one of these, estimate the risk of each, and show the control, and a risk file that lists only the acoustic hazards has skipped the bulk of the device.

The dangerous hazard is the one the file left out.

How it ties the other standards together

ISO 14971 sits above the particular standards rather than beside them, and it gives them their reason for existing. Each narrower standard a probe meets is, in the language of risk management, a control measure for a hazard the risk file identified.

The acoustic limits of the diagnostic safety standard are the control for the acoustic hazard; the biocompatibility testing of the materials standard is the control for the tissue-reaction hazard; the electromagnetic compatibility standard is the control for the interference hazard. The risk file is where they all report in, the document that says which hazard each standard answers and how much risk is left once it has been applied. A maker that treats the narrower standards as a checklist to be stamped, without ever asking whether the set of them covers every hazard the device presents in use, has met a stack of standards and still missed the point of this one, since the gaps between standards are exactly where an unexamined hazard hides. The reviewer who reads the file well checks the seams, looking for the hazard that no single standard owns, the cleaning instruction that no test quite covers, the failure mode that falls between the electrical standard and the software one. Conformance to the parts does not add up to safety on its own; the risk file is the argument that the parts, taken together, leave nothing dangerous unaddressed.

[Image: ultrasound machine console] An ultrasound system; conformance to the narrower standards reports into the one risk file above them all.

When a risk counts as acceptable

The hardest judgement in the whole file is the one the standard cannot make for the maker: deciding when a remaining risk is small enough to live with. The number is never zero, and pretending it is would be its own kind of dishonesty.

Every device that does anything useful carries some residual risk once the controls have done their work, and the standard asks a maker to set, in advance and in writing, the criteria by which it will call a residual risk acceptable. Setting those criteria before the analysis begins is the safeguard against the temptation that comes later, since a maker that decides what counts as acceptable only after seeing its own results will quietly bend the line to fit the device it already built. The acceptable risk is then weighed against the clinical benefit the probe delivers, because a scan that catches a bleed early carries a benefit that can justify a risk a frivolous device never could, and the same residual risk can be acceptable in a lifesaving application and indefensible in a cosmetic one. This benefit-risk weighing is where the standard stops being arithmetic and becomes judgement, and a serious file shows its reasoning rather than asserting a conclusion, naming the benefit, the residual risk, and the grounds for calling the trade defensible. A handheld sold for emergency assessment can defend a different risk profile than one sold for routine screening, and a file that applies one blanket threshold to every use has skipped the thinking the standard is built around. The reviewer reads this section closely, since it is where an honest maker admits what it could not eliminate and a careless one papers over what it never examined.

A device with no residual risk on paper is not safer; it is less honestly described.

State of the art, and why it moves

The standard judges a maker against what is achievable now, rather than against what was acceptable a decade ago. That moving benchmark is one of the document’s quiet teeth.

A risk control that counted as reasonable when a device class was young can count as negligent once the field has found a better way, and the standard expects a maker to keep its file abreast of the state of the art rather than freezing it at launch. A probe that still relies on a warning in the manual to manage a hazard that competitors now design out has fallen behind the benchmark, and the residual risk it carries is no longer the risk it was when the file was written, since the benchmark moved underneath it while the device stood still. A maker that tracks the field can see that drift coming and revise its controls before a regulator or a court points it out. This is why a risk file is a living document and not a launch artefact: the same residual risk can drift from acceptable to unacceptable without the device changing at all, simply because the world around it learned to do better. A maker that revisits the file as the field advances is doing the unglamorous work the standard asks for, and one that files it once and forgets it has a document that describes a device the market has already moved past.

Post-market is half the standard

The work does not stop when the device ships. A large part of the standard concerns what a maker does once real users meet the device in conditions no laboratory fully predicted.

Field complaints, service records, and reports of harm flow back into the risk file, and a probability a maker estimated before launch gets corrected by what in fact happens in clinics. A failure judged rare on paper that turns out common in the field forces the risk back up the ladder and the controls back under review, and the standard treats that feedback loop as part of the device’s safety rather than as customer service. For a wireless handheld sold in large numbers to varied users, this matters more than it did for a costly cart operated by a trained sonographer, since the device meets hands and environments the designers never sat across from. A maker with a real post-market system catches the cleaning step users skip, the drop the housing does not survive, the preset that runs hotter in practice than in the test, and feeds each back into the file. A maker without one learns the same lessons from lawsuits and recalls, and the patients who taught them did not consent to the lesson. The cost of finding a hazard late is paid first by a patient and second by the maker, in that order, and a working post-market system is the maker buying itself the chance to find the hazard before the patient does.

A risk file that never changed after launch is a file sitting unread.
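The loop described under "A process, not a limit", the acceptability criteria fixed in advance under "When a risk counts as acceptable", and the post-market feedback above can be written down as a small risk-file model. The code below is an added example for this article, not a tool from Konted or from the standard: the 1..5 severity and probability scales, the product threshold of 6, the three sample hazards and every control named in them are constructed assumptions for illustration. It scores each hazard, refuses to let a later result move the acceptance line, flags hazards that lean on warnings alone, surfaces hazards that a control itself introduced, and shows a residual risk drifting from acceptable to unacceptable once field data overrides the paper estimate.

```python
"""Toy model of the ISO 14971 risk-management loop as a probe's risk file.
Constructed example: scales, threshold, hazards and controls are illustrative
assumptions, not values from the standard or from any manufacturer's file."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

# Ordinal 1..5 scales (assumed for this example); risk is their product here.
Severity = IntEnum("Severity", "NEGLIGIBLE MINOR SERIOUS CRITICAL CATASTROPHIC")
Probability = IntEnum("Probability", "IMPROBABLE REMOTE OCCASIONAL PROBABLE FREQUENT")


@dataclass
class Control:
    kind: str                                    # "design", "protective" or "information"
    description: str
    probability_after: Optional[Probability] = None   # P the control brings the hazard down to
    severity_after: Optional[Severity] = None         # S the control brings the hazard down to
    introduces: Optional[str] = None             # a new hazard the control itself creates


@dataclass
class Hazard:
    name: str
    harm: str
    severity: Severity
    probability: Probability                     # pre-launch estimate
    controls: list = field(default_factory=list)
    field_probability: Optional[Probability] = None   # what post-market data showed, if known

    def initial_risk(self) -> int:
        return int(self.severity) * int(self.probability)

    def residual_risk(self) -> int:
        """Risk left after every control, with field data overriding the paper estimate."""
        s, p = int(self.severity), int(self.probability)
        for c in self.controls:                  # a control may lower S or P, never raise them
            if c.severity_after is not None:
                s = min(s, int(c.severity_after))
            if c.probability_after is not None:
                p = min(p, int(c.probability_after))
        if self.field_probability is not None:   # what actually happened in clinics wins
            p = max(p, int(self.field_probability))
        return s * p


class RiskFile:
    def __init__(self, acceptance_limit: int):
        # The acceptability criterion is fixed when the file is opened, before any
        # hazard is scored, so later results cannot bend it to fit the device.
        self._limit = acceptance_limit
        self.hazards = {}

    def add(self, h: Hazard) -> None:
        self.hazards[h.name] = h

    def acceptable(self, name: str) -> bool:
        return self.hazards[name].residual_risk() <= self._limit

    def control_order_findings(self) -> list:
        """Hazards with no control, or whose only control is a warning in the manual."""
        out = []
        for h in self.hazards.values():
            kinds = {c.kind for c in h.controls}
            if not kinds:
                out.append(f"{h.name}: no control recorded")
            elif kinds == {"information"}:
                out.append(f"{h.name}: warnings only; justify why design and protective controls cannot reach")
        return out

    def hazards_introduced_by_controls(self) -> list:
        """Hazards created by a control that the file has not yet analysed."""
        return [c.introduces for h in self.hazards.values() for c in h.controls
                if c.introduces and c.introduces not in self.hazards]

    def post_market_update(self, name: str, observed: Probability) -> dict:
        """Feed a field-observed residual probability back in and report any drift."""
        h = self.hazards[name]
        before, was_ok = h.residual_risk(), self.acceptable(name)
        h.field_probability = observed
        return {"residual_before": before, "residual_after": h.residual_risk(),
                "drifted_to_unacceptable": was_ok and not self.acceptable(name)}


def build_sample_file() -> RiskFile:
    """Three constructed hazards for a wireless handheld probe (sample data, assumed)."""
    f = RiskFile(acceptance_limit=6)
    f.add(Hazard("surface heating", "skin burn during a long study", Severity.SERIOUS, Probability.PROBABLE, [
        Control("design", "duty-cycle limiter in the transmit firmware", probability_after=Probability.REMOTE),
        Control("protective", "cooling vent in the housing", introduces="fluid ingress through vent"),
    ]))
    f.add(Hazard("cross-infection", "pathogen carried between patients", Severity.CRITICAL, Probability.OCCASIONAL, [
        Control("information", "cleaning instruction on the label", probability_after=Probability.REMOTE),
    ]))
    f.add(Hazard("radio dropout", "interrupted scan in an emergency assessment", Severity.MINOR, Probability.FREQUENT, [
        Control("design", "automatic reconnect with last-frame hold", probability_after=Probability.OCCASIONAL),
    ]))
    return f
```

Running `build_sample_file()` and calling `post_market_update("surface heating", Probability.OCCASIONAL)` shows the point of the post-market half of the standard: the heating hazard sits exactly on the acceptance line at launch (residual 6), and a field observation that the limiter leaves it occasional rather than remote lifts the residual to 9 without a single line of the design changing. The findings list names the cross-infection hazard because its only control is a label, and the vent added as a control appears as a hazard the file still owes an analysis.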

Reading a risk file, and what a thin one looks like

A buyer rarely sees the full risk management file, but an integrator or a hospital’s procurement team often can. A few things separate a serious file from a thin one.

A serious file reads as though its authors went looking for trouble: the hazard list is long and specific, the probabilities are tied to real data rather than to optimistic guesses, the controls follow the design-first order rather than leaning on warnings, and the residual risks are stated plainly instead of being rounded down to nothing. A thin file reads as though its authors wanted to finish: the hazards are generic, the severities are soft, the controls are mostly manual labels, and the post-market section is a paragraph of intent with no system behind it. The buyer who can read the file looks for the awkward admissions, the residual risks the maker conceded rather than hid, because a file with no admitted residual risk is not a safe device but an incurious one. The handheld maker confident in its engineering writes a file that names the battery hazard, the dropout hazard, the cleaning hazard, and shows the control for each, and a maker that hopes the question never comes writes a file that mentions none of them. Reading the file is reading the maker’s honesty as much as the device’s safety, and the two turn out to be hard to separate.

The maker that wrote down its own worst cases is usually the one that engineered against them.
