Safety Assurance Cases: A Way to Shorten Painful Discussions with Auditors

Are you tired of discussing whether your devices are sufficiently safe with notified bodies? Then you should use safety assurance cases. Using this top-down approach, you can easily and elegantly produce documented evidence.

With an approach that complies with AAMI TIR 38, ISO/IEC 15026 and the FDA requirements, you can have the arguments on your side. Your notified body will not just be convinced of the conformity of your devices, they will also be won over by your professionalism, making authorization almost a formality.

1. What are safety assurance cases?

a) Definition #1

Definition: Safety assurance case

“A safety assurance case is a structured argument supported by a body of evidence that, in turn, convincingly and completely permits the valid assumption that a device is safe and effective for a specific use in a defined use environment.”

Based on ISO 15026 and other sources

This argument requires a number of specific activities, which is why some people refer to safety assurance cases as a method.

b) Components of safety assurance cases

The evidence provided in safety assurance cases consists of several components, as detailed, for example, by ISO 15026-2:

Component

Examples

Conclusion that an reviewer (e.g., a notified body or authority) should come to.

The medical device meets the regulatory requirements.

Claim: A statement or assurance about a property of a device, system or subsystem to be demonstrated.

Claims usually relate to safety or performance.

According to ISO 15026-2, a safety assurance case has one or more top level claims. The claims are often structured hierarchically.

The medical device is safe. (Top-level claim).

The electrical hazards have been controlled. (Sub-claim).

The insulation is adequately dimensioned.

Context: Information, e.g., about the device, its use and use environment.

Intended purpose.

Assumption: Conditions that must be met, or facts that are usually accepted without further evidence being required or that are undisputed.

Intended users (e.g., with training and experience).

Leakage currents that are lower than required by IEC 60601-1 do not represent an unacceptable risk.

Evidence: Data used for the presentation of evidence or the argument.

Test results (e.g., from safety measures), observations, expert opinions, scientific principles, research results.

Argument: Reason why the evidence is suitable for substantiating the claim.

 

In some cases, a strategy for presenting evidence is also formulated in the safety assurance case.

Mathematical induction.

Identification and control of hazards.

ISO 15026-2 also has another justification part. But this is not a justification of why a claim is correct, but a justification of why a particular claim was chosen.

c) Definition #2

The standard defines safety assurance case as follows:

 Definition: Assurance case

“An assurance case is defined to be a quadruple of a claim c, a justification j of c, a set es of evidence and an argument g which assures c using es. “

Source ISO 15026-1, section 6.2

The regulations, in particular the general safety and performance requirements establish a lot of claims that the manufacturers have to prove.

2. Structure of safety assurance cases

A safety assurance case has one or more top-level claims that are what the evidence is intended to prove. Their choice requires “justification”.

Claims can be restricted by “limitations”, e.g., with regard to duration, safety or the conditions.

To demonstrate a claim, you need either exactly one argument or one or more (sub-)claims, pieces of evidence or assumptions.

Arguments must, in turn, be supported by one or more claims, pieces of evidence or assumptions.

Fig. 1: A simplified metamodel of safety assurance cases, as derived from ISO 15026-2. The standard does not include the abstract entity “support”.

The OMG (Object Management Group) published a more precise metamodel in its document Structured Assurance Case Metamodel (SACM). However, it is not quite aligned with ISO 15025-2.

3. Graphical representation of safety assurance cases

a) Goal structuring notation

Goal structuring notation (GSN) helps document safety assurance cases graphically. It makes it easier to provide a quick overview of the case.

Fig. 2: Overview of the notational elements of goal structuring notation (GSN)

The AAMI TIR 38 Medical device safety assurance case report guidance also uses this notation.

A section of a safety assurance case modeled with GSN might look like Figure 3.

Fig. 3: Example of a safety assurance case modeled using goal structuring notation (GSN).

 Tip

Whether intentionally or not: the AAMI has made the older version of AAMI TIR 38 available for free download here.

b) Other graphical modeling languages

Claim argument evidence (CAE) is a slightly more straightforward notation. There are modeling tools available for this language as well.

SysML is also used as a multi-purpose modeling language for the representation of safety assurance cases.

General drawing tools, such as draw.io can be used to display all notations.

4. Process for preparing safety assurance cases

a) Defining the intended purpose

An important prerequisite for preparing a safety assurance case is having a complete intended purpose, including the intended users and the intended use environment. Because the context and some assumptions depend on it.

 Further information

The article on defining intended purposes explains the aspects this document should define in order to meet the regulatory requirements.

b) Formulating top-level claims

Manufacturers have to formulate top-level claims and define a strategy for them. Some people start with one or more general claims, for example, “the medical device is safe.” Others base the top-level claims on the top-level hazards.

Example: infusion pumps

In the guidance document “Infusion Pumps Total Product Life Cycle”, the FDA has indirectly defined these top-level claims because the claims must be that the following problems will not arise:

  • Errors when delivering the infusion, e.g., due to an incorrect dose, an incorrect volume, infusion at the wrong time or site
  • Incorrect therapy due to an incorrectly selected or delivered drug
  • Biological or chemical contamination, e.g., through unintended contact or unintended biological reaction by the patient or user to a substance
  • Injuries, e.g., burns, cuts, air embolisms, electric shock

 NB!

Be careful: unfortunately, the FDA confuses the terms hazard, harm and cause. Burns are harm, not a hazard. It probably also means biological or chemical hazards and not contamination because an adverse reaction (harm) is not caused by contamination.

Strategy

One of the tried and tested strategies is to consider that safety is guaranteed when all hazards are known and controlled.

Therefore, for the top-level claims, claims that these same hazards or hazard classes have been controlled are appropriate.

c) Formulating sub-claims

The FDA stipulates that manufacturers of infusion pumps must divide the “hazard classes” into individual hazards. Various sources must be taken into account in this risk analysis:

  • Operational sources, e.g., blocked line due to the precipitation of substances
  • Environmental sources, e.g., malfunctions due to EMC problems
  • Electrical sources, e.g., battery failure or leakage current too high
  • Hardware sources, e.g., network errors, false alarms due to sensor errors
  • Software sources, e.g., null pointer exception, memory leak
  • Mechanical sources, e.g., motor failure or damage to the power cable
  • Biological and chemical sources, e.g., non-biocompatible materials or damage to the device cause by cleaning agents
  • Use sources, e.g., incorrect programming due to poor usability

 Tip

These lists of hazards and causes do not exist for other devices. In these cases, you can use hazard analysis methods, such as PHA, FMEA or FTA to define the hazards.

The (sub-)claims, i.e. the manufacturer's claims, are that these risks are under control or that the sources have been eliminated. Sub-claims could be:

  • The system detects air bubbles and consequently stops the infusion
  • The risks of overdose have been reduced to an acceptable level

The strategy at this level is therefore to identify and mitigate all relevant hazards.

d) Deciding how to prove claims

ISO 15026-2 lists the options for proving claims. As described above, manufacturers can take two approaches:

  • Either the manufacturer argues that the claim has been fulfilled with exactly one “argument.” In this case, the argument must be based on one or more claims, pieces of evidence or assumptions.
  • Or the manufacturer must justify a claim with one or more (sub-)claims, pieces of evidence or assumptions.

A “library” of previously formulated arguments and checklists helps manufacturers to avoid redundant work and not to forget any arguments.

5. Conclusion

a) Helpful method

Safety assurance cases are useful and help manufacturers to structure their arguments logically and, therefore, to make it plausible to authorities and notified bodies that their devices meet the regulatory requirements.

They are also helpful for systematically evaluating the completeness and effectiveness of systematic risk mitigation measures for risks identified during development. Manufacturers should weave working with safety assurance cases into their development processes, particularly when establishing requirements and creating system architectures.

The FDA even prescribes this method for infusion pumps.

b) Useful and less useful literature

There are a lot of sources with guidance and examples available to companies who want to use safety assurance cases, including:

  • Standards, e.g., ISO 15025 family
  • Technical reports, such as AAMI TIR 38
  • The FDA guidance document on infusion pumps
  • Specifications for several modeling languages, such as GSN
  • The OMG metamodel

However, these documents are not aligned with one another. Different notations and concepts can cause confusion.

The FDA document does use any form of graphical representation, is not even consistent itself and only uses the concept of strategy implicitly. However, this guidance document provides a good checklist for manufacturers of infusion pumps – and is also mandatory for these manufacturers.

IEC 60601-1 is interesting in this context: it defines safety assurance cases for numerous hazards, without explicitly formulating them. In Annex A, the standard describes strategies and arguments.

c) Using the method in a meaningful way

Deciding whether to use it

Manufacturers should use safety cases particularly when they are a regulatory requirement or if there are no standards that are sufficiently device-specific.

The decision whether to use this method or not is also not a binary one. There is no reason why manufacturers shouldn’t create an initial “safety case” (as the German version of 15406-2 calls them) and then add others over the device's life cycle. This iterative approach of continuous improvement is highly regarded by authorities and notified bodies.

Using it as a bridge between risk management and architecture

If manufacturers use safety assurance cases, they can use them as a bridge between risk management and system architecture:

  • The claims often correspond to statements that the risks have been controlled
  • The arguments correspond to the requirements that the device and its architecture must meet

The top-level claim is often one of the last sentences of the risk management report in which the manufacturer confirms that the device is safe and that its benefits outweigh the residual risks.

Using it over the complete device life cycle

As the device evolves and new information is obtained from the post-market phase, manufacturers should update the safety assurance cases. This does mean additional work. But it does mean that the basis, e.g., for the post-market surveillance update report is laid, since the aim of this report is to confirm that the device is still safe and the benefits outweigh the risks.

d) Conditions must be met

Safety assurance cases do not mean companies no longer have to think less. On the contrary: this method requires companies to be able to think logically and following the MECE principle. Without such precise thinking, a safety assurance case will degenerate into graphics that only give the illusion of having provided evidence (for the safety of the device).

Auditors, authorities and notified bodies will spot holes in the manufacturer’s logic there faster than they will in a risk table with thousands of entries.

But this is also true for your own team: they can detect errors (including their own) quickly and then work on reasoned chains of argument. And this is the strength of the safety assurance cases.


Do you need support in creating safety assurance cases? Do you any someone to check that your arguments are complete and plausible? Then get in touch with us, for example via the contact form. The Johner Institute's team is looking forward to hearing from you!

Starter-Kit_rot_dunkel

A quick overview: Our

Starter-Kit

Learn More Pfeil_weiß
blog_rot_dunkel

Always up to date: Our

Institutejournal

Learn More Pfeil_grau