An Innovative Risk Assessment Methodology for Medical Information Systems

Modern Medical Information Systems very often comprise Medical Devices and governed by regulations which require stringent Risk Management activities to be implemented to minimize the occurrence of safety risks. Currently, the reference standard adopted by manufacturers for Risk Management is ISO 14971, which, however, was devised for traditional (mostly hardware) Medical Devices and does not either take into account the peculiarities of modern Medical Information Systems, or define a formal methodology to conduct Risk Assessment. Moreover, the approaches currently implemented by manufacturers typically aims at obtaining qualitative Risk Assessment results. Within the so-delineated application scenario, this paper proposes a methodology for the Dynamic Probabilistic Risk Assessment of Medical Information Systems, by specifically looking at medical devices that are intended as one of the most relevant components in such systems. The methodology complies with ISO 14971 and improves current practices because it allows the analyst to conduct a quantitative analysis, also taking into account the temporal dimension. It relies on a Probabilistic Risk Model, defined as a set of Markov Models, which is model-checked to obtain quantitative information about the risks. The proposed methodology is also adopted to improve definitively the Medical Device post-market surveillance, which is currently implemented as a wait for an incident activity. In other words, currently a manufacturer sets up a service that has to react to an incident by starting an investigation activity. Instead, the methodology proposes the adoption of risk models defined during the development phase also to re-assess periodically the risks related to the product during the post-market surveillance. This may prevent some incidents because risks are assessed using data collected in the field (no longer guesstimated as during the development phase) and taking into account the temporal effects on probability distributions (such as the deterioration of hardware/software components over the time).

Automated summary

Modern medical information systems and devices require stringent risk management activities to ensure safety. The current risk management standard, ISO 14971, is not suitable for modern medical information systems and lacks a quantitative analysis method. This paper proposes a dynamic probabilistic risk assessment methodology that complies with ISO 14971 and allows for quantitative analysis considering the temporal dimension.