This article is the first in a series of three that will address the products liability risks associated with software failures and medical devices. While software can transform medical device capabilities, its use also creates new products liability risks or changes the nature of existing risks. This series will provide descriptions of some of the software-related trends the author has observed as well as some prognostications about where software is taking us. This first article, however, is an introduction to the topic. It discusses the fundamentals of products liability law and its application to medical device software.
A medical device that is strictly mechanical is transformed—and not merely in terms of its technological capabilities—when a software component is added. Developments in software have pushed the cutting edge of new medical technologies, enabled new functionality in “old” devices, and disrupted healthcare delivery. Along with speeding the evolution of medical devices, software has also created a host of new risks that require new risk management strategies. In an era of well-publicized and expensive cyber breaches, managing “software risks” often means safeguarding products from hacking and infection. A 2016 report by Grand View Research estimates that the global healthcare cyber security market will reach nearly $10.85 billion by 2022. This number was just $5.5 billion in 2014, but the increasing frequency of cyber attacks, regulatory and security compliance requirements, and data leaks have forced life sciences companies to dedicate more financial resources to preventing cyber breaches. Yet, despite receiving the lion’s share of attention and resources, cyber attacks are not the only risk associated with medical device software. A category of risk that has received less attention than cyber risk but is also worthy of consideration relates to software failures.
What happens when a product is defective and causes bodily injury or property damage? Products liability is the area of law that provides redress and holds manufacturers responsible when their products—whether medical devices or other types of products—malfunction and cause harm to users. What underpins this theory of liability is the premise that a manufacturer that profits from the sale of a defective product must bear the costs of remuneration when it injures someone.
The medical device industry has long been a favorite target of the plaintiffs’ bar. The typical scenario involves a patient who is injured physically by a defect in a medical device. In the lawsuit that follows, the patient becomes the plaintiff and pursues a products liability action against the medical device manufacturer. In recent years, the products liability landscape for medical device manufacturers has been dominated by litigation involving products like transvaginal mesh and metal-on-metal hip implants. Transvaginal mesh is a widely prescribed treatment to address urinary incontinence or pelvic organ prolapse in women, particularly following childbirth. Some women have reported experiencing serious health issues after receiving the implants, including when mesh erodes, breaks into pieces, and cuts or perforates nearby organs. More than 100,000 women are currently in litigation involving this product. Metal-on-metal hip implants are also the subject of major products liability litigation. Plaintiffs claim that debris from the product’s metal components migrates through the body and causes tissue poisoning. The products, which are manufactured by several companies, allegedly cause dangerous levels of chromium and cobalt to enter the patient’s bloodstream, resulting in a variety of debilitating conditions. More than 100,000 devices have been recalled, and the products liability litigation has cost manufacturers of metal-on-metal products several billion dollars, collectively.
While these are two examples of “big” cases, every year thousands of products liability lawsuits are filed against medical device manufacturers by patients allegedly injured by their products. Most of these cases settle out of court and never make the headlines. Whether a particular product will wind up being the subject of a products liability lawsuit cannot be predicted with certainty. Nevertheless, it is important for manufacturers to attempt to identify those medical devices that may become the subject of products liability actions. Every type of medical device has a unique products liability “risk profile,” a collection of attributes that make it more or less vulnerable to this type of legal claim. Knowing the products liability risk profile of a medical device is critical to formulating a risk management strategy that can address potential problems before they arise. Addressing the theme of this series specifically, software and its use as a component in a medical device impacts the products liability risk profile of the device, and it is essential for medical device manufacturers to understand how and know what to do to mitigate the risks.
Before getting to the heart of the matter, I must first address a pesky legal issue that has complicated software-related liability matters for years. The question is whether software can be the subject of a certain type of products liability claim.
Products liability claims come in a few varieties, including strict liability and negligence. Strict liability focuses on the product itself, while negligence focuses on the activities of the manufacturer. A plaintiff who asserts a strict liability argument must show that the product was defective in order to prevail. On the other hand, at issue in a negligence claim is whether the manufacturer failed in some way, causing the product to be defective. Between the two theories, negligence can be the harder case for plaintiffs to make. Typically, it involves demonstrating that the manufacturer was required to take reasonable steps to protect patients from foreseeable hazards arising from the product but failed to do so. In general, most plaintiffs will assert both strict liability and negligence arguments in any given products liability lawsuit. When software is the product that allegedly injures the plaintiff, however, the plaintiff may be barred from recovering under a strict liability argument (though negligence is still fair game).
Whether software can be the subject of a strict liability claim is contentious. One argument goes like this: Software is more like a service rather than a tangible thing and is unlike the broad category of material goods that gives rise to strict products liability but instead resembles a class of items that courts have traditionally decided are not, in fact, products and are not, therefore, subject to products liability. On the other side of the debate, it is argued that software that is embedded in tangible goods, or that is mass produced, sufficiently resembles a tangible product, therefore making strict liability applicable. Courts in various jurisdictions have decided the issue differently, and the law is still unsettled. Manufacturers that are considering adding software capabilities to their medical devices, including as accessory products, such as mobile phone applications (“mobile apps”), which are addressed specifically in the second article in this series, should monitor how this legal issue evolves. If strict liability is applied more widely in cases involving embedded or mass-produced software, this legal development would make it easier for more plaintiffs to prevail in cases involving products like mobile apps—theoretically, anyway, since strict liability is usually an easier case for plaintiffs to make than negligence.
What’s important for the purposes of this series, however, is not whether a plaintiff’s argument sounds in negligence or strict liability, but why the plaintiff claims the device failed. The possible ways in which a device can fail determine the device’s products liability risk profile and may indicate possible risk mitigation measures to enhance product safety and prevent liability. Regardless of whether the plaintiff makes a negligence or strict liability argument, at issue in the case will be three aspects of the product—its design, warnings and instructions, and manufacture or assembly—and whether the product was defective with respect to any one of them.
Continue to page 2 below.
It’s the mid-1980s. The cost of a U.S. postage stamp is 22 cents. Jim McMahon and William “The Refrigerator” Perry do the Super Bowl Shuffle and lead the Chicago Bears to victory over the New England Patriots in 1986’s Super Bowl XX. That same year, Comet Halley visits the solar system for the second time during the 20th Century. Madonna, Whitney Houston and Michael Jackson achieve pop stardom. The era sees life-changing technological advancements. Microsoft Corp. releases Windows 1.0, and the first artificial heart transplant is performed. However, there are also significant technological disasters, namely in the explosions of the space shuttle Challenger and the Chernobyl nuclear power station.
Another awful but less well known technology-related event occurs during this same time period. The Therac-25, a medical device that provides radiation to cancer patients, experiences a software failure and administers as much as 125 times the intended doses of radiation to six patients, killing four and causing serious bodily injury to two. This event, which unfolds between 1985 and 1987, is considered the first major medical device software failure to give rise to products liability. Little is known about the specifics of the plaintiffs’ claims against the Canadian manufacturer of the device, however, as the cases are settled prior to any public litigation.
Given the nature of the malfunction and seriousness of the resulting injuries, the Therac-25 becomes the subject of much conversation in the popular media as well as in the medtech industry in the years following the disaster. By most accounts, the device’s malfunction was attributable to several problems, among them poor protocols for quality control, hazard analysis and testing. Reportedly, software design problems were further compounded by omission of critical hardware safety features that would have prevented overdosing when software controls failed. Nancy Leveson, a software safety expert who researched the Therac-25 extensively for her 1995 book, Software: System Safety and Computers, wrote this about the software problems that plagued the Therac-25. “A common mistake in engineering, in this case and in many others, is to put too much confidence in software,” Leveson wrote. “There seems to be a feeling among non-software professionals that software will not or cannot fail, which leads to complacency and overreliance on computer functions.”
In the years since the Therac-25 disaster and Leveson’s book, the medtech industry has seen increasingly more software-related problems with devices—so many, in fact, that it is questionable whether Leveson’s observation about the confidence of non-software professionals still holds true today. The medical device industry, as a whole, seems to be grappling with software-related quality problems as indicated by recall activity. Software failures are a leading reason that medical devices are recalled by manufacturers. Stericycle ExpertSOLUTIONS is a firm that offers recall management services to the medical device industry and others. It also publishes a quarterly “recall index” that provides data about recalls by industry. According to their recall index for the first quarter of 2017, “software issues” was one of the top four reasons that medical devices were recalled, accounting for 24.4% of all medical device recalls (based on the number of units) conducted during that time period. The pervasiveness of software quality problems may also explain why it has become fairly common to see software problems give rise to products liability claims.
Product Defects & Liability. Quite simply, when software fails and causes bodily injury or property damage, the nature of the products liability claims against the manufacturer is the same as if a mechanical component of the medical device had failed. Imagine, for example, that you are a manufacturer of ventilators, an FDA-cleared Class II medical device that is used by critically ill patients who experience difficulty breathing on their own. Due to a software problem with your device, a diagnostic code (which relates to the functioning of the software) may be triggered while your product is in use with a patient. When this occurs, the ventilator stops functioning and will not alarm properly. You determine that you can fix the software problem through a software update, which you make available through your website (in accordance with FDA’s requirements for conducting a recall). You also send an “Urgent Medical Device Voluntary Field Correction” letter to your hospital-customers, who are instructed to take immediate action to update their ventilators’ software. Around the time that one of your hospital-customers receives your letter—but before it is able to perform the software update—a ventilator in use with a patient shuts off due to the software problem. The patient is unable to breathe on her own, and she suffers severe and irreversible brain injury as a consequence of oxygen deprivation. Not surprisingly, this injury becomes the subject of a products liability lawsuit filed against you.
Given the astounding and transformative impact that software has had on medical device capabilities and the disruption that software-driven products have caused to healthcare delivery, it seems incongruous that any products liability that arises from software is handled according to traditional and well-established legal principles that apply equally to low-tech, simple component parts, such as nuts and bolts. Nevertheless, these same legal principles will determine the outcome of a lawsuit involving medical device software. In making her case against you, your plaintiff will likely assert that your ventilator was defective in its design, warnings and manufacture. It’s important to note that the typical plaintiff will likely assert all three arguments in any lawsuit, as offering alternative theories of what went wrong is permissible. So, what is she really claiming?
The three types of product defects at issue in a products liability case are commonly recognized by courts as follows, though the law may vary slightly between states:
Returning to the fictitious example of the ventilator and considering how the plaintiff might allege defects in your product, she may argue that her injuries are the result of a design defect in the ventilator’s software that caused the diagnostic code to be triggered, stalling the operation of the device and depriving her of oxygen. The plaintiff may further allege that you failed to warn healthcare providers about the hazard, either because the device’s alarm failed to sound, your field correction letter wasn’t timely, or you failed to convey the extent of the hazard and urgency of the software upgrade necessary to fix the problem. Finally, the plaintiff may allege that the software was manufactured improperly, causing the software to be corrupted and to malfunction as a result.
Trends, Prognostications and Risk Management. In the above-described scenario, you, the manufacturer, will have defenses available to you, which will become the subject of litigation or which will influence your decision to settle the case. At this point, the actions you took (or failed to take) to mitigate software risks and make your product safer will likely become relevant to the defense of your case. Legal theories aside, however, the purpose of this series is to examine what manufacturers can do before a claim arises to prevent such a scenario from occurring. Accordingly, the remaining articles in this series will discuss common ways in which software can impact a device’s products liability risk profile and what manufacturers should do about it.
The next article in this series, Medical Device Software & Products Liability: The Homefront, looks at the use of software-driven medical devices at use in non-clinical settings; particularly, in the home environment. The article addresses software’s role in the home healthcare trend, explains the software-related risks that arise from home-use products, and discusses what manufacturers can do to mitigate these risks.
This article does not constitute legal advice.