Supporting Risk Management for Medical Devices via the Riskman Ontology and Shapes (Preprint)

TL;DR

The paper tackles the challenge of risk management for medical devices by replacing text-based conformity submissions with a formal representation using the Riskman ontology and SHACL shapes. It combines OWL-based reasoning in $\mathcal{EL}^{++}$ with SHACL constraint checks to verify conformance to ISO 14971 and VDE Spec 90025, and it demonstrates a prototypical RiskmanPipeline that distills RDF from risk reports, reasons over it, and validates the results. Key contributions include the ontology design (with GCIs and RIAs), a probability-severity modeling approach using finite magnitudes and a multiplicative rule $P = P1 \cdot P2$, and a set of SHACL shapes enforcing critical risk-management requirements. The work offers practical impact by enabling automated, semantically enriched risk reporting, enabling reuse across manufacturers and smoother conformity assessments, while outlining clear avenues for extension to AI-driven risk management and broader standard integration.

Abstract

We propose the Riskman ontology and shapes for representing and analysing information about risk management for medical devices. Risk management is concerned with taking necessary precautions to ensure that a medical device does not cause harms for users or the environment. To date, risk management documentation is submitted to notified bodies (for certification) in the form of semi-structured natural language text. We propose to use terms from the Riskman ontology to provide a formal, logical underpinning for risk management documentation, and to use the included SHACL constraints to check whether the provided data is in accordance with the requirements of the two relevant norms, i.e. ISO 14971 and VDE Spec 90025.

Figures (5)

• Figure 1: Graphical representation of the data of a controlled risk (top) and associated SDA (bottom) provided within a risk management file for an infusion pump described in \ref{['ex:running']}. Dashed boxes illustrate how related elements are grouped -- e.g. the largest box shows that an Analyzed Risk, Residual Risk Level, and SDA together form a Controlled Risk. In the bottom part, colours distinguish elements of different classes: blue (Risk SDA); brown (Assurance SDA); green (Implementation Manifest); pink (Safety Assurance). An abbreviation in parentheses next to each element shows its unique identifier (used later in \ref{['fig:abox:graph']} for reference). Arrows arrange the elements from the bottom part into a tree.
• Figure 2: Main axioms of the Riskman ontology, i.e. those formalizing the definitions of VDE Spec 90025 in $\mathord{\mathcal{E}\!\mathcal{L}}\xspace^{++}$, with (\ref{['gci:arisk']})--(\ref{['gci:sdai']}) general concept inclusions (GCIs) and (\ref{['ria:hharm']})--(\ref{['ria:transitivity']}) role inclusion axioms (RIAs). Further axioms (subclass relationships, domain/range declarations, and disjointness axioms) can be read off \ref{['fig:schema']}. The properties $\mathsf{hasParentHazard}$, $\mathsf{hasParentSituation}$, and $\mathsf{isPartOfDeviceComponent}$ model hierarchies, while $\mathsf{hasPrecedingEvent}$ models temporal order in event chains; thus they all are defined as being transitive.
• Figure 3: Schema diagram of the Riskman classes and properties, divided into two sections covering the outcomes of Risk Assessment and Risk Control. While range restrictions have an explicit syntax, domain restrictions $\mathit{dom}(\mathsf{R})\sqsubseteq\mathsf{A}$ are expressed via $\exists \mathsf{R}.\top\sqsubseteq\mathsf{A}$, just as $\mathit{tra}(\mathsf{R})$, saying that $\mathsf{R}$ is transitive, is syntactic sugar for $\mathsf{R}\circ\mathsf{R}\sqsubseteq\mathsf{R}$. Moreover, any two classes without direct/indirect subclass relationship are disjoint.
• Figure 4: Riskman shape constraints. The following syntactic abbreviations are used for brevity: $\exists E.\phi$ for $\mathord{\geq_{1}} E.\phi$, $\mathord{\leq_{n}}E.\phi$ for $\neg(\mathord{\geq_{n+1}} E.\phi)$, $\mathord{=_{1}} E.\phi$ for $\mathord{\geq_{1}} E.\phi\land\mathord{\leq_{1}} E.\phi$, $E\neq E'$ for $\neg(E=E')$. For Constraint \ref{['shape:crisk:two']} we denote $\mathsf{X}\in\left\{\mathsf{hasProbability}, \mathsf{hasProbability1}, \mathsf{hasProbability2}, \mathsf{hasSeverity}\right\}$.
• Figure 5: Graphical ABox representation of data from \ref{['fig:rmf']}. Nodes and edges represent domain elements and role assertions, respectively. Correspondence between respective elements of \ref{['fig:rmf']} and nodes can be established by their identifiers, with node $\mathsf{cr}$ ($\mathsf{ControlledRisk}$) being the central entry point of the graph. Probability and severity nodes ($\mathsf{p}_{\mathsf{5}}$, $\mathsf{p}_{\mathsf{4}}$, $\mathsf{p}_{\mathsf{3}}$, and $\mathsf{s}_{\mathsf{4}}$) correspond to individual names from $\mathcal{K}^{{p}\textsc{-}\mkern-1mu{s}}_{5,5}$ and are interpreted by themselves. Black colour represents the asserted, whereas blue the inferred knowledge, involving either classes (labels near nodes) or roles (labels above edges or additional dashed edges). Given a constraint of the form $\mathsf{A}\leftarrow\phi$ from \ref{['fig:shacl-constraints']} labelled by some number $(n)$, the same number $n$ in red next to a node indicates that the node satisfies $\phi$. Putting all the above together, note e.g., that labels $\mathsf{SDA}$ and $\mathsf{SDAI}$ of $\mathsf{sd}_{\mathsf{1}}$ indicate that it has been classified as $\mathsf{SDA}$ due to being a $\mathsf{hasSubSDA}$-successor (range restriction) and as $\mathsf{SDAI}$, due to the previous classification and existence of an $\mathsf{hasImplementationManifest}$-successor (Axiom \ref{['gci:sdai']}). On the other hand, note that $\mathsf{irl}$ gained $\mathsf{p}_{\mathsf{4}}$ as its $\mathsf{hasProbability}$-successor due to an inference using a “multiplication” axiom from $\mathcal{K}^{{p}\textsc{-}\mkern-1mu{s}}_{5,5}$. It hence contains exactly one $\mathsf{hasProbability}$ and $\mathsf{hasSeverity}$ successor each and, therefore, satisfies the body of Constraint \ref{['shape:rlevel']}, as indicated with the (\ref{['shape:rlevel']}) in red. This holds for every node labelled with $\mathsf{RiskLevel}$, and therefore the depicted ABox satisfies Constraint \ref{['shape:rlevel']}.