Before diving into the best practices for conducting a risk assessment, it’s important to clarify some terminology. ISO 14971:2019 (the Standard) and TR 24971 (the Guidance) provide helpful definitions and examples, but even with those, the use of some risk elements can get confusing when you’re actually working on a risk assessment. This article provides a quick review of the more straightforward terms and spends a bit more time on those that can get confusing.
Harm is defined by the Standard as “injury or damage to the health of people, or damage to property or the environment.” The definition used to be “physical injury” but “physical” was removed from the most recent description. The “injury or damage to the health of people” part is straightforward. If you ask the question “What is the patient suffering from?”, the answer is the harm. It might be blood loss, infection, embolism, burns, or any number of physical harms. And with the word “physical” stricken from the definition, you can add stress, anxiety, frustration, or any other non-physical harm that might be appropriate.
The “property or the environment” part can be more confusing. For “property,” companies typically focus on other medical device equipment that is directly affected by the device under review. The most common “property” risk is electromagnetic compatibility (EMC), where your device emits radiation that interferes with nearby equipment. If that equipment is life-sustaining, the harm can be very severe. Other “property” risks could be delivering a software virus to a connected device, or similar data corruption issues.
The best way to think about “environmental” harms is to consider events that have an area of effect. That is, the harm isn’t incurred only by a patient, device user, or a connected piece of equipment, it’s everyone and everything in the room. In the “Identification of hazards and characteristics related to safety” questions in Annex A of the Guidance, they ask the question “Does the medical device influence the environment?” The factors to consider are: “the effects on power and cooling supplies; emission of toxic materials; and the generation of electromagnetic disturbance.” So, think about radiation and fire (which would also affect property), release of toxic substances into the room, and improper disposal of hazardous waste, which can be dispersed broadly.
Annex F.3 of the Guidance identifies that there is the “potential for some overlap” between people, property, and environment. For example, damage to property (medical records) can injure people (misdiagnosis), and environmental damage (EMC) also affects property (other equipment). Bottom line: be sure to include risks to people, property, and the environment, but don’t get too hung up on which category to place each risk. You should document that you’ve considered risks in each category (e.g., by answering the Annex A questions), but there’s no requirement to report out which category each risk falls into.
Normal and Fault Conditions
Clause 5.4 of the Standard says: “The manufacturer shall identify and document known and foreseeable hazards associated with the medical device based on the intended use, reasonably foreseeable misuse and the characteristics related to safety in both normal and fault conditions.” What are “normal and fault conditions”? Generally, “normal” conditions are when the device operates as intended and “fault” conditions are when the device does not function as intended or is not used as intended. Most items in your risk analysis will be “fault condition” items. They will describe what happens when something breaks, doesn’t perform to specifications, or is used counter to the instructions in the IFU. So what’s left? The “normal condition” hazards are inherent in the use of the device: paddle burns from a defibrillator, pain from surgery, bruising at a vascular access site, and other minor/temporary effects. In these cases, the harm caused needs to be outweighed by the benefit. For example, most people would be willing to risk getting burned by a defibrillator for the benefit of restarting their heart, but a similar burn from a heating pad would not be acceptable.
Hazards, Hazardous Situations, and Causes
By definition, Hazards are “a potential source of harm.” We’ve established that harms are injuries like infection, a burn, or radiation exposure. A hazard is just the source of that harm. Examples of hazards in the Guidance include: electricity, moving parts, infectious bacteria, chemicals, gases, sharp edges, high currents, temperature, and ionizing radiation (Table C.1 of the Standard has an even longer list of examples). The operation of your device may generate these types of hazards. On their own, they can’t cause harm. They only cause harm when people, property, or the environment are exposed to them. The question then is what are the “circumstances in which people, property or the environment is/are exposed to one or more hazards”? That’s the Hazardous Situation.
The Standard identifies that “a hazard cannot result in harm until such time as a sequence of events or other circumstances (including normal use) lead to a hazardous situation.” An important thing to keep in mind is that the Hazardous Situation describes what happens, not why. The Hazardous Situation describes the exposure to the Hazard:
- Hazard: Infectious bacteria
- Hazardous Situation: Infectious bacteria introduced into patient during an invasive procedure.
- Hazard: High temperature
- Hazardous Situation: A hot surgical tool contacts the patient’s or user’s skin.
- Hazard: EMC interference
- Hazardous Situation: RF radiation is released from the device in range of nearby equipment.
The objective of the risk analysis process is to identify all of the potential causes so that you can control them to prevent the harm from occurring (or at least mitigate the impact). The wording of the Hazardous Situation will help you get there. If you have a relatively simple device (a syringe, for example), the “infectious material” Hazardous Situation described above may be appropriate. But if the device is complex (maybe a kit of sterilized components including a syringe), it may be better to have separate Hazardous Situations for each component. Or if there are multiple times in the procedure when the patient can be exposed to the hazard, it may make sense to have a separate Hazardous Situation for each of those times.
A key point here is that the Hazardous Situation is a fairly high-level description. At this point we don’t know how the contamination was introduced to the patient, why the hot tool was placed on the patient’s skin, or why RF radiation was released from our device. All we know is that it happened and now a person, property, or the environment has been exposed to the hazard and that sequence of events may result in some harm (i.e., infection, burn, radiation exposure). To find out why this happened, you have to investigate the Cause.
The Cause is the thing that kicks off the whole sequence of events that leads to exposure to a Hazard and, ultimately, to one or more Harms. That said, the word “cause” doesn’t show up much in the Standard and there’s no formal definition. The Standard tends to use the terms “circumstances,” “events,” and “errors.” Whatever you call them, causes tend to fall into three buckets:
- Design errors: the device is made and used as intended but does not perform as intended.
- Production errors: the device is designed and used as intended but is not made as intended.
- Use errors: the device is designed and made as intended but is not used as intended.
If you apply those three types of errors (causes) to the “infectious material” example, you will address the question of “Why did ‘Infectious bacteria introduced into patient during an invasive procedure’ happen?” The causes include:
- Design errors:
  - Product not designed for sterilization
  - Sterile barrier not durable throughout shelf life
- Production errors:
  - Package sealing error
  - Sterilization process error
- Use errors:
  - Aseptic technique not followed when opening the package
  - Device reused
Any of those causes could initiate the hazardous situation that leads to the harm of infection.
The Cause should be worded at the level at which risk verification can be performed. For example, if there are 10 components that are assembled into your finished device, you don’t need to say “Component 1 not designed for sterilization,” “Component 2 not designed for sterilization,” etc. Your sterilization validation will only be done for the full, finished product so “Product not designed for sterilization” is sufficient.
When working on a risk analysis, sometimes the information in a particular column may not hold strictly to the definitions provided in the Standard. The wording for a Hazard may include elements of the Harm or Hazardous Situation, the Hazardous Situation may read more like a Cause, and the Cause may be too specific to serve as a good lead-in to an appropriate risk control. For example, the table below presents a “Not so good” and “Better” way of describing the risk of a patient suffering an air embolism because the IV line was not primed properly:
Hazard: The first option confuses the “Hazard” and the “Harm.” Remember the “Hazard” is the “potential source of harm.” “Air in the infusion line” is the thing lingering in the environment that could harm you if you are exposed to it, while “Air embolism” is a harm that you experience after being exposed to a hazard.
Hazardous Situation: There is no harm in having “air in the infusion line” until “air is infused into the patient.” The first option jumps into the cause and doesn’t identify what happened that caused the “air in the infusion line” to cause harm (i.e., it skips the “infused into the patient” part). Also, it’s too detailed. It forces the team to only consider causes of the user forgetting to prime the line. Taking that approach, you would also need to add a few more Hazardous Situations in order to consider all the other reasons that air may be left in the IV line.
Harm: The error made in the first option (i.e., putting the Harm in the Hazard column) leads to getting even more detailed in the Harm column and adding symptoms of an air embolism. The second option identifies three levels of harm (you could have more or fewer) that are aligned with typical severity wording: No injury, Temporary Impairment, and Permanent Impairment. Identifying categories of harm rather than specific symptoms allows you to consider specific harms that are not explicitly called out in the list provided in the first option. For example, if you used the first option and received a complaint of “numbness that resolved with no sequelae,” you wouldn’t know how that fits into the risk analysis. Using the second option, it falls pretty squarely into “Air embolism – temporary impairment.”
Cause: In this example, we’ve only listed one Cause in each of the two options; you could have multiple causes associated with each Hazardous Situation. That said, the Cause in the first option is very specific. Describing the Cause as “User was distracted” leads to the need to identify a risk control that reduces the probability that a user becomes distracted. There may be many other reasons that the user doesn’t prime the IV line properly. Instead of trying to list all of those reasons in the risk analysis, the second option brings the Cause up to a level that can be addressed more effectively. You may have data that identifies how often a clinician doesn’t prime an IV line properly and, if that risk is not acceptable, identify risk controls (air filters, air alarms, instructions, warnings) to reduce that risk and therefore address a range of causes, not just “User was distracted.”
Another example would be if the console for a surgical device fails to start up correctly prior to a procedure.
Hazard: The first option identifies one of potentially many reasons why a procedure may be delayed. Since it is the “Delay of treatment” that is the “source of potential harm,” it’s better to list the delay as the hazard. There may be multiple Hazardous Situations that can cause a delay, which is fine. Each of those sequences of events that could expose the patient to a “Delay in treatment” can be investigated separately.
Hazardous Situation: The two options for Hazardous Situation aren’t too far apart. The first option focuses on the “Self-test” while the second option is the broader category of “console-related problems.” If the self-test is particularly complicated, it may make sense to word the Hazardous Situation to focus on the self-test and then have multiple Causes that break the self-test down into greater detail. However, using “console-related problems” provides a larger bucket to capture all of the issues that could prevent proper start-up and delivery of treatment.
Harm: Using “Delay of treatment” as the harm doesn’t provide much information for determining Severity. In some cases, a delay may not have a significant impact. In other cases (like when the patient has already been exposed to anesthesia) there is a higher level of risk. If the device is life-sustaining, a delay could cause death. In these more severe scenarios where the Harm is death, it is likely that even a low Occurrence of Harm would raise the assessment of risk up to a level that would require the engineering team to add greater redundancy into the system to ensure that it works every time it’s needed.
Cause: Like the Hazardous Situation, the difference in the two options is the level of detail. If there are, for example, five steps in the self-test, following the first option would suggest that you will run separate test validations for each step. That’s unlikely. In most cases, you will evaluate the reliability of the self-test as one process, implement needed controls to ensure that the whole test runs effectively, prepare a protocol to assess the self-test under a range of use conditions, and complete a validation to show that each step in the self-test runs as intended and the overall output meets expectations.
When working on a small risk assessment (<100 lines), you may be able to get away with allowing the Hazardous Situation to include some Cause language and for the Hazard to suggest the Harm – it’s small enough that reading across the line gives the team a good understanding of the risk so they can address it appropriately. But if the device is more complicated (and particularly if you are tracking these items in a database), it’s important to stay disciplined about the content in each column. By properly describing the Hazards and especially the Hazardous Situations, you will establish the architecture for completing the risk assessment at an appropriate level of detail and assess the full range of device risks.
With these definitions in mind, the next articles will begin to dig into the challenges of using the FMEA process to guide decisions that will improve device safety.
MEDIcept Inc. is an international consulting firm specializing in medical device, IVD, and biotechnology Regulatory, Quality, and Clinical Services. Since 1996, we have worked with thousands of companies to solve their most critical FDA and ISO issues. Our integrated solutions are rooted in our direct experience and span all stages of the product life.