How do you define your Hazards? <a Risk Management discussion>

ThatSinc

Involved In Discussions
#1
Hi All,

Whilst reviewing a risk management process for update I've identified an incredibly small but, what I would consider, somewhat significant difference in the "Relationship between hazards, foreseeable sequences of events, hazardous situations, and harm that can occur" table between the 2012 and 2019 editions.

How they have defined the hazard has changed from "ESD" within the 2012 edition to "No Output" within the 2019 edition for one example (as shown below, moderators if I'm not allowed to include images from the standard, sincere apologies - please delete)

I'm attempting to put some guidance together for how to consistently identify hazards, but near enough all resources online appear to have a mixture of the hazard being defined as what I would call the actual source of harm (i.e. the 2019 edition. It's the lack of output that causes the harm), and the hazard being defined as what causes the chain of events during device use (i.e. the 2012 edition. The ESD causes the device to fail, thus no output, and that lack of output causes harm)

The definition of what constitutes a hazard has not changed, and both standards still state "What is called a hazard needs to be determined by the manufacturer to suit the particular analysis."

I find that if you group them in the way the 2019 edition has for this example you have potentially a very limited number of performance/functionality based hazards, but a very large number of different sequences of events that can cause the hazard and hazardous situation.

If you group them using the 2012 example, you potentially have a huge number of hazards, with many overlapping depending on the sequence of events and where you draw the line.
As an example, gas leakage within a device system can be a result of users not connecting the hoses correctly due to lack of training, wear and tear on components within the gas pathway that hasn't been checked, or incompatible connecting devices, all potentially resulting in insufficient output from the device, with the patient not receiving the correct therapeutic dose, and subsequent harms.
There are a huge number of ways to cut that with regards to hazards: Gas Leak, User Training, Component Wear, Servicing, 3rd Party Device Compatibility, all resulting in insufficient output.

How do you maintain consistency with regards to what you are calling a hazard and what falls into the reasonably foreseeable sequence of events?

How would you address the following scenarios with regards to Hazard / Sequence of Events / Hazardous Situation:

1. Through user error a device is not delivering the necessary drug volume to a patient; the device has a built-in alarm system to detect this under-delivery as a control measure. Due to a software error the alarm system has failed and the user is unaware that there is under-delivery.
2. An electronic device is intended to be cleaned with soap and water after each use; the waterproof seal on the device has worn away through repeated cleaning over a period of time. Water leaks into the device and contacts mains electricity, causing an electric shock to the person cleaning the device.
3. Due to a confusing interface the user sets an incorrect output voltage and triggers the device to shock the patient. The patient receives an excessive shock.

Note the above are not specific examples for products I'm working on that I want answers for, just examples to open up a discussion.

Thanks,

Matt.

[Images: 2012.png and 2019.png, excerpts of the hazard / sequence of events / hazardous situation / harm table from the 2012 and 2019 editions]

indubioush

Quite Involved in Discussions
#2
Hazard -> Sequence of events / Hazardous Situation -> Harm

1. Low drug volume -> Through user error, a device is not delivering the necessary drug volume to a patient; the device has a built-in alarm system to detect this under-delivery as a control measure. Due to a software error the alarm system has failed and the user is unaware that there is under-delivery / use error and alarm failure cause inadequate drug delivery -> **Harm from inadequate drug**
2. Electricity -> An electronic device is intended to be cleaned with soap and water after each use; the waterproof seal on the device has worn away through repeated cleaning over a period of time. Water leaks into the device and contacts mains electricity, causing an electric shock to the person cleaning the device / Seal failure causing electric shock through water conduction -> Atrial fibrillation, skin burn, etc.
3. Electricity -> Due to a confusing interface the user sets an incorrect output voltage and triggers the device to shock the patient. The patient receives an excessive shock / use-error-caused high voltage resulting in electric shock at patient contact -> Atrial fibrillation, skin burn, etc.

Some may disagree. Risk management is somewhat subjective, and some standards list hazards that are actually harms. Don't worry so much about getting hazards exactly right. Worry more about documenting every hazardous situation you can think of. Develop a method for ensuring the severities listed are consistent.
 

ThatSinc

Involved In Discussions
#3
Thanks for the reply, really appreciate the input.

What I can see from your approach is that we agree on the hazard as the entity that causes the harm.
I attempt to ensure that severity ratings are aligned directly with the harms in conjunction with clinician input - I've only worked with a few devices where the harms caused can have varying severities and this was relating to quantitative measurements that resulted in varying doses being given.

Where we differ is in what is being defined as the hazardous situation.
I tend not to include anything from the sequence of events in the hazardous situation, just the outcome of the sequence of events that leads to the harm.
I like your method; although it differs from the way the hazardous situation is documented in the informative annexes as above, it facilitates working with clause 7.5 for risks arising from risk control measures, where the standard does not.

If you have your hazard documented as "no output" and the hazardous situation as "failure to deliver drug" (as per the standard example) and you incorporate an electronic alarm system to detect no output to mitigate the probability of the hazardous situation becoming harm, the failure of that alarm system is the same hazard and same hazardous situation - you just have a new sequence of events.

It would also be interesting to know at what point people stop when it comes to the risks arising from control measures, particularly when it comes to software.

Note: I appreciate I'm referring back to informative annex guidance, but if they're there to provide guidance directly from the standard then they should be able to be followed.
 

Tidge

Quite Involved in Discussions
#4
I instruct teams that it is best to think of Hazards as "Elemental Forces" which are present in the natural world: fire, radiation, potential or kinetic energy, fumes, infectious agents, other fundamental biological circumstances, and the like. "No Delivery" isn't really a Hazard, it's more like a failure to meet Essential Performance... in the example provided the hazard of ESD is leading to the failure of essential performance. Essential Performance failures should be considered in Risk Analysis: if you seek a Hazard for insulin pumps I would suggest that 'no delivery' is part of P1. The hazard is likely to be the (faulty) blood chemistry.

I will also add this: software is not a hazard. Software is typically responsible for essential performance, or can be a contributing factor allowing a hazardous situation to occur.
 

ThatSinc

Involved In Discussions
#5
Thanks for the input, interesting take on things RE the insulin pump example and blood chemistry being the hazard, though I'm not sure where you would draw the line on that, as it could be said about most devices when it comes to performance-related hazards that the patient physiology is the hazard.

With regards to essential performance, if the function of the device is provision of a substance/drug/energy, then would the properties of that substance/drug/energy be the hazard rather than the absence of output, or the difference in output from the set parameters?
e.g. pressure/volume/concentration of a gas delivery, voltage and amperage of an electrical energy delivery.


I agree that software is not a hazard, but often have a hard time persuading others that software is a contributing factor to either the probability of harm or severity of harm.

How would you go about the three scenarios in the original post?
To what level of detail do you document your hazardous situations?

So far with the comments on here, and discussions elsewhere it seems that the guidance is up for so much interpretation that you could easily have one person documenting a hazard as a hazardous situation, and vice versa.
 

Tidge

Quite Involved in Discussions
#6
How would you address the following scenarios with regards to Hazard / Sequence of Events / Hazardous Situation:

1. Through user error a device is not delivering the necessary drug volume to a patient; the device has a built-in alarm system to detect this under-delivery as a control measure. Due to a software error the alarm system has failed and the user is unaware that there is under-delivery.
2. An electronic device is intended to be cleaned with soap and water after each use; the waterproof seal on the device has worn away through repeated cleaning over a period of time. Water leaks into the device and contacts mains electricity, causing an electric shock to the person cleaning the device.
3. Due to a confusing interface the user sets an incorrect output voltage and triggers the device to shock the patient. The patient receives an excessive shock.
For simplicity, I will assume a very simple Hazard Analysis with only two sections: Section 1 will address risks related to Essential Performance (1) and Section 2 will address electrical hazards (2). The Essential Performance will simply be "delivery of established doses of therapy". Case (3) can straddle either, but as described it sounds more like a therapy and less like an accidental delivery. I will treat (3) as electrical, because I lack personal experience with devices intended to deliver this type of therapy and I am primarily concerned with avoiding accidental exposures of this type.

1) The hazardous situation is under-delivery of medicine. The harm will be whatever the medical harm is, let's invent "tissue necrosis, severe". The sequence of events is presumably normal use. The primary line of analysis will have a risk control of 'software monitoring'. This should motivate testing of the effectiveness of the risk control which ought to allow for a reduction of risk. The 'software error' would simply be an ineffective risk control.

2) The hazard is electricity; the hazardous situation is the worn seal. The sequence of events is 'during cleaning'. The harm will be something like "electric shock, mild".

3) The hazard is electricity; the hazardous situation is improper configuration. The sequence of events is presumably normal use. If the device is intended to deliver these shocks, there will be different risk controls than if it is not intended to deliver the therapy. For the former, the user interface (and presumably design thresholds) would likely be the risk controls. For the latter it will be elements of the insulation diagram.

It is valuable to establish use cases and reference them early within your hazard analysis. I believe there are different ways to do this. I prefer to reference them early on each line of analysis. I find this to be advantageous when analyzing complaints with the hazard analysis because two pieces of information we almost always have with a complaint are variations of "what was the harm" and "under what circumstances did it occur"?
 

ThatSinc

Involved In Discussions
#7
Thanks, Tidge, I appreciate the detailed response, that helps me understand your approach.
Yes, example 3 was intended to be an excessive delivery that I would consider falls under performance related hazards.

Agreed when it comes to harms being actual issues and not a classification of the severity or of the requirements following the harm, e.g. "ailment requiring medical attention".

It seems that the interpretation of hazardous situation is fluid and changes between 1 and 2/3, where in example 1 the hazardous situation is the direct exposure of the patient to the hazard, which I would consider insufficient output.

Hazard: Insufficient Output
Hazardous Situation: sub therapeutic dosage received
Harm: tissue necrosis (taken your example, it's a physical harm)

For example two it appears that the hazardous situation has been defined as an issue that allows exposure of the user to the hazard.

I would have considered that for example two, if using the same approach as the first, the hazardous situation would have been fluid ingress contacts electrical components with the reasonably foreseeable sequence of events including the repeated exposure of the seal to cleaning chemicals causing it to break down.

Would you consider this approach in line with the standard?
Is it appropriate to use both approaches in the same document?

It doesn't help that EN 62366-1:2015 provides guidance on determining hazardous situation using both logical approaches (Figure A1 and Table B2)
 

ThatSinc

Involved In Discussions
#8
Where a single sequence of events, the user cleaning the device with excessive liquid as an example, could result in fluid ingress that results in electric shock, and can also result in component failure that either results in device failure whilst on a patient or putting the device out of service; would you list this reasonably foreseeable sequence of events under each appropriate hazard (electricity, no output, device availability) and have your mitigation for this (the casing sealing and subsequent IP rating) repeated for each hazard?

Would you consider device availability a hazard?
Where particular standards require you to assess, within your risk management file, the probability of the device being taken out of service due to component failure, I can only see that the hazard is the device availability (or lack thereof).
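The two questions raised in this thread (post #1's grouping of hazards by outcome versus by initiating cause, and post #8's single sequence of events shared by several hazards with one repeated control) can be made concrete with a small hazard register. This is an added example, not code from any standard or from the thread's authors; the register entries are constructed from the scenarios above and the function names are my own.

```python
"""Hazard-register helpers around the ISO 14971 chain
hazard -> sequence of events -> hazardous situation -> harm."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskLine:
    hazard: str
    sequence: str              # reasonably foreseeable sequence of events
    hazardous_situation: str
    harm: str
    controls: tuple = ()       # risk control measures applied on this line


# Constructed register built from the thread's scenarios (not real device data).
REGISTER = [
    # 2019-style grouping: one performance hazard, several sequences of events.
    RiskLine("Insufficient output", "hoses connected incorrectly (untrained user)",
             "sub-therapeutic dose received", "harm from inadequate drug", ("output alarm",)),
    RiskLine("Insufficient output", "worn gas-pathway component not replaced at service",
             "sub-therapeutic dose received", "harm from inadequate drug", ("output alarm",)),
    RiskLine("Insufficient output", "incompatible third-party connector fitted",
             "sub-therapeutic dose received", "harm from inadequate drug", ("output alarm",)),
    # Post #8: one sequence of events listed under three hazards with the same control.
    RiskLine("Electricity", "cleaning with excessive liquid; fluid ingress",
             "fluid contacts mains parts during cleaning", "electric shock", ("IP-rated casing seal",)),
    RiskLine("Insufficient output", "cleaning with excessive liquid; fluid ingress",
             "device fails while on patient", "harm from inadequate drug", ("IP-rated casing seal",)),
    RiskLine("Device availability", "cleaning with excessive liquid; fluid ingress",
             "device taken out of service", "delayed therapy", ("IP-rated casing seal",)),
]


def sequences_per_hazard(lines):
    """2019-style view: number of distinct sequences of events under each hazard."""
    by_hazard = defaultdict(set)
    for line in lines:
        by_hazard[line.hazard].add(line.sequence)
    return {hazard: len(seqs) for hazard, seqs in by_hazard.items()}


def hazards_if_cause_is_hazard(lines):
    """2012-style view: treat each initiating event as the hazard instead."""
    return sorted({line.sequence for line in lines})


def controls_shared_across_hazards(lines):
    """Controls that would be repeated under more than one hazard (post #8's concern)."""
    hazards_for_control = defaultdict(set)
    for line in lines:
        for control in line.controls:
            hazards_for_control[control].add(line.hazard)
    return {c: sorted(h) for c, h in hazards_for_control.items() if len(h) > 1}


def control_failure_lines(lines):
    """Clause 7.5 reasoning from post #3: failure of a control is a new sequence of
    events under the same hazard and hazardous situation, not a new hazard."""
    derived = []
    for line in lines:
        for control in line.controls:
            derived.append(RiskLine(line.hazard, f"{line.sequence}; '{control}' fails",
                                    line.hazardous_situation, line.harm))
    return derived
```

Running the two views over the same register shows the trade-off post #1 describes: three outcome-style hazards versus four cause-style hazards, with the cleaning sequence and its seal control surfacing under every hazard it feeds.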
 

indubioush

Quite Involved in Discussions
#9
You need to document each hazardous situation applicable to your device. You mention at least two hazardous situations above. Since we here don't know the details of what your device does, we can't tell you what to include or not. Just try to go with your gut and keep the patient in mind as you go through this.
 

Tidge

Quite Involved in Discussions
#10
Would you consider device availability a hazard?
Where particular standards require you to assess, within your risk management file, the probability of the device being taken out of service due to component failure, I can only see that the hazard is the device availability (or lack thereof).
Device (un)availability is not a hazard. This is more appropriately considered in a failure to provide essential performance.
 