Hazardous Situation Development

Identification of all the hazardous situations associated with the therapy or procedure requires the identification of all actions (both user and device) associated with the execution of the therapy or procedure. Use of functional analysis, rather than starting with the failure modes of the device and assessing the risk of the linked therapy or procedure actions, aligns with the current approaches recommended by IEC 62366 and the recent FDA guidance, “Applying Human Factors and Usability Engineering to Medical Devices”. This approach of identifying all actions and the associated hazardous situations has the following advantages:

  • The risk profile of the device is identified within the context of its use.
  • Use errors, labeling and other failures are a natural result of the approach.
  • Traditional mitigations are easily identified.

The following is an example of identifying a use error and a traditional mitigation:

An infusion pump warns users to disconnect from the patient prior to purging the delivery path.  This is not a failure of the device but rather a response of the device to a potential use error.

The first process step identifies the overall “mission”. In most cases the “mission” is the delivery of a single therapy or the execution of a single procedure. The following drawing is a pictorial representation of a single “mission”, consisting of the operations associated with a single drug delivery.

The following table summarizes each operational phase identified and its possible failure modes.

Therapy Phases in Risk Analysis

Therapy Phase | Description | Possible Failure Modes
Acquisition | The device ships from the manufacturer to the user. | Shipping damage.
Training | The training of the users. | Failure to complete training.
Deployment | Moving the device to a position of use, such as loading a disposable into the COW (computer on wheels). | Storing a prefilled device in the wrong dose bin due to labeling, or physical damage while pushing a device on wheels.
Setup | Setting up for delivery of the procedure. | Improper configuration by the clinician.
Programming | Programming the device for the procedure. | Setting the wrong dose.
Delivery | Delivering the therapy. | Failure of the device to deliver.
Handoff between users | The presentation of status during shift changes. | Failure of the clinicians to discuss status when changing shifts.
Teardown | Tearing down the setup for the procedure. | Sharp objects being exposed.
Service | Cleaning and service. | Allowing cleaning solutions into the device.
Manage Exceptions | Handling alarms and issues. Exceptions are generally handled outside of the normal operational context. | Unnecessary interruption of the therapy.
Global | Things such as delivering electrical power, i.e. those that cut across the other phases. | Battery depletion.

Using the operational phase approach identifies the full scope of a therapy delivery or procedure, and with it all possible functions that could be associated with a failure and a hazardous situation.

The next step identifies the functions associated with each operational phase. As shown in the following figure, each phase is decomposed into 10-12 constituent functions.

At this point in the process all operational phases and associated functions have been identified.

Following the identification of the functions, a multi-disciplined team should identify the failure modes and the sequence of events for each function. A failure of a function is an initiating event that will trigger the hazardous situation. The sequence of events for each failure is the subsequent chain of events leading to a hazard. Separating the failure mode from the subsequent events helps drive the identification of potential mitigations. The following example describes the difference:

  • During delivery, over delivery by the device is detected. This is the failure mode.
  • The sequence of events is the improper clearing of the alarm, resulting in an interruption of delivery.

As part of the failure analysis, the operational phase determines the hazard resulting from the failure. As an example, failure of the delivery pump creates an interruption of therapy when it occurs during the delivery operational phase, but the same failure results in a delay of therapy when it occurs during setup.

The process must accommodate the fact that a single function and its associated failure modes may create multiple hazardous situations, depending upon the sequence of events. A single function may be associated with multiple hazardous situations, each having a unique combination of failure mode, sequence of events and hazard. As a benchmark, each function may have as many as 5-10 distinct hazardous situations. The table below describes what the combination may look like:

Hazardous Situation Combination

Function | Failure Mode | Sequence of Events | Hazard | Severity
Delivery | Delivery H/W fails | Operator successfully switches to backup system | Interruption of therapy less than 2 min | Minor
Delivery | Delivery H/W fails | Operator fails to switch to backup system | Interruption of therapy greater than 2 min | Critical

The following elements should be identified for each hazardous situation.

Hazardous Situation Definition

Hazardous Situation Data Element | Description
Failure Mode | The way in which a particular process input, function, or item being assessed fails or could fail.
Failure Cause | One or more variations in the process that lead to the occurrence of the failure mode.
Sequence of Events | The mechanism that causes a failure mode to become a hazardous situation.
Hazard | The associated hazard.
Hazardous Situation Probability (P1) | Probability of the hazardous situation. This probability links to the exposure.
Harm Probability (P2) | From the Hazard Identification Table.
Severity of Harm | From the Hazard Identification Table.
Risk Probability (P1xP2) | Combined probability of occurrence for the hazardous situation.
Mitigation or Control (Critical Requirement) | These will be defined in upcoming posts.
Disposition | Disposition on whether the field performance meets the target risk.

The determination of the probability of exposure (P1) is the next step in the analysis of the hazardous situation. Hazardous situation probabilities are based upon occurrence per therapy or procedure. Calculations based upon hours and other measures should be avoided, as these measures tend to distort the real failure rates. Most regulatory agencies have settled on failure rate per therapy or procedure as the preferred rate.

The breakdown of the overall probability of a Hazardous Situation (exposure) i, is given as

Note that these parameters are defined in IEC 68012, section 5.3.4.

As an example, for a keyboard failure (the failure mode) with the delivery device, if 90% of the keyboard use occurs during programming the delivery, the  associated with   of a keyboard failure during the programming of the delivery resulting in over delivery would be given as

In reviewing this example, the keyboard failure is the overall rate of a keyboard failure, with 90% (α) of failures happening in the programming phase (logically, this is where most typing occurs). Because users generally check the typing and the system includes other checks, β indicates that only 1 in every 1000 keyboard failures actually leads to programming over delivery.

The next step involves the determination of P2. The determination of P2 connects the hazard for the hazardous situation to the harm.  During this process, it should be noted that the probability of a particular severity of harm for a hazard is not automatically 1.  As an example, only about 1 in 1000 interruptions of therapy may result in a critical severity harm, with the majority of these hazards resulting in a severity of minor or negligible.  Each hazard has a probability of creating harms with all possible severities (catastrophic to negligible).  This can be expressed as

In most cases, an evaluation of severity and probability for all possible severities assigns the severity for the hazard associated with the hazardous situation.  This yields the P2 for the hazardous situation, which is the P2 for the associated hazard.  Following the determination of P1, the probability of an exposure (hazardous situation), the total probability (P1xP2) of the risk is usually determined using the following table

The final step in the hazardous situation development is the risk evaluation.  Risk evaluation reviews the probability and severity for each hazardous situation against predetermined criteria. Normally a table as shown below establishes the acceptability of the residual risk for a hazardous situation.

The ranges Unacceptable, Conditionally Acceptable and Acceptable come from the standards (see ISO 14971:2012). Conditionally Acceptable usually requires further analysis and documentation to establish acceptability.

This table forms the basis for the overall acceptability of the risk for the device as well as need for risk controls.
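As an added worked example (not from the original post), the following Python carries the keyboard-failure case through the steps above: P1 from the overall failure rate, α and β; P2 from the hazard's distribution of harm over all severities; P1xP2 mapped onto a probability band; and a disposition from an acceptability matrix. Only α = 0.9 and β = 1/1000 come from the text; the per-therapy failure rate, the severity distribution, the band thresholds and the matrix cells are constructed assumptions, not values from ISO 14971.

```python
import math

# Severity scale used in the post, least to most severe.
SEVERITIES = ["negligible", "minor", "serious", "critical", "catastrophic"]

# Qualitative probability bands for P1xP2 (per therapy). Upper bounds are
# constructed for illustration, not taken from ISO 14971.
BANDS = [("improbable", 1e-6), ("remote", 1e-5), ("occasional", 1e-4),
         ("probable", 1e-3), ("frequent", math.inf)]

# Constructed acceptability matrix: highest band index that is Acceptable for
# each severity; one band higher is Conditionally Acceptable, beyond that
# Unacceptable.
ACCEPTABLE_UP_TO = {"negligible": 3, "minor": 2, "serious": 1,
                    "critical": 0, "catastrophic": -1}

def p1(failure_rate, alpha, beta):
    """P1 per therapy: overall failure-mode rate x alpha (share of failures
    in this phase) x beta (share that progress through the sequence of
    events to the hazard)."""
    return failure_rate * alpha * beta

def p2(harm_distribution, severity):
    """P2 for one severity; the hazard's distribution over all severities
    (catastrophic ... negligible) must be complete and sum to 1."""
    if set(harm_distribution) != set(SEVERITIES):
        raise ValueError("distribution must cover every severity")
    if not math.isclose(sum(harm_distribution.values()), 1.0):
        raise ValueError("severity probabilities must sum to 1")
    return harm_distribution[severity]

def band_index(probability):
    """Index of the qualitative band containing this probability."""
    return next(i for i, (_, upper) in enumerate(BANDS) if probability < upper)

def disposition(probability, severity):
    """Acceptable / Conditionally Acceptable / Unacceptable lookup."""
    limit, idx = ACCEPTABLE_UP_TO[severity], band_index(probability)
    if idx <= limit:
        return "Acceptable"
    return "Conditionally Acceptable" if idx == limit + 1 else "Unacceptable"

def evaluate(failure_rate, alpha, beta, harm_distribution, severity):
    """Carry one hazardous situation through P1, P2, P1xP2 and disposition."""
    hs_p1, hs_p2 = p1(failure_rate, alpha, beta), p2(harm_distribution, severity)
    risk = hs_p1 * hs_p2
    return {"P1": hs_p1, "P2": hs_p2, "P1xP2": risk,
            "band": BANDS[band_index(risk)][0],
            "disposition": disposition(risk, severity)}

# Keyboard failure during programming, over-delivery hazard, critical harm.
# Failure rate (1e-2 per therapy) and harm distribution are constructed.
OVER_DELIVERY_HARMS = {"negligible": 0.7, "minor": 0.2, "serious": 0.099,
                       "critical": 0.001, "catastrophic": 0.0}
with_checks = evaluate(1e-2, 0.9, 1e-3, OVER_DELIVERY_HARMS, "critical")
no_checks = evaluate(1e-2, 0.9, 1.0, OVER_DELIVERY_HARMS, "critical")  # beta=1
```

Comparing `with_checks` against `no_checks` shows how the user and system checks captured by β move the same failure mode from one acceptability region to another, which is where the mitigation column of the definition table comes in.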
