Role of hazard analysis in ISO 14971

Medical device hazard analysis is a fundamental requirement of ISO 14971 risk management. Hazard analysis entails identifying hazards arising from possible occurrences, or “hazardous events”. These hazardous events could stem from the environment or from the usability of the device, i.e., from human factors.
After assessing the possible failures of the product, or “causes”, the cost of each risk should be compared with its benefit. This is known as a “top-down” approach, which reviews the components of the product last. If the cost outweighs the benefit of retaining a residual risk, actions should be taken to mitigate or eliminate that risk. If the benefit outweighs the perceived cost, actions should be taken to ensure that stakeholders are aware of the residual risks they are exposed to during use, why those risks are necessary to the medical device, and how they should be handled. Two co-dependent factors determine whether the risks a medical device poses are acceptable. One axis is the probability of a hazardous event's occurrence, i.e., how likely the event is to happen.
The other axis is the severity of the event, i.e., how serious its consequences are.

Methodology of hazard analysis in medical device development

The most common approaches to top-down hazard analysis in medical device development include Fault Tree Analysis (FTA) and Hazard Analysis and Critical Control Point (HACCP). The two are similar in approach, but FTA is visually a convenient way to estimate probabilities of occurrence. At the top of the tree lies the hazardous event that poses a risk, which then branches down through levels of causal factors that need to be addressed. The method is built on logic gates, which capture which causal events, or “gates”, are necessary for the top-level event to occur. In the initial steps of development it can be difficult to know the specific hazardous events that might occur, but there are still high-cost baseline hazardous events that could pose risk during development and must be considered. This is useful for determining the best course of action when selecting materials and when developing monitors, controls, and other design features for the product.

Thus FTA is primarily a tool for weighing the risks of various alternatives. HACCP uses a specific seven-step process to structure the hazard analysis. In addition to identification, HACCP targets critical control points and critical limits. Once these are set, a system is established to monitor the critical control points and verify that the HACCP system is working effectively, together with a record-keeping system. The same perspective is applied throughout production and post-production of medical devices to ensure that life-threatening risks from malfunctions and misinformation are considered. Often a risk matrix is created that sets the aforementioned probability of occurrence against severity, based on the company's risk-acceptability criteria. The result is a constantly improving, low-cost product.

At Sterling Medical Devices we embed hazard analysis in our human factors engineering process. To learn more about our human factors engineering, visit.
Methods

Insulin pump hazards and their contributing factors are considered in the context of a highly abstract generic insulin infusion pump (GIIP) model. Hazards were identified by consulting with manufacturers, pump users, and clinicians; by reviewing national and international standards and adverse event reports collected by the FDA; and from workshops sponsored by Diabetes Technology Society. This information has been consolidated in tabular form to facilitate further community analysis and discussion.
Introduction

Insulin pumps play an important role in modern diabetes treatment. These pumps are typically used to help maintain blood glucose (BG) levels by delivering rapid-acting insulin through a catheter placed under the skin. Pumps used for subcutaneous insulin delivery not only provide patients with increased convenience and flexibility, but also provide the potential for greater dose precision, more reliable insulin action, and relatively quick dosing adjustments for different lifestyle activities.

While insulin pump technology has helped patients lead a more normal, healthy life, the devices do present risks (i.e., combination of the probability of occurrence of harm and the severity of that harm) to the patient or user of the device. These risks are rooted in the complex technology itself, development and manufacturing errors, individual differences in physiology and lifestyle, and because the devices are operated by patients themselves, on a daily (24/7) basis, and in diverse environments.

The Manufacturer and User Facility Device Experience database maintained by the U.S. Food and Drug Administration (FDA) indicates that there were over 5000 adverse events reported for insulin pumps in the year 2008. It is imperative that the diabetes community and insulin pump manufacturers work together to comprehensively address foreseeable risks and establish risk control measures (i.e., process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels) that reduce overall risk to an acceptable level.

We believe it would be helpful to the diabetes community to establish a common insulin pump safety reference model.
All stakeholders could use this as a basis for discussing and exchanging information as well as specific concerns about insulin pump safety. This article strives to establish the foundation for such a reference model by identifying hazardous situations and their causes for a notional generic insulin infusion pump. We make no claim that this set of hazardous scenarios or their causes are exhaustive. We encourage users, manufacturers, researchers, and regulators alike to consider them and expand upon them in an open forum.
Background

For several years now, software researchers at the FDA/Center for Device and Radiological Health/Office of Science and Engineering Laboratories have been exploring the concept of model-based engineering (MBE) as a means for manufacturers to develop certifiably dependable/safe medical devices, software, and systems. In MBE, developers use executable models as the primary development artifact for discovering and eliminating design errors early in the life-cycle development process. Infusion pumps were selected as a target for studying MBE methods because their design provides the desired degree of research complexity and these types of devices present an ongoing regulatory challenge.

To date, this research has been focused on the development of a generic patient-controlled analgesia infusion pump safety model. In light of the growing incidences of diabetes in our society, we are extending our research to address safety (i.e., freedom from unacceptable risk) issues associated with insulin pumps. This article represents the first step in establishing safety properties for a generic insulin infusion pump (GIIP).

Scope

Safety concerns considered in this article are based on designs generally found in legacy (predicate) devices and devices currently on the market or likely to be on the market in the not too distant future. We identify features common to these devices as part of our generic insulin pump model and intentionally exclude many features being pioneered by specific pump manufacturers, such as embedded glucose meters, built-in infusion sets, and remote controllers. Our work is focused on “standard” electronic personal use insulin pumps with infusion sets only.
Hospital use insulin pumps or implanted insulin pumps are not considered in this work. However, because the model is a design abstraction, its safety-related issues can be mapped to any type of insulin delivery device. For example, insulin pumps without an infusion set still have to deliver the drug. In our model this may be accomplished via the infusion-set component shown in. This component can be implemented as a subcutaneous insulin delivery mechanism that is part of the device versus an external infusion set and reassessed for hazards associated with this design choice.
Figure: System architecture of generic insulin infusion pump.

We have established a system boundary for our insulin pump model as depicted in. It comprises the GIIP (pump), the user, the infusion set (connection), and the environment. We exclude device accessories such as glucose meters, the infusion sets themselves, and remote controllers.

We focus our analysis on software-driven functionality. Hardware issues are raised only in the broadest sense because our insulin pump model has no concrete notion of hardware. For example, we raise the issue of electromagnetic interference as a source of hazards, but offer no in-depth causes of it.

Caveats

The GIIP model is composed of various abstract functional components consistent with the stated scope. There is probably no single device currently on the market that has all of the design features and subsequent safety issues represented in this model. For example, not all insulin pumps provide a food database feature.
This feature was included in our model because it may become a common feature and its use (or lack of use) presents risks that should be considered in a hazard analysis.

The hazard analysis results presented are not considered to be exhaustive. An in-depth fault tree analysis and hazard and operability analysis remain to be performed. Additionally, a compendium of use cases is needed to challenge the model architecture and component interaction. By performing these activities it is likely that additional sources of hazardous situations will be revealed.
However, these activities are beyond the scope of this article.

Manufacturers who reference this generic analysis in their design process may benefit from checking their results against this independent work. Manufacturers claiming to use this preliminary hazard analysis in their design process still have to establish sufficient evidence to the FDA that their device is safe and effective.

Generic Insulin Infusion Pump Architecture

The GIIP administers insulin to the user via a delivery path, composed of a drug reservoir, a drug delivery interface, and the infusion set. Along this path, the drug reservoir acts as a built-in storage unit for insulin that will be monitored and administered. The drug delivery interface represents a segment of concealed tubing connecting insulin flow from the reservoir to the infusion set. A pump delivery mechanism provides the force for moving insulin from the pump to the user at a prescribed rate and for a prescribed duration.

The user/patient interacts with the GIIP through the GIIP user interface. The user interface allows the user to receive information from GIIP output devices and input data/commands through GIIP user input devices.

The environment (cloud) is constrained to physical properties such as temperature, pressure, sound, and radiation energies.
(Examples of exclusions are enumerated earlier, in the Scope section of this article.)

The pump controller component represents an abstraction of generic insulin pump software. It provides the operational “glue” and robustness in the GIIP system.

Preliminary Hazard Analysis

The preliminary hazard analysis provided in the is based on four sources of information:

- Domain knowledge from manufacturers, pump users, and clinicians.
- Adverse event reports collected by the FDA.
- Workshops sponsored by the Diabetes Technology Society.
- International Organization for Standardization (ISO) 14971.

When receiving therapy from an insulin pump, a user might encounter various hazardous situations in which her/his health is at risk. A hazardous situation, according to the ISO 14971 standard, is a circumstance in which people, property, or the environment is exposed to one or more hazards, where a hazard represents a potential source of harm (i.e., physical injury or damage to the health of people, or damage to property or the environment). Overdose and underdose are the most likely hazardous situations in insulin pump use, resulting in hypoglycemia or hyperglycemia, respectively. In an overdose or underdose situation, the patient receives more (or less) insulin from the pump than required to maintain desirable BG levels.

Hazardous situations for the GIIP model are summarized in of the.
They are broadly categorized in terms of therapeutic, energetic, biological/chemical, mechanical, and environmental.

| Category | Hazardous situation |
| --- | --- |
| 1. Therapeutic | 1.1 Overdose: the user receives more insulin than required to maintain desirable BG levels |
| | 1.2 Underdose: the user receives less insulin than required to maintain desirable BG levels |
| | 1.3 Incorrect treatment: the user receives either an incorrect drug or a correct drug with incorrect concentration |
| 2. Energetic | 2.1 Excessive thermal energy generation by the pump |
| | 2.2 Electrical shock: the pump transfers electric current to accessible surfaces during operation |
| | 2.3 Excessive electromagnetic emissions by the pump: affects the pump itself, other device(s) worn by the user, or other users and their devices |
| | 2.4 Excessive sound frequencies generated by the pump |
| 3. Chemical/biological | 3.1 User infection |
| | 3.2 User allergic reaction/rash to pump materials or insulin (a) |
| 4. Mechanical | 4.1 Presence of sharp edges or scissor points |
| | 4.2 Excessive pump vibration, e.g., connectors, components stressed |
| 5. Environmental | 5.1 Unsafe disposal of the pump or pump components: user disposes batteries or other pump subassemblies in an unsafe manner |

(a) The user may also be allergic to infusion set adhesives. However, because such adhesives have been excluded from the GIIP system, we do not consider hazardous situations related to infusion set adhesives here.

The creation of a hazardous situation is contingent on certain conditions or combinations of conditions being realized during operation of the pump.
An underdose, for instance, can be caused by air bubbles getting into the delivery path (air in line) of the pump. The presence of air bubbles can be caused by many factors, such as design defects, manufacturing flaws, device failures, misconnections, and use errors.

through in the identify a generic set of hazardous situations, their causes and contributing factors, and implicit cause–effect relations among these entities. To facilitate traceability, we categorize the analysis in terms of engineering design considerations, as follows. Each row in the tables establishes a cause–effect relationship (causal chain). This relationship is established in terms of an identified primary cause, the associated hazardous situation(s) resulting from the primary cause, and, when possible, all contributing factors to the primary cause. These tables represent an aggregation of causal chains. If one were to diagram these tables graphically, a tree-like structure would emerge.
We refer to this tree-like structure as a causal tree. It should be noted that the tabular-based causal tree structure presented here represents just one of many arbitrary ways to organize a hazard analysis.

Rationale for PHA Table Organization

Terms associated with a hazard analysis such as hazard, hazardous situation, and event (cause, contributing factor) are rather ambiguous and their description often arbitrary. For example, consider leakage of insulin from the delivery path.
Such an event, if left undetected, could cause an underdose hazardous situation. The event could also cause an incorrect calculation of the amount of insulin to be delivered, which in turn will cause an incorrect calculation of future boluses resulting in an under/overdose hazardous situation. Is the leakage a cause or contributing factor of incorrect future boluses or the initiating event of a sequence of events leading to underdose? The ambiguity in terminology further exacerbates analysis when different levels of design abstraction are being considered. What seems more important than resolving terminology issues is the application of some disciplined method for assessing how a particular design can cause harm.

We assemble cause–effect relations identified in our analysis into an aggregated tabular causal tree.
Each edge represents a particular cause–effect relation consisting of two levels: (a) a primary cause and (b) contributing factors to the cause. Cross-cutting edges can exist between branches in the tree. Clearly, cause–effect relations resulting in hazardous situations can be quite complex, even in our rather simple abstract pump architecture.

The comprehensiveness of the hazard analysis depends, in part, on the level of design abstraction. As more implementation details are established, additional causes of hazardous situations are manifested. In our GIIP model, no assumption is made about how pump components are implemented or assembled with other components.
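The causal-tree rows described above, evaluated with the FTA logic gates from the methodology section earlier on the page, as an added example that is not part of the article or of the FDA GIIP work: it computes the probability of the underdose top event from constructed leaf probabilities through OR/AND gates, extracts the minimal cut sets, and places the result on a probability-versus-severity risk matrix. The leaf probabilities, probability bands and acceptability thresholds are assumptions, not values from the page or from ISO 14971.

```python
# Added example, not code from the article or the FDA GIIP study. Causal-tree rows
# (hazardous situation <- primary cause <- contributing factors) become a fault tree;
# all probabilities, bands and thresholds below are constructed placeholders.
import math
from dataclasses import dataclass

@dataclass
class Leaf:
    name: str
    p: float  # constructed probability that this basic event occurs

@dataclass
class Gate:
    name: str
    kind: str  # "OR" (any input suffices) or "AND" (all inputs must occur)
    inputs: list

def probability(node) -> float:
    """Top-event probability, assuming the inputs of each gate are independent."""
    if isinstance(node, Leaf):
        return node.p
    ps = [probability(n) for n in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - p for p in ps)  # OR: 1 - P(no input occurs)

def minimal_cut_sets(node) -> set:
    """Smallest sets of basic events whose joint occurrence causes the top event."""
    if isinstance(node, Leaf):
        return {frozenset([node.name])}
    child = [minimal_cut_sets(n) for n in node.inputs]
    if node.kind == "OR":
        sets = set().union(*child)
    else:  # AND: combine one cut set from every input
        sets = {frozenset()}
        for cs in child:
            sets = {a | b for a in sets for b in cs}
    return {s for s in sets if not any(o < s for o in sets)}  # drop non-minimal sets

# Constructed bands and thresholds; ISO 14971 leaves these to the manufacturer's criteria.
PROB_BANDS = [(1e-1, "frequent", 5), (1e-2, "probable", 4), (1e-3, "occasional", 3),
              (1e-4, "remote", 2), (0.0, "improbable", 1)]
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}

def probability_band(p: float) -> str:
    return next(name for lo, name, _ in PROB_BANDS if p >= lo)

def acceptability(p: float, severity: str) -> str:
    score = next(rank for lo, _, rank in PROB_BANDS if p >= lo) * SEVERITY[severity]
    if score >= 12:
        return "unacceptable"    # risk control required before release
    if score >= 6:
        return "reduce further"  # reduce as far as practicable, disclose residual risk
    return "acceptable"

# Causal chain from the article: underdose <- air in line <- {design defects,
# manufacturing flaws, device failures, misconnections, use errors}, plus leakage
# from the delivery path that goes undetected. Leaf values are constructed.
AIR_IN_LINE = Gate("air in line", "OR", [
    Leaf("design defect", 0.001), Leaf("manufacturing flaw", 0.002),
    Leaf("device failure", 0.005), Leaf("misconnection", 0.01), Leaf("use error", 0.02)])
UNDETECTED_LEAK = Gate("undetected leakage", "AND", [Leaf("leakage", 0.01), Leaf("detection failure", 0.1)])
UNDERDOSE = Gate("underdose", "OR", [AIR_IN_LINE, UNDETECTED_LEAK])

def underdose_report(severity: str = "serious") -> dict:
    """Evaluate the underdose branch of the causal tree and place it on the risk matrix."""
    p = probability(UNDERDOSE)
    return {"probability": p, "band": probability_band(p),
            "cut_sets": minimal_cut_sets(UNDERDOSE), "acceptability": acceptability(p, severity)}
```

Each cut set with a single member is a single-point cause of underdose; the two-member set shows that the leakage branch is tolerable only while detection works, which is where a risk control (the detection feature) enters the tree.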
Nevertheless, the safety-related issues established here can be mapped easily to most real-world insulin pump implementations because the analysis is at a high system level.

Using and Extending PHA Tables

Specific insulin pump devices may or may not have design features that are instantiated from the GIIP safety model. Manufacturers using our PHA results in their development process should consider the following criteria:

- If certain design features included in the GIIP are not implemented in the device, related causes or contributing factors are not applicable to the device and should be ignored.
- If a design feature addressed by the GIIP is implemented in the device, relevant factors presented in the PHA tables can (and should) be used to assess the safety properties of the device. Any side or collateral effects introduced by the GIIP PHA should be appropriately considered and dealt with as well.
- If the device includes a design feature outside the GIIP system boundary, then two possibilities need to be considered.
  - The design feature can be modeled as a new component in the (necessarily expanded) GIIP system. Remote controllers, as now seen in use with some modern insulin pumps, provide an example of such a feature. If a new remote control component is incorporated in the GIIP model, analysis would then need to consider safety issues associated with this remote control component and its interactions with other GIIP components.
  - This design feature cannot be modeled as a new functional GIIP component, but it may affect the safety properties of one or more GIIP components. An example of this case is pump miniaturization, i.e., design or implementation efforts to make insulin pumps smaller and more compact.
As a system-level feature, pump miniaturization will obviously affect all aspects of the device. If such a design feature is introduced, the PHA tables will likely need to be updated, eliminating elements invalidated by the new feature(s) and adding elements introduced by the new feature(s).

Human Factors Considerations

Referring to the, one causal factor worth calling special attention to is in, cause 8.10.13, which deals with “human factors issues.” It is meant to be a placeholder for all possible pump-user interface issues that can affect users' easy, safe, and comfortable use of the device. Because of a lack of design and implementation details, we do not elaborate on this particular cause in the analysis. However, we encourage manufacturers to analyze their pump-user interface design comprehensively and correct any design feature that does not comply with the intended users of their devices. In order to do this, manufacturers need to identify the user population of their devices; fully understand physical, psychological, social, cultural, and biological characteristics of the population; and apply this understanding in the analysis.
For example, if an insulin pump is intended to be used by senior citizens, then it should not incorporate a small display with unreadable fonts or a keypad with buttons bearing small symbols that cannot be read or interpreted easily. More broadly, the notion of information overload merits special attention. In this situation, the pump can be performing correctly, but the user becomes overwhelmed by all the information being presented and ultimately does something incorrect.
Mobility Considerations

Advances in insulin pump design permit greater user mobility, which in turn is believed to improve the user's quality of life. This “mobility” property can cause the pump to be exposed to environmental conditions that can affect pump operation and patient safety. In the home use environment, the pump might be exposed to electromagnetic emissions from cell phones, microwave ovens, or even other medical devices that could upset device operation. Similarly, exposure to X-rays (airport security), radio frequency identification readers, magnetic resonance imaging (medical imaging), or combinations of radiations is possible. The mobility property might encourage the user to use an insulin pump in environments that have subtle safety implications. A camping site is an example of such an environment: there may be limited user access to sufficient pump supplies, such as batteries, insulin, or infusion sets.

Mobility factors can often affect the design of multiple device components in subtle ways. If miniaturization is used as a means of improving mobility, the pump might become more susceptible to electromagnetic disturbances or other types of radiations or introduce new circuit design issues.
Manufacturers need to give careful thought to possible hazardous situations caused by pump mobility factors.

Our PHA addresses a number of mobility conditions, but is not exhaustive. This is in part due to the level of device abstraction being modeled.

Conclusion

This article introduced a generic insulin pump model and a preliminary hazard analysis based on this model.
The model is an abstraction of real-world insulin pumps, encapsulating common design features. Issues such as the selection and integration of electrical, material, mechanical, and chemical elements are not relevant to the abstraction. Rather, we concern ourselves with system-level safety issues that are manifested at the pump user interface.

We believe that there is considerable value in having the diabetes and academic communities and manufacturers consider and discuss these preliminary hazards in order to extend them, to make them more complete, to experiment with them, and to reference them in insulin pump designs. By doing so in an open forum, it may be possible to establish an open system insulin pump safety reference model that can be most helpful in improving the safety and effectiveness of insulin pumps and in streamlining the regulatory process for placing them on the market.
We encourage those interested in establishing such a reference model to contact the authors.

The authors thank the following people for their contributions to this article:

ASHVINS Group Technology Professionals
Lynn Hilt, Thomas Love and Alin Andea
Miami, Florida

David C. Klonoff, M.D., FACP
Medical Director, Diabetes Research Institute
Mills-Peninsula Health Services
San Mateo, California

Lt Col Mark W.