Book review - Hazard Analysis Primer
I like this book so much I am offering a free copy!
At first glance, the term hazard sounds quite intuitive and easy to understand. According to the dictionary, it is a source of danger. Hazard analysis, by extension then, should be pretty straightforward, right?
Well, it doesn’t turn out that way in practice. Understanding the term hazard simply as a “source of danger”, or a “potential source of harm1” is not sufficient to correctly identify hazards in a system and to precisely describe their relationship to risk.
Medical device industry, in particular, continues to struggle with correctly identifying hazards and hazardous situations2 that may lead to harm. Although additional guidance is provided in Annex C of ISO 14971:2019 and section 5.4 of ISO/TR 24971:2020, there is still a lot of confusion in the industry about these basic concepts.
It is important to note that hazard analysis is not an explicit requirement of ISO 14971. However, identification of hazards and hazardous situations, and estimation of risk associated with each hazardous situation are required as part of risk analysis according to clauses 5.4 and 5.5.
A common industry practice is to almost exclusively use an FMEA3 to satisfy the requirements for risk analysis according to ISO 14971. However, an FMEA is only partially useful in identifying hazards because this analysis is limited to single failure modes of a medical device. As an example, an FMEA is not useful to identify hazards in the normal mode of operation. Certainly, there is more to hazard analysis than FMEA!
A consequence of this practice in the medical device industry is incomplete, and often inaccurate, analysis of risk of harm from the patient and/or the user perspective.
We can learn from best practices developed in other industries where safety is more critical. In particular, the knowledge of system safety is more mature in defense, aerospace and automotive industries, which has led to significant gains in overall safety.
The Hazard Analysis Primer by Clifton A. Ericson II is a good starting point for understanding concepts and techniques of hazard analysis and applying them to medical devices.
If you are interested in learning more, you can request a free copy of this book here (Note: US only, S/H fee applies)
Let us take a closer look:
What this book is about
This book is an introduction to hazard analysis in the context of system safety engineering. Most importantly, it offers a better understanding of the hazard concept and how it links to risk. It describes the hazard analysis process and provides an overview of various tools, techniques and checklists. It outlines common mistakes in hazard analysis, discusses common questions and offers practical examples.
At less than 200 pages and only 18 short chapters, this is not a thick, dense handbook. Overall, it is a good starting point to understand the conceptual framework for hazard analysis and common techniques.
Who this book is for
This book is most suitable for engineers, analysts and managers, who according to Ericson, “are confronted with the responsibility of developing safe systems and products through the process of hazard analysis”.
In the medical device industry, anyone involved in the design and development process will find this book very useful. In particular, this book in an excellent resource for quality engineers, product development engineers, risk management specialists and project managers.
Why I like this book
This book has changed my thinking about hazard and hazard analysis in a significant way.
I have practiced risk management in the medical device industry for more than 10 years. Like many of my colleagues, I have struggled with some of the key terms and concepts such as hazards, foreseeable sequence of events and hazardous situations. I have read the ISO 14971 standard and its companion guidance ISO/TR 24971 many times. I have read other textbooks and talked to many experts in the industry. However, I have always felt that something has been missing from our collective understanding, an evidence of which is our over-reliance on the use of FMEAs for risk management.
It is interesting to note that Ericson also highlights his own experience with this confusion and devotes an entire chapter to recognizing hazard ambiguity:
The confusion over what constitutes a hazard has been a major drawback to meaningful HA (Hazard Analysis) for some time. In order to identify hazards the concept of hazard must be clearly and precisely understood. There are many factors causing confusion, however, one of the biggest confusion is the definition of a hazard.
Ericson attempts to resolve this confusion by providing a more precise definition of a hazard comprising three essential components:
Hazard Source (HS): a basic source of danger
Initiating Mechanisms (IM): initiating/causal events that transition a hazard from its dormant state to an active state (leading to a mishap)
Target-Threat-Outcome (TTO): consequences resulting from a mishap event.
These 3 elements of a hazard form the so called “hazard triangle”, which can be used to unambiguously define an individual risk.
Ericson’s conceptual framework of a hazard offers a good foundation for building a clear and more nuanced understanding of hazard risk, system mishap model and hazard analysis. He does not use complicated technical jargon, which makes this book easy to read and understand without any prior knowledge of system safety engineering.
Overall, it is an excellent starting point for anyone trying to build a deeper understanding of these key concepts.
What this book is missing
This book is not a how-to manual or a handbook. Although it does provide an overview of tools and techniques commonly used in hazard analysis, it is intended as an introductory text in the general domain of system safety engineering. It describes the link to systems engineering in a general way, but does not address system safety in significant detail.
Second, this book is not about compliance with standards and regulatory requirements. It uses the MIL-STD-8824 approach to characterizing risk, mainly to illustrate a methodology rather than as a means to achieving compliance to specific requirements.
How you can use it for medical device risk management
Although some of the terminology used in this book is not the same, risk practitioners in the medical device industry will find many similarities in the conceptual framework.
As an example, the term mishap is not used in the medical device industry. In Ericson’s model, hazard and mishap are two sides of the same coin - hazard is the dormant condition, which is activated through the initiating mechanisms into a mishap with the associated target-threat-outcomes (TTO). He uses the terms hazard risk and mishap risk, associated with each of these two conditions. However, they are identical from a mathematical point of view.
In the medical device industry, an individual risk (of harm) is associated with a specific hazardous situation where a specific hazard is active as a result of a sequence of events. In this context, the term hazard used in the medical industry can be viewed as the hazard source (HS), the sequence of events as the initiating/causal mechanisms (IM) and the hazardous situation as the overall hazard itself. The harm resulting from a hazardous situation can be viewed as the target-threat-outcome (TTO) in Ericson’s model.
The main point is to recognize the need to define the hazard-sequence of events-hazardous situation combination for each individual risk in an unambiguous way so that the causal linkages are clear. Here, it is important to realize that a hazardous situation, and therefore an individual risk, can occur even when the device is operating normally as intended. This level of clarity is needed to accurately estimate each risk and to ensure completeness of risk analysis.
Another key point to recognize is that FMEA is not sufficient for risk analysis. Ericson recognizes FMEA as secondary analysis technique in Chapter 10 where he presents different types of hazard analysis (HA) techniques:
FMEA is not a formal HA technique and does not suffice for one. It can be used as a resource for a primary HA technique for the identification of critical component failure modes and failure rates.
Finally, there are many useful helpful examples and illustrations in this book. In particular, mind mapping techniques in Appendix A can be very useful in hazard identification and definition during brainstorming.
As defined in clause 3.4 of ISO 14971:2019.
Clause 3.5 of ISO 14971:2019 defines the term hazardous situation as “circumstance in which people, property or the environment is/are exposed to one or more hazards”.
FMEA: Failure Modes and Effects Analysis. See IEC 60812:2018.
Department of Defense standard practice for system safety. Currently, rev E of the MIL-STD-882 is active as of 11 May 2012.