ISO 14971 fundamentals: understanding sequence of events
It helps to keep the big picture in mind when identifying foreseeable sequence or combination of events.
A common challenge for risk practitioners in the medical device industry during risk analysis is to identify foreseeable sequences and combinations of events leading to a hazardous situation, as required by ISO 14971:2019 [1]:
For each identified hazard, the manufacturer shall consider the reasonably foreseeable sequences or combinations of events that can result in a hazardous situation, and shall identify and document the resulting hazardous situation(s).
One reason this exercise becomes difficult in practice is because a single initial event can lead to many different sequences or combinations of events and outcomes.
A second challenge arises when practitioners try to identify sequences or combinations of events during Failure Modes and Effects Analysis (FMEA). An individual failure mode in an FMEA may manifest itself as an initial event, or it may be involved in another sequence of events triggered by a different initial event.
Consider the following example from the guidance document ISO/TR 24971:2020 [2], which analyzes an insulated wire carrying line voltage (220 V) beneath the cover of a medical device. One specific sequence of events leading to exposure to line voltage may include the following events:
Insulation material is damaged by cracks
Insulation material falls off the wire
User connects and turns on the device
User removes the cover
User touches the wire
Here, only the first event is the effect of a specific failure mode, which may itself be due to one or more causes. Cracks in the insulation may be due to inadequate material selection, or deterioration in material properties due to environmental conditions outside the design specifications. We generally identify a specific failure mode and all potential causes in separate lines within an FMEA.
We cannot directly link the subsequent events in this sequence to the specific failure mode in an FMEA. That is why an FMEA is not the right tool for outlining the many different sequences or combinations of events that may lead to hazardous situations.
Let us understand the big picture first - why care about foreseeable sequences of events?
Keeping the end goal in mind, we need to develop a sequence or combination of events only to the extent that it allows us to clearly define one or more hazardous situations.
As noted above, an FMEA is not suitable for outlining these foreseeable sequences or combinations of events.
A more suitable technique for this purpose is Event Tree Analysis (ETA). According to ISO/TR 24971:2020:
ETA is a causal analytical technique that is based on an analysis of a sequence of actions and events that lead to a negative outcome. ETA considers the impact of the failure of a particular component or item in the system, and works out the effect such a failure can have on the overall system and on the users and patients. ETA uses an inductive approach whereas FTA (Fault Tree Analysis) is deductive.
In short, each line item in an FMEA, representing an individual failure mode/cause combination, can lead to an event tree that ends in a system-level effect, for example a hazardous situation and/or harm.
Let us dig deeper to understand this concept and develop a practical approach for risk analysis.
Let us now understand the concept of a reasonably foreseeable sequence or combination of events in more detail. First, we will look at each term to clearly understand how it may be defined and/or understood according to the Merriam-Webster dictionary.
Reasonable: being in accordance with reason; not extreme or excessive; moderate, fair; inexpensive; having the faculty of reason; possessing sound judgment.
Foreseeable: being such as may be reasonably anticipated; lying within the range for which forecasts are possible.
Sequence: a continuous or connected series; order of succession; a consequence, result; continuity of progression.
Combination: a result or product of combining; an ordered sequence; a subset of a set considered without regard to order within the subset; the act or process of combining.
Event: something that happens; an adverse or damaging medical occurrence; a postulated outcome, condition or eventuality; a subset of the possible outcomes of an experiment.
Clearly, there is a lot to the notion of reasonably foreseeable sequence or combination of events, and it is open to interpretation. There is an element of judgment involved in outlining a reasonably foreseeable sequence or combination of events, especially when it can lead to a hazardous situation with a potential for harm.
How to think about sequence of events
In her book "Engineering a Safer World", Nancy Leveson links conditions and events through a cause-and-effect relationship as shown in the following figure. This concept is useful to understand the relationships between events, whether in a specific sequence, or in a combination of events with many different branches.
Let us take the following example:
Initial condition: a rapid antigen test for COVID-19 gives a false negative result to a person who has no symptoms but is infected
Event A = negative COVID-19 result
New condition = the infected person is now a carrier of the virus and may infect another person
Event F = a second person who comes in contact with this individual is infected
Events B, D, E = the first individual develops symptoms (B), their condition worsens (D), and they are taken to the hospital (E)
Event E = the second person who was infected also develops strong symptoms and is taken to the hospital
Event C = the first person develops symptoms but is able to recover with minimal treatment
Note that we can estimate the probability of each event based on the prior event(s), provided we are able to outline the event tree structure in this analysis.
Why does this matter?
A clearly outlined sequence/combination of events helps us to estimate P1, the probability of occurrence of a hazardous situation. Once a hazardous situation has occurred, P2 is the probability of harm due to that specific hazardous situation.
In order to estimate risk due to a specific hazardous situation, as required by ISO 14971:2019, we need to accurately estimate P1 and P2. As shown in the Figure below, the overall probability of occurrence of harm (POH) is then estimated as the product of P1 and P2.
As an example, two different hazardous situations are illustrated in Figure 3. We can estimate P1 for each by combining the probabilities of the sequences of events starting from Event A.
Hazardous situation 1: Event A → Event B → Event C
Hazardous situation 2: Event A → Event F → Event E, OR Event A → Event B → Event D → Event E
If we know the individual probabilities of each event, we can estimate the combined probability using the AND and OR rules of probability.
In practice, however, it is not always feasible to obtain a reasonably accurate probability estimate for each individual event in the full sequence or combination of events leading up to a hazardous situation.
Let us revisit the big picture again
First, it is important to realize that building an ETA is only a means to an end, not the end by itself. What we need is a reasonably accurate estimate of P1 and P2 to be able to estimate the risk associated with each hazardous situation.
Therefore, it is important to appreciate that ISO 14971:2019 asks us to only consider, and not necessarily document, the reasonably foreseeable sequences or combinations of events. What is required is documentation of each hazardous situation.
A second point to note is that we need to consider only those events that are reasonably foreseeable and probable. We don’t have to imagine all potential scenarios that may or may not occur. It is always best to use clinical judgment when trying to decide if a potential scenario is foreseeable and reasonably likely.
Our end goal is a reasonably accurate estimate of P1 and P2, and the overall probability of occurrence of harm (POH).
Therefore, as noted in Figure 4 above:
1. Analysis of sequence of events is useful only to the extent that:
   - it allows us to identify opportunities where we can break the chain of events with additional mitigation;
   - by doing so, we can lower P1, and therefore the overall POH.
2. If not, then it is purely an academic exercise, and we are better served by:
   - assuming that if a hazard is activated, for example as a result of a component or device failure, then exposure is certain to occur;
   - and treating the combined probability of occurrence of all potential events in the sequence or combination as 1.
Note that when following the approach outlined in point 2 above, we still need to estimate the probability of the initial event. A Fault Tree Analysis (FTA) can be used for this purpose. Alternatively, we can use the probability of occurrence of the specific failure mode.
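The arithmetic behind the P1/P2 discussion above (the AND rule along one path, the OR rule across the two paths into hazardous situation 2, POH = P1 × P2) and the conservative simplification of point 2 (treat everything after the initiating event as certain, so P1 collapses to the initiating-event probability from an FTA or FMEA failure-mode rate) can be made concrete with a small event-tree calculator. The following is an added example, not code from the article, from ISO 14971 or from ISO/TR 24971; it reuses the article's event labels A-F, and every probability in it is a constructed illustration value, not data from the page. It also adds the check a practitioner wants before summing path probabilities: the branches leaving one node must be mutually exclusive, otherwise the OR-as-sum rule overstates P1.

```python
"""Event-tree probability arithmetic for ISO 14971 P1 / P2 estimation.

Added example, not from the article or from ISO 14971 / ISO/TR 24971.
All probabilities below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class EventTree:
    """An event tree rooted at one initiating event.

    branches[parent][child] is the conditional probability that `child`
    follows `parent`. Children of one node are treated as mutually
    exclusive alternatives (the usual event-tree assumption), so the
    OR rule reduces to summing path probabilities.
    """

    initial_event: str
    p_initial: float  # P(initiating event): from an FTA or an FMEA failure-mode rate
    branches: dict[str, dict[str, float]] = field(default_factory=dict)

    def add_branch(self, parent: str, child: str, p_cond: float) -> None:
        if not 0.0 <= p_cond <= 1.0:
            raise ValueError(f"conditional probability out of range: {p_cond}")
        self.branches.setdefault(parent, {})[child] = p_cond

    def check_exclusive(self) -> None:
        """Branches leaving one node may not sum to more than 1; otherwise they
        are not mutually exclusive and summing path probabilities is invalid."""
        for parent, children in self.branches.items():
            total = sum(children.values())
            if total > 1.0 + 1e-9:
                raise ValueError(f"branches from {parent} sum to {total:.3f} > 1")

    def path_probability(self, path: list[str]) -> float:
        """AND rule: P(initiating event) times each conditional probability on the path."""
        if path[0] != self.initial_event:
            raise ValueError(f"path must start at {self.initial_event}")
        p = self.p_initial
        for parent, child in zip(path, path[1:]):
            try:
                p *= self.branches[parent][child]
            except KeyError:
                raise ValueError(f"no branch {parent} -> {child} in tree") from None
        return p

    def p1(self, paths: list[list[str]]) -> float:
        """OR rule over the mutually exclusive paths ending in one hazardous situation."""
        self.check_exclusive()
        return sum(self.path_probability(path) for path in paths)

    def conservative_p1(self) -> float:
        """Point 2 of the article: the combined probability of every event after the
        initiating event is treated as 1, so P1 is just P(initiating event)."""
        return self.p_initial


def probability_of_harm(p1: float, p2: float) -> float:
    """POH = P1 * P2, with P2 the probability of harm given the hazardous situation."""
    return p1 * p2


def build_example_tree() -> EventTree:
    """The article's COVID-19 false-negative tree with constructed branch probabilities."""
    tree = EventTree(initial_event="A", p_initial=0.05)  # A: false-negative result (constructed)
    tree.add_branch("A", "B", 0.6)  # B: first person develops symptoms
    tree.add_branch("A", "F", 0.3)  # F: second person infected (remaining 0.1: no further event)
    tree.add_branch("B", "C", 0.7)  # C: recovers with minimal treatment
    tree.add_branch("B", "D", 0.3)  # D: condition worsens
    tree.add_branch("D", "E", 0.8)  # E: taken to hospital
    tree.add_branch("F", "E", 0.5)  # E: second person taken to hospital
    return tree


HS1_PATHS = [["A", "B", "C"]]
HS2_PATHS = [["A", "F", "E"], ["A", "B", "D", "E"]]


if __name__ == "__main__":
    tree = build_example_tree()
    p1_hs2 = tree.p1(HS2_PATHS)
    print(f"P1 (HS1) = {tree.p1(HS1_PATHS):.4f}")
    print(f"P1 (HS2) = {p1_hs2:.4f}")
    print(f"POH (HS2, constructed P2 = 0.2) = {probability_of_harm(p1_hs2, 0.2):.5f}")
    print(f"Conservative P1 (sequence treated as certain) = {tree.conservative_p1():.4f}")
```

With the constructed values, P1 for hazardous situation 2 is 0.05·0.3·0.5 + 0.05·0.6·0.3·0.8 = 0.0147, while the conservative estimate is the initiating-event probability 0.05; the conservative figure is always at least as large as the event-tree figure, which is what makes it a safe fallback when the branch probabilities cannot be estimated with confidence.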
One final point
It is very important to appreciate that our foresight of potential events leading to one or more hazardous situations is limited by our combined experience. Generally speaking, we have limited knowledge of the real-world clinical experience with a medical device during design and development. We may consider publicly available information on other similar devices, but we don’t have a lot of direct information about our own medical device during development.
Our foresight and awareness of reasonably foreseeable events relevant to safety will improve over time during the post-market phase. That is why we must diligently monitor and review all available information during post-market surveillance. Risk analysis, including identification of sequences of events, is an ongoing activity throughout the lifecycle of a medical device.
In conclusion
When analyzing risk of harm, ISO 14971:2019 requires us to consider reasonably foreseeable sequences or combinations of events when a hazard is activated due to one or more underlying events.
The key point here is that identifying reasonably foreseeable sequences of events helps us identify the link between hazard(s) and hazardous situation(s), so that we can accurately estimate the probability of occurrence of harm.
The Event Tree Analysis (ETA) technique is more effective for identifying reasonably foreseeable sequences of events. The Failure Modes and Effects Analysis (FMEA) technique is not useful for this purpose.
Analysis of sequences of events is useful to the extent that it allows us to identify opportunities where we can break the chain of events with additional mitigation. Otherwise, it is purely an academic exercise, and we are better served by treating the combined probability of the entire sequence of events as 1 when estimating P1, the probability of occurrence of a hazardous situation.
We must continue to improve our foresight of events during the post-market phase, especially when we become aware of new hazards and/or hazardous situations associated with the clinical use of our medical device.
[1] ISO 14971:2019 - Medical devices — Application of risk management to medical devices
[2] ISO/TR 24971:2020 - Medical devices — Guidance on the application of ISO 14971
"This is because an individual failure mode in an FMEA may manifest itself as an initial event, or maybe involved in another sequence of event triggered by a different initial event." The "initiating event" and the system reliability have a special connection in protection engineering (for details see: Wortman, Martin, Ernie Kee, and Pranav Kannan. "The Role of Protective System Reliability Analysis in the Study of System Safety." In ASME International Mechanical Engineering Congress and Exposition, vol. 85697, p. V013T14A032. American Society of Mechanical Engineers, 2021.) The bottom line is that the initiating event must arrive concurrently with failed protection otherwise a consequential breakdown will not result. As you correctly point out, this fact must be understood in risk management oversight. One should not fall into a sense of complacency regarding protection when accidents have not been observed. Protection readiness should be tested and inspected much more frequently than the expected initiating event interarrival time.
"Nancy Leveson links conditions and events through a cause-and-effect relationship as shown in the following figure." Leveson's method is a good one but may lead one to believe that risk or failure probability can be quantified. Managing safety as you correctly point out will often be frustrated by the unexpected observation of a sequence or singular event that leads to a consequential outcome. Because these unexpected events lie in the future, Leveson's method should never be used to manage protections based on a quantified probability or frequency (for example, see: Wortman, Martin, Ernie Kee, Pranav Kannan, and HazTechRisk Org. "On the Optimistic Bias of Core Damage Frequency." (2021)).
My experience is in the nuclear power domain. However many of the protection risk management principles promulgated by the Nuclear Regulatory Commission in that domain are generally applicable elsewhere. FMEA is an important first step in protection system design. Successful protection requires ongoing testing, inspection, and efficacious corrective action when unexpected protection breakdowns are observed.
Re "Analysis of sequence of events is useful only to the extent that . . . it allows us to identify opportunities where we can break the chain of events with additional mitigation":
When you write "break the chain of events", most people will think of stopping the chain of events from occurring and, while this is useful when it can be done, this view is too limiting an interpretation of when analyzing a sequence of events is useful.
First, many chains of events can not be stopped, but that hardly means we shouldn't mitigate them. Most common mitigations reduce the likelihood of harm, but do not stop the chain of events leading to harm.
Second, there is also a means of reducing harm that doesn't stop the chain of events and doesn't reduce the probability of the chain of events occurring: We can mitigate the occurrence of the harmful event so the severity of harm is reduced. The car industry is the king of mitigations that reduced the severity of harm:
Seat belts do not reduce the frequency of accidents, but they reduce the severity of harm that occurs from an accident.
In the 1950s and 1960s, head trauma during automobile accidents frequently included holes punched through the victim's skull from the shiny, metal knobs that adorned the dashboards of vehicles of this time. These dashboard knobs have given way to switches that are flat to the dashboard (e.g., toggle switches) because these switches do not punch holes in people's skulls - flat-to-the-panel switches do not stop accidents or reduce their frequency, but they do reduce the severity of harm when an accident happens.
The same mitigations should be used far more often in medical devices; e.g., a catheter sometimes breaks into pieces during use. The typical mitigation for this risk is open surgery, where the surgeon guesses where the end of the catheter is stuck, cuts the patient open at this location, and cuts progressively longer stretches along an artery or vein until the end of the catheter is found and successfully pulled out.
Instead of this mitigation, an alternative after a catheter breaks is to insert a 'salvage catheter' that is specifically designed to grab the broken end of a catheter and pull it down the patient's artery or vein until the broken end of the catheter is outside the patient and can be pulled the rest of the way out by hand. This mitigation does not stop, or reduce the probability of catheters breaking, but it mitigates the significant risk of an open surgery with a minimally invasive 'salvage operation'.
The Medical Device industry needs to embrace reducing the severity of harm as thoroughly as they have embraced reducing the likelihood of harm or as they have embraced redesigning a process to eliminate a harm.