2 Comments

"This is because an individual failure mode in an FMEA may manifest itself as an initial event, or may be involved in another sequence of events triggered by a different initial event." The "initiating event" and the system reliability have a special connection in protection engineering (for details see: Wortman, Martin, Ernie Kee, and Pranav Kannan. "The Role of Protective System Reliability Analysis in the Study of System Safety." In ASME International Mechanical Engineering Congress and Exposition, vol. 85697, p. V013T14A032. American Society of Mechanical Engineers, 2021). The bottom line is that the initiating event must arrive concurrently with failed protection; otherwise a consequential breakdown will not result. As you correctly point out, this fact must be understood in risk management oversight. One should not fall into a sense of complacency regarding protection when accidents have not been observed. Protection readiness should be tested and inspected much more frequently than the expected initiating event interarrival time.

"Nancy Leveson links conditions and events through a cause-and-effect relationship as shown in the following figure." Leveson's method is a good one but may lead one to believe that risk or failure probability can be quantified. Managing safety, as you correctly point out, will often be frustrated by the unexpected observation of a sequence or singular event that leads to a consequential outcome. Because these unexpected events lie in the future, Leveson's method should never be used to manage protections based on a quantified probability or frequency (for example, see: Wortman, Martin, Ernie Kee, Pranav Kannan, and HazTechRisk Org. "On the Optimistic Bias of Core Damage Frequency." (2021)).

My experience is in the nuclear power domain. However, many of the protection risk management principles promulgated by the Nuclear Regulatory Commission in that domain are generally applicable elsewhere. FMEA is an important first step in protection system design. Successful protection requires ongoing testing, inspection, and efficacious corrective action when unexpected protection breakdowns are observed.

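The first comment's claim, that a consequential breakdown needs an initiating event to arrive while the protection is already in a failed state, and that the test interval therefore has to be short compared with the initiating-event interarrival time, can be checked with a small reliability model. The following Python is an added example by the editor, not code from the post, the commenter, or the cited papers. It assumes initiating events form a Poisson process with rate lambda_i per year, the protection suffers latent (undetected) failures at rate lambda_p per year, and a latent failure is only found and perfectly repaired at the next periodic test every T years; all rates used are illustrative.

```python
"""
Added example (editor's, not from the post or comments).

Model assumptions (all mine):
  * initiating events: Poisson process, rate lambda_i per year
  * protection latent failure: exponential, rate lambda_p per year
  * failure is silent; it is found and repaired (instantly, perfectly)
    only at the next periodic test, which occurs every T years
  * a breakdown = an initiating event that arrives while the protection
    is already failed and not yet retested
"""
import math
import random


def mean_unavailability(lambda_p: float, T: float) -> float:
    """Time-averaged probability that the protection is in a latent failed state.

    Within one test interval the failure probability at time t is
    1 - exp(-lambda_p * t). Averaging over [0, T] gives
    1 - (1 - exp(-lambda_p * T)) / (lambda_p * T), which is ~ lambda_p*T/2
    when lambda_p*T is small.
    """
    x = lambda_p * T
    return 1.0 - (1.0 - math.exp(-x)) / x


def breakdown_rate(lambda_i: float, lambda_p: float, T: float) -> float:
    """Expected consequential breakdowns per year: initiators that coincide
    with a failed protection. Initiators alone never produce a breakdown."""
    return lambda_i * mean_unavailability(lambda_p, T)


def simulate(lambda_i: float, lambda_p: float, T: float, years: float,
             seed: int = 1) -> tuple[int, int]:
    """Monte Carlo check of breakdown_rate().

    Returns (initiating_events, breakdowns) over the simulated horizon.
    The repair that a real breakdown would trigger is ignored, which is
    negligible while breakdowns are rare.
    """
    rng = random.Random(seed)
    t = 0.0
    next_test = T
    failed_at = rng.expovariate(lambda_p)  # time of the next silent failure
    initiators = 0
    breakdowns = 0
    while True:
        t += rng.expovariate(lambda_i)  # arrival of the next initiating event
        if t > years:
            break
        # Apply every periodic test that occurred before this initiator.
        while next_test <= t:
            if failed_at <= next_test:
                # Latent failure discovered and repaired; draw a fresh one.
                failed_at = next_test + rng.expovariate(lambda_p)
            next_test += T
        initiators += 1
        if failed_at <= t:  # protection already failed when the initiator arrived
            breakdowns += 1
    return initiators, breakdowns


def compare_test_intervals(lambda_i: float, lambda_p: float,
                           intervals: list[float]) -> dict[float, float]:
    """Breakdown rate for each candidate test interval (years)."""
    return {T: breakdown_rate(lambda_i, lambda_p, T) for T in intervals}


if __name__ == "__main__":
    # Illustrative numbers: an initiator every ~10 years, a protection that
    # silently fails about once per 20 years.
    li, lp = 0.1, 0.05
    for T, rate in compare_test_intervals(li, lp, [0.1, 1.0, 10.0]).items():
        print(f"test every {T:>4} y: unavailability {mean_unavailability(lp, T):.4f}, "
              f"breakdowns/year {rate:.5f}")
    n, b = simulate(1.0, lp, 1.0, years=100_000)
    print(f"simulation: {b}/{n} initiators coincided with failed protection "
          f"({b / n:.4f} vs analytic {mean_unavailability(lp, 1.0):.4f})")
```

Testing at the same interval as the initiating-event interarrival time (T = 10 years here) leaves the protection unavailable roughly a fifth of the time; testing ten times more often brings that below 3 percent, which is the quantitative form of the comment's advice. The model is deliberately simple (no imperfect tests, no common-cause failure between initiator and protection), so it supports the qualitative point rather than any particular plant figure.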

Re "Analysis of sequence of events is useful only to the extent that . . . it allows us to identify opportunities where we can break the chain of events with additional mitigation":

When you write "break the chain of events", most people will think of stopping the chain of events from occurring and, while this is useful when it can be done, this view is too limiting an interpretation of when analyzing a sequence of events is useful.

First, many chains of events cannot be stopped, but that hardly means we shouldn't mitigate them. Most common mitigations reduce the likelihood of harm, but do not stop the chain of events leading to harm.

Second, there is also a means of reducing harm that doesn't stop the chain of events and doesn't reduce the probability of the chain of events occurring: we can mitigate the occurrence of the harmful event so the severity of harm is reduced. The car industry is the king of mitigations that reduce the severity of harm:

Seat belts do not reduce the frequency of accidents, but they reduce the severity of harm that occurs from an accident.

In the 1950s and 1960s, head trauma during automobile accidents frequently included holes punched through the victim's skull from the shiny, metal knobs that adorned the dashboards of vehicles of this time. These dashboard knobs have given way to switches that are flat to the dashboard (e.g., toggle switches) because these switches do not punch holes in people's skulls; flat-to-the-panel switches do not stop accidents or reduce their frequency, but they do reduce the severity of harm when an accident happens.

The same mitigations should be used far more often in medical devices; e.g., a catheter sometimes breaks into pieces during use. The typical mitigation for this risk is open surgery, where the surgeon guesses where the end of the catheter is stuck, cuts the patient open at this location, and cuts progressively longer stretches along an artery or vein until the end of the catheter is found and successfully pulled out.

Instead of this mitigation, an alternative after a catheter breaks is to insert a 'salvage catheter' that is specifically designed to grab the broken end of a catheter and pull it down the patient's artery or vein until the broken end of the catheter is outside the patient and can be pulled the rest of the way out by hand. This mitigation does not stop, or reduce the probability of catheters breaking, but it mitigates the significant risk of an open surgery with a minimally invasive 'salvage operation'.

The Medical Device industry needs to embrace reducing the severity of harm as thoroughly as it has embraced reducing the likelihood of harm or as it has embraced redesigning a process to eliminate a harm.
