Prospective Risk Management

Analysis, Evaluation, and Control

In medical device design and regulation, risk management has been embodied in the ISO 14971 standard, Medical Devices—Application of risk management to medical devices. However, the philosophy and requirements of 14971 can be applied more broadly within the healthcare setting. For example, this type of application is incorporated in the draft standard IEC 80001, Application of risk management for IT-networks incorporating medical devices (Gee, 2008). ISO, the International Organization for Standardization, is a worldwide federation of national standards bodies. IEC, the International Electrotechnical Commission, develops voluntary standards for a wide range of electrotechnology, including various medical systems.

As described in 14971, the modern approach to risk management is that it should be a proactive and systematic method for identifying and controlling risks. “Systematic” here means that there is a defined process and that this process is routinely applied. This approach recognizes that risk control does not happen by itself; it must be an overt activity.

Defining Risk Management
ISO 14971 defines risk management as “the systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, and controlling risk.” Risk is formally defined, for a specific adverse event, as the combination of two components: the probability that harm occurs and the severity of that harm if it does occur. The general objective of risk management is to identify those risks that must be mitigated, to take steps to mitigate them, and to assess whether they have in fact been mitigated. Important here is the realization that, for a variety of practical reasons, risks may not be completely eliminated, and that there will therefore be residual risks. In this context, safety means freedom from unacceptable risk.

Risk Management Process
Risk management as defined in 14971 has three main steps: risk analysis, risk evaluation, and risk control.

Risk Analysis
Risk analysis means identifying all hazards associated with the devices, procedures, and other activities of the hospital, in both normal and fault conditions. A normal condition is, for example, when equipment is operating properly, while a fault condition is when the equipment has undergone some kind of failure. On the personnel side, a normal condition might be a fully staffed nursing unit, while a fault condition might be unplanned understaffing. Similarly, a normal condition is when all nurses have been trained on the brand of infusion pump in use, while a fault condition might be when an agency nurse who is not familiar with that pump is brought in. Fault conditions are usually considered one at a time in order to avoid the endless permutations of multiple faults. However, multiple faults can of course actually occur, and some multiple-fault scenarios should be considered.

Risk Evaluation
Following risk analysis comes risk evaluation, in which the risk associated with each identified hazardous situation is estimated by assigning at least a qualitative scale to the two components of risk: probability and severity. It must then be decided whether the risk is acceptable as it currently exists or whether it needs to be reduced. It might be tempting here to assert that all risks should be addressed and minimized with equal attention. In most cases, however, this is impractical because of the resources that would be required and the possible lack of means to do so. This realization is part of the concept that risk management does not mean the elimination of all risks.

Risk Control
When the estimated risk exceeds the internally determined acceptable limit, the risk needs to be reduced. In order to achieve this, the following approaches are generally considered:
•    Improving inherent safety by (re)design of systems or processes.
•    Adding protective measures through new systems or processes.
•    Focusing on training.

As listed, these approaches are in hierarchical order of effectiveness. Controlling the risk by improving inherent safety is always the best choice, and reliance on training is always the weakest choice.

An example here is the risk of patient harm from a drug overdose delivered by a manually programmed infusion pump, where the overdose results from the operator entering a wrong value. While this theoretically should not occur, it not only does occur but occurs with some frequency. A new pump with a barcode reader that reads pharmacy-supplied drug information can eliminate the programming error because there is then no manual programming. However, the barcode information must of course be correct, which presents a new potential hazard that must itself be analyzed. “Smart” pumps with dosing libraries fall under protective measures. These pumps can catch some programming errors, but they do not eliminate all such errors, given the multiple proper uses of many drugs and the propensity of users to override an alert that is generated. Telling users to be more careful, or to double-check their work, is in the third category.

If hazards are considered instead of harm, then detection before harm occurs can also be included in the analysis. Systems with alarms are a good example. Assuming that an alarm always works perfectly and is always responded to in a timely manner, the hazard that triggers the alarm can be prevented from causing harm. In practice, however, neither can be assumed, so the likelihood of detection and of response must be included in the analysis.

Reassessment of Risk
After a control measure for a specific risk is identified, a further analysis must be done of the expected impact of that measure. Does it reduce severity or probability, or add detection? In predicting effectiveness, the temptation to be too generous about the degree of improvement must be avoided. It is also appropriate to assess whether the control measure can introduce any new hazards.

Once a control method is decided upon, it must of course be implemented. In turn, the implementation must be verified to see that it has actually become operational. If there is a significant time element involved in implementation, then interim control measures may also have to be considered. After implementation, additional analysis should be undertaken to see whether the previously identified risk has actually been affected by the new control measures.

As with all important activities, proper documentation is required as an ongoing record of the process. This serves as a means to control work in progress, to monitor results, and to demonstrate when necessary that there is an ongoing risk management process.

Methods Used in the Risk Management Process
ISO 14971 includes a discussion of several relatively standard techniques for analyzing risks. These techniques or tools can be combined with others to create a systematic assessment. However, it must be remembered that tools are not a substitute for intelligent thoughtfulness; they are only an application guide.

A valuable first step is the Preliminary Hazard Analysis (PHA), during which hazards and hazardous situations are first identified based on generally known hazards, personal and professional experience, and local conditions of activities, equipment, staffing, and adverse events. An effective PHA requires a good deal of pessimism (or realism). It also sets the tone of risk management by not allowing an overly rosy perspective to lead to the outright rejection of a hazard.

Fault Tree Analysis (FTA) is a powerful tool that does not seem to be widely used in healthcare, although there are some published examples (Hyman & Johnson, 2008). An FTA is based on a specific hypothetical negative event. For this “top event” a number of possible causes are then identified. Some of these may be able to cause the top event by themselves, and thus they are a set of “or” events. Others may have to occur in combination; these are “and” events. The analysis is then continued to additional layers of causation. This has some similarity to a Five Whys type of root cause analysis, except that FTA is applied prospectively to cover many possible causes while the Five Whys is generally applied retrospectively after a specific event. There is a clear link, however: if an FTA is complete, then any root cause analysis of a specific event should trace a specific path in the FTA. Once an FTA is constructed it can be used as a graphic tool to illustrate and discuss the associated risks, and to identify ways to control causation pathways. Any proposed control measure must impact the FTA by either eliminating a cause or reducing the probability of that cause occurring.
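The following is an added example, not part of the original article or of the cited Hyman & Johnson work. It builds a small fault tree for the infusion-pump overdose top event discussed above, evaluates the top-event probability through the “or” and “and” gates (assuming independent basic events), lists the minimal cut sets (the causation paths that a later root cause analysis should land on), and then re-evaluates the tree under each of the three control approaches from the control hierarchy: training (double check), a protective measure (dose library, modelled as detection that can fail through an in-range dose or an override), and inherent safety (barcode programming, which removes the manual entry cause but introduces the new barcode-data hazard). Every event name, every probability, and the acceptable limit are constructed for illustration; they are not measured values.

```python
"""Added example: fault tree evaluation with AND/OR gates, minimal cut sets,
and reassessment of residual risk under different control measures.
All event names, probabilities and the acceptable limit are constructed."""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """A basic event: a cause that is not decomposed any further."""
    name: str
    p: float  # estimated probability per infusion (constructed value)


@dataclass(frozen=True)
class Gate:
    """AND: all inputs must occur; OR: any single input is sufficient."""
    kind: str
    name: str
    inputs: tuple


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Probability that the node's event occurs, assuming independent basic events."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> list:
    """Each cut set is a set of basic events that together cause the top event.
    A root cause analysis of a real incident should trace one of these paths."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = [cs for group in per_input for cs in group]
    else:  # AND: one cut set from every input, combined
        sets = [frozenset().union(*combo) for combo in product(*per_input)]
    sets = set(sets)
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


# Basic events with constructed probabilities (not data from the article).
WRONG_VALUE = Event("operator keys wrong dose", 0.01)
PUMP_FAULT = Event("pump delivers wrong rate", 1e-4)
CHECK_MISSED = Event("second-person check misses the error", 0.7)
NO_ALERT = Event("wrong dose is inside library limits", 0.3)
OVERRIDE = Event("user overrides the alert", 0.4)
BAD_BARCODE = Event("pharmacy barcode data incorrect", 1e-3)


def build_tree(control: str) -> Gate:
    """Top event 'patient receives overdose' under one control strategy."""
    if control == "none":
        entry_path = WRONG_VALUE
    elif control == "training":  # weakest: rely on people double-checking
        entry_path = Gate("AND", "undetected entry error", (WRONG_VALUE, CHECK_MISSED))
    elif control == "smart pump":  # protective measure: detection that can fail
        detection_fails = Gate("OR", "dose library does not stop it", (NO_ALERT, OVERRIDE))
        entry_path = Gate("AND", "undetected entry error", (WRONG_VALUE, detection_fails))
    elif control == "barcode":  # inherent safety: no manual programming, new hazard
        entry_path = BAD_BARCODE
    else:
        raise ValueError(f"unknown control {control!r}")
    return Gate("OR", "patient receives overdose", (entry_path, PUMP_FAULT))


def evaluate(controls, acceptable_limit: float) -> dict:
    """Residual top-event probability and acceptability for each control option."""
    result = {}
    for control in controls:
        p = probability(build_tree(control))
        result[control] = (p, p <= acceptable_limit)
    return result


if __name__ == "__main__":
    options = ["none", "training", "smart pump", "barcode"]
    for control, (p, ok) in evaluate(options, 6e-3).items():
        print(f"{control:10s} P(top) = {p:.6f}  acceptable = {ok}")
        for cs in minimal_cut_sets(build_tree(control)):
            print("    cut set:", sorted(cs))
```

With these constructed numbers the residual risk ranks barcode, then smart pump, then training, then no control, which is the order of the control hierarchy in the text; the barcode option's new cut set (bad barcode data) appears in its own right rather than disappearing, and only the detection-based option and the inherent-safety option fall under the constructed limit. Changing any of the probabilities shows how sensitive the acceptability decision is to the estimate, which is the reason the text warns against being too generous when predicting a control measure's effect.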

Another risk analysis method is Failure Mode and Effects Analysis (FMEA). This approach uses “What happens if…?” questions to analyze specific potential faults. In engineering, the subject is often a specific component of a design, but here it can be a broader system or human failure. As the name suggests, the first step is to consider the various ways in which a specific system can fail; these are the failure modes. The next step is to assess the effects of each failure mode with respect to both hazard and harm. The risks of these hazards are then assessed for severity and probability. Mitigation methods can then be identified to address either the failure mode or its effects. Healthcare FMEA (HFMEA®), developed by the VA National Center for Patient Safety, is a form of FMEA that is specific to healthcare. HFMEA begins with developing an understanding of the multiple steps in a process and then applies FMEA to each of these steps. This process approach makes HFMEA similar to HACCP.

Hazard Analysis and Critical Control Points (HACCP) also addresses processes (Hyman, 2003). Hazards linked to the steps of the process are identified, and for each hazard a list of preventive measures is developed. Points in the process where the hazard can best be controlled are identified as critical control points (CCPs). At each CCP a control is identified, then implemented and monitored.

As described in 14971, the Hazard and Operability Study (HAZOP) is similar to FMEA. This technique focuses on people by studying the failures that can be caused by incorrect operation of the device. Since people and error can be readily included in any FMEA (or HFMEA), HAZOP does not add a unique perspective.

Prospective risk management is becoming an integral part of patient safety activities. As with most effective management activities, risk management benefits from the application of specific methodologies that guide, but do not replace, thoughtful and professional consideration of patient risks and how to control them.

Begoña Narvaez was a visiting scholar in the department of biomedical engineering at Texas A&M University in College Station, Texas from January to June, 2010. She is an undergraduate student of biomedical engineering at the Universidad Iberoamericana in Mexico City. Her research interests include risk management in medical devices and clinical engineering.

William Hyman is a professor of biomedical engineering at Texas A&M University in College Station, Texas. His primary areas of professional activity are in medical device design, system safety, and human factors. He is president of the Healthcare Technology Foundation, an editor of the Journal of Clinical Engineering, and received the ACCE’s Lifetime Achievement Award in 2009. He has served as a consultant for FDA, the National Science Foundation, the National Institutes of Health, and medical device companies. He holds memberships in the American Society for Testing and Materials (ASTM), the American College of Clinical Engineering, the Association for the Advancement of Medical Instrumentation, the Biomedical Engineering Society, and the Human Factors and Ergonomics Society technical group on medical systems and functionally impaired populations. Hyman may be contacted at

Gee, T. (2008, June 16). IEC 80001 to impact providers. Available at
Hyman, W. A., (2003). The application of HACCP in clinical engineering. Journal of Clinical Engineering, 28(3), 158-162.
Hyman, W. A., & Johnson, E., (2008). Fault tree analysis of clinical alarms. Journal of Clinical Engineering, 33, 85-94.
ISO 14971 (2007). Medical devices—Application of risk management to medical devices, revised. International Organization for Standardization. Available in the US from ANSI.
VA National Center for Patient Safety. Using healthcare failure modes and effects analysis. Available at