C.1 General
This document requires the manufacturer to compile a list of known and foreseeable hazards associated with the medical device in both normal and fault conditions and to consider the foreseeable sequences of events that can produce hazardous situations and harm. According to the definitions, a hazard cannot result in harm until such time as a sequence of events or other circumstances (including normal use) lead to a hazardous situation. At this point, the risk can be assessed by estimating both severity and probability of occurrence of harm that could result (see Figure C.1). The probability of occurrence of harm can be expressed as a combination of separate probabilities (P1, P2) or as a single probability (P). A decomposition into P1 and P2 is not mandatory.
Fundamental risk concepts
NOTE 1 Depending on the complexity of the medical device, a hazard can lead to multiple hazardous situations, and each hazardous situation can lead to multiple harms.
NOTE 2 The probability of occurrence of harm (P) can be composed of separate P1 and P2 values.
NOTE 3 The thin arrows represent elements of risk analysis and the thick arrows depict how a hazard can lead to harm.
Figure C.1 — Pictorial example of the relationship between hazard, sequence of events, hazardous situation and harm (from ISO/IEC Guide 63:2019[2])
A good starting point for this compilation is a review of experience with the same and similar types of medical devices. The review should take into account a manufacturer’s own experience and, where appropriate, the experience of other manufacturers as reported in adverse event databases, publications, scientific literature and other available sources. This type of review is particularly useful for the identification and listing of typical hazards and hazardous situations for a medical device and the associated harm that can occur. Next, this listing and aids such as the list of examples in Table C.1 can be used to compile an initial list of hazards.
It is then possible to begin identification of some of the sequences of events that together with hazards could result in hazardous situations and harm. Since many hazards might never result in harm and can be eliminated from further consideration, it could be useful to perform this analysis by starting with the harm that the medical device might cause and work backwards to the hazardous situations, hazards and initiating causes. However, although this approach is useful for the reason described, it should be recognised that it is not a thorough analysis. Many sequences of events will only be identified by the systematic use of risk analysis techniques (such as those described in ISO/TR 24971 [9]). Analysis and identification are further complicated by the many events and circumstances that have to be taken into consideration such as those listed in Table C.2. Thus, more than one risk analysis technique, and especially complementary techniques, are often used to complete a comprehensive analysis. Table C.3 provides examples of the relationship between hazards, sequences of events, hazardous situations, and harm.
Although compilation of the lists of hazards, hazardous situations and sequences of events should be completed as early as possible in the design and development process to facilitate risk control, in practice identification and compilation is an ongoing activity that continues throughout the life cycle of the medical device through post-production to disposal.
This annex provides a non-exhaustive list of possible hazards that can be associated with different medical devices (Table C.1) and a list of events and circumstances (Table C.2) that can result in hazardous situations, which can result in harm. Table C.3 provides examples in a logical progression of how a hazard can be transformed into a hazardous situation and produce harm by a sequence of events or circumstances.
Recognising how hazards progress to hazardous situations is critical for estimating the probability of occurrence and severity of harm that could result. An objective of the process is to compile a comprehensive set of hazardous situations. The identification of hazards and sequences of events are stepping stones to achieve this. The lists in the tables in this annex can be used to aid in the identification of hazardous situations. What is called a hazard needs to be determined by the manufacturer to suit the particular analysis.
C.2 Examples of hazards
The list in Table C.1 can be used to assist in the identification of hazards associated with a particular medical device, which could ultimately result in harm.
Table C.1 — Examples of hazards

Energy hazards:
Acoustic energy
— infrasound
— sound pressure
— ultrasonic
Electric energy
Electric fields
Leakage current
— earth leakage
— enclosure leakage
Magnetic fields
Static discharge
Voltage
Mechanical energy
Kinetic energy
— falling objects
— high pressure fluid injection
— moving parts
— vibrating parts
Potential (stored) energy
— bending
— compression
— cutting, shearing
— gravitational pull
— suspended mass
— tension
— torsion
Radiation energy
Ionizing radiation
— accelerated particles (alpha particles, electrons, protons, neutrons)
— gamma
— x-ray
Non-ionizing radiation
— infrared
— laser
— microwave
— ultraviolet
Thermal energy
Cryogenic effects
Hyperthermic effects

Biological and chemical hazards:
Biological agents
Bacteria
Fungi
Parasites
Prions
Toxins
Viruses
Chemical agents
Carcinogenic, mutagenic, reproductive
Caustic, corrosive
— acidic
— alkaline
— oxidants
Flammable, combustible, explosive
Fumes, vapors
Osmotic
Particles (including micro- and nano-particles)
Pyrogenic
Solvents
Toxic
— asbestos
— heavy metals
— inorganic toxicants
— organic toxicants
— silica
Immunological agents
Allergenic
— antiseptic substances
— latex
Immunosuppressive
Irritants
— cleaning residues
Sensitizing

Performance-related hazards:
Data
— access
— availability
— confidentiality
— transfer
— integrity
Delivery
— quantity
— rate
Diagnostic information
— examination result
— image artefacts
— image orientation
— image resolution
— patient identity / information
Functionality
— alarm
— critical performance
— measurement
C.3 Examples of events and circumstances
In order to identify foreseeable sequences of events, it is often useful to consider events and circumstances that can cause them. Table C.2 provides examples of events and circumstances, organized into general categories. Although the list is certainly not exhaustive, it is intended to demonstrate the many different types of events and circumstances that need to be taken into account to identify the foreseeable sequences of events for a medical device.
Table C.2 — Examples of events and circumstances

| General category | Events and circumstances |
|---|---|
| Requirements | Inadequate specification of: |
| | — design parameters |
| | — operating parameters |
| | — performance requirements |
| | — in-service requirements (e.g. maintenance, reprocessing) |
| | — end of life |
| Manufacturing processes | Insufficient control of: |
| | — manufacturing processes |
| | — changes to manufacturing processes |
| | — materials |
| | — materials compatibility information |
| | — subcontractors |
| Transport and storage | Inadequate packaging |
| | Contamination or deterioration |
| | Inappropriate environmental conditions |
| Environmental factors | Physical factors (e.g. heat, pressure, time) |
| | Chemical factors (e.g. corrosion, degradation, contamination) |
| | Electromagnetic fields (e.g. susceptibility to electromagnetic disturbance) |
| | Inadequate supply of power |
| | Inadequate supply of coolant |
| Cleaning, disinfection and sterilization | Lack of validated procedures |
| | Inadequate specification of requirements |
| | Inadequate performance of cleaning, disinfection or sterilization |
| Disposal and scrapping | No or inadequate information provided |
| | Use error |
| Formulation | Biodegradation |
| | Biocompatibility |
| | No information or inadequate specification provided |
| | Incorrect formulations |
| | Use error |
| Usability | Confusing or missing instructions for use |
| | Complex or confusing control system |
| | Ambiguous or unclear state of the medical device |
| | Ambiguous or unclear presentation of settings, measurements or other information |
| | Misrepresentation of results |
| | Insufficient visibility, audibility or tactility |
| | Poor mapping of controls to actions, or of displayed information to actual state |
| | Controversial modes or mapping as compared to existing equipment |
| | Use by unskilled or untrained personnel |
| | Insufficient warning of side effects |
| | Inadequate warning of hazards associated with re-use of single-use medical devices |
| | Incorrect measurement and other metrological aspects |
| | Incompatibility with consumables, accessories, other medical devices |
| | Incorrect patient identification |
| | Slips, lapses and mistakes |
| Functionality | Loss of electrical or mechanical integrity |
| | Deterioration in performance (e.g. gradual occlusion of fluid or gas path, change in resistance to flow, electrical conductivity) as result of ageing, wear and repeated use |
| | Failure of a component due to ageing, wear or fatigue |
| Security | Unsecured data ports that are externally accessible (e.g. network, serial or USB ports) |
| | Data without encryption |
| | Software vulnerabilities that can be exploited |
| | Software updates without authenticity confirmation |
C.4 Examples of relationships between hazards, foreseeable sequences of events, hazardous situations and the harm that can occur
Table C.3 illustrates the relationship between hazards, foreseeable sequences of events, hazardous situations and harm for some simplified examples. Remember that one hazard can result in more than one harm and that more than one sequence of events can give rise to a hazardous situation.
The decision on what constitutes a hazardous situation needs to be made to suit the particular analysis being carried out. In some circumstances it can be useful to describe a cover being left off a high voltage terminal as a hazardous situation, in other circumstances the hazardous situation can be more usefully described as when a person is in contact with the high voltage terminal.

| Hazard | Foreseeable sequence of events | Hazardous situation | Harm |
|---|---|---|---|
| Electromagnetic energy (high voltage) | (1) Electrode cable unintentionally plugged into power line receptacle | Line voltage appears on electrodes | Serious burns; Heart fibrillation |
| Chemical (volatile solvent, embolus) | (1) Incomplete removal of volatile solvent used in manufacturing (2) Solvent residue converts to gas at body temperature | Development of gas embolism (bubbles in the blood stream) during dialysis | Infarct; Brain damage |
| Biological (microbial contamination) | (1) Inadequate instructions provided for decontaminating re-used anaesthesia tubing (2) Contaminated tubing used during anaesthesia | Bacteria released into airway of patient during anaesthesia | Bacterial infection |
| Functionality (no delivery) | (1) Electrostatically charged patient touches infusion pump (2) Electrostatic discharge (ESD) causes pump and pump alarms to fail | Failure to deliver insulin to patient with elevated blood glucose level, no warning given | Minor organ damage; Decreased consciousness |
| Functionality (no output) | (1) Implantable defibrillator battery reaches the end of its useful life (2) Inappropriately long interval between clinical follow-up visits | Defibrillator cannot deliver shock when an arrhythmia occurs | Death |
| Measurement (incorrect information) | (1) Measurement error (2) No detection by user | Incorrect information reported to clinician, leading to misdiagnosis and/or lack of proper therapy | Progression of disease; Serious injury |
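
The backward analysis described in C.1 (start from a harm, work back to hazardous situations, hazards and events) and its stated limit can be shown on a small register; this is an added Python example, not part of the standard. It takes P1 as the probability that the hazardous situation occurs and P2 as the probability that it leads to the harm, so P = P1 × P2; the second register entry, the Table C.2 category tags and all probability values are constructed.

```python
from dataclasses import dataclass

C2_CATEGORIES = ("Requirements", "Manufacturing processes", "Transport and storage",
                 "Environmental factors", "Cleaning, disinfection and sterilization",
                 "Disposal and scrapping", "Formulation", "Usability",
                 "Functionality", "Security")  # general categories of Table C.2

@dataclass(frozen=True)
class Entry:
    hazard: str       # what this analysis calls the hazard
    events: tuple     # ((Table C.2 category, event text), ...); tags are our assumption
    situation: str    # hazardous situation
    p1: float         # assumed meaning: probability the hazardous situation occurs
    harms: tuple      # ((harm, P2), ...); P2 = probability the situation leads to that harm

# Constructed register: the first entry follows the insulin-pump row of Table C.3,
# the second is hypothetical; every probability is a made-up sample value.
REGISTER = (
    Entry("Functionality (no delivery)",
          (("Environmental factors", "ESD causes pump and pump alarms to fail"),),
          "Failure to deliver insulin, no warning given", 1e-3,
          (("Minor organ damage", 0.05), ("Decreased consciousness", 0.1))),
    Entry("Data (integrity)",
          (("Security", "Software updates without authenticity confirmation"),),
          "Pump runs with an altered delivery rate", 1e-5,
          (("Decreased consciousness", 0.5),)),
)

def trace_back(register, harm):
    """Work backwards from a harm: every recorded chain ending in it, highest P first."""
    chains = [(e.p1 * p2, e.situation, e.hazard, [text for _, text in e.events])
              for e in register for h, p2 in e.harms if h == harm]
    return sorted(chains, reverse=True)

def uncovered_categories(register):
    """Table C.2 categories that no recorded sequence of events draws on yet."""
    used = {cat for e in register for cat, _ in e.events}
    return [c for c in C2_CATEGORIES if c not in used]

if __name__ == "__main__":
    for p, situation, hazard, events in trace_back(REGISTER, "Decreased consciousness"):
        print(f"P={p:.1e}  {hazard} -> {situation}  via {events}")
    print("No sequence recorded yet for:", uncovered_categories(REGISTER))
```

The backward trace only returns chains already in the register, which is why the category check is run alongside it: an empty category marks events and circumstances the analysis has not yet considered.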