Log in Article Discussion Edit History Go to the site toolbox

HTM ComDoc 3

From HTMcommunityDB.org

Contents

Risk assessment: Determining which medical devices can be made safer (but only a little safer) by PM

(This document was last revised on 9-3-18)

3.1 Introduction

Concern about the safety of medical equipment first appeared in the standards of The Joint Commission in the 1970s when Ralph Nader and others published claims - later found to be false (see HTM ComDoc 12.) - that hundreds and possibly thousands of hospital patients were being electrocuted every year. Poor equipment maintenance was alleged to be the culprit. From this point on, equipment maintenance practices have received intensive scrutiny from all of the nation’s hospital regulatory and accreditation bodies. It is an emphasis that continues to this day. However, the widely-held belief that all medical equipment needs regular preventive maintenance to ensure that it remains completely safe is a stubborn holdover from the past when the equipment was much more mechanical than it is today. Although hospitals in the industrialized parts of the world are being increasingly provided with more and more medical equipment, most of it is now powered by reliable digital electronics.

While it is true that many medical devices come with written recommendations from the manufacturer for some kind of periodic “preventive maintenance”, in many instances those recommendations are simply for inspections or checks that have absolutely no impact on preventing failures that might cause a patient injury. For reasons that we will explain shortly, only a very small number of those manufacturer-provided procedures are capable of making the devices any safer than they would be without having those procedures performed. However, determining which medical devices need this care and attention, and devising strategies to make sure this care and attention is provided, is one of the foremost professional responsibilities of the healthcare technology management community.

This observation that PM is only beneficial to a few of the many, many devices in use every day in the nation's hospitals is extremely important in light of the action by the Centers for Medicare and Medicaid Services (CMS) in December 2013 (see HTM ComRef 28.) that re-emphasized a longstanding but now outdated mandate in their regulations that all of the manufacturer-recommended PM procedures be implemented for every single medical device in use throughout the nation’s hospitals. While this may be a well-intentioned precaution, it is unnecessarily burdensome. Performing PM on every piece of equipment adds significantly to the cost of the nation’s healthcare - without providing any improvement in patient safety whatsoever.

So how did this seemingly irrational situation come about? The mandate to implement any and all of the manufacturer-recommended procedures for maintaining medical equipment was embedded in the nation’s CMS regulations for a long time - going back to the times when medical devices were predominantly mechanical and typically needing periodic attention to keep them operating properly. However, the nature of medical equipment has evolved over the years and today most medical devices are primarily electronic. Generally, electronic devices do not need any kind of periodic attention to keep them operating properly.

Recognizing that this was the case, The Joint Commission (TJC) – the organization that in effect enforces the CMS regulations in a large number of the nation’s hospitals - in 1989 embraced an equipment prioritization process that became known as 'the risk-based approach”. This method filtered out from the hospital’s medical equipment inventory a subset inventory of what were considered to be those “high-risk” devices that would be made safer by being subjected to periodic, planned maintenance. The need for this more selective approach was driven primarily by simple economics. The latter part of the twentieth century was a time of significant cost cutting in healthcare and this new risk-based approach enabled hospitals to achieve significant, but responsible, efficiencies in maintaining the typical hospital’s ever increasing inventory of medical devices.

3.2 The 1989 Fennigkoh-Smith risk prioritization method

The original method for prioritizing the different types of medical devices according to which would benefit most from periodic PM was described in a publication by Larry Fennigkoh and Brigid Smith who were then at St Luke’s Medical Center in Milwaukee (HTM ComRef 6). The Fennigkoh-Smith method used a simple prioritization metric the authors called the EM (equipment management) number, which is derived by quantifying and compounding together four other descriptors (equipment function, clinical application, maintenance requirements and equipment incident history). The EM number is then used as an indicator for which types of device would benefit from some kind of planned maintenance. Items with a higher EM number were considered to benefit more than those with lower numbers and device types with an EM number above a certain value were required to be included in a documented "equipment management program" where they were subjected to certain control measures such as being maintained according to manufacturer's recommendations.

The apparent disadvantage with the Fennigkoh-Smith method is that some individuals and some organizations, including perhaps the CMS, do not seem to believe that this essentially qualitative analysis provides enough assurance that everything that can be done to improve the safety of medical equipment is being done, and when the CMS discovered that the Joint Commission was not enforcing the longstanding CMS requirement they made it clear that this alternative was not acceptable. See HTM ComDoc 11. for more on this.

There is, however, an alternative method that is just as simple to implement but which is much more robust and defensible because it is based on the modern risk management principles embodied in the widely accepted, scientific methodology known as Reliability-Centered Maintenance (HTM ComRef 1, HTM ComRef 26). This new RCM-based approach is simple, logical and scientifically rigorous. It also offers a potential solution to the quite challenging requirement in the revised CMS regulations (HTM ComRef 28) for some kind of credible risk assessment to support the selection of which types of devices could be included in the facility’s Alternate Equipment Management (AEM) program.

3.3 The Task Force's modern, RCM-based risk prioritization method

The Joint Commission is no stranger to RCM. It was first mentioned in their standards in 2002. At that time they explicitly adopted the concept of Failure Mode and Effects Analysis (FMEA) which is one of the widely-respected analytical building blocks on which RCM is based. The full FMEA process involves a thorough characterization of all of the device’s failure modes, then an analytical determination of which mitigation and prevention strategies, including PM, will be the most cost-effective (HTM ComRef 7). We discuss this modern way of investigating the risks associated with medical device failures in some detail in HTM ComDoc 13. ("The application of Failure Mode and Effects Analysis to medical device-related processes"). However, as the article shows, such investigations are lengthy, detailed and can be quite onerous. Fortunately, since we are currently interested in a quite narrow segment of the range of possible causes of device failures - those listed in Section 1.4 of HTM ComDoc 1 - we can use a much less burdensome version of this method. The Task Force has developed a narrower version of the full FMEA, in which we limit the investigation to considering just the risks associated with PM-preventable failures. The Task Force calls this new tool a PM-focused risk assessment. This abbreviated version uses the same analytical principles but it ignores all except the device's PM-related failure modes.(See HTM ComRef 26)

Although it does not state so explicitly, the language in the CMS memo strongly implies that items that it characterizes as “critical equipment” should be included in the equivalent of a Fennigkoh-Smith era equipment control program (i.e. not permitted to be included in an AEM program). The regulation defines "critical equipment" as devices "for which there is a risk of serious injury or death to a patient or staff person should the equipment fail.” (HTM ComRef 28) However, this definition is problematic primarily because it does not limit the definition to just devices vulnerable to critical failures that are PM-preventable. Nor does it take into account that some devices that may have critical PM-preventable failure modes may be sufficiently reliable that these failure modes are very rarely encountered in everyday use. The Task Force believes that neither of these ambiguities was intended and is proposing to base its risk assessment on criteria that assume they were not intended.

3.3.1 Which devices does CMS intend to include under its definition of "critical equipment"?

If we take into account the many ways in which medical equipment can fail (see below) and the subject line of the 2013 CMS memo ("Hospital Equipment Maintenance Requirements"), the definition of devices that cannot be included in an AEM program (as devices "for which there is a risk of serious injury or death to a patient or staff person should the equipment fail.” (HTM ComRef 28) appears to be insufficiently precise. This is important because this definition directly affects the scope of the risk assessment that the regulation requires before an AEM program can be implemented.

As stated in Section 1.4 of HTM ComDoc 1) medical equipment failures have a variety of causes but they can be grouped into three general categories:

  1. Failures attributable to the device’s inherent reliability, including the random failure of its components, as well as poor design or poor construction of the device itself
  2. Process-related failures attributable to causes such as use errors, physical damage, environmental stress, accessory problems, tampering, and connected network issues
  3. Maintenance-related failures attributable to causes such as inadequately restored nondurable parts or delayed re-calibrations, as well as intrusive maintenance and poor initial set up of the device itself

And there are only four ways in which medical device failures can be hazardous.

  1. When a device on which a patient's well-being is dependent experiences a complete loss of function
  2. When a device on which a patient's well-being is dependent develops a failure that reduces its performance or safety to an unacceptable level and the failure is not likely to be obvious to the device user (often called a "hidden" failure)
  3. When a device is damaged in such a way that it presents some type of direct physical threat to the safety of patients or staff (e.g. the damage leaves an exposed sharp edge)
  4. When the device is used improperly

Of these four ways, only two can be prevented by timely PM:

  1. Failures resulting in a complete loss of device function that are caused by the premature deterioration of a part that is usually restored during periodic PM
  2. "Hidden" failures that reduce the device's the device's performance or safety below a critical level that would be discovered by performance and/or safety verification testing during periodic PM as recommended by the manufacturer

And as we described in Section 1.7 of HTM ComDoc 1 not all of these failures will necessarily result in outcomes that could result in serious injury or death. There are less severe outcomes of PM-preventable failures.

Also, rather than include in the definition of "critical equipment" (and therefore make ineligible for inclusion in AEM programs) devices that might fail and result in a serious, life-threatening outcome from non PM-preventable causes (such as the device's inherent unreliability and its vulnerability to being damaged or misused) it seems more reasonable to take the position that the intent in the CMS memo is to disqualify from inclusion in an AEM program, just those devices whose failure could present “a risk of serious injury or death to a patient should the equipment fail” from causes that can be prevented by competent and timely PM.

However, to the best of our knowledge no one has yet created a list of devices, or device types for which there is a consensus that they all meet the CMS definition of “critical equipment”. There is no general consensus for either this term, or the similar term - “high-risk medical equipment” - which is used by The Joint Commission (TJC). The only examples of “critical equipment” provided in the regulation are ventilators, defibrillators, and robotic surgery devices.

The objective of the AEM option is to permit changes to the default planned maintenance program mandated by CMS (which is following the manufacturer’s PM recommendations for every piece of medical equipment) that will not increase the risk to patients or the attending staff. Therefore, a logical place to start would be to determine which devices could result in some kind of serious, life-threatening outcome if they should fail - from any cause, not just a PM-preventable cause. According to the current language in the revised CMS regulation, all such devices would meet the current definition of critical equipment. There is however, a great deal of uncertainty about the extent to which the items bullet-listed below were intended to be classified as “critical equipment” and thus excluded from the AEM program. Items that:

  • demonstrate a relatively high level of inherent unreliability, or
  • are relatively easy to misuse in a way that makes them hazardous, or
  • are unusually prone to becoming damaged in a way that can become dangerous

The Task Force has taken the position that this ambiguity in the CMS definition of "critical equipment" was not intended and, for the specific purpose of creating a compliant AEM program, only devices with failures that have potentially high severity consequences and that can be prevented by competent and timely planned maintenance should be excluded from AEM programs. To make this interpretation absolutely clear the Task force has chosen to use an alternate, more specific term than "critical equipment", such as “potential high PM risk device”, “potential PM-critical device” or "potential PM Priority 1 device". The qualifying term "potential" is needed because the CMS term "critical equipment" is defined as only posing the threat of a high severity outcome. As explained just above, a device that is vulnerable to failures with high severity consequences but which has a very low probability of failing will not be a "high-risk" device.

3.3.2 The regulation seems to reflect a poor understanding of the concept of risk

It is important to distinguish between the terms "risk" and "severity" (as in "failure outcome severity"). For example, concluding that a device that has PM-preventable failure modes that have potentially high-severity (LOS 3) adverse outcomes is not sufficient to classify it as a potentially hazardous, high-risk device. According to modern reliability and risk management theory (see, for example HTM ComRef 1., HTM ComRef 2.), risk has two components:

  • The severity of the outcome of the event (in this context a PM-preventable device failure); and
  • The likelihood that the event (the PM-preventable device failure) will actually occur.

This required combination of two factors means that devices that have a manufacturer-recommended PM procedure with one or more device restoration or safety verification tasks that could have a high severity (LOS 3) failure outcome will not necessarily make it a high-risk (or "critical") device. If the likelihood of any PM-preventable failures actually occurring is very low - with a mean time between failures (MTBFs) of, say, 50-75 years or more - then the corresponding risk of the device failing from a PM-preventable cause and harming the patient is reduced from being a high risk to something much lower.

The actual risk of sustaining a high severity injury is, in fact, accurately represented by the likelihood that the device will actually fail, from either a wear-related failure or from a hidden failure. This is why traveling on a commercial airliner is considered to be safe. While there is a theoretical potential for a high-severity outcome if the plane should crash, the likelihood that this will actually happen is very low. This very low probability of the aircraft crashing makes the risk of sustaining a life-threatening injury when flying on a commercial airliner correspondingly low.

3.4 Recommended risk criteria

Based on this foregoing discussion the Task force believes that devices meeting either or both of the criteria listed below are devices that are made safer by competent and timely planned maintenance. Devices meeting the first criterion are what the Task Force believes are those that CMS originally intended to be considered "critical devices".

  1. The device can fail from a PM-preventable cause (i.e. a wear-related failure or a hidden failure) and that failure will result in an adverse outcome that is potentially life-threatening. (This criterion is what the Task Force calls the "severity of PM-related harm" criterion)
  2. The failure of the device from a PM-preventable cause is quite likely to occur. (This second criterion is what the Task Force calls the "likelihood of PM-related failure" criterion)

It is important to note that a list of devices that do not meet the "severity of PM-related harm" criterion can be used to define an inventory of devices that are eligible to be included in an AEM program. Devices that do have a potentially life-threatening outcome when they fail are critical by definition. And the same is true of the "likelihood of PM-related failure" criterion; a list devices that do not meet this particular criterion could also be used to define an inventory of devices that are eligible to be included in the facility's AEM program. However, choosing the first option (using just the "severity of PM-related harm" criterion) provides every healthcare facility with an immediate opportunity to to create a very simple but highly efficient AEM program. This would constitute what the Task Force is calling a Phase 1 AEM Program. This opportunity can be seized immediately because the Task Force has already documented (see below) a credible risk assessment using just the first criterion. (Also see HTM ComDoc 16 Implementing a simple CMS-compliant Alternate Equipment Management (AEM) program. or HTM ComRef 35)

The Task Force's suggestions for implementing an efficient risk-based AEM program that will be compliant with the current CMS regulation using one or both of these two criteria are contained in a recently-published two-part article in AAMI"s BI&T journal (HTM ComRef 35 and HTM ComRef 36). Much of that material is also contained in HTM ComDoc 16 "Implementing a simple CMS-compliant Alternate Equipment Management (AEM) program."

Since the earlier Fennigkoh-Smith method used "inclusion criteria" to define which devices should be included in the facility's "managed" inventory, these new risk criteria can be restated as follows. Devices meeting either one, or both, of the two following inclusion criteria can be included in an AEM program.

  • The device is highly unlikely to cause a serious injury or death to a patient or staff person if it should fail in a way that could have been prevented by the device having been subjected to appropriate PM ("severity of PM-related harm" criterion)
  • The device is highly unlikely to fail from a PM-preventable cause ("likelihood of PM-related failure" criterion)

See also ... The Task Force’s four PM-focused risk criteria from Section 16.7 in HTM ComDoc 16

3.5 The full PM-focused risk assessment consists of two phases


Phase 1 will identify the device types that have PM-preventable failure modes (ways of failing) and project what could be the worst-case severity of the adverse outcomes of those failures. The Task Force has completed a first cut at this analysis (see Section 3.6 et seq. below).
Phase 2 will attempt to determine how likely it is that these theoretical ways of failing will actually occur in normal, everyday use. (see HTM ComDoc 4. Determining the likelihood of PM-preventable failures) As we have noted elsewhere, a device that has the theoretical potential to fail and cause a patient injury is not hazardous if that failure can be shown to occur very infrequently, say, only once in 50 or more years. This part of the assessment is currently underway. Some data has already been contributed to the HTM Community database.

{The material on this website, as well as two publications by several members of the Task Force (HTM ComRef 35 and HTM ComRef 36 provides a complete blueprint for implementing both a Phase 1 AEM program (using just the first criterion) and, eventually, a Phase 2 AEM program that will add consideration of the second criterion.

To make this added consideration (of limiting the assessment to considering only failures from PM-preventable causes) absolutely clear, the MPTF is calling the analysis using this particular criterion a "PM-focused risk assessment." The option to use this more limited assessment is not specifically called out in the CMS regulation; however, as the sole topic of the CMS memo is PM, it seems reasonable to assume that the risk assessment being called for should consider only PM-preventable failures.

Changing the way that a facility performs PM on its medical equipment by implementing an AEM program based on a PM-focused risk assessment will not do anything, intentionally, to reduce failures resulting from other causes, such as physical damage and use errors. These are process-related failures, and making changes to only the PM program is unlikely to prevent such failures. Although most PM procedures include a physical inspection of the device, a long period could pass before the next PM, and during that time, patients and staff may be exposed to potentially hazardous physical damage.

The Task Force labels the second AEM program inclusion criterion as “likelihood of PM-preventable failures.” This criterion will be used in phase 2 to identify specific manufacturer-model versions of the various device types that have demonstrated having an acceptably low likelihood of failing from a PM-preventable cause.

This second criterion is logically consistent with a key statement in Appendix A of the CMS memo: “Multiple factors must be considered, since different types of equipment present different combinations of severity of potential harm and likelihood of failure.” (see ref ...) This recognition by CMS that the level of risk associated with a device failure consists of a combination of the severity of potential harm resulting from the failure and the likelihood of the failure occurring is extremely important. It is a key element of the FMEA method, which was first introduced as a part of the RCM approach pioneered in the 1960s.

The second criterion potentially is helpful because it will allow even more devices to be included in the facility’s AEM program, even though they could cause serious harm if they do fail. Devices meeting this criterion will have demonstrated an acceptably low likelihood of failing from a PM-preventable cause (i.e., a high level of PM-related reliability).

Although the threshold of acceptable PM-related reliability has not been set, the second phase of the MPTF’s project, which is currently underway, will provide information on the levels of PM-related reliability that are achieved when devices are maintained strictly according to manufacturer recommendations. This information will provide a rational basis for determining acceptable levels of PM-related reliability.

Based on these logical arguments, devices meeting one or both of the MPTF’s recommended inclusion criteria can be moved into an appropriately documented AEM program — a program that the MPTF believes will be in full compliance with the CMS regulation.}

3.6 The Phase 1 Risk Assessment. The potential severity of PM-preventable failures

During the first phase of the RCM project, the Task Force undertook a two-part risk analysis that examined the more than 70 device types that are considered most likely to be “potentially high PM-risk devices.” This initial group of candidate device types is listed in Table 1 "Devices most likely to benefit from PM - specifically with respect to reliability and patient safety". Note that this is a tentative list and subject to modification based on feedback from other members of the HTM community.

Because PM procedures are typically made up of two different kinds of tasks (Section 1.3 in HTM ComDoc 1), devices can fail as a result of inadequate PM in two possible ways:

  1. Premature deterioration of a component that the manufacturer has specified as needing periodic restoration during the working lifetime of the device. (What the Task Force calls a wear-related failure).
  2. Some type of imperceptible deterioration (not obvious to the user) that is causing the device to no longer meet its critical performance and safety specifications. (What the Task Force calls a hidden failure).

Because both these possible types of failures need to be considered, the risk analysis has to be performed in two steps. First, any device restoration tasks in the manufacturer’s recommended PM procedure (or the equivalent generic version of the procedure) are examined and a judgment made about the level of severity (LOS) of the worst-case adverse outcome that could result if the device stopped working while in use because one or more of the device’s non-durable parts were not restored properly or in a timely manner. However, these potentially harmful adverse outcomes can cover a wide range of severity, from trivial to life threatening, and for the purposes of this analysis, the Task Force has chosen to separate this continuum into four categories (see Section 1.7 in HTM ComDoc 1).

3.7 Ranking each device type that is vulnerable to PM-preventable failures according to its worst-case failure outcome severity

In general - as we described in Section 1.3 of HTM ComDoc 1, there are two kinds tasks in a medical device’s PM procedure.

  • The first kind is what the Task Force calls device restoration tasks. Theses are intended to restore the device to something close to its original, like-new condition. They are tasks in which components that are subject to deterioration during the useful lifetime of the device, such as batteries, cables, fasteners, gaskets and tubing, are periodically refurbished or replaced. Device failures attributable to late or incompetent device restoration are called device wear-related failures.
  • The second kind is what the Task Force calls safety verification tasks. These are intended to detect (then repair) any hidden degradation in the functional performance or safety of the device that is sufficiently serious to require immediate correction. Device failures attributable to late or incompetent safety verification are simply called hidden failures.

The two short questionnaires described below are used to assess the worst-case outcome severity of these two types of PM-preventable failures for each type of device. The results of these two assessments will enable us to rank the various device types according to their potential to create an adverse outcome with some level of severity when they experience a PM-preventable failure (Table 4). {Those in the highest severity category that also demonstrate a high likelihood of succumbing to PM-related failures (to be determined in Phase 2) will be placed in the highest category of PM-related risk (PM Priority 1).}

Each questionnaire addresses:

  • the nature of the outcome of the failure,
  • any possible mitigating factors, and
  • the projected worst-case severity of the outcome of the failure.

The assessments are carried out in two steps, first looking at possible wear-related failures, then looking at possible hidden failures. The preliminary results are shown in Table 2 and Table 3. The result of combining these two sets of findings is presented in Table 4.

3.7.1 The wear-related failures severity questionnaire (Results shown in Table 2)


1.1 - Does the manufacturer's recommended PM procedure for this device (or the corresponding HTMC generic PM procedure) include one or more device restoration tasks?
Response: yes or no
1.2 - If yes, is it reasonably possible that the device will stop working properly if one (or more) of these device restoration tasks is not completed in a competent and timely manner?
Response: yes or no
1.3 - If yes, is it reasonably possible that there could be some kind of non-negligible adverse outcome if this device stops working while being used on a patient?
Response: yes or no
1.4 - If yes, briefly describe the nature of the worst-case adverse outcome
Response: Enter this scenario in column 6 of Table 2
1.5 - Identify any possible mitigating factors that might reduce the severity of the expected outcome.
Response: Enter this information in column 8 of Table 2
1.6 - After considering the possible mitigating factors noted in response to question 1.5 above, project the worst-case Level of Severity (LOS) of the outcome of the failure and enter it in column 7 of Table 2
Response: LOS 0, LOS 1, LOS 2, or LOS 3

3.7.2 The hidden failures severity questionnaire (Results shown in Table 3)


2.1 - Does the manufacturer's recommended PM procedure for this device (or the corresponding HTMC generic PM procedure) include one or more device performance verification or safety verification tasks?
Response: yes or no
2.2 - If yes, is it reasonably possible that there could be some kind of non-negligible adverse outcome if one or more of those tests showed that the device is no longer meeting the relevant performance or safety specification?
Response: yes or no
2.3 - If yes, briefly describe the nature of the worst-case adverse outcome
Response: Enter this scenario in column 5 of Table 3
2.4 - Identify any possible mitigating factors that might reduce the severity of the expected outcome.
Response: Enter this information in column 7 of Table 3
2.5 - After considering the possible mitigating factors listed in response to question 2.4 above, project the worst-case Level of Severity (LOS) of the outcome of the failure and enter in in column 6 of Table 3
Response: LOS 0, LOS 1, LOS 2, or LOS 3

3.8 Preliminary findings from the failure severity assessments

The preliminary results of the questionnaire-based analyses are shown in Table 2 (wear-out failures) and Table 3 (hidden failures).

  • Table 1. (Devices most likely to be PM-critical) - Lists the 70+ device types that the Task Force considers to be the devices that would benefit the most from receiving regular PM. Although this list represents only about 5-10% of the 700 to 1500 different types of medical equipment found in most modern hospitals, we believe that it represents every one of the device types that could seriously injure a patient if it experiences a PM-preventable failure.
  • Table 2. (Wear-out failures) - Of the 70+ device types analyzed using the wear-out failures questionnaire, eleven are judged to have the potential for the most severe (LOS 3) outcome from a PM-preventable wear-out failure.
  • Table 3. (Hidden failures) - Of the 70+ device types analyzed using the hidden failures questionnaire, sixteen are judged to have the potential for the most severe (LOS 3) outcome from a PM-preventable hidden failure.
  • Table 4. (PM-related Failure Severity Index) - Shows the result of combining the findings shown in Tables 2 and 3. Of the 70+ device types analyzed, twenty are judged to have the potential to expose the patient to the most severe (LOS 3) outcome if they should experience a PM-preventable failure. These are the device types that these initial assessments indicate will receive the greatest benefit in terms of improved reliability and safety from regular PM.

The concise scenarios described in the sixth and fifth columns of Table 2 and Table 3, respectively, make the categorization process logical and quite transparent since the judgements are there to be challenged or critiqued by other members of the HTM community. This Delphi-like process should allow better consistency than the broad, potentially subjective generalizations of earlier methods.

It is important to point out that not every possible wear-out failure and hidden failure have been addressed so far in column 6 of Table 2 and column 5 of Table 3. In many cases there will be other possible PM-preventable failures. The best way of identifying all possible PM-preventable failures is to review all of the tasks listed in the device restoration (DR) and safety verification (SV) sections of the device's generic PM procedure.

For example:

  • By looking at the SV section of the generic PM procedure for a defibrillator-monitor (click on the PM Code in the 3rd column of Table 3 - or here DEF-01) you can see that tasks SV4 thru SV7 have been labelled as "Serious failure is potentially life-threatening". The scenario cited in the fifth column of Table 3 is that some kind of "hidden failure caused the unit to under-deliver" which would correspond to a PM finding that Task SV7 indicated that the delivered energy was significantly less than the energy level selected. According to the extent to which the device is found to be out-of-spec the adverse outcome should be judged to be either level of severity (LOS) 2, or 3.
  • If a critical care (life-supporting) ventilator suddenly stops working because of the premature failure of a non-durable part it is possible that the patient will be deprived of oxygen for an extended period while the device is down. Critical care ventilators usually have one or more device restoration tasks in their PM procedures that could cause the device to stop working if the device restoration is not done at the right time. See, for example, Task DR1 for C.VEN-01.
  • If the air flow detector in an infant apnea monitor degenerates to the point that it would fail to detect the cessation of the infant breathing the outcome of this hidden failure could well be be at level of severity (LOS 3). For this reason infant apnea monitors usually have a safety verification task to confirm the proper functioning of the flow detector included in the PM procedure.

3.8.1 Two special cases; non-PM critical devices and APMs

Non PM-critical devices can be identified as follows.

Devices that do not have either a potentially critical device restoration task or a potentially critical safety verification task in their manufacturer-recommended PM procedure cannot be a potentially PM-critical device. These non-PM critical devices are more commonly known as non-critical devices. This complete immunity to PM-preventable failures makes them legitimate candidates for inclusion in an AEM program the so-called light maintenance strategy which simply allows the device to be used – regulatory constraints permitting - without any kind of periodic maintenance. In some cases an argument might be made for periodic PM interventions on the grounds that they would reduce the net cost of maintaining the device, but - as of this time - we know of no studies that have documented such a finding for any type of medical device. For more details on the possible business and economic impact of planned maintenance. (See HTM ComDoc 9.)

Automatic protection mechanisms (APMs)

Perhaps because of their increasing complexity and a heightened concern about patient safety, more and more medical devices are being provided with some kind of automatic protection mechanism. There are several different kinds:

  1. Automatic warning devices - to alert the operators to the onset of a potentially serious hidden failure, such as the warning lights and audible alarms found on many patient monitoring systems intended to indicate when there is some kind of degradation, such as a monitoring lead that needs to be adjusted.
  2. Automatic equipment shut-down devices - such as the resistance sensors found on all modern powered x-ray tables that are similar to those found on elevator doors.
  3. Automatic relief devices - such as the over-pressure pop-off valves found on most sterilizers.
  4. Dual components or dual devices set up in parallel - to provide automatic functional redundancy.
  5. Guard mechanisms - to physically eliminate or preclude the possibility of a catastrophic failure from occurring, such as particulate filters in channels circulating fluids that are lubricating wearing parts.

The presence of some kind of critical APM triggers the need for an appropriate periodic performance or safety verification test, and such devices should be automatically considered potentially PM priority 1 devices.

3.8.2 A device's PM-related Failure Severity Index as a measure of its worst-case failure outcome severity

The result of these failure severity assessments is a ranking (see Table 4) of the various types of medical devices that are likely to present some level of PM-related risk) into the five categories shown in the left hand column of the AEM eligibility based on outcome severity of failure graphic. The device types in the first three categories can be identified by consulting column 6 in Table 4. All three categories are vulnerable to inadequate PM but present different levels of potential harm to the patient.

1. Potentially high PM risk devices - this category includes 20 device types that present possible failure outcomes at the most severe (LOS 3) level
2. Potentially moderate PM risk devices - this category includes 46 device types that present possible failure outcomes at the moderately severe (LOS 2) level
3. Potentially low PM risk devices - this category includes 5 device types that present possible failure outcomes at the least severe (LOS 1) level
4. Negligible PM risk devices - this category includes numerous device types. The table identifies a few (but certainly not all) device types that present possible failure outcomes at a level that is judged to be negligible. Examples include an exercise ergometer (EX.ER-01) and a set of patient scales (PA.SC-01).
5. Zero PM risk devices - this category, also known as non-critical devices, also includes numerous device types that have no potentially critical PM-preventable failure modes and therefore zero potential for any PM-related adverse outcomes. Some of these are non-clinical devices such as bedside lamps, printers or other device accessories that do not even fall into the formal category of medical devices that is regulated by the FDA. And, as we have pointed out just above, non-critical devices are readily identified through their responses to the two failure severity questionnaires. The Task Force believes that a very large percentage of the estimated remaining balance of at least 700 device types will similarly prove to be non-critical devices when they are analyzed.

3.8.3 Implementing a Phase 1 AEM Program will permit a very significant reduction in the PM workload

The risk assessment described above implementing just the first of the Task Force's two recommended risk criteria provides a solid, logical justification for allowing all except the top 20 device types listed in Table 4 to be transferred into an AEM program. All of the other device types listed in Table 4, as well as the numerous device types in categories 4 and 5 of the AEM eligibility based on outcome severity of failure graphic can be safely transferred into the AEM program where they will be legitimate candidates for the so-called light maintenance strategy (HTM ComRef 26) which - regulatory constraints permitting - simply lets the device run to failure without any kind of periodic maintenance.

In some cases an argument might be made for periodic PM interventions on the grounds that they would reduce the net cost of maintaining the device, but - as of this time - we know of no studies that have documented such a finding for any type of medical device. For more on this topic, see HTM ComDoc 9. "Medical devices that may benefit from PM from a business/ economics viewpoint". See also HTM ComDoc 16 "Implementing a simple RCM-based Alternate Equipment Management (AEM) program". Recommendations for alternate maintenance strategies can be found in HTM ComDoc 10. "Alternate Maintenance Strategies and Maintenance Program Optimization".

As best we can estimate there are, in round numbers, between 750 and 1500 different types of healthcare-related devices in use in today’s healthcare facilities so this one single change will undoubtedly represent a very significant reduction in the PM workload. But a word of caution here .... see Section 16.11 in HTM ComDoc 16.

In summary:

  • Less than ten percent of the device types used in healthcare (about 70 of the more than 750 different device types) are potentially PM-critical. And, although there is virtually no hard data to prove it at the moment, there are also strong indications (see Table 13) that most of those PM-critical devices have good PM-related reliability (making them either unlikely, or highly unlikely to fail from a PM-preventable cause). Continuing to collect the data needed to prove this should be a high priority.
  • There should be no more "magical thinking" about the "power" of PM. It is extremely important to recognize what PM cannot, and does not, do with respect to patient safety. PM performed on non-critical equipment has absolutely no impact on patient safety. And, even in the case of the PM-critical devices, performing periodic PM has absolutely no impact on >95% of the failures of those devices. The leading causes of failure are (1) unpredictable, random component failures (40-50%) and (2) process-related failures such as user problems, battery management shortcomings, physical damage due to dropping, accessory problems, environmental issues, etc. These are failures that are completely unaffected by PM.

3.9 Determining the device's actual level of PM criticality (See HTM ComDoc 4 "Consideration of the device's PM-related reliability")

As stated in Section 3.5 above, the full PM-focused risk assessment consists of two phases. Phase 2 will consist of determinations of how likely it is that a device's theoretical ways of failing actually do occur in normal, everyday use. (see HTM ComDoc 4 "Consideration of the device's PM-related reliability"). As we have noted elsewhere, a device that has the theoretical potential to fail and cause a patient injury is not hazardous if that failure can be shown to occur very infrequently, say, only once in 50 or more years. This part of the assessment is currently underway. Some data has already been contributed to the HTM Community database. A more complete description of this ongoing work can be found in HTM ComDoc 4 "Consideration of the device's PM-related reliability"

3.10 Monitoring levels of PM-related patient safety

It is a primary expectation that a well executed medical equipment maintenance program will result in a high level of patient safety - a level that is at least as high as would be achieved by maintaining the devices according to the manufacturer's recommendations. A very good way to generate confidence that the PM program is meeting its safety objective is to monitor and regularly report on the following three statistics:

  • Routinely document all corrective maintenance (repair) calls that are judged to be “PM-preventable”, and periodically report on how many of these involved “potentially high PM risk” devices (devices that the CMS regulations call "critical equipment"). A low count would indicate that the devices in question are demonstrating that they are acceptably safe with respect to PM-preventable failures.
  • Routinely report on how frequently the “potentially high PM risk” devices were reported as failing one or more of their PMs - either because the device failed a performance or safety verification test, or because a critical non-durable part was found to be well past the time that it should have been restored. A low count here would similarly indicate that the devices in question are demonstrating that they are acceptably safe with respect to PM-preventable device failures.
  • Routinely provide statistics on any device-related patient incidents in which harm was attributed to a PM-preventable device failure.


For further discussion of these techniques and suggested ways of coding maintenance calls, see Section 15.3 of HTM ComDoc 15. " Why we need to standardize the format of our maintenance reports".

Measuring an individual device's level of PM-related safety (i.e. its level of PM-related risk)

A very good measure of an individual device's level of PM-related safety is provided by its level of PM-related risk. A device's level of PM-related risk is determined first by the LOS of its worst case failure (see column 6 of Table 4), and then by its level of PM-related reliability (see columns C8 and C9 of Table 13).

The device's PM-related reliability is the lesser (the one representing the lower level of reliability) of the following two MTBFs:

  • The MTBF based on the total of (1) any overt MR1 failures caused by inadequate device restoration (from the repair cause coding) and (2) any PM Code 9 findings (which are immediate precursors of the overt MR1 failures caused by inadequate restoration).
  • The MTBF based on the total of any hidden performance and safety degradations detected by the safety verification tasks (PM Code F findings)

A device's Level of PM-related risk is determined by combining the projected worst case severity of the outcome of a PM-related failure and the projected or demonstrated likelihood that the failure will actually occur. The Task Force has defined five levels for a device's level of PM-related risk (i.e. level of priority for timely PM) in Table 12 "Definitions of the different levels of a device's priority for PM".

  1. High PM-related risk
  2. Moderate PM-related risk
  3. Low PM-related risk
  4. Very low PM-related risk
  5. Extremely low PM-related risk


Site Toolbox:

Personal tools
This page was last modified 19:55, 25 October 2018. - This page has been accessed 448 times. - Disclaimers - About HTMcommunityDB.org