Regulatory Open Forum

There is a lot going on here, so let me break it into pieces. First, any review should use ISO 14971:2019, not ISO 14971:2007.

Second, "mitigation" is the wrong word. The process reduces risks. Mitigation has the sense that the harm occurred and the effort is to reduce (mitigate) its effect. You won't find the word mitigate in either version of 14971.

This is an area in which simplicity has given way to complexity. I will try to reset.

There are no "use related hazards". The distinction occurs at a different point in the process. Second, there is nothing "special" about usability. It is a straight forward application of ISO 14971:2019.

Start with ISO 14971:2019 Table C.3. It is the correct layout for the start of the process. In particular, notice the Foreseeable sequence of events. This is very important, and, in my opinion, under-emphasized in the standard.

Now turn to IEC 62366-1:2015 Table B.2. The authors of the table took, in my opinion, a strange approach. They should have used the ISO 14971:2019 Table C.3 layout (which was also in ISO 14971:2007). (I had an opportunity to review the draft changes and they introduce an error in this table.)

In any case the basic elements are in Table B.2. There is a hazard, a sequence of events, a hazardous situation, a harm, and risk control measures. The table buries the hazard situation in italics.

The essential point, however, is that the sequence of events contains at least one use error. This is the distinguishing feature between a Use Scenario IEC 62366-1:2015 Figure A.2 and a Hazard Related Use Scenario IEC 62366-1:2015 Figure A.3. Notice that the distinguishing feature is in the sequence of events, not the hazard.

The task is to introduce risk reduction measures that address the Hazard Related Use Scenario. Here, the PCA model helps. Information for safety must be perceivable, understandable, and support correct use. Perceivable relates to perception and understandable relates to cognition.

Distinguish between perception and cognition to plan the risk reduction measure. (I drive through the intersection without stopping because I didn't perceive the STOP sign. I sped along the highway because I'm Canadian and misunderstood (cognition) the sign in miles per hour.)

The standard says that there could be more hazard related use scenarios than is practicable to test. IEC 62366-1:2015, 5.5 says the manufacturer may select "the subset of the hazard-related use scenarios based on the severity of the potential harm that could be caused by use error".

In my opinion, the switch to formative and summative evaluation was a step backwards. It really causes confusion in FDA guidance document, since, following QSR, it must use the standard terms – verification and validation.

In any case the designers perform the formative evaluation and the users perform the summative evaluation. In educational circles (which is the origin of the phrases) people say, "In formative evaluation the cook tastes the soup while in summative evaluation the guests taste the soup".

There is a lot going on here, so let me break it into pieces. First, any review should use ISO 14971:2019, not ISO 14971:2007.

Second, "mitigation" is the wrong word. The process reduces risks. Mitigation has the sense that the harm occurred and the effort is to reduce (mitigate) its effect. You won't find the word mitigate in either version of 14971.

This is an area in which simplicity has given way to complexity. I will try to reset.

There are no "use related hazards". The distinction occurs at a different point in the process. Second, there is nothing "special" about usability. It is a straight forward application of ISO 14971:2019.

Start with ISO 14971:2019 Table C.3. It is the correct layout for the start of the process. In particular, notice the Foreseeable sequence of events. This is very important, and, in my opinion, under-emphasized in the standard.

Now turn to IEC 62366-1:2015 Table B.2. The authors of the table took, in my opinion, a strange approach. They should have used the ISO 14971:2019 Table C.3 layout (which was also in ISO 14971:2007). (I had an opportunity to review the draft changes and they introduce an error in this table.)

In any case the basic elements are in Table B.2. There is a hazard, a sequence of events, a hazardous situation, a harm, and risk control measures. The table buries the hazard situation in italics.

The essential point, however, is that the sequence of events contains at least one use error. This is the distinguishing feature between a Use Scenario IEC 62366-1:2015 Figure A.2 and a Hazard Related Use Scenario IEC 62366-1:2015 Figure A.3. Notice that the distinguishing feature is in the sequence of events, not the hazard.

The task is to introduce risk reduction measures that address the Hazard Related Use Scenario. Here, the PCA model helps. Information for safety must be perceivable, understandable, and support correct use. Perceivable relates to perception and understandable relates to cognition.

Distinguish between perception and cognition to plan the risk reduction measure. (I drive through the intersection without stopping because I didn't perceive the STOP sign. I sped along the highway because I'm Canadian and misunderstood (cognition) the sign in miles per hour.)

The standard says that there could be more hazard related use scenarios than is practicable to test. IEC 62366-1:2015, 5.5 says the manufacturer may select "the subset of the hazard-related use scenarios based on the severity of the potential harm that could be caused by use error".

In my opinion, the switch to formative and summative evaluation was a step backwards. It really causes confusion in FDA guidance document, since, following QSR, it must use the standard terms – verification and validation.

In any case the designers perform the formative evaluation and the users perform the summative evaluation. In educational circles (which is the origin of the phrases) people say, "In formative evaluation the cook tastes the soup while in summative evaluation the guests taste the soup".

There is a lot going on here, so let me break it into pieces. First, any review should use ISO 14971:2019, not ISO 14971:2007.

Second, "mitigation" is the wrong word. The process reduces risks. Mitigation has the sense that the harm occurred and the effort is to reduce (mitigate) its effect. You won't find the word mitigate in either version of 14971.

This is an area in which simplicity has given way to complexity. I will try to reset.

There are no "use related hazards". The distinction occurs at a different point in the process. Second, there is nothing "special" about usability. It is a straight forward application of ISO 14971:2019.

Start with ISO 14971:2019 Table C.3. It is the correct layout for the start of the process. In particular, notice the Foreseeable sequence of events. This is very important, and, in my opinion, under-emphasized in the standard.

Now turn to IEC 62366-1:2015 Table B.2. The authors of the table took, in my opinion, a strange approach. They should have used the ISO 14971:2019 Table C.3 layout (which was also in ISO 14971:2007). (I had an opportunity to review the draft changes and they introduce an error in this table.)

In any case the basic elements are in Table B.2. There is a hazard, a sequence of events, a hazardous situation, a harm, and risk control measures. The table buries the hazard situation in italics.

The essential point, however, is that the sequence of events contains at least one use error. This is the distinguishing feature between a Use Scenario IEC 62366-1:2015 Figure A.2 and a Hazard Related Use Scenario IEC 62366-1:2015 Figure A.3. Notice that the distinguishing feature is in the sequence of events, not the hazard.

The task is to introduce risk reduction measures that address the Hazard Related Use Scenario. Here, the PCA model helps. Information for safety must be perceivable, understandable, and support correct use. Perceivable relates to perception and understandable relates to cognition.

Distinguish between perception and cognition to plan the risk reduction measure. (I drive through the intersection without stopping because I didn't perceive the STOP sign. I sped along the highway because I'm Canadian and misunderstood (cognition) the sign in miles per hour.)

The standard says that there could be more hazard related use scenarios than is practicable to test. IEC 62366-1:2015, 5.5 says the manufacturer may select "the subset of the hazard-related use scenarios based on the severity of the potential harm that could be caused by use error".

In my opinion, the switch to formative and summative evaluation was a step backwards. It really causes confusion in FDA guidance document, since, following QSR, it must use the standard terms – verification and validation.

In any case the designers perform the formative evaluation and the users perform the summative evaluation. In educational circles (which is the origin of the phrases) people say, "In formative evaluation the cook tastes the soup while in summative evaluation the guests taste the soup".

I've broken you post into parts and then put my response under each part. This will keep the context clear.

Dan when you say: The "task" is to introduce risk reduction... are you talking about what FDA calls "critical tasks" or in general about the goal of the analysis?

The task is my term for what you want to achieve by risk management. Making the risk acceptable and as low as reasonably practicable. Do this by introducing risk reduction measures. The risk reduction measures will (in the best case) break the chain in the sequence of events. When a step in the sequence of events is a user error, the PCA model helps. For example, a warning sign has poor (ambiguous) wording. If the assumption were perception, the action would make it bigger, but leave the same words. However, the problem is cognition, so the action is to reword the sign.


When we look at table B.2 of IEC 62366-1:2015, how would you convert for example the first row " Physician accidentally activates unguarded fire control" in a "task".

First, start with IEC 62366-1:2015, Figure A.2. The physician (user) performs a sequence of tasks in order to obtain the intended result. However, the physician performs a use error, which takes us to IEC 62366-1:2015, Figure A.3. In this case the erroneous interaction is "accidental activation of the unguarded fire control". In other words, the physician flipped the wrong switch. In the PCA model, this is perception. The risk control measure is a guard over the toggle switch. (When I worked on surface to air missile systems there were plenty of these guards. They are red and you have to lift the cover before you could flip the toggle switch. You often see them in movies involving technology.)


Also, when selecting critical tasks, is the severity threshold up to the manufacturer?

It is important to realize that IEC 62366-1:2015 does not have a definition of a critical task. This is in the FDA guidance document. It is a user task performed incorrectly or not performed at all. The FDA guidance document, section 8 says, "The human factors validation testing should be designed [such that] all critical tasks are performed during the test".

IEC 62366-1:2015 uses Hazard-Related Use Scenarios. In section 5.5 the standard says that as part of summative evaluation the manufacturer may select either all the Hazard-Related Use Scenarios or a subset based on risk.


The problem is that one cannot estimate the frequency of occurrence (probability) of a use error. ISO 14971:2019 covers this case in section 4.4.d, "criteria for accepting risks when the probability of occurrence of harm cannot be estimated".

The common approach is a 5 by 5 risk matrix that defines acceptability. One dimension is severity and the other is probability. Use the severity scale only.


Thanks again. This discussion is being extremely helpful. I feel for both 62366-1 and 14971, it is easy to get confused about many concepts and steps that look and sound "almost the same" but they are actually "slightly different".

IEC 62366-1:2015 is an application ISO 14971:2019. The process steps are same. The difference is in IEC 62366-1:2015 some of steps in the sequence of events are use errors. Make them the same in you mind by following the one process. Identify every step in the sequence of events that is a use error.

There is a lot going on here, so let me break it into pieces. First, any review should use ISO 14971:2019, not ISO 14971:2007.

Second, "mitigation" is the wrong word. The process reduces risks. Mitigation has the sense that the harm occurred and the effort is to reduce (mitigate) its effect. You won't find the word mitigate in either version of 14971.

This is an area in which simplicity has given way to complexity. I will try to reset.

There are no "use related hazards". The distinction occurs at a different point in the process. Second, there is nothing "special" about usability. It is a straight forward application of ISO 14971:2019.

Start with ISO 14971:2019 Table C.3. It is the correct layout for the start of the process. In particular, notice the Foreseeable sequence of events. This is very important, and, in my opinion, under-emphasized in the standard.

Now turn to IEC 62366-1:2015 Table B.2. The authors of the table took, in my opinion, a strange approach. They should have used the ISO 14971:2019 Table C.3 layout (which was also in ISO 14971:2007). (I had an opportunity to review the draft changes and they introduce an error in this table.)

In any case the basic elements are in Table B.2. There is a hazard, a sequence of events, a hazardous situation, a harm, and risk control measures. The table buries the hazard situation in italics.

The essential point, however, is that the sequence of events contains at least one use error. This is the distinguishing feature between a Use Scenario IEC 62366-1:2015 Figure A.2 and a Hazard Related Use Scenario IEC 62366-1:2015 Figure A.3. Notice that the distinguishing feature is in the sequence of events, not the hazard.

The task is to introduce risk reduction measures that address the Hazard Related Use Scenario. Here, the PCA model helps. Information for safety must be perceivable, understandable, and support correct use. Perceivable relates to perception and understandable relates to cognition.

Distinguish between perception and cognition to plan the risk reduction measure. (I drive through the intersection without stopping because I didn't perceive the STOP sign. I sped along the highway because I'm Canadian and misunderstood (cognition) the sign in miles per hour.)

The standard says that there could be more hazard related use scenarios than is practicable to test. IEC 62366-1:2015, 5.5 says the manufacturer may select "the subset of the hazard-related use scenarios based on the severity of the potential harm that could be caused by use error".

In my opinion, the switch to formative and summative evaluation was a step backwards. It really causes confusion in FDA guidance document, since, following QSR, it must use the standard terms – verification and validation.

In any case the designers perform the formative evaluation and the users perform the summative evaluation. In educational circles (which is the origin of the phrases) people say, "In formative evaluation the cook tastes the soup while in summative evaluation the guests taste the soup".