Health care facilities view risk assessment as a top priority, but how can they ensure that no risk is overlooked? The seven HACCP principles may provide answers.

HACCP, an acronym for hazard analysis and critical control points, is a risk-management technique to systematically investigate hazards and then implement appropriate controls.

The use of HACCP in issues related to medical care and medical devices has not yet seen widespread adoption, but its use in medical-device design and manufacturing, clinical engineering, and hospital risk management has advocates, as reflected in part by the Medical HACCP Alliance (

Before HACCP can be applied to any system, the scope of the HACCP plan must be clearly defined so that it is known what activities are included and what related activities will be covered by other control systems. For example, in a service HACCP plan, it may be specified that the service personnel are to be adequately trained to perform individual service tasks. The validity of this assumption must be assured by some other system. Alternatively, technical training could be made part of the HACCP plan and handled within the context of the plan. As with many management systems, there is considerable flexibility in defining scope, and no methodology can be a substitute for knowledgeable and thoughtful implementation.

Another prerequisite to the use of HACCP is establishment of a trained HACCP team. Training is available from the Medical HACCP Alliance or from previously trained individuals. In-house group training by a previously trained staff member also might be considered. Obtaining management support for the initial effort to create the HACCP plan is also important, and is easier if management understands that putting any effective system in place requires a front-end cost that will be repaid by subsequent benefits. In general, the goals of the HACCP plan are also prerequisites; that is, HACCP is a means to implement goals rather than a means to create them.

Process Flow Diagram
All sensible activities or processes have a logical sequence of actions that can be represented as a process-flow diagram (PFD). The PFD must reflect how things really get done, as opposed to how they might get done under ideal circumstances. This is especially true when applying HACCP to an already existing system. HACCP can also be part of the planning of a new system, in which the PFD will reflect how the system is expected to function.

The PFD becomes the basis for determining where in the process hazards exist and where control must be applied to mitigate them. In some cases, recognizing the need to exercise control may result in a modification of the PFD to create control opportunities that would not otherwise exist. (An example of a PFD for a generic scheduled service function is shown in the Figure.)

The Seven Principles of HACCP
HACCP has seven distinct principles: (1) hazard identification and analysis; (2) determination of critical control points; (3) establishing critical limits at each critical control point; (4) monitoring the critical control points to assure that control is maintained; (5) establishing predetermined corrective actions to be taken if control is not maintained; (6) establishing verification procedures; and (7) establishing documentation procedures.

Hazard Analysis
Before hazards can be controlled, they must be anticipated. In many cases the hazards associated with an activity are well known or easily identified. Past incident experience, information in the literature, and internal and external expertise can help identify hazards. Hazard analysis must include normal and predictable abnormal conditions, and a “what can go wrong” instead of a “things will go right” attitude. The identification of hazards must be structured, thorough, and documented, something the team regularly does as an assigned and recognized task.

As classically defined, hazards are conditions that could lead to harm or system failure. This often includes well-defined technical issues such as “not sterile” or “failure to operate as intended.” These are somewhat indirect compared to the actual corresponding harm, such as infection or an incorrect diagnosis leading to delayed treatment. Even more generic situations that could lead to potentially harmful conditions are sometimes cited as shorthand for the actual hazard. For example, if putting a part of a ventilator in backward would result in excessive pressure on the lungs, the true hazard is the excessive pressure, but it might be useful to identify “part A backward” as the hazard, since this focuses on the actual item to be controlled and implies the result. The use of such indirect hazard identification requires that the personnel using the plan understand the shorthand, or the significance of the consequences may be lost.

In the service-management environment hazards could be further generalized to include such outcomes as service procedure not followed, device returned to service but not adequately repaired, inadequate documentation, or customer dissatisfaction.

Hazards are often ranked for significance on the basis of severity, probability of occurrence, and the ability to detect and mitigate the hazard before it causes an adverse outcome. This ranking leads to estimates of relative risk, as opposed to an unranked list of the hazards themselves. In this approach, and in consideration of finite time and resources, only hazards with an unacceptably high relative risk are deemed necessary to address. Despite the quantitative methods that can be used to calculate a “risk index,” the level of risk that is acceptable or unacceptable remains a local and subjective judgment.

Critical Control Points
While hazard identification is generally understood, the identification of critical control points may be a newer concept. The idea is that for any hazard that needs to be controlled, there either must be some place in the process to control it, or it must be accepted that the hazard is uncontrollable. There may also be more than one opportunity in a process to control a particular hazard. In order to exercise control and avoid redundancy, it is necessary to identify where in the process hazard control is going to occur. One important requirement in selecting a critical control point is that the hazard cannot be reintroduced later in the process; if it could be, it was not really controlled at the earlier point. A critical control point can address more than one hazard, and broadly defined hazards may require more than one critical control point if the hazard can arise from multiple sources.

Critical control points in technical operations may be more readily identified than those in managerial operations, yet every activity that has a hazard-avoidance component must have specific points at which that hazard can be controlled.

Critical Limits
In many manufacturing operations the idea of a critical limit is quite clear. It might be the temperature range of a machine required to control a hazard, or the allowable number of burrs on a part. Preventive maintenance (PM) and repair closely parallel manufacturing and also have clear critical limits for some aspects of the process, such as leakage current below a specified level.

For management processes, the concept of a critical limit has to be viewed more broadly, and may include operational limits as distinct from critical limits. Here any measurable level of accomplishment should have an operational limit (a performance standard) and an outer bound (the critical limit). Another form of business critical limit might be customer satisfaction. While perfect satisfaction is laudable, it may not be achievable, especially for some customers. But “high satisfaction” might be an operational limit, with “satisfied” a business critical limit.

Monitoring
If it is sensible to control anything relative to pre-established limits, then it must be possible to monitor, or measure, the parameter of interest relative to the limits. Without such monitoring the point of identifying a critical control point and applicable limits is completely lost. Monitoring may be done by the personnel actually doing the work (for example, the service technician) or it may be a managerial function. In either case the purpose of monitoring is to determine when there is a loss of control with respect to either an operational limit or a critical limit. Monitoring frequency is a challenging issue, since excessive monitoring is a waste of time and resources, while inadequate monitoring may lead to a failure of control. Frequency should generally be a dynamic variable, adjusted to reflect actual experience in the variability of the parameter being monitored.
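The following is an added worked example, not code from the article or the Medical HACCP Alliance, showing the three mechanical parts of the preceding sections in one place: ranking hazards by a severity-probability-detectability risk index against a locally chosen acceptability threshold (Hazard Analysis), classifying a monitored reading against an operational limit and a critical limit (Critical Limits), and adjusting the monitoring interval from the observed variability of the parameter (Monitoring). The hazard scores, the leakage-current limits, and the interval-adjustment rule are all constructed assumptions for illustration, not values from the article or from any standard.

```python
"""HACCP-style hazard ranking and critical-limit monitoring (added example).

All numbers below are constructed for illustration; the acceptable risk
index and the limits are local judgments, as the article notes.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Hazard:
    name: str
    severity: int       # 1 (negligible) .. 5 (patient injury)   [assumed scale]
    probability: int    # 1 (rare) .. 5 (frequent)               [assumed scale]
    detectability: int  # 1 (caught before harm) .. 5 (not detectable in time)

    def risk_index(self) -> int:
        # Multiplicative index (FMEA-style); one common choice, not the only one.
        return self.severity * self.probability * self.detectability


def hazards_to_address(hazards, acceptable_index):
    """Return hazards whose risk index exceeds the local threshold, highest first.

    Hazards at or below the threshold are accepted, not ignored: the decision
    is recorded, and the threshold itself is a local, subjective judgment.
    """
    ranked = sorted(hazards, key=lambda h: h.risk_index(), reverse=True)
    return [h for h in ranked if h.risk_index() > acceptable_index]


@dataclass(frozen=True)
class Limits:
    operational: float  # performance standard: exceeding it draws attention
    critical: float     # outer bound: exceeding it triggers corrective action


def classify(value, limits):
    """Map one monitored reading to a control state."""
    if value > limits.critical:
        return "critical"        # loss of control: run the predetermined action
    if value > limits.operational:
        return "operational"     # still within the critical limit, but drifting
    return "in_control"


def next_interval_days(history, limits, current_days, min_days=7, max_days=180):
    """Adjust the monitoring interval from recent readings.

    Constructed rule, not the article's: with at least three readings, look at
    the last five. If any crossed the operational limit or the relative spread
    (population std dev / mean) is >= 25%, halve the interval; if the spread is
    below 10% and nothing crossed, lengthen it by 50%; otherwise keep it.
    The result is clamped to [min_days, max_days].
    """
    if len(history) < 3:
        return current_days  # too little data to judge variability
    recent = history[-5:]
    avg = mean(recent)
    spread = pstdev(recent) / avg if avg else 0.0
    if max(recent) > limits.operational or spread >= 0.25:
        proposed = current_days / 2
    elif spread < 0.10:
        proposed = current_days * 1.5
    else:
        proposed = current_days
    return int(max(min_days, min(max_days, proposed)))


# Constructed sample hazards for a service process (see the article's list).
SAMPLE_HAZARDS = [
    Hazard("device returned to service but not adequately repaired", 4, 2, 3),
    Hazard("inadequate documentation", 2, 3, 2),
    Hazard("ventilator part A installed backward (excess pressure)", 5, 1, 4),
    Hazard("customer dissatisfaction", 1, 3, 1),
]

# Constructed leakage-current limits in microamps; not taken from any standard.
LEAKAGE_LIMITS = Limits(operational=300.0, critical=500.0)


if __name__ == "__main__":
    for h in hazards_to_address(SAMPLE_HAZARDS, acceptable_index=15):
        print(f"{h.risk_index():3d}  {h.name}")
    readings = [180, 190, 185, 200, 195]
    print(classify(readings[-1], LEAKAGE_LIMITS),
          next_interval_days(readings, LEAKAGE_LIMITS, current_days=90))
```

Run as a script, the block lists the two hazards above the (assumed) threshold of 15 and shows a stable, in-control leakage history lengthening the 90-day interval to 135 days; feed it a history with one reading over the operational limit and the interval halves instead. The point the article makes, that the threshold and the limits are local judgments, is reflected by passing them in rather than hard-coding them in the logic.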

Corrective Actions
The corrective action principle requires that there be predetermined actions that will be taken when a monitored critical variable violates its established critical limit. At a minimum this means that there is a standard procedure to follow whenever a critical control failure occurs. Ideally, a specific action plan should already be established for each anticipated event. In medical equipment service, an instructive failure event is a short-interval callback on a recently serviced item. This means either an inadequate repair, a repeated failure, or a new and unrelated failure. The appropriate response might depend on whether the failure resulted in a patient incident, an unavailability crisis, or simply a dissatisfied customer. The patient injury event is of course the most critical, and procedures should be in place that include isolation of the equipment that was in use at the time of the incident. It is also important for an outside provider to have an agreement with the hospital that it will be part of the further evaluation of the incident. More generally, responses could range from immediate dispatch of a manager or technician to a slower response by a technician. It is also important to capture the underlying cause of the callback, since inadequate service is a high-risk event. Follow-up with the equipment owner is also important, whether with an apology at one end of the spectrum or, at the other, a patient and polite explanation that pouring coffee into the device is to be avoided. If there was an injury, follow-up would include participation in the post-injury risk management, and perhaps even in the subsequent litigation.

For PM generally, a critical limit could be percent completion. If this limit is violated, the predetermined procedure might be to review and prioritize incomplete PMs, pull personnel from other activities that are not time critical, or authorize overtime.

Verification
Verification is confirming that a HACCP plan is appropriate before it is implemented and relied on, and confirming that an existing HACCP plan is functioning correctly and effectively. Initially, a technical review of the HACCP plan is useful to double-check the facts and thinking that went into its development. The review should be done by someone, or a small group, not involved in the plan’s development. The key elements of the HACCP plan review reflect the key elements of the plan itself: hazard identification, critical control points, limits, corrective actions, and the ongoing verification plan.

Once established, the HACCP plan should be reviewed periodically, whenever external changes occur that might affect the plan, or when there is evidence that the plan is failing to achieve its goals. Other details might be appropriate for specific types of plans (for example, a HACCP-based plan for PM procedures might include checking for test-equipment calibrations, proper completion of forms, or actual performance of required monitoring internal to the plan).

Record Keeping
The goal here is to create records that are necessary and useful, not records that fill files with material that is never reviewed. Therefore, the key questions are (1) how will the record be used; (2) who will review it; (3) who will complete the record; (4) how much detail is required; and (5) what would be the consequence of not having the record.

A clear principle of effective management is that there be established procedures that address the real issues and purposes of the activity, while avoiding meaningless procedures and paperwork that diminish resources and enthusiasm. While there are many approaches to undertaking organized risk management activities, HACCP has proven to be effective in organizing the effort and focusing attention on critical activities. Equally important, HACCP is a team effort that results in collective understanding of the objectives of the tasks under study, the relevant hazards, and the best way to control them. HACCP can actually reduce risk, but it is not a panacea for risk, and it is important not to exaggerate what HACCP can accomplish. HACCP does not create zero risk. Promises or implications that it does can lead to loss of vigilance in other loss-control measures. Exaggeration can also lead to the erroneous logic that risk can be eliminated, and that if an injury incident occurs, then risk control must not have been applied effectively. This problem also occurs in retrospective analyses when it is “demonstrated” that risk management would “definitely” have prevented some event that has already occurred.

William A. Hyman, ScD, PE is professor and interim head of biomedical engineering at Texas A&M University in College Station. He is also chair of the Medical HACCP Alliance.