Page 117 - Safety Risk Management for Medical Devices


internal Causes, such as aging of a part, as well as external Causes such as environmental temperature. Include failures in the interactions/interfaces among the elements within the scope of analysis.

Identify Local and End Effects of the Failure Modes. An End Effect is that which is observable from outside of the boundary of analysis. A Local Effect is that which is not observable from outside of the boundary of analysis. It is possible for a Local Effect to become the Cause for another Failure Mode. This is also referred to as Failure Mode interaction. In such cases, it is helpful to write a causal chain in the “Causes/Mechanisms of Failure” column, so it can be used again and built upon. Table 12.2 shows a snippet of a DFMEA where a Local Effect from row ID 1 becomes a Cause for the Failure Mode in row ID 2.

It is possible that a Failure Mode has only an End Effect, and no Local Effect. Denote this by entering N/A, none, or some notation to indicate the absence of a Local Effect. Leaving the cell blank could be misconstrued as incomplete analysis.


Tip: It is advisable to include in the cell for End Effects any requirements that would be violated. For example, in Table 12.2, row ID 2, let’s say there is a System requirement, Req123, that requires output pulses to be regular. Then cite Req123 in the cell for End Effects. This is a convenience for the design team that would help them with the mitigation of the Failure Modes. Also, if a design change is proposed, they can easily trace it back to the FMEAs.


Safety Impact is a System effect. To be able to determine whether a Failure Mode has a safety impact, we need to know how the subject of the analysis fits in the System. In the hierarchical multilevel FMEAs, this can be known only after the integration of the FMEAs into the System DFMEA. But it may be possible to make some estimations of the Safety Impact in advance. For example, if it is certain that the Failure Mode would lead to one of the Hazards in the CHL, it would be a good guess that the Safety Impact will end up being Y. For instance, if the charging circuit in a defibrillator fails to charge the shock capacitor, the Safety Impact of that Failure Mode will likely be Y. Another way to estimate the Safety Impact of a Failure Mode is to check whether it would violate a System requirement that is tagged as Safety.
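The worksheet rules above (no blank Local Effect cells, Local Effects reused as Causes in a causal chain, and a Safety Impact estimate from cited requirements) can be checked mechanically. The following Python sketch is an added example, not part of the book or its template; the row contents, the "->" chain separator, the `Req\d+` citation pattern and the Safety tag on Req123 are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Row:
    id: int
    failure_mode: str
    causes: str        # "Causes/Mechanisms of Failure" cell, chain written with "->"
    local_effect: str  # "N/A" or "none" when absent; blank means not yet analysed
    end_effect: str    # may cite violated requirements, e.g. "Req123"

# Constructed sample rows for illustration (not the book's Table 12.2).
ROWS = [
    Row(1, "Oscillator drifts", "Capacitor aging",
        "Clock frequency unstable", "Timing accuracy degraded"),
    Row(2, "Irregular output pulses", "Capacitor aging -> Clock frequency unstable",
        "N/A", "Output pulses irregular; violates Req123"),
    Row(3, "Connector corrodes", "Environmental humidity", "", "Intermittent output"),
]
SAFETY_REQS = {"Req123"}  # assumption: Req123 carries the Safety tag
NO_EFFECT = {"n/a", "none"}

def blank_local_effects(rows):
    """IDs of rows whose Local Effect cell is empty (could read as incomplete analysis)."""
    return [r.id for r in rows if not r.local_effect.strip()]

def interactions(rows):
    """(source_id, target_id) pairs where a Local Effect is a link in another row's causal chain."""
    links = []
    for src in rows:
        effect = src.local_effect.strip().lower()
        if not effect or effect in NO_EFFECT:
            continue
        for dst in rows:
            chain = [step.strip().lower() for step in dst.causes.split("->")]
            if dst.id != src.id and effect in chain:
                links.append((src.id, dst.id))
    return links

def estimated_safety_impact(row, safety_reqs):
    """'Y' if the End Effect cites a Safety-tagged requirement, else the generic 'N'."""
    cited = set(re.findall(r"Req\d+", row.end_effect))
    return "Y" if cited & safety_reqs else "N"

if __name__ == "__main__":
    print("Blank Local Effect cells:", blank_local_effects(ROWS))
    print("Failure Mode interactions:", interactions(ROWS))
    for r in ROWS:
        print(r.id, r.failure_mode, "->", estimated_safety_impact(r, SAFETY_REQS))
```

The estimate covers only the requirement-tag route; a Failure Mode known to lead to a Hazard in the CHL would still be set to Y by the analyst.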
If the Safety Impact of the Failure Mode cannot be determined in advance, you can set the Safety Impact to N as a generic setting and use the “No-Safety Impact” column in the Ratings tab of the template to determine the Severity rating. As the DFMEA is a living, iterative process, when the FMEAs are rolled up to the System DFMEA, it will become apparent whether a given Failure Mode links up to any Hazards. After the integration of the FMEAs and creation of the System DFMEA, a cross-check is done to ensure consistency of Safety-Impact