Page 122 - Safety Risk Management for Medical Devices

Risk Analysis Techniques  101


then the new design with the counteracting mechanism becomes the subject of the DFMEA. This means internal detection is already built into the design. Example: a medical device is mains powered. If the leakage current exceeds a certain amount, the user will receive an electric shock. The excessive current leakage is detectable. The designer designs in a circuit breaker that senses current leakage and cuts off the power to the medical device to prevent electric shock. The new design, including the circuit breaker, is now the target of analysis for the DFMEA.

The next point to notice is that “risk of Harm” is mentioned. Because we are using DFMEA in the service of safety, the focus is on the reduction of harm, not necessarily on improvements in reliability, customer satisfaction, etc. For example, consider an electrosurgical device that fails and delivers too much energy to the surgical site. If the End Effect of the Failure Mode is detectable by the surgeon, e.g., by an alarm in the device itself, or by observation of burning of patient tissue, then the surgeon can immediately disengage the device and apply medical care to the wound.

For Failure Modes that do not have a safety impact, Detection is irrelevant from the risk management perspective. For such Failure Modes, set the Det rating to 1.

Refer to Table 12.5 for definitions of detectability rankings. Use quantitative data if available. Otherwise, use the qualitative criteria to determine the Detectability rankings.

RPN is a measure of the criticality of a Failure Mode. RPN is the product of the rankings of Severity, Occurrence, and Detection. This number is used to prioritize the Failure Modes and determine the degree of compensation that must be exercised. Table 12.6 offers a suggested stratification of compensating actions based on the criticality of the Failure Mode. The boundaries in Table 12.6 are selected at 12 and 52, but it is up to the manufacturer to decide where to draw the boundaries. Table 12.6 says that for the highest segment of RPN ratings, Level 3, the RPN must be reduced.

For Level 2, the RPN should be reduced as far as possible for safety-related Failure Modes. But for non-safety-related Failure Modes, the decision as to how far to reduce the RPN is a business decision and depends on the feasibility of the actions needed to reduce the RPN.

                                  Table 12.6 Design Failure Modes and Effects Analysis RPN table