Page 123 - Safety Risk Management for Medical Devices

102   Safety Risk Management for Medical Devices


For Level 1, per EN ISO 14971:2012 [7], the RPN of safety-related Failure Modes must be reduced as far as possible, so their treatment is the same as for Level 2. For non-safety-related Failure Modes, however, further action is not required.

Reduction of the criticality of Failure Modes is achieved via mitigations. Mitigations can eliminate the Failure Mode completely, reduce the likelihood of the Failure Mode, or diminish the severity of the End Effect of the Failure Mode. Examples of design means of mitigating Failure Modes are as follows:

• Use of redundancy, or backups
• Use of high-reliability parts
• Choice of proven, biocompatible materials

For the initial ratings, consider the design features that are already included in the design and serve to reduce criticality. Include those features in the Existing Mitigations column. If the initial criticality rating needs to be further reduced, suggest additional mitigations, and after they are implemented, reassess the criticality rating under the Final Rating group.

The Remarks column can be used to document rationales for the choices of ratings, or why further mitigations are not done for a Failure Mode with safety impact, or anything else that could help future reviewers of the DFMEA gain a better understanding of the analysis.
In some exceptional cases, the Failure Mode and the End Effect could be the same. For an example see Fig. 12.13, which models a surgical robot (the System) that uses various Instruments. On some of the Instruments, a temperature sensor is mounted. The Instruments just carry the sensor and pass the sensor signal directly to the System to display the temperature inside the body. For each Instrument, the sensor becomes a component. Let's say a Failure Mode of the sensor is to fracture under force. When that happens, the sensor outputs the wrong voltage. This is reflected in the lower row in Fig. 12.13. The End Effect of the Sensor FMEA becomes the Failure Mode of the item "Sensor" in the Instrument FMEA (dotted arrow). This is reflected in the middle row in Fig. 12.13. Now, the End Effect at the Instrument level is still the output of the wrong voltage. Continuing up to the System level, the wrong voltage causes inaccurate display of temperature. As you see in this example, the Failure Mode and End Effect of the sensor are the same in the context of the Instrument FMEA.
Although this construct may appear somewhat redundant and laborious, the citation of the sensor failure in the FMEA of the Instrument creates the possibility of reusable FMEAs. A shortcut would have been to bypass the Instrument FMEA and cite the Sensor directly in the System FMEA. But this would defeat the reusability of the Instrument FMEA.

With the use of software tools for automation of FMEA work, adherence to the BXM method of hierarchical, modular, and reusable FMEAs becomes easier.
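The following is an added example, not code from the book or from any FMEA tool it mentions. It models the DFMEA columns discussed above (Existing Mitigations, additional mitigations, Final Rating, Remarks), the Level 1 / Level 2 rule for when an RPN must be reduced further, and the Sensor → Instrument → System linkage of Fig. 12.13, where the End Effect of the lower FMEA becomes the Failure Mode of the item one level up and the Instrument FMEA is built once and cited by every Instrument carrying the sensor. Assumptions not taken from the page: the conventional RPN = Severity × Occurrence × Detection on 1..10 scales, that an upper-level item inherits its Occurrence from the lower-level End Effect it is linked to, and the sample rows and instrument names, which are constructed.

```python
# Added example (not the book's code). Assumed: RPN = Severity x Occurrence x
# Detection on 1..10 scales; upper-level Occurrence inherited from the lower row.
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Rating:
    severity: int    # severity of the End Effect
    occurrence: int  # likelihood of the Failure Mode
    detection: int   # 10 = effectively undetectable (assumed scale direction)

    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


@dataclass
class Row:
    """One DFMEA row with the columns the text names."""
    item: str
    failure_mode: str
    end_effect: str
    safety_related: bool
    initial: Rating
    existing_mitigations: list[str] = field(default_factory=list)
    additional_mitigations: list[str] = field(default_factory=list)
    final: Optional[Rating] = None
    remarks: str = ""

    def current(self) -> Rating:
        """Final Rating if reassessed, otherwise the initial rating."""
        return self.final if self.final is not None else self.initial


def further_action_required(level: int, row: Row) -> bool:
    """Level 2: reduce the RPN as far as possible for every Failure Mode.
    Level 1: the same treatment, but only for safety-related Failure Modes."""
    if level == 2:
        return True
    if level == 1:
        return row.safety_related
    raise ValueError(f"unknown level: {level}")


def mitigate(row: Row, mitigations: list[str], final: Rating, remarks: str = "") -> Row:
    """Record additional mitigations and reassess under the Final Rating group.
    Mitigations lower likelihood or severity; a reassessment that raises the
    RPN is rejected as a data-entry error rather than silently stored."""
    if final.rpn() > row.initial.rpn():
        raise ValueError("final RPN must not exceed initial RPN")
    return replace(row, additional_mitigations=list(mitigations), final=final, remarks=remarks)


def lift(lower: Row, upper_item: str, upper_end_effect: str, severity: int, detection: int) -> Row:
    """The dotted arrow of Fig. 12.13: the lower FMEA's End Effect becomes the
    Failure Mode of `upper_item` in the FMEA one level up. Occurrence is
    inherited from the lower row's current rating (assumption)."""
    return Row(item=upper_item, failure_mode=lower.end_effect, end_effect=upper_end_effect,
               safety_related=lower.safety_related,
               initial=Rating(severity, lower.current().occurrence, detection))


def instrument_fmea(sensor_rows: list[Row]) -> list[Row]:
    """Instrument FMEA citing the Sensor as an item. Built once and reused by
    every Instrument that carries the sensor. The Instrument only passes the
    signal on, so Failure Mode and End Effect coincide in these rows."""
    return [lift(r, "Sensor", r.end_effect, r.current().severity, r.current().detection)
            for r in sensor_rows]


def system_fmea(instrument_rows: list[Row], instruments: list[str],
                end_effect: str, severity: int, detection: int) -> list[Row]:
    """System FMEA: one row per Instrument for each inherited Failure Mode."""
    return [lift(r, f"Instrument: {name}", end_effect, severity, detection)
            for name in instruments for r in instrument_rows]


# Constructed sample rows following the text's temperature-sensor example.
SENSOR = Row(item="Temperature sensor", failure_mode="Fractures under force",
             end_effect="Outputs wrong voltage", safety_related=True,
             initial=Rating(severity=7, occurrence=4, detection=6),
             existing_mitigations=["Strain relief on sensor mount"])
NONSAFETY = Row(item="Handle grip", failure_mode="Coating wears",
                end_effect="Cosmetic wear only", safety_related=False,
                initial=Rating(severity=2, occurrence=3, detection=2))


def example() -> dict:
    """Build the three-level chain of Fig. 12.13 from the sample sensor row."""
    sensor = mitigate(SENSOR, ["Redundant second sensor, readings cross-checked"],
                      Rating(severity=7, occurrence=2, detection=3),
                      remarks="Occurrence and detection improved by redundancy")
    instrument_rows = instrument_fmea([sensor])
    # The same Instrument FMEA rows serve both instruments; only the System rows differ.
    system_rows = system_fmea(instrument_rows, ["Instrument A", "Instrument B"],  # hypothetical
                              end_effect="Inaccurate display of temperature",
                              severity=7, detection=5)
    return {"sensor": sensor, "instrument": instrument_rows, "system": system_rows}
```

Running `example()` yields an Instrument row whose Failure Mode and End Effect are both "Outputs wrong voltage", exactly the coincidence the text points out, while the System rows carry that same Failure Mode with the End Effect "Inaccurate display of temperature". Because `instrument_fmea` is evaluated once and cited by each Instrument, a later change to the sensor's Final Rating flows to every System row without editing them individually, which is the reusability the hierarchical construct buys.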