Page 127 - Safety Risk Management for Medical Devices
P. 127

106   Safety Risk Management for Medical Devices


                could cascade into another Failure Mode in a later process step, which would have its
                own End Effect. Example: rinse solution is not discarded. If the contaminated rinse
                solution is reused, it could be the Cause for another type of Failure Mode.
                   Note: Limit yourself to the boundary of analysis, e.g., if the boundary of analysis is
                the process for manufacturing of a subassembly, evaluate the End Effect on the subas-
                sembly, not the assembly into which it goes.

                   Safety Impact is a System effect. To be able to determine whether a Failure Mode
                has a safety impact, we need to know how the product of the process fits in the
                System. In the hierarchical multilevel FMEAs, this can be known only after the
                integration of the FMEAs into the System DFMEA. But it may be possible to make
                some estimations of the Safety Impact in advance. For example, if it is certain that
                the Failure Mode would lead to one of the Hazards in the CHL, it would be a
                good guess that the Safety Impact will end up being Y. For example, if a toxic sol-
                vent is used as a process aid to create a part that will contact patient tissue; and the
                failure of a cleaning process step could leave toxic residues on the medical compo-
                nent, likely the Safety Impact of that Failure Mode will be Y. Another way to esti-
                mate the Safety Impact of a process-step failure is if it would violate a System
                requirement which is tagged as Safety.
                   If the Safety Impact of the Failure Mode cannot be determined in advance, you can
                set the Safety Impact to N as a generic setting and use the “No-Safety Impact” column
                in the Ratings tab of the template to determine the Severity rating. As the PFMEA is a
                living process and goes through an iterative process, when the FMEAs are rolled up to
                the System DFMEA, it will become apparent whether a given Failure Mode links up
                to any Hazards. After the integration of the FMEAs and creation of the System
                DFMEA, a cross-check is done to ensure consistency of Safety Impact ratings. Any
                End Effect that traces up to a Hazard must have a Y in the Safety Impact column.
                   Severity is the significance of the worst reasonable consequence of the End Effect
                at the boundary of analysis, and is ranked on two different scales: with a safety impact,
                and without a safety impact. Below, each scale is explained.
                   For nonsafety related Failure Modes, evaluate the severity at the boundary of anal-
                ysis. That is, evaluate the impact of the Failure Mode on the product of the process
                under analysis. Use the column for “Nonsafety” in Table 12.7 to choose a ranking.
                   To rank the severity of an End Effect that has a safety impact, consider the effect at
                the System level. That is because to receive the benefit of a medical device, the users/
                patients interact with the System, not just the individual components of the System.
                As such, if the Failure Mode of the process step under analysis could result in the
                System harming the patient, then the severity of that Harm is attributable to the End
                Effect of the Failure Mode in the PFMEA.
   122   123   124   125   126   127   128   129   130   131   132