Page 155 - Safety Risk Management for Medical Devices
Table 15.1 Definitions of Software Failure Modes and Effects Analysis severity ratings

Severity Criteria (Sev)

| Rank | Qualitative criteria—no safety impact | Qualitative criteria—safety impact |
|------|----------------------------------------|-------------------------------------|
| 5 | Catastrophic: Described failure mode will cause immediate failure of the Subject. (Total loss of all functions—primary and secondary) | Catastrophic—Impact of the end-effect at the System level can be death |
| 4 | Critical: Described failure mode will severely impact Subject functionality / Complete loss of primary functions | Critical—Impact of the end-effect at the System level can be permanent impairment or life-threatening injury |
| 3 | Serious: Described failure mode will reduce Subject functionality. (Partial loss of primary functions / Complete loss of secondary functions) | Serious—Impact of the end-effect at the System level can be injury or impairment that requires professional medical intervention |
| 2 | Minor: Described failure mode will have temporal or self-restoring impact on functionality / Partial loss of secondary functions | Minor—Impact of the end-effect at the System level can be temporary injury or impairment that does not require professional medical intervention |
| 1 | None: Described component failure will have no impact on functionality | Negligible—Impact of the end-effect at the System level can be at most an inconvenience or temporary discomfort |

Mode links up to any Hazards. After the integration of the FMEAs and creation of
the System DFMEA, a cross-check is done to ensure consistency of Safety Impact
ratings. Any End Effect that traces up to a Hazard must have a Y in the Safety Impact
column.
Cite all the existing mitigations in the “Existing Mitigations” columns. Systemic
Causes should be universally mitigated, and not repeated in every row. When estimating
the ratings, assume the existing mitigations are implemented and effective.
There are three factors that are typically used to estimate the criticality of a Failure
Mode: Severity, Occurrence, and Detectability.
Severity is the significance of the worst reasonable consequence of the End Effect
at the boundary of analysis. Severity Ranking definitions are different depending on
whether the End Effect has a safety impact or not. For End Effects that do not have a
safety impact, use the left column in Table 15.1, and for those with a safety impact
use the right column.
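
The cross-check and the Table 15.1 column choice described above can be automated over the integrated FMEA rows. The following is an added example, not code from the book: the field names, the hazard ID and the sample rows are constructed, and it assumes that "consistency" also means one End Effect carries the same Safety Impact flag in every FMEA that lists it.

```python
from dataclasses import dataclass

# Rank -> (label without safety impact, label with safety impact), per Table 15.1.
SEVERITY_LABELS = {5: ("Catastrophic", "Catastrophic"), 4: ("Critical", "Critical"),
                   3: ("Serious", "Serious"), 2: ("Minor", "Minor"),
                   1: ("None", "Negligible")}

@dataclass
class Row:                 # one FMEA row; field names are hypothetical
    fmea: str              # which FMEA the row came from
    end_effect: str
    hazards: tuple         # Hazard IDs the End Effect traces up to
    safety_impact: str     # "Y" or "N"
    sev: int               # Severity rank, 1..5

def severity_label(row):
    """Pick the Table 15.1 column from the row's Safety Impact flag."""
    if row.sev not in SEVERITY_LABELS:
        raise ValueError(f"Sev {row.sev} is outside 1..5")
    return SEVERITY_LABELS[row.sev][1 if row.safety_impact == "Y" else 0]

def cross_check(rows):
    """Return (fmea, end_effect, problem) findings for the integrated rows."""
    traced, flags = {}, {}
    for r in rows:         # merge traces and flags per End Effect across FMEAs
        traced.setdefault(r.end_effect, set()).update(r.hazards)
        flags.setdefault(r.end_effect, set()).add(r.safety_impact)
    findings = []
    for r in rows:         # rule from the text: Hazard trace requires a Y
        if traced[r.end_effect] and r.safety_impact != "Y":
            findings.append((r.fmea, r.end_effect,
                             "traces to a Hazard but Safety Impact is not Y"))
    for effect, seen in flags.items():   # assumed rule: same flag everywhere
        if len(seen) > 1:
            findings.append(("*", effect, "Safety Impact differs between rows"))
    return findings

# Constructed sample rows (not from the book).
ROWS = [
    Row("SFMEA", "Dose not delivered", ("HAZ-01",), "Y", 4),
    Row("DFMEA", "Dose not delivered", (), "N", 4),
    Row("SFMEA", "Log entry lost", (), "N", 1),
]

if __name__ == "__main__":
    for finding in cross_check(ROWS):
        print(finding)
    print([severity_label(r) for r in ROWS])
```
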
IEC 62304 [9] Annex B, section 4.4 states that unless a quantitative estimation of
the probability of software failure is done, the probability for software failure should
be presumed to be 1. This is true for systemic failures. However, in the SFMEA, we