Page 185 - Safety Risk Management for Medical Devices
164   Safety Risk Management for Medical Devices


For example, if the failure of a device's user interface (fault #1) will certainly lead to the inability of the user to operate the device (fault #2), then these count as one fault.

A common interpretation of "single-fault-safe" is that as long as a medical device is safe under a single fault condition, the device risks are acceptable. This is not true in general. Consider a device that can fail due to a single fault, and whose failure creates an unsafe condition. Assume the likelihood of occurrence of the single fault is high. Now a secondary means of protection is added, such that when the primary fault happens, the secondary means transitions the device to a safe state. Theoretically this device is single-fault-safe, because it takes two independent faults to create an unsafe condition. But what if the likelihood of failure of the secondary means is also high? Can you envisage a situation in which both the primary fault and the failure of the secondary means have occurred at the same time? Given that the likelihood of both the primary fault and the failure of the secondary means is high, you can surmise that the safety risk of the device would not be low.

A closer scrutiny of IEC 60601-1 [8], clause 4.7, reveals that Ref. [8] accepts a single means of risk reduction as single-fault-safe if the probability of failure of that single means is negligible. In designs where arriving at an unsafe condition requires two faults, Ref. [8] clarifies that single-fault-safe is met if the initial fault is detected before the second fault has occurred. Single-fault-safe is also met if the probability of failure of the secondary means is negligible during the expected service life of the device. From the risk management perspective, what matters is that the overall residual risk of the device be acceptable, irrespective of whether one, two, or more faults are needed to reach an unsafe condition.

In summary, the risk of the medical device must be acceptable during the mission of the device. The mission could be the expected service life of the device. Or, if routine maintenance is done during which a failure of the secondary means would be detected, the mission would be the time between maintenance events. Note the assumption that a failure of the secondary means is detected, and the implicit repair or replacement of a failed secondary means during the maintenance event.

With this interpretation, we can compute the device risk from the probability of occurrence of both the primary fault and the failure of the secondary means of protection during the mission of the device.
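The computation described in the last two paragraphs, and the two-fault reading of clause 4.7 above it, carried through as an added worked example. This is not from the book: the failure rates, the 10-year service life and the maintenance intervals are constructed numbers, and the functions `p_no_unsafe_event`, `p_unsafe_over_service_life` and `compare_designs` are mine. The model assumes constant (exponential) failure rates, that each primary fault is detected and repaired so the device stays in service, that a failure of the secondary means stays latent until the next maintenance event restores it, and that the faults and successive missions are independent. It compares the "both likelihoods high" design with one whose secondary means has a negligible failure rate, and the full service life against a maintenance interval as the mission:

```python
"""Added worked example (not from the book): risk of a two-fault design over
a mission, following the interpretation given in the text.

Modelling assumptions (mine, chosen for the illustration):
  * The primary fault occurs with a constant rate lam_p (per hour). Each
    occurrence is detected, the device is put into a safe state and repaired,
    so further primary faults can follow within the same mission.
  * The secondary means of protection fails silently with constant rate lam_s.
    That failure stays latent until the next maintenance event, which restores
    the secondary means to an as-new state (the text's maintenance assumption).
  * An unsafe condition arises when a primary fault occurs while the secondary
    means is in its latent failed state. The two faults are independent.
  * Successive missions (maintenance intervals) are independent.
"""
import math
from typing import Dict, Optional


def p_no_unsafe_event(lam_p: float, lam_s: float, mission_hours: float) -> float:
    """P(no unsafe condition during one mission of length T = mission_hours).

    Condition on the time tau at which the secondary means fails:
      tau >  T: probability exp(-lam_s*T); no unsafe event is possible.
      tau <= T: primary faults in (tau, T] are Poisson with mean lam_p*(T - tau),
                so P(none) = exp(-lam_p*(T - tau)).
    Hence
      P(no unsafe) = exp(-lam_s*T)
                   + integral_0^T lam_s*exp(-lam_s*tau)*exp(-lam_p*(T - tau)) dtau,
    and the integral has the closed form below (with its limit for lam_p == lam_s).
    """
    T = mission_hours
    if math.isclose(lam_p, lam_s):
        integral = lam_s * T * math.exp(-lam_s * T)
    else:
        integral = lam_s * (math.exp(-lam_s * T) - math.exp(-lam_p * T)) / (lam_p - lam_s)
    return math.exp(-lam_s * T) + integral


def p_no_unsafe_event_numeric(lam_p: float, lam_s: float, mission_hours: float,
                              steps: int = 20000) -> float:
    """Same quantity by trapezoidal integration, an independent check of the
    closed form above."""
    T = mission_hours
    h = T / steps

    def f(tau: float) -> float:
        return lam_s * math.exp(-lam_s * tau) * math.exp(-lam_p * (T - tau))

    total = 0.5 * (f(0.0) + f(T)) + sum(f(i * h) for i in range(1, steps))
    return math.exp(-lam_s * T) + h * total


def p_unsafe_over_service_life(lam_p: float, lam_s: float, service_life_hours: float,
                               maintenance_interval_hours: Optional[float] = None) -> float:
    """P(at least one unsafe condition over the service life).

    Without maintenance the whole service life is one mission. With maintenance
    every M hours the service life is a sequence of independent missions of
    length M (plus a shorter final one), each starting with a working secondary
    means.
    """
    if maintenance_interval_hours is None:
        return 1.0 - p_no_unsafe_event(lam_p, lam_s, service_life_hours)
    n_full, remainder = divmod(service_life_hours, maintenance_interval_hours)
    p_no = p_no_unsafe_event(lam_p, lam_s, maintenance_interval_hours) ** int(n_full)
    if remainder > 0:
        p_no *= p_no_unsafe_event(lam_p, lam_s, remainder)
    return 1.0 - p_no


HOURS_PER_YEAR = 8760.0
SERVICE_LIFE = 10 * HOURS_PER_YEAR   # constructed: 10-year expected service life


def compare_designs() -> Dict[str, float]:
    """Constructed scenarios for the argument in the text: a 'high' failure rate
    of 1e-4/h for both faults, versus a 'negligible' 1e-8/h secondary rate."""
    high, negligible = 1e-4, 1e-8
    return {
        "both high, no maintenance":
            p_unsafe_over_service_life(high, high, SERVICE_LIFE),
        "both high, maintenance every 6 months":
            p_unsafe_over_service_life(high, high, SERVICE_LIFE, HOURS_PER_YEAR / 2),
        "both high, maintenance every month":
            p_unsafe_over_service_life(high, high, SERVICE_LIFE, HOURS_PER_YEAR / 12),
        "secondary negligible, no maintenance":
            p_unsafe_over_service_life(high, negligible, SERVICE_LIFE),
    }


if __name__ == "__main__":
    for name, p in compare_designs().items():
        print(f"{name:40s} P(unsafe over service life) = {p:.3g}")
```

With these constructed rates the four scenarios come out at roughly 1.0, 0.78, 0.26 and 8e-4 respectively: two "high" faults stay far from low risk even with monthly maintenance, whereas a secondary means with a negligible failure rate, the case clause 4.7 accepts, keeps the service-life risk small with the full service life as the mission. Shortening the mission by maintenance only helps to the extent that the maintenance actually detects and repairs the failed secondary means, which is the assumption the text points out.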



18.2 RISK CONTROL OPTION ANALYSIS

The Standard [3,7] identifies three methods of controlling risk, listed below in decreasing order of preference.
   1. Inherent safety by design
   2. Protective measures in the medical device itself or in the manufacturing process
   3. Information for safety