Page 91 - Safety Risk Management for Medical Devices

70    Safety Risk Management for Medical Devices


sets and components; and sensitivity evaluations. Sensitivity evaluation shows the sensitivity of the top event to variations in the probabilities of occurrence of the basic events that lead up to the top event.

12.1.2.1 Primary, secondary, and command faults
Ref. [24] identifies three categories of faults: primary, secondary, and command, and describes them as follows:

   • Primary fault: “Any fault of a component that occurs in an environment for which the component is qualified”; e.g., “a pressure tank, designed to withstand pressures up to and including a pressure P₀, ruptures at some pressure p ≤ P₀ because of a defective weld.”
      A primary fault is inherent to the component and occurs under design conditions. A primary fault in one component is presumed to be independent of a primary fault in another component, i.e., a primary fault in component X would not cause a primary fault in component Y.
   • Secondary fault: “Any fault of a component that occurs in an environment for which it has not been qualified. In other words, the component fails in a situation which exceeds the conditions for which it was designed; e.g., a pressure tank, designed to withstand pressure up to and including a pressure P₀, ruptures under a pressure p > P₀.”
      A secondary fault is due to unforeseen external factors.
   • Command fault: “Proper operation of a command, but at the wrong time/place.” A command path is a chain of events through the system that culminates in the desired command. When developing command faults, identify the sequence of faults that led to the command fault; the terminus of this chain is a primary or secondary fault.
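
As an added illustration (not code from the book or from Ref. [24]): a small fault-tree evaluator that computes the top-event probability under the primary-fault independence presumption above and performs the sensitivity evaluation mentioned at the top of the page. The tank-rupture tree, its event names and its probabilities are constructed for this example and are not taken from the text.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional, Tuple, Union

@dataclass(frozen=True)
class Basic:
    """Basic event (a primary or secondary fault) and its probability of occurrence."""
    name: str
    p: float

@dataclass(frozen=True)
class Gate:
    """AND/OR gate; the chain of events below a gate can model a command path."""
    kind: str                  # "AND" or "OR"
    inputs: Tuple["Node", ...]

Node = Union[Basic, Gate]

def top_probability(node: Node, fixed: Optional[Dict[str, float]] = None) -> float:
    """P(event at node); `fixed` overrides basic-event probabilities by name."""
    fixed = fixed or {}
    if isinstance(node, Basic):
        return fixed.get(node.name, node.p)
    ps = [top_probability(child, fixed) for child in node.inputs]
    if node.kind == "AND":     # all inputs occur: product, which assumes independence
        return math.prod(ps)
    if node.kind == "OR":      # at least one input occurs: 1 - P(none occur)
        return 1.0 - math.prod(1.0 - q for q in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")

def basic_events(node: Node):
    """Yield every basic event in the sub-tree rooted at node."""
    if isinstance(node, Basic):
        yield node
    else:
        for child in node.inputs:
            yield from basic_events(child)

def sensitivity(tree: Node) -> Dict[str, float]:
    """Sensitivity of the top event to each basic event: P(top | p_i=1) - P(top | p_i=0)."""
    return {b.name: top_probability(tree, {b.name: 1.0}) - top_probability(tree, {b.name: 0.0})
            for b in basic_events(tree)}

# Constructed tree with hypothetical probabilities (not from the book): the tank ruptures
# from a primary weld defect, or from overpressure (p > P0) when the protective command fails.
TANK_RUPTURE = Gate("OR", (
    Basic("weld_defect", 1e-4),
    Gate("AND", (Basic("overpressure", 1e-2), Basic("relief_command_fails", 1e-2))),
))
```

The sensitivity values show which basic event the top event responds to most strongly; here the primary weld defect dominates because it reaches the top through an OR gate alone.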

12.1.2.2 Immediate, necessary, and sufficient
When developing faults and identifying the contributing lower-level events, apply the following tests. For each lower-level event, ask whether it is:

   • Immediate: Is the next event on the lower level the one that immediately precedes the event in question?
      Benefit: It keeps you from jumping ahead and missing causes. Ref. [24] says “The basic paradigm in constructing a fault tree is ‘think small’, or more accurately ‘think myopically.’”
   • Necessary: Is the next event on the lower level necessary to cause the fault in question?
      Benefit: It helps maintain the cause-and-effect relationship and avoids extraneous entries.