Page 92 - Safety Risk Management for Medical Devices

Risk Analysis Techniques  71


                   Sufficient: Do you have all the necessary events to cause the fault in question?

                              Benefit: Ensures the higher event can actually happen, given the cited lower-level
                                events.
                      For the purposes of risk management, we can presume that the design has already
                   been peer reviewed, analyzed, modeled, and tested. Provided those activities have in fact
                   been completed, faults due to designer errors can be excluded from the FT.


                   12.1.2.3 State of Component, State of System
                   A fault can be a State of Component or a State of System. Ref. [24] defines: “A ‘state
                   of component’ fault is a fault associated uniquely with one component. A ‘state of
                   system’ fault is a fault not uniquely associated with one component. The immediate
                   cause of a ‘state of system’ fault involves more than one component.”


                   12.1.2.4 Common Cause Failures
                   CCFs describe situations where two or more component failures occur due to a common
                   cause. In the paradigm of immediate-necessary-sufficient logic, common causes of the
                   failures are not explicitly modeled in the FT. Instead, a common cause describes an
                   implicit dependency: multiple faults are triggered together when the common cause
                   occurs. Once the CCFs are identified, they should be included in the FT, as a shared
                   event feeding every branch they affect, to make their contribution to the top event visible.
                      Examples of CCF are as follows:

                      •  Environmental factors, e.g., temperature, humidity, pressure, and vibration
                      •  Faulty calibration
                      •  Error in manufacturing, causing all copies of a product to be faulty
                      •  Erroneous work instruction causing all users to operate the device incorrectly
                      CCFs are particularly important in redundant systems, where safety rests on the
                   presumption that simultaneous failure of the redundant channels is unlikely. A common
                   cause invalidates that presumption: a single cause defeats all of the redundant channels
                   at once, so the top-event probability is governed by the CCF rather than by the product
                   of the independent failure probabilities.
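The following is an added worked example, not code from the book or from Ref. [24]. It builds a small FT for two redundant infusion pumps (a constructed scenario; the pump names, the CCF description and the probabilities 0.01 and 0.001 are assumptions) where each pump fails either independently or through a shared common cause, and evaluates the top event two ways: exactly, by enumerating basic-event states, and naively, gate by gate as if every gate's inputs were independent. The naive evaluation is what one gets by ignoring that the CCF node is shared between branches; the exact evaluation shows how much the single shared cause dominates the redundant design.

```python
"""Toy fault-tree evaluator with a shared common-cause basic event.

Added example (not from the book). Shows why a CCF feeding several
redundant branches must be treated as one shared event, not as an
independent input to each gate.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Basic:
    """Basic event (leaf) with an assumed per-mission failure probability."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    """AND/OR gate over child nodes (Basic or Gate)."""
    kind: str       # "AND" or "OR"
    inputs: tuple   # tuple of Basic | Gate


Node = Union[Basic, Gate]


def basics(node: Node) -> set:
    """Collect the distinct basic events under a node (shared ones appear once)."""
    if isinstance(node, Basic):
        return {node}
    out = set()
    for child in node.inputs:
        out |= basics(child)
    return out


def occurs(node: Node, state: dict) -> bool:
    """Does `node` occur under a truth assignment for every basic event?"""
    if isinstance(node, Basic):
        return state[node]
    vals = [occurs(c, state) for c in node.inputs]
    return all(vals) if node.kind == "AND" else any(vals)


def exact_probability(top: Node) -> float:
    """Exact top-event probability by enumerating all basic-event outcomes.
    Correct even when one basic event feeds several gates (the CCF case).
    Exponential in the number of basic events; adequate for small trees."""
    leaves = sorted(basics(top), key=lambda b: b.name)
    total = 0.0
    for bits in product((False, True), repeat=len(leaves)):
        state = dict(zip(leaves, bits))
        if occurs(top, state):
            pr = 1.0
            for leaf, occurred in state.items():
                pr *= leaf.p if occurred else 1.0 - leaf.p
            total += pr
    return total


def naive_probability(node: Node) -> float:
    """Gate-by-gate evaluation that assumes each gate's inputs are independent.
    Wrong whenever a basic event is shared between branches."""
    if isinstance(node, Basic):
        return node.p
    ps = [naive_probability(c) for c in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    none_occur = 1.0
    for p in ps:
        none_occur *= 1.0 - p
    return 1.0 - none_occur


def redundant_pump_tree(p_indep: float, p_ccf: float) -> Gate:
    """Constructed scenario: loss of flow needs both redundant pumps to fail.
    Each pump fails through its own independent fault OR the shared CCF
    (here, a faulty calibration applied to both units)."""
    ccf = Basic("CCF: faulty calibration of both pumps", p_ccf)
    pump_a = Gate("OR", (Basic("Pump A independent failure", p_indep), ccf))
    pump_b = Gate("OR", (Basic("Pump B independent failure", p_indep), ccf))
    return Gate("AND", (pump_a, pump_b))


def compare(p_indep: float = 0.01, p_ccf: float = 0.001) -> dict:
    """Top-event probability without CCF, with CCF evaluated naively, and exactly."""
    top = redundant_pump_tree(p_indep, p_ccf)
    return {
        "no_ccf": p_indep ** 2,
        "naive": naive_probability(top),
        "exact": exact_probability(top),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label:>7}: {value:.3e}")
```

With the assumed numbers, the redundant pair alone gives 1e-4, the naive gate-by-gate evaluation of the tree with the CCF added gives about 1.2e-4, and the exact evaluation gives about 1.1e-3, which is P(CCF) + (1 - P(CCF)) * p^2: the shared cause raises the top-event probability by an order of magnitude, and treating the CCF as independent in each branch hides almost all of that increase. The same enumeration also answers the "sufficient" question from the checklist above, since it lists every combination of basic events that actually produces the top event.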



                   12.1.3 Symbols
                   FTs are constructed by logically connecting nodes. The nodes represent various
                   events, such as a basic event, an undeveloped event, etc. The nodes are connected to
                   each other using logic gates. Special symbols are used to represent the different types of
                   nodes and gates. Some of the most common symbols are presented in Fig. 12.2.
                      For convenience in labeling the events and gates, the style in Fig. 12.3 is sometimes
                   used, where the descriptive text is entered in a rectangle above the FT symbol.