Using what we have. Sherman Eagles SoftwareCPR.


Using what we have Sherman Eagles SoftwareCPR seagles@softwarecpr.com

2 A question to think about
Is there a difference between a medical device safety case and any non-medical device safety case? Are the grounds required to justify the conclusion that a medical device is safe any different from the grounds required to justify the conclusion that an air traffic control system is safe?

What do we know about medical devices that may influence arguing about their safety?

4
- Not using a medical device may result in harm to an individual (the patient)
- If a device does not meet safety goals, it may be determined to be adequately safe (risk is acceptable) based on a risk-benefit analysis
- Safety of a medical device is relative
- The safety of a medical device may change even though the medical device does not change

5
- Use of medical devices is generally under the direction of a medical practitioner
- The manufacturer's intended purpose for the device must be stated very specifically for safety evaluation purposes
- But how a device is used after it is purchased is not regulated (directly) or controlled

6 The medical device business model is a consumer product model
- The manufacturer of the medical device determines the requirements for it, not the purchaser or the regulator.
- The regulator is a gatekeeper who evaluates whether the manufacturer has met the rules to sell the medical device
- Safety is only one of the rules a manufacturer must meet to sell a device

7
- The regulator may only allow or not allow the sale of the product after the development is complete.
- May force the product off the market later based on actual performance
- Regulations in different parts of the world will differ for the same medical device

8
- The same device may be used in many different areas of care (use environment)
- Situations in which it is not safe to use the device must be identified (contra-indications)
- If a care area is not contra-indicated, it is assumed the device will be safe in that use environment
- Medical devices are developed using a risk management process based on ISO 14971
- ISO 14971 requires that risk be acceptable
- ISO 14971 requires all safety documentation to be collected in a risk management file

9
- Few medical device projects start with a blank page. Many new projects are adding functionality to existing products, or creating a new platform for the same intended purpose as an existing product.
- Incidents where a patient is harmed because of a medical device must be reported to the regulator
- Information on hazards and hazardous situations of previous versions or similar products is available

What do we already do that we can use in a medical device safety assurance case?

11 Medical device risk management
- Safety is freedom from unacceptable risk
- Under 14971, the manufacturer specifies what is unacceptable
- Where risk is the combination of:
  - The probability of occurrence of harm
  - The consequences of that harm (severity)

12 Probability
- Probability is a qualified assertion made when we cannot say for certain that something will happen
- ISO 14971 requires a measure of the probability that harm will occur
- The quality of the evidence determines the confidence or trustworthiness of the qualifier

13 Harm
- Physical injury or damage to the health of people, or damage to property or the environment
- Harm is the consequence
- Severity is a measure of harm
- Probability is the likelihood of harm
- For an insulin delivery system, harm will include:
  - Hypoglycemia
  - Hyperglycemia

14 Hazard
- Potential source of harm
- In ISO 14971, it is the thing that actually results in harm:
  - High temperature
  - Electrical energy: line voltage, leakage current
  - Incorrect transfer of a substance: overdose, underdose
- In ISO 14971 terminology, software is not a hazard
- If a hazard is possible, it is always present

15 Hazardous situation
- Circumstance in which people, property or the environment are exposed to one or more hazards
- A sequence of events leads to a hazardous situation
- Software may contribute to the sequence of events
- A hazardous situation must be present before harm can occur

Table E.3 from ISO 14971:2007

17 Components of medical device safety
- Basic safety: freedom from unacceptable risk directly caused by physical hazards when medical devices are used under normal condition and single fault condition
- Essential performance: performance of a clinical function, other than that related to basic safety, the loss or degradation of which beyond the limits specified by the manufacturer results in an unacceptable risk

18 Risk analysis
- Hazard identification: what hazards can be present with the device (ISO 14971 has a list to consider)
- Hazardous situation identification: how can a person be exposed to the hazard
- Estimation of severity of harm
- Estimation of probability of harm
- Contributing factors (causes) identification

19 Context Diagram (from AAMI TIR32)
[Diagram of a medical device/system showing: data entry, sensor reading, keyboard, user interface software, software, hardware interface software, user, monitor, information display, hardware control, patient]

20 Risk evaluation
- Risk is compared to the risk acceptability criteria established by the manufacturer
- Risk level matrix: rows of increasing severity (Negligible, Low, Medium, High, Catastrophic) against columns of increasing probability (Improbable, Remote, Occasional, Probable, Frequent); each cell is rated Unacceptable, Needs justification, or Acceptable

21 Controlling risk
- Eliminate the hazardous situation from the design
- Recognize the sequence of events leading to a hazardous situation and prevent them from causing harm
- Last point of control: detect a hazardous situation and notify the user to take action to prevent harm
- Instruct the user on how to prevent harm from occurring

22 Causal chains (from AAMI TIR 32)
[Diagram of causal chains leading to a hazardous output, marking first points of control (FPOC), other points of control, and last points of control (LPOC)]

23 Random and systematic failures
- Random: individual devices or parts fail; numerical probability can often be determined
- Systematic: all devices fail under some particular combination of inputs or conditions
- All software faults are systematic
- Systematic fault rates are laborious and expensive to measure
- Consensus does not exist for a method of estimating systematic fault rates quantitatively

24 Probability
- Probability of a fault is not necessarily the same as probability of harm
- A fault may always occur under identical conditions, but:
  - A fault will not always lead to a hazardous situation
  - A hazardous situation will not always lead to harm

[Diagram: Initiating event -> Sequence of events -> Hazard -> (P1) -> Hazardous situation -> (P2) -> Harm]
- Hazards are always present
- The probability that a sequence of events will expose a hazard and create a hazardous situation is P1
- The probability that a hazardous situation will lead to harm is P2
- The probability of harm being caused by a sequence of events is Ph = P1 x P2

26 Example of P2
In 2000-2001, 28 patients in Panama received an overdose of radiation because of an error in an automated treatment planning system. US medical physicists stated that it could not happen here because of standard practice treatment protocols that require an independent manual calculation to check dosage. This check is a clinical procedure done outside of the device.

27 Estimating risk due to a software fault
- A software fault occurs in the sequence of events
- If a hazard is present and there is a software fault, P1 = 1: a hazardous situation will occur
- It may be possible to determine P2, the likelihood that the hazardous situation leads to harm
- If P2 can be determined, then the risk resulting from the software fault can be estimated
- If P2 cannot be determined, then the risk is unknown and the software fault needs to be addressed

28 Criteria for acceptable risk
- Established by the manufacturer
- May be based on number of failures, failures per patient, failures per hour of device use, etc.
- Rationale for the criteria should be part of the confidence case

29 Risk Control

30 Preferred order of Risk Control Measures
1. Inherent safe design
2. Protective measures
3. Detection and notification
4. Labeling & training

31 Inherent safe design
- Fail-safe philosophy unique to intended use: life sustaining, diagnostic, therapeutic
- Prevent hazardous situations by changing software architecture:
  - Isolate safety functions and data
  - Firewalls
  - Simplify the user interface
- Use defensive design and programming:
  - Use static memory structures instead of dynamic
  - Use a restricted version of a programming language that prohibits structures likely to lead to programming errors

32 Protective measures
- Must be independent of the function they are being applied to
- Segregation between the protective measure and the feature
- Fault tolerance:
  - Redundancy
  - Diversity
- Memory protection, correction

33 Detection and notification
- Applied at system boundaries:
  - Checking for correct inputs
  - Range checks on outputs
  - Limits on transfer of energy or substance to the patient
  - Safe operating envelope (interlocks)
- Applied to interfaces between software items:
  - Inconsistencies between inputs and outputs

34 Labeling and training
- Least desirable risk control measures because it is difficult to show effectiveness
- Warnings and confirmation

35 Residual risk
- Risk remaining after risk control measures have been applied
- Documented in a risk assessment register:
  - Hazard
  - Hazardous situation
  - Causes
  - Initial severity, P(1), P(2), P(h)
  - Risk control measures
  - Residual severity, P(1), P(2), P(h)
  - Link to requirement for risk control measures

Safety case using risk control concepts

37 A medical device safety assurance case
- Top level claim: device is reasonably safe (residual risk is acceptable)
- Context: for the intended use in the intended use environment
- Assumptions:
  - Legislation sets the standard that medical devices must be reasonably safe.
  - The manufacturer's policy for acceptable risk meets the legislative intent.
  - The residual risk is acceptable if the residual risk of each hazardous situation is acceptable and the overall residual risk of all hazardous situations combined is acceptable.

38
- First level sub-claims are that the top level hazardous situations from risk analysis have a residual risk that is acceptable and that the total residual risk from these hazardous situations is acceptable
- Hazardous situations may be a lack of essential performance or exposure to a basic safety hazard
- Strategy: argue by addressing each of the hazardous situations and the total residual risk from all of the hazardous situations.

41 The residual risk of each hazardous situation is maintained in the risk management file. The risk management file information can be used in the safety assurance case if the risk management was done carefully and probability estimates were based on evidence.

42 A passionate feeling that the probability of harm occurring is low is not evidence!
"The opinions that are held with passion are always those for which no good ground exists; indeed the passion is the measure of the holder's lack of rational conviction." - Bertrand Russell

43 Can we just reference the RMF?
- Other than the intended purpose, 14971 does not require recording of context, assumptions or strategy
- These elements of a safety assurance case are usually necessary to ensure correct communication

44 Why we need context
- A hazard for an infusion pump is air embolism
- The hazardous situation is air gets in the line and is infused into the patient
- The infusion pump manufacturer claims the risk of this hazardous situation is acceptable because the pump detects the air in the line and alarms
- Assuming everything works as intended, has the risk been made acceptable?

45 What's an alarm?
- Webster's: 1. a signal (as a loud noise or flashing light) that warns or alerts; 2. a device that signals
- IEC 60601-1-8 does not define alarm:
  - Alarm condition
  - Alarm signal
  - Alarm system
- What did the manufacturer mean?

46 The importance of context
- Context: when the pump detects air in the line, the alarm stops the infusion and sounds an alert to notify the caregiver that infusion has been halted
- While this description will surely be somewhere in the documentation, it is seldom found in a risk management document

47
- Lower level claims that support the acceptable risk of the hazardous situation are that the causes of the hazardous situation have been mitigated to an acceptable level
- The argument strategy is to argue that risk control measures control the hazard causes effectively
- The solutions are the risk control measures or mitigations
- The evidence shows that the risk control measure has been implemented and is effective

48 Example

49 Conclusions
- Much of what is already being done for risk management by medical device manufacturers can be used in a safety assurance case.
- Strategy, context, assumptions and rationale need to be added to current risk management practices to make safety assurance cases effective communication tools

50 Final conclusion
- What you do is more important than how you represent it.
- What you do will make the device safe
- How you represent what you did will explain it


[GSN fragment, cause-level argument]
GOAL: Residual risk R(1) is acceptable
  is solved by STRATEGY: Causes of hazardous situation have been identified and controlled
    is solved by GOAL: Risk from cause A has been reduced to an acceptable level
      is solved by STRATEGY: Show that risk control measures reduce the risk to an acceptable level
        is solved by SOLUTION: RCM M has been implemented
        is solved by SOLUTION: RCM N has been implemented
        is solved by SOLUTION: Residual risk is xyz
    is solved by GOAL: Risk from cause B has been reduced to an acceptable level
      is solved by STRATEGY: Show that risk control measures reduce the risk to an acceptable level
        is solved by SOLUTION: RCM S has been implemented
        is solved by SOLUTION: Residual risk is uvw

[Diagram: Initiating event -> Sequence of events -> Hazard -> (P1) -> Hazardous situation -> (P2) -> Harm]
- Hazards are always present
- The probability that a sequence of events will expose a hazard and create a hazardous situation is P1; the residual risk due to P1 is R1
- The probability that a hazardous situation will lead to harm is P2; the residual risk due to P2 is R2
- The probability of harm being caused by a sequence of events is Ph = P1 x P2; the residual risk due to this hazardous situation is Rh

54 Risk from a hazardous situation
The residual risk of a hazardous situation is acceptable if:
- R1 is acceptable, or
- R2 is acceptable, or
- Rh is acceptable

[GSN fragment, hazardous-situation level]
GOAL: Risk from hazardous situation n is acceptable
  in context of CONTEXT: The residual risk of a hazardous situation is acceptable if R(1) is acceptable or R(2) is acceptable or R(h) is acceptable
  is solved by STRATEGY: Show that residual risk is acceptable or that risk control measures reduce it to acceptable
    is solved by GOAL: Residual risk R(1) is acceptable

56 Overall residual risk
The overall residual risk is acceptable if the combination of all Rh from all hazardous situations is acceptable

[GSN fragment, overall residual risk]
GOAL: Overall residual risk from all hazardous situations is acceptable
  is solved by STRATEGY: Determine the combination of all residual risk from hazardous situations
    in context of CONTEXT: The manufacturer selects an appropriate method for combining the residual risk from hazardous situations
    is solved by SOLUTION: Overall residual risk is abc

[GSN fragment, top level]
GOAL: Risk of harm is acceptable
  in context of CONTEXT: Probability of residual risk P(h) is residual risk P(1) times residual risk P(2)
  is solved by STRATEGY: After risk control, all hazardous situations result in residual risk that falls within the acceptable range
    in context of ASSUMPTION A: The policy that defines acceptable risk can be used to evaluate risk for hazardous situations
    is solved by GOAL: Risk due to hazardous situation 1 is acceptable
      is solved by STRATEGY: Show that residual risk is acceptable or that risk control measures reduce it to acceptable
    is solved by GOAL: Risk from hazardous situation n is acceptable
      is solved by STRATEGY: Show that residual risk is acceptable or that risk control measures reduce it to acceptable
    is solved by GOAL: Overall residual risk from all hazardous situations is acceptable
      is solved by STRATEGY: Show that the total of all residual risk from hazardous situations is acceptable

59 Risk assessment register (one row)
- Risk: Air embolism
- Hazardous situation: Air in line
- Cause: Improper priming
- Severity: 5
- P1: 3
- P2: 2
- Ph: 2
- Risk level: U
- Risk control: Manuals and training
- P1 (M): 2
- P2 (M): 1
- Ph (M): 1
- Residual risk level: A
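A constructed worked example, added here and not part of the presentation, that ties together the Ph = P1 x P2 estimate, the rule that a software fault gives P1 = 1 with possibly undeterminable P2, the "R1 or R2 or Rh acceptable" rule of slide 54, the overall combination of slide 56 and a register row like the one above. The probability bands, matrix cells, sample rows and the method of combining residual risks are assumptions chosen for illustration.

```python
"""Per-hazardous-situation risk estimate (Ph = P1 x P2), matrix risk level,
the slide-54 acceptability rule and an overall residual-risk check. Constructed
example: bands, matrix cells, sample rows and combination method are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEVERITY = ["Negligible", "Low", "Medium", "High", "Catastrophic"]
BANDS = [1e-6, 1e-5, 1e-4, 1e-3, float("inf")]  # assumed tops: Improbable..Frequent
# Assumed matrix cells, one row per severity, one char per probability column:
# U = unacceptable, J = needs justification, A = acceptable.
MATRIX = {
    "Negligible":   "AAAAA",
    "Low":          "AAAJJ",
    "Medium":       "AAJJU",
    "High":         "AJJUU",
    "Catastrophic": "AJUUU",
}

def risk_level(severity: str, p: Optional[float]) -> Optional[str]:
    """Matrix lookup; None when the probability cannot be determined (slide 27)."""
    if p is None:
        return None
    col = next(i for i, upper in enumerate(BANDS) if p < upper)
    return MATRIX[severity][col]

@dataclass
class HazardousSituation:
    name: str
    severity: str
    p1: float            # P(sequence of events exposes the hazard); 1.0 for a software fault
    p2: Optional[float]  # P(hazardous situation leads to harm); None if it cannot be determined

    def p_h(self) -> Optional[float]:
        return None if self.p2 is None else self.p1 * self.p2

    def residual_levels(self) -> Tuple[Optional[str], Optional[str], Optional[str]]:
        """R1, R2 and Rh as matrix levels (slide 53)."""
        level = lambda p: risk_level(self.severity, p)
        return level(self.p1), level(self.p2), level(self.p_h())

    def acceptable(self) -> bool:
        """Slide 54: acceptable if R1, R2 or Rh is acceptable. An unknown P2
        yields no level, so a P1 = 1 software fault with unknown P2 fails."""
        return "A" in self.residual_levels()

def overall_acceptable(situations: List[HazardousSituation]) -> bool:
    """Slide 56: combine all Rh. Assumed method: sum the probabilities of harm
    and look the total up against the worst severity present."""
    if any(s.p_h() is None for s in situations):
        return False
    worst = max(situations, key=lambda s: SEVERITY.index(s.severity)).severity
    return risk_level(worst, sum(s.p_h() for s in situations)) == "A"

def device_acceptable(situations: List[HazardousSituation]) -> bool:
    """Slide 37 assumption: each situation acceptable AND overall acceptable."""
    return all(s.acceptable() for s in situations) and overall_acceptable(situations)

# Constructed register rows; the numbers are illustrative, not from slide 59.
AIR_BEFORE = HazardousSituation("Air in line, improper priming", "Catastrophic", 2e-3, 0.1)
AIR_AFTER = HazardousSituation("Air in line, training + detector halts infusion",
                               "Catastrophic", 2e-4, 2e-3)
DOSE_SW_FAULT = HazardousSituation("Dose calculation software fault", "High", 1.0, None)
DOSE_WITH_CHECK = HazardousSituation("Dose fault, independent manual check", "High", 1.0, 5e-7)
OCCLUSION = HazardousSituation("Occlusion not detected", "Medium", 4e-4, 2e-3)

if __name__ == "__main__":
    for s in (AIR_BEFORE, AIR_AFTER, DOSE_SW_FAULT, DOSE_WITH_CHECK, OCCLUSION):
        print(f"{s.name}: R1,R2,Rh={s.residual_levels()} acceptable={s.acceptable()}")
    print("device:", device_acceptable([AIR_AFTER, DOSE_WITH_CHECK, OCCLUSION]))
```

The third sample row shows the slide-37 point that every hazardous situation can be individually acceptable while the combined residual risk is not.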
