Hi all, my first post on this forum. I understand this is an old thread but interesting.
Peter, you mention the following which makes sense.
Misuse normally falls in a probability range that is below normal use but above typical single fault conditions: e.g. 0.01 times / procedure, but if there are 200 procedures / year, it means it happens 2 times / year. SFC rates are typically 0.01~0.001/device/year.
However, what about a misuse that can disable a risk control? For example, consider the following:
1) A device (with software) controls heating to the patient.
2) It has a temperature sensor to detect overheating of the patient and cut off heating to prevent patient burns (serious harm).
3) However, the temperature sensor is a detachable probe, which relies on the nurse to plug it in.
4) Because this relies on the user action, the probability of the risk control being disabled is ~1 time / year.
5) To mitigate against the misuse, the software continuously monitors the probe connection during operation and alarms if a disconnection is detected.
The probe connection monitor is also implemented in the same software as the control system. This type of configuration seems reasonably common and it seems safe to me. But if we consider the disconnection as a misuse, then the probability of harm would be something like control software failure (0.001/year) x probe disconnection (1/year) = 0.001/year, which is unacceptable for a serious injury.
Is the above analysis correct? Would you consider the system to be unsafe and further control to be required? Or would you consider the probe connection monitor algorithm to be independent from the control, although they are implemented in the same software? Or would you consider the probe disconnection to be a single fault instead of a misuse?
Thanks.
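One way to put the independence question from the post into numbers, as an added example that is not part of the original post: a small common-cause model where `beta` is the assumed fraction of control-software failures that also disable the probe-connection monitor (beta = 1 is the post's calculation, beta = 0 is a fully independent monitor). The monitor failure rate is an assumption, and per-year rates are treated as per-year probabilities the way the post does.

```python
from dataclasses import dataclass


def misuse_per_year(per_procedure: float, procedures_per_year: int) -> float:
    """Convert a per-procedure misuse probability into events per year (0.01 x 200 = 2)."""
    return per_procedure * procedures_per_year


@dataclass
class Scenario:
    p_disconnect: float    # probe disconnection (misuse), per year
    p_control_fail: float  # heating-control software failure, per year
    p_monitor_fail: float  # probe-connection monitor failure, per year (assumed value)
    beta: float            # fraction of control failures that also take the monitor down (assumed)


def p_monitor_down_given_control_fail(s: Scenario) -> float:
    """Probability the monitor does not alarm, given the control software has failed.

    With probability beta the shared software failure disables both control and monitor;
    otherwise the monitor can still fail on its own with p_monitor_fail.
    """
    return s.beta + (1.0 - s.beta) * s.p_monitor_fail


def p_harm(s: Scenario) -> float:
    """Per-year probability of a burn: control fails AND probe is disconnected AND monitor silent."""
    return s.p_control_fail * s.p_disconnect * p_monitor_down_given_control_fail(s)


if __name__ == "__main__":
    # Constructed inputs taken from the post: 0.001/year control failure, 1/year disconnection.
    shared = Scenario(p_disconnect=1.0, p_control_fail=0.001, p_monitor_fail=0.001, beta=1.0)
    independent = Scenario(p_disconnect=1.0, p_control_fail=0.001, p_monitor_fail=0.001, beta=0.0)
    partial = Scenario(p_disconnect=1.0, p_control_fail=0.001, p_monitor_fail=0.001, beta=0.1)
    print(f"misuse events/year:        {misuse_per_year(0.01, 200):.3g}")
    print(f"monitor shares failures:   {p_harm(shared):.3g}/year")
    print(f"monitor fully independent: {p_harm(independent):.3g}/year")
    print(f"10% common cause:          {p_harm(partial):.3g}/year")
```

The gap between the first and second figure is the whole weight carried by the claim that the monitor is independent of the control software.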