Is foreseeable misuse considered as single fault condition?

MediKit

Starting to get Involved
#21
Hi Peter, actually, how do the checks you mentioned and other software techniques fit into IEC62304? And how does class C compliance fit into single fault / safety evaluation? If I understand correctly, IEC62304 is about process, without specific requirements on software implementation, but it mentions that by using process control it is possible to treat software as high integrity. Let's say I am designing a high-risk device, e.g. an infant incubator, and I decide to use software as the risk control for patient burn, and the development process for the whole software complies with class C. Does it mean the software is now treated as high integrity and considered single fault safe?

It does not make sense, and I would have thought a standard that specifies certain characteristics of the software would be more useful, such as the checks you mentioned, certain scheduling schemes, identification of critical code and data and ensuring their protection, clear redundancy in software, etc. But currently IEC62304 does not seem to enforce any of these, and even segregation is not compulsory if the whole software is treated as class C. What are your thoughts?

Thanks.

david316

Involved In Discussions
#22
In terms of 62304, my understanding is that clause 4.3 requires you to determine your software safety class for all software that could lead to patient harm. This includes software that controls the device as well as software that is contained in risk control measures (e.g. alarms). Once you have determined your software class, you develop your software in line with 62304. After developing the software with the appropriate processes, you are not required to assume your software will fail with 100% certainty and can make a more reasonable estimate, in line with the previous posts by you and Peter. Note that this is hinted at in the Annexes of 62304, which talk about how the processes in the standard reduce the probability of software failure.
 

VinceTech

Involved In Discussions
#23
> Hi all, my first post on this forum. I understand this is an old thread, but it is interesting.
>
> Peter, you mention the following, which makes sense.
>
>
>
> However, what about a misuse that can disable a risk control? For example, consider the following:
> 1) A device (with software) controls heating to the patient.
> 2) It has a temperature sensor to detect overheating of the patient and cut off heating to prevent patient burn (serious harm).
> 3) However, the temperature sensor is a detachable probe, which relies on the nurse to plug it in.
> 4) Because this relies on the user action, the probability of the risk control being disabled is ~1 time / year.
> 5) To mitigate against the misuse, the software continuously monitors the probe connection during operation and alarms if a disconnection is detected.
>
> The probe connection monitor is also implemented in the same software as the control system. This type of configuration seems reasonably common and it seems safe to me. But if we consider the disconnection as a misuse, then the probability of harm would be something like control software failure (0.001/year) x probe disconnection (1/year) = 0.001/year, which is unacceptable for a serious injury.
>
> Is the above analysis correct? Would you consider the system to be unsafe and further control to be required? Or would you consider the probe connection monitor algorithm to be independent from the control, although they are implemented in the same software? Or would you consider the probe disconnection as a single fault instead of misuse?
>
> Thanks.
It depends on whether 1/1000 per year is acceptable for the serious harm. If so, this is OK.
 

VinceTech

Involved In Discussions
#24
> Hi Peter, actually, how do the checks you mentioned and other software techniques fit into IEC62304? And how does class C compliance fit into single fault / safety evaluation? If I understand correctly, IEC62304 is about process, without specific requirements on software implementation, but it mentions that by using process control it is possible to treat software as high integrity. Let's say I am designing a high-risk device, e.g. an infant incubator, and I decide to use software as the risk control for patient burn, and the development process for the whole software complies with class C. Does it mean the software is now treated as high integrity and considered single fault safe?
>
> It does not make sense, and I would have thought a standard that specifies certain characteristics of the software would be more useful, such as the checks you mentioned, certain scheduling schemes, identification of critical code and data and ensuring their protection, clear redundancy in software, etc. But currently IEC62304 does not seem to enforce any of these, and even segregation is not compulsory if the whole software is treated as class C. What are your thoughts?
>
> Thanks.
IEC62304 has requirement 5.3.5, "Identify segregation necessary for RISK CONTROL". I think the 'certain scheduling schemes' are the risk control.
 

Apex Hao

Starting to get Involved
#25
Hi, I have found this thread very useful on the single fault discussion and would like to get some opinions on the following case.

1. For a critical function, in order to fulfil the requirement that "product shall remain single fault safe after a single fault has occurred", three independent layers of protection have been implemented. However, all three layers have relatively low reliability; let's say each layer has an R(t) of 0.90. Calculation shows that system R(t) = 0.999, which means the probability of failure is 0.1%. This does not sound sufficient for a critical function.

2. On the other hand, another option is to have only a single layer of protection, but with much higher reliability, which gives a probability of failure of about 0.01%. However, this system will not be single fault safe.

How would you propose to tackle such a situation?
I appreciate your input. Please let me know if I should open a new thread.
 

VinceTech

Involved In Discussions
#26
> Hi, I have found this thread very useful on the single fault discussion and would like to get some opinions on the following case.
>
> 1. For a critical function, in order to fulfil the requirement that "product shall remain single fault safe after a single fault has occurred", three independent layers of protection have been implemented. However, all three layers have relatively low reliability; let's say each layer has an R(t) of 0.90. Calculation shows that system R(t) = 0.999, which means the probability of failure is 0.1%. This does not sound sufficient for a critical function.
>
> 2. On the other hand, another option is to have only a single layer of protection, but with much higher reliability, which gives a probability of failure of about 0.01%. However, this system will not be single fault safe.
>
> How would you propose to tackle such a situation?
> I appreciate your input. Please let me know if I should open a new thread.
It depends on how reliable your control is. What is the probability of control failure? Is it obvious to the user?
 

Apex Hao

Starting to get Involved
#27
> It depends on how reliable your control is. What is the probability of control failure? Is it obvious to the user?
1. For the 1st option, any fault on those layers of protection can only be identified if a system check is carried out, but there is no signal or alert to warn the user to conduct a system check. So I wouldn't consider them an "obvious failure".

2. For the 2nd option, failure of the only protection layer causes malfunction of the appliance and results in an obvious (and harmful) failure.
 

VinceTech

Involved In Discussions
#28
If the "protection" is the only means
> 1. For the 1st option, any fault on those layers of protection can only be identified if a system check is carried out, but there is no signal or alert to warn the user to conduct a system check. So I wouldn't consider them an "obvious failure".
>
> 2. For the 2nd option, failure of the only protection layer causes malfunction of the appliance and results in an obvious (and harmful) failure.
My opinion is that neither case is single fault safe.
Case 1: the fault is not detectable. It needs to be evaluated as a dual fault condition.
Case 2: a single fault causes unacceptable risk (e.g. death with probability 0.01%). Not single fault safe.
 

Apex Hao

Starting to get Involved
#29
> If the "protection" is the only means
>
> My opinion is that neither case is single fault safe.
> Case 1: the fault is not detectable. It needs to be evaluated as a dual fault condition.
> Case 2: a single fault causes unacceptable risk (e.g. death with probability 0.01%). Not single fault safe.
Thank you for the opinion. I agree with you on Case #2.

However, for Case #1, the system itself does fulfil the requirement of "remaining single fault safe after a single fault has occurred". I am trying to find more justifications to push for design changes.
1. Is there any specific requirement dictating how to evaluate a system with a single fault or a dual fault? In fact, I have rarely come across dual fault analysis.
2. I read some time ago on the TUV SUD website that "the occurrence of three independent random hardware failures is usually not assumed within the typical lifetime of an electrical medical device". Is this applicable? And is there any specific reliability or probability-of-failure threshold to meet?
 

VinceTech

Involved In Discussions
#30
If the 1st failure is not obvious (hidden), a second failure is assumed. This is the dual fault condition to be evaluated. If the dual fault is not safe (e.g. the probability is too high), you may need to consider one more protection or fault detection.

The threshold depends on the severity of harm. For critical harm, such as multiple deaths, 0.0001% is normally expected.
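The arithmetic behind the two cases argued over in this thread (the probe-misuse product in post #23 and the three-layer vs. single-layer comparison in #25, evaluated under the hidden-fault rule from #30) is easy to get wrong by hand, so here is an added worked example. It is not code from the thread or from any standard; the function names are mine, the "worst case: the most reliable layers are the ones that failed silently" rule is my modelling assumption, the 0.0001% threshold is the figure quoted in post #30, and the choice to give a connection monitor no credit when it shares software with the control is the conservative reading of post #23, not a requirement of IEC 62304.

```python
# Added worked example (not from the thread or any standard): reliability
# arithmetic for the cases discussed above. Function names, the worst-case
# hidden-fault rule and the "no credit for a monitor in the same software"
# rule are assumptions of this example; 1e-6 is the threshold quoted in #30.


def all_layers_fail(layer_failure_probs):
    """Probability that every independent protection layer fails at once.

    Independent layers in parallel: the function is lost only when ALL of
    them fail, so their failure probabilities multiply. Three layers at
    R(t) = 0.90 (failure probability 0.10 each) give 0.10 ** 3 = 0.001,
    i.e. system R(t) = 0.999, the figure quoted in post #25.
    """
    p = 1.0
    for q in layer_failure_probs:
        if not 0.0 <= q <= 1.0:
            raise ValueError(f"failure probability out of range: {q}")
        p *= q
    return p


def system_reliability(layer_failure_probs):
    """R(t) of the protection as a whole: 1 minus the all-fail probability."""
    return 1.0 - all_layers_fail(layer_failure_probs)


def residual_failure_after_hidden_faults(layer_failure_probs, hidden_faults):
    """Apply the rule from post #30: a failure that is not obvious to the
    user is assumed to have already happened, so the layers that are left
    are evaluated on their own (dual fault condition for one hidden fault,
    triple for two, and so on).

    Worst case is assumed here (an assumption of this example, not of the
    thread): the layers that silently failed are the MOST reliable ones, so
    what remains are the weakest layers.
    """
    if hidden_faults < 0:
        raise ValueError("hidden_faults must be non-negative")
    remaining = sorted(layer_failure_probs, reverse=True)  # weakest first
    if hidden_faults >= len(remaining):
        return 1.0  # no protection left: the hazard is unmitigated
    return all_layers_fail(remaining[: len(remaining) - hidden_faults])


def harm_probability_with_misuse(p_control_failure, p_misuse,
                                 p_monitor_failure=None,
                                 monitor_independent=True):
    """The product from post #23: harm needs the control to fail AND the
    risk control to have been disabled by the misuse (probe not plugged in).

    A probe-connection monitor earns credit (a further multiplying factor)
    only if it is independent of the control software. When it runs in the
    same software as the control, this example gives it no credit, because
    a single software fault can defeat both at once (common cause).
    """
    p = p_control_failure * p_misuse
    if p_monitor_failure is not None and monitor_independent:
        p *= p_monitor_failure
    return p


def is_acceptable(p_harm, threshold):
    """Compare an estimated probability of harm against a severity threshold."""
    return p_harm <= threshold


CRITICAL_THRESHOLD = 1e-6  # 0.0001%, the figure quoted in post #30 for multiple deaths

if __name__ == "__main__":
    three_layers = [0.10, 0.10, 0.10]  # post #25, option 1
    single_layer = [0.0001]            # post #25, option 2 (0.01% failure)
    print("three layers, all fail:", all_layers_fail(three_layers))
    print("three layers, one hidden fault already present:",
          residual_failure_after_hidden_faults(three_layers, 1))
    print("three layers, two hidden faults:",
          residual_failure_after_hidden_faults(three_layers, 2))
    print("single high-reliability layer:", all_layers_fail(single_layer))
    print("misuse case, monitor in same software:",
          harm_probability_with_misuse(0.001, 1.0, 0.01, monitor_independent=False))
    print("misuse case, independent monitor:",
          harm_probability_with_misuse(0.001, 1.0, 0.01, monitor_independent=True))
    print("three layers acceptable for critical harm?",
          is_acceptable(all_layers_fail(three_layers), CRITICAL_THRESHOLD))
```

Running it shows the point made in #28 and #30 numerically: with one undetected layer failure assumed, the three-layer design drops from a 0.1% to a 1% all-fail probability, and with two it is a bare 10% layer, while the misuse case only gets below 0.001 per year when the monitor is credited as independent of the control software.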
 