Reduce risks as far as possible - Quartz Crystal

loewph

Registered
Hello,

I am in the process of minimizing risks for a medical product based on ISO 14971. The norm states that I have to reduce each risk as far as possible, which leads to quite absurd cases where it is really hard for me to determine whether I have to perform mitigation actions.
I am working on the case that a quartz crystal that provides the time base for a microcontroller might fail. Based on its nature, an integrated quartz crystal should pretty much never fail or oscillate with the wrong frequency. However, the probability is not zero (it never is). In this improbable case, risk mitigation is possible, but excessively difficult and complex. Do I have to perform such mitigation actions, or can I argue that the likelihood of a quartz crystal failing or being out of tune is inconceivable? I do not know if there is any possibility of seeing the use of quartz crystals without monitoring the output as state of the art.

Thank you for any input, I am happy for each idea or discussion.
 

yodon

Leader
Super Moderator
Back in 2014, the NBs got together and discussed this very issue. They published a "Consensus Paper for the Interpretation and Application of Annexes Z in EN ISO 14971:2012" (copy attached). In essence, they say economic considerations will always be relevant but to just be transparent and document the endpoint criteria of risk reduction.
 

Attachments

  • 14971-2012_AnnexesZ-Interpretation.pdf

Tidge

Trusted Information Resource
Specifically with respect to quartz crystals as timekeepers:
  1. They are industry-standard, state-of-the-art, accepted components for the task identified.
  2. They typically fail in catastrophic ways.
On the second point, as far as I know the failure mode of the technology is "not working" as opposed to "drifting accuracy". It is possible to have a discrete crystal oscillator fail in an intermittent way; every time I have observed this (and it has been rare) it was from a physical shock to the (powered) PCBA with the crystal that caused imperfections/defects in the oscillator to stop oscillating (when the shock was applied).
 

loewph

Registered
Thank you very much for the provided information! I just read the Consensus Paper, which is quite an important piece of information.

Concerning the quartz as a timekeeper: the state-of-the-art argument is always nice, but does it conclude that the use of one quartz without some kind of redundant quartz is sufficient? I simply do not know if other manufacturers maybe have two crystals built into a device and compare the time base. In that case, this is the state of the art, which I then need to fulfill, or am I mistaken?
 

ThatSinc

Quite Involved in Discussions
I'm currently being asked, for each risk identified, to justify how it has been reduced as far as possible.

The procedure, and policy, for risk reduction includes the requirement to reduce as far as possible, taking into consideration state of the art.

If you have determined that the probability of harm and overall risk is acceptable, are using industry standard methodologies, and you can justify that further controls wouldn't make the risk any lower in any meaningful way you should be okay.

Where a technological standard is used, it is relatively easy to show that you are meeting what is considered state of the art, but even in those situations you *can* reduce risk further, so I can understand your concern and I'm trying to figure out how to document it myself.
 

Ninja

Looking for Reality
Trusted Information Resource
I am not in medical...but I am a ceramic engineer and a mineralogist...

A quartz crystal failing in a timing application...that ain't gonna happen...period.
You have a much higher chance of the device being confiscated by aliens.
Quartz oscillation is a fundamental property of matter and vibration...the metal contact will turn into grape jelly first.

Other parts of the timing circuit failing, sure...like not being able to use or sense the oscillation.
The crystal itself will oscillate at the same frequency until it is broken...then the pieces will oscillate at that frequency but you won't know it.

If it were me, I would not even list that as a failure mode unless you list spontaneous metal jelly-fication too.

HTH
 

Tidge

Trusted Information Resource
Concerning the quartz as a timekeeper: the state-of-the-art argument is always nice, but does it conclude that the use of one quartz without some kind of redundant quartz is sufficient? I simply do not know if other manufacturers maybe have two crystals built into a device and compare the time base. In that case, this is the state of the art, which I then need to fulfill, or am I mistaken?
You cannot implement two "sources of authority". Even attempting to arbitrate/switch between them would introduce more failure modes.
 

loewph

Registered
Thanks again, that is really good input for my problems! I was simply not sure how "safe" a quartz can be. And the arguments you list are probably sufficient for arguing about the benefit-risk ratio, or, as proposed, I will drop the quartz failure, because it is as irrelevant as the failure of a resistor, which I would never consider. And the two "sources of authority" point also shows me that mitigation actions would not be productive, but impeding.
It is superb that I can receive that kind of information from you guys, thank you a lot! Especially because I can apply these concepts to many other problems!
 

Ninja

Looking for Reality
Trusted Information Resource
LOL...Resistors are often ceramic (typically RuO2 based)...
I, personally, WOULD list resistor drift if the device were to operate at any temp above ~40C for any long period of time (years)...but I would give it the minimum likelihood. Electronics inside passively heat-sinked enclosures (no fan) can run at 40C easily.
 

loewph

Registered
Alright, then I will take this into consideration. Maybe the required amount of work for covering all resistors is not that big, in case most of them will not impede the device functionality if there is a drift. I mean, I already thought through the failure of all components on an abstract level; a faulty resistor will also lead to a faulty component, so this should be covered quite fast. The same should hold for ceramic capacitors, I guess.
 