An Extended Notation of FTA for Risk Assessment of Software-intensive Medical Devices. - Recognition of The Risk Class Before and After The Risk Control Measure - Yoshio SAKAI Engineering Promotion Center, NIHON KOHDEN CORPORATION Seiko SHIRASAKA The Graduate School of System Design and Management, KEIO University Yasuharu NISHI Department of Systems Engineering, The University of Electro-Communications
34
Embed
An Extended Notation of FTA for Risk Assessment of Software-intensive Medical Devices.
An extended notation of FTA for risk assessment of software-intensive medical devices Yoshio Sakai, Seiko Shirasaka and Yasuharu Nishi It is difficult to assess the risk of software-intensive medical devices. An extended notation of FTA recognizes the risk class before and after the risk control measure and the software in the system affects the top event of FTA.
You can see this content as 6-pages paper from IEEE Website.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
An Extended Notation of FTA for Risk Assessment of Software-intensive Medical Devices.
- Recognition of The Risk Class Before and After The Risk Control Measure -
Yoshio SAKAI Engineering Promotion Center, NIHON KOHDEN CORPORATION Seiko SHIRASAKA The Graduate School of System Design and Management, KEIO University Yasuharu NISHI Department of Systems Engineering, The University of Electro-Communications
1. Explanation of the traditional FTA which lack consideration of the software. 2. Explanation of the risk assessment method in ISO 14971 which lack consideration of
the software. 3. Explanation of solutions using an extended notation of FTA.
2
1. Traditional FTA 2. Risk Assessment Method in ISO 14971
Fault Tree Analysis (FTA) was originally developed for Minuteman Missile in 1962 at Bell Laboratories by H.A. Watson. At that time, FTA was designed because the electronic system was not able to endure vibration and caused it to break down.
As for the FTA, completeness was raised by BOEING.
1962
1965
NOW The FTA is used widely.
The cause of the trouble was the hardware failure,
The traditional FTA which lacks consideration of the software.
• When FTA was developed, the failure caused by the software was not an element of the failures of FTA.
• The traditional FTA is not comprehensible about – The effectiveness before and after the risk control measure. – The software in the system and the risk control measure affects the top event.
• The calculation of the failure rate on FTA can not use for the failure caused by the software.
The definition and explanation of Systematic Failure
This International Standard NOTE4 : • sets requirements for the avoidance and control of systematic faults, which are based
on experience and judgment from practical experience gained in industry. Even though the probability of occurrence of systematic failures cannot in general be quantified the standard does, however, allow a claim to be made, for a specified safety function, that the target failure measure associated with the safety function can be considered to be achieved if all the requirements in the standard have been met;
SOURCE: IEC 61508-3:2010
Systematic Failure failure, related in a deterministic way to a certain cause, that can only be eliminated by a change of the design or of the manufacturing process, operational procedures, documentation or other relevant factors
Two types of evaluation of the hazard caused by Systematic Software Failure
9
The probability of such failure shall be assumed to be 100 percent. (IEC 62304:2006)
If the hazard could arise from a failure of the software, the risk evaluation should be analyzed by the following two concerns. (IEC 62304:2006 Amd.1 , This Study)
• The probability is 100%. • This 100 percent principle has been chosen for conservative purpose
but not practical in real application.
• 1st concern is the risk level as the severity of the harm before the risk control measures. • 2nd concern is the risk level as the severity of the harm after the risk control measures. • The evaluation of the residual risk is of importance, but under the cause of the software, the
probability of occurrence of harm before the risk control measures is not.
The mode of cut or coagulation is switched by software.
Mode Principles
Cut For cutting, a continuous single frequency sine wave is often employed.
Coagulation For coagulation, the average power is typically reduced below the threshold of cutting. Generally, the sine wave is turned on and off in a rapid succession.
13
The Principles of Electrosurgical Knife
There are the serious hazardous situations in the software system.
2nd column from the bottom and on the left side of FTA Example a. The right basic event is an abnormal monitoring failure. b. This event is caused by the software. c. It is described with Class Bs as impact level of risk Class
B and with “s” as the effect of the software. d. The abnormal monitoring inhibits and controls the output
hardware failure. This is indicated by AND function as AND(C, --Bs). The stage of inhibit is shown by the number of the minus. In this case, the risk control measure goes down the risk level by two stages from C to A.
1st column from the bottom and On the right side of FTA Example. a. The abnormal monitoring failure is caused by the
software.
b. The A/D convertor failure is caused by hardware.
c. If the basic event does not inhibit the other basic event, the highest risk class is adopted by the AND function. (This method is inspired by the notation of ASIL decomposition in ISO 26262-9)
d. The subscript “s” is inherited from the left side to the right side through the function as the affect of the software to the system.
These are the following effectiveness of this notation. • The safety analysts can recognize
– the risk class before and after the risk control measure. – the software in the system and the risk control measure affects the top event. – the effect of the risk control by the minus mark in the AND function.
• When there is the mark "s" of the event in the fault tree, the safety analysts find the start point of the effect of the software for the system safety.
• When there is the mark "s" and the minus mark, the safety analysts can recognize the risk which is given by changing software of the risk control measure.
Attention! • FTA is an excellent way to show the structure of the mechanism that
Top Event as "undesired state of the system" is generated. • On the other hand, the calculation of the failure rate on FTA has a
dangerous feature too.
21
1.The evaluation of the residual risk is of importance. 2.We can evaluate the severity of the harm before and after the risk control measures. Therefore, we should focus on the architecture of the software system and the structure of the risk control measures.
When Systematic Software Failure has not been recognized, the analysis of a radiation therapy machine named Therac-25 included the software in the fault trees but used a “generic failure rate” of 10-4 for software events.
This number was justified based on the historical performance of the Therac-25 software.(This source is from SAFEWARE by Pf. Nancy Leveson)
But now, we understand the features of the software well, and recognize it is not realistic.
REFERENCES [1] Dolores R. Wallace, D. Richard Kuhn, “Failure Modes In Medical Device Software:An
Analysis Of 15 Years Of Recall Data” , 2001 [2] S.Shirasaka, Y.Sakai, Y.Nishi, “Feature Analysis of Estimated Causes of Failures in Medical
Device Software and Proposal of Effective Measures” , ISSRE 2011, [3] ISO 14971:2007 Medical devices - Application of risk management to medical devices [4] ISO 26262-1:2011 Road vehicles - Functional safety - Part 1: Vocabulary [5] IEC/TR 80001-2-1 Application of risk management for IT-networks incorporating medical
devices – Part 2-1: Step-by-step risk management of medical IT-networks – practical applications and examples
[6] IEC 62304:2006 Medical device software - Software life cycle processes [7] “Katerina Goseva-Popstojanova, Ahmed Hassan, Ajith Guedem, Walid Abdelmoez, Diaa Eldin
M. Nassar, Hany Ammar, Ali Mili, “Architectural-Level Risk Analysis Using UML”, IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 29 NO. 10 OCTOBER 2003
[8] Sherif M. Yacoub, Hany H. Ammar, “A Methodology for Architecture-Level Reliability Risk Analysis”, IEEE TRANSACTIONS ON SOFTWARE ENGINEERING VOL. 28 NO. 6 JUNE 2002
Probability should be replaced to Effect of Risk Control Measure (e.g. Major/Moderate/Minor)
If there is the combination of the hardware faults and the software errors, we should have separation of the concern which is Hardware or Usability or Software.
Add “Risk Control Measure Type of Concern” SOFTWARE, USABILITY, HARDWARE, CONBINATION of ・・・
Probability should be replaced to Probability or Likelihood or NA(Software): Not Applicable.
• If the basic event does not inhibit the other basic event, the highest risk class is adopted by the AND function. (This method is inspired by the notation of ASIL decomposition in ISO 26262-9)
AND function without the element of the risk control as inhibit should select the maximum level of failures. Because it focus on the risk class before and after the risk control measures.