is Safety Engineering?
is a process used to determine how a device can cause hazards to occur and
then reducing the risks to an acceptable level. The process consists of: (1)
the developer of the system determining what could go wrong with the device,
(2) determining how the effects of the failure can be
mitigated, and (3) implementing and testing mitigations.
The analysis must start with the system level and include the device, the
patient, operator, and environment hazards. Once the hazards are determined
and the risk assessment (with predefined quantitative definitions) is assigned, the hazards can be assigned to hardware
and/or software as appropriate.
The software hazards are then further broken down into a Fault Tree, which is
a top-down approach to determining the functions which cause and the ones which mitigate the associated hazards. At the end of
the fault tree analysis, the safety engineer needs to show the risk is lower
due to the mitigations in place. The mitigations must be testable in order
for the developer to demonstrate to the FDA that they have installed the
mitigation and it is effective.
Performing Hazard Analysis
There are several methods available for performing the hazard analysis.
The most common types are Failure Mode and Effects Analysis (FMEA) and Fault
Tree Analysis (FTA). Since the software does not have a meantime between
failures (MTBF), CriTech has found the FTA method to be superior in the
software safety analysis.
Levels of Risk
CriTech uses a
three-range process for determining acceptable levels of risks. The three
ranges are acceptable, ALARP, and unacceptable, which are defined below:
– The risk is low
enough that no further mitigation is required. Generally, the acceptable
range has a very low probability of occurrence and also
does not have a severe hazard associated with it.
ALARP (As Low As Reasonably Possible) – The risks associated with the
ALARP range are of the type which the developer should lower the risk as far
as reasonable with management input. The cost of lowering these risks needs
to be weighed against the cost of leaving the risk
as it is.
Unacceptable – All risk factors in the unacceptable range must be mitigated into at least the ALARP region. If any
hazards are still in this range at the end of the project, they must be listed as Safety Concerns in the final hazards
report. The management of the company selling the product needs to include an
explanation of why it is left in the
"UNACCEPTABLE" region to the FDA.
determination of how faults can occur requires an individual or team of
people with extensive experience in the development of similar types of
systems such as real-time embedded systems, PC systems, workstations, or
other like processes. CriTech Research uses a structured process for the
development of software, which greatly enhances the ability of the safety
engineers in the performance of hazard analysis.