The above question was posed by one of the delegates at a recent Quality Risk Management and ISO 14971:2019 virtual training course delivered by our expert Tutor John Lafferty.
John reviews the requirements for Single-fault and Multiple-Fault conditions in ISO 14971, the EU MDR/IVDR and related standards such as IEC 62304 and IEC 62033, and draws a conclusion as to whether or not analysis of Multiple-Fault conditions is a requirement.
“In order to fully investigate the question, a review of the relevant standards and websites which provide information on medical device risk management was carried out. In all, I found only three references to multiple-fault or multiple failure conditions or interactions between hazards in the standards I reviewed.
1. Annex A of ISO 14971:2019 – a reference to risk arising from a combination of risk control measures
2. IEC 62304:2006 – only in a circumstance where the first failure cannot be detected
3. IEC/TR 80002-1:2009 – refers to dealing with multiple failures arising from one hazard and to dealing with multiple alarms; but none of these constitute an actual requirement to conduct analysis of multiple-fault conditions.
Examination of each standard’s references to Multiple-Fault Conditions:
In this section, I examine each of the following standards for references to Multiple-Fault Conditions:
1) ISO 14971:2019 – Medical Devices – Application of Risk Management to Medical Devices
2) ISO TR 24971:2020 – Medical Devices – Guidance on the application of ISO 14971
3) The EU MDR/IVDR: – EU Regulation concerning Medical Devices 2017/745 and EU Regulation concerning In Vitro Diagnostic Medical Devices 2017/746
4) IEC 60601-1:2015 – Medical electrical equipment — Part 1: General requirements for basic safety and essential performance
5) IEC 62304:2006 – Medical Device Software – Software Life Cycle Processes
6) IEC/TR 80002-1:2009 – Medical Device Software – Guidance on the application of ISO 14971 to medical device software
7) IEC 62366:2007 – Medical Devices – Application of Usability Engineering to Medical Devices
1) ISO 14971
ISO 14971:2019 does not mention the term ‘multiple-fault condition’; however, Informative Annex A Rationale for Requirements, paragraph A.2.7.5 Risks arising from risk control measures, contains the following statement: ‘This subclause recognises that risk control measures alone or in combination might introduce a new and sometimes quite different hazard, and that risk control measures introduced to reduce one risk might increase another risk’. Informative Annex A suggests that failures arising from interactions between controls should be analysed; however, this is not referred to in the corresponding clause of the standard, clause 7.5 Risks Arising from Risk Control Measures; therefore there is no actual requirement to do so.
2) ISO TR 24971
ISO 14971:2019 does not mention the term ‘multiple-fault condition’.
3) The EU MDR/IVDR
The Medical Devices Regulation MDR 2017/745 Annex 1 mentions the term ‘single-fault condition’ in four clauses, 14.3 (risk of fire and explosion), 17.1 (software), 18.1 (non-implantable active devices) and 18.7 (electric shock), but the term ‘multiple-fault condition’ does not appear anywhere in the regulation. Similar references are contained in Annex 1 of the In Vitro Diagnostic Medical Devices Regulation IVDR 2017/746.
4) IEC 60601
IEC 60601-1:2006 includes a total of 294 incidences of the term ‘single-fault’ but no incidence of the term ‘multiple-fault’. During my research on this subject I came across an article on medical device functional safety (TodaysMedicalDevelopments.com) which refers to the requirements of IEC 60601-1 Medical Electrical Equipment and Systems. This article suggests that analysis of multiple faults is required if the first fault cannot be detected. This suggestion arises from Clause 4.7 Single Fault Condition of ME Equipment, which states: ‘ME EQUIPMENT is considered SINGLE FAULT SAFE if ……. b) a SINGLE FAULT CONDITION occurs, but: – the initial fault will be detected during the EXPECTED SERVICE LIFE of the ME EQUIPMENT and before a second means for reducing a RISK fails …. or ….’
My reading of the above is that whilst analysis of multiple faults in the circumstance where a fault cannot be detected may be an implication of IEC 60601-1 Clause 4.7, there is no direct requirement for analysis of multiple faults in general in IEC 60601-1.
5) IEC 62304
IEC 62304:2006 does not make reference to multiple software failures.
6) IEC/TR 80002-1
IEC/TR 80002-1:2009 Paragraph 6.2.1.3 Protective Measures states: ‘In choosing protective measures that are implemented in software and applied to software, it is important to avoid the possibility of multiple failures arising from one cause’. Annex B: Table B.1 Examples of causes by software function, includes the question: ‘Do specifications identify how the SYSTEM reacts to multiple alarm conditions?’ IEC/TR 80002-1 is a guidance standard and does not specify requirements for risk assessment.
7) IEC 62366
IEC 62366:2015 does not make reference to multiple use faults by a user.
Conclusions:
There are no actual requirements for the analysis of multiple-fault conditions in relation to medical device safety in any of the medical device standards that I reviewed, nor do the EU MDR or EU IVDR require this. There are a small number of related references in guidance documents but, taken together, these do not make a strong case for an imperative to analyse multiple-fault conditions. The EU MDR and IVDR require medical device manufacturers to reduce all risks as far as possible given the state of the art. In this case, the state of the art is defined (for the most part) in the standards referred to above, none of which require the analysis of multiple conditions with respect to device safety. The reasoning behind the absence of requirements for the analysis of multiple-fault conditions is that the probability of occurrence of multiple-fault conditions is considered to be far lower than that of the corresponding single faults.
However, it should be remembered that in any case where there is a high probability of a multiple-fault failure, and if that failure will cause injury to patients or users, then the intent of all medical device regulations is that such a risk should be considered unacceptable. Such risk must be eliminated or reduced as far as possible and can only be accepted if the benefits of the device use outweigh the risk.”
You can follow the SQT LinkedIn page for regular updates. For dates and details of upcoming training courses in this area, please see our Life Science programme category.
We offer public and in-house training options to suit an organisation's needs and most of our courses are now delivered through virtual training. Please contact us anytime and we will be delighted to help you in your training journey.