Software Risk Management: Safety Characteristics Question Checklist (IEC TR 80002-1)

Appendix 2: List of Safety Characteristics of XXXXXX

This list is based on the list of questions in Appendix B of IEC TR 80002-1:2009. It is used to judge the intended use and the safety-related characteristics of the medical device, so that the product's safety characteristics are known and a foundation is laid for the further risk analysis.

Columns: Item | Question | Determine safety features | Potential hazard | Harm No.
The last three columns are blank in this template. The following questions are based on Appendix B of IEC TR 80002-1:2009.

B.1 Alarms and alerts
B.1.1 Do specifications identify how the SYSTEM reacts to multiple alarm conditions?
  B.1.1.1 Are there multiple levels of alarms? Do higher level alarms override the audio for lower level alarms?
  B.1.1.2 Should any of the alarms persist until the user can acknowledge the alarm?
B.1.2 Does the protective action create a usability problem, i.e. can the user safely navigate from the protective action?
B.1.3 Is safe mode action appropriate for INTENDED USE? Has the clinical staff reviewed safe mode scenarios? Is safe mode state apparent to the user?
B.1.4 Has the clinical staff reviewed protective measures for usability?
B.1.5 Are detected errors logged? Is the log large enough? Is log storage reliable? How is the log cleared?
B.1.6 Has the INTENDED USE environment been considered for audible alarm design?
  B.1.6.1 Have users been involved in developing requirements for user interface design?
  B.1.6.2 How is the audio SYSTEM verified per power-up or per patient?

B.2 Critical power cycle states
B.2.1 What happens to a memory write that was in progress when power was lost?
  B.2.1.1 Is the software made aware of impending power loss?
  B.2.1.2 Is non-volatile storage verified on power-up?
  B.2.1.3 Are critical parameters checked before use?
B.2.2 Is reset being used as a RISK CONTROL measure?
  B.2.2.1 Will input/output control be compromised during the reset cycle?
  B.2.2.2 Is the user made aware of resets?
B.2.3 Is recovery time a SAFETY issue?
  B.2.3.1 Is availability of the MEDICAL DEVICE a SAFETY issue?
  B.2.3.2 How is non-volatile storage impacted by the failsafe protective measure?
B.2.4 Are any RISK CONTROL measures compromised during low power modes?
  B.2.4.1 Has software recovery from low power modes been considered as a possible start-up state for VERIFICATION and validation activities?

B.3 Critical user controls / Usability
B.3.1 Is the user notified if an adjustment is made to a new value but never selected or confirmed?
  B.3.1.1 Should the parameter being adjusted require a two-step operation for change?
B.3.2 Should the user be prompted for confirmation?
  B.3.2.1 Does software check data entry for validity?
  B.3.2.2 Does it require supervisory user login to confirm highly critical inputs or error overrides?
B.3.3 How many "layers" must the user navigate to access a SAFETY-related function?
B.3.4 Have all automatic screen switches been evaluated?
B.3.5 How will a color blind operator interpret the error message?
  B.3.5.1 Have users been involved in developing requirements for user interface design?

B.4 Display
B.4.1 Is there a technique being used to ensure correct orientation of the image?
  B.4.1.1 How are images associated with the patient?
B.4.2 What frequency content is required for display?
  B.4.2.1 Has the clinical staff reviewed that requirement?
  B.4.2.2 Has the display filter been fully characterized, i.e. what is rejected and what is passed, over the full range of inputs?

B.5 Hardware controls
B.5.1 What is the sampling rate?
  B.5.1.1 If PID control, is the integral gain limited? Has the algorithm been characterized over the full variation of manufactured hardware?
  B.5.1.2 If feedback control, what checks are made of the validity of the feedback signal?
  B.5.1.3 Have all data types been evaluated for the microprocessor and compiler in use?
B.5.2 Are all assertions continuously verified on a scheduled basis?
  B.5.2.1 Could a "common mode" error exist in therapy control software and SAFETY monitor software?
  B.5.2.2 Are SAFETY monitors verified per power-up or per patient?
B.5.3 Does software detect that a bit is stuck (never changes)?
  B.5.3.1 Has the polling rate been discussed with the SYSTEM or hardware engineer?
B.5.4 Does software perform a reasonableness or validity check of calibration values, i.e. slope or offset?
  B.5.4.1 Is the user aware of auto-cal or auto-zero?
B.5.5 Are all hardware faults reported to the user?
  B.5.5.1 Should hardware faults be checked at power-up, before each treatment or session, or on a continuous basis such as once per second?
B.5.6 Does software enforce completion of the cycle?
B.5.7 Can software detection of an incomplete cleaning or disinfection cycle be defeated?
B.5.8 Are all assertions continuously verified on a scheduled basis?
  B.5.8.1 Can SAFETY SYSTEMS be defeated, i.e. pump operated without the tube in the SAFETY clamp?
B.5.9 Have SAFE STATES been defined and analyzed thoroughly, including the impact of delay of treatment and safe shutdown sequences for the range of target populations (e.g. adults, neonates)?
  B.5.9.1 Can software support a limited functionality "mode" and inform the user of the situation?

B.6 Monitoring
B.6.1 Have therapy control and therapy monitor software been developed independently?
  B.6.1.1 Has the software design eliminated or minimized the possibility of a race condition at this decision point?
B.6.2 Is the control subsystem aware of monitor subsystem actions?
  B.6.2.1 How are deactivated parameters communicated to the user or to networked SYSTEMS?
B.6.3 How is the user made aware of a "frozen" display?
  B.6.3.1 Is video "context" saved before pre-emption?
B.6.4 Is the sampling rate appropriate for the frequency content of the signal?
  B.6.4.1 Is the measurement value stored in consistent units throughout the software layers?

B.7 Interfaces
B.7.1 Does each software function verify passed parameters?
  B.7.1.1 Does the software language support more robust type checking?
  B.7.1.2 Is the software designed with consistent units for values throughout the software package?
  B.7.1.3 Are arguments modified at a higher priority processing layer?
B.7.2 Has the software been designed to tolerate any physical network connection condition?
  B.7.2.1 Can a remote connection degrade SYSTEM performance by repeatedly sending commands or bogus data?
  B.7.2.2 Does the MEDICAL DEVICE check that the network name is not already in use?

B.8 Data
B.8.1 Can there be display of multiple independent identifiers to put the user in the loop of detecting mix-ups?
  B.8.1.1 Can critical identifiers be embedded with the actual data as a cross-check?
B.8.2 What reports will be used for clinical purposes?
  B.8.2.1 What is the SEVERITY of HARM if the data is incorrect? How likely is it that a clinician would notice the problem?
B.8.3 How can data corruption be detected prior to use of the data?
  B.8.3.1 Can this be done with each use instead of only at start-up?

B.9 Diagnostic
B.9.1 Has the alarm indication hierarchy been thoroughly reviewed, and also reviewed with clinical staff?
  B.9.1.1 What arithmetic precision is required?
  B.9.1.2 How should mathematical formulas be coded to ensure adequate precision?
B.9.2 Are application PROCESSES locked out during diagnostics at appropriate times?
  B.9.2.1 Are diagnostics locked out during critical timed cycles?

B.10 SECURITY
B.10.1 What data is critical and should not be modifiable by the user or should require superviso
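Items B.2.1 (a write in progress when power is lost), B.2.1.2 and B.2.1.3 (verify storage on power-up, check critical parameters before use), B.5.4 (reasonableness check of slope and offset), B.8.1.1 (identifiers embedded with the data) and B.8.3/B.8.3.1 (detect corruption on every use) describe one coherent storage design. The C below is an added example of that design, not code from IEC TR 80002-1 or from the XXXXXX product: the record layout, the `NV_MAGIC` tag, the slope and offset limits, and the two-slot scheme are all assumptions made for illustration. The flash image is simulated in RAM so the block runs on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record for one sensor calibration (slope/offset) kept in
 * non-volatile memory. Names, limits and layout are assumptions for this example. */
#define NV_MAGIC        0x43414C31u   /* record type tag */
#define NV_VERSION      1u
#define SLOPE_MIN       0.90f         /* plausible gain band for this sensor (B.5.4) */
#define SLOPE_MAX       1.10f
#define OFFSET_MAX_ABS  5.0f

typedef struct {
    uint32_t magic;      /* record type tag */
    uint32_t version;    /* layout version */
    uint32_t device_id;  /* identifier stored with the data as a cross-check (B.8.1.1) */
    uint32_t seq;        /* write sequence number, selects the newest valid slot */
    float    slope;      /* calibration gain */
    float    offset;     /* calibration offset */
    uint32_t crc;        /* CRC-32 over every field above (B.8.3) */
} nv_cal_record_t;

typedef enum { NV_OK = 0, NV_BAD_MAGIC, NV_BAD_CRC, NV_WRONG_DEVICE, NV_OUT_OF_RANGE } nv_status_t;

/* Two slots: a write always goes to the slot that is NOT currently valid, so a
 * write interrupted by power loss (B.2.1) can only damage a stale copy. */
typedef struct { nv_cal_record_t slot[2]; } nv_cal_store_t;

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bitwise form. */
static uint32_t crc32(const void *buf, size_t len)
{
    const uint8_t *p = buf;
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t record_crc(const nv_cal_record_t *r)
{
    return crc32(r, offsetof(nv_cal_record_t, crc));
}

/* Seal a record before it is written to NV storage. */
void nv_cal_seal(nv_cal_record_t *r, uint32_t device_id, uint32_t seq, float slope, float offset)
{
    memset(r, 0, sizeof *r);             /* no indeterminate padding under the CRC */
    r->magic = NV_MAGIC;  r->version = NV_VERSION;
    r->device_id = device_id;  r->seq = seq;
    r->slope = slope;  r->offset = offset;
    r->crc = record_crc(r);
}

/* Validate a record read back from NV storage. Cheap enough to run on every
 * use of the values, not only at power-up (B.2.1.3, B.8.3.1). */
nv_status_t nv_cal_validate(const nv_cal_record_t *r, uint32_t expected_device_id)
{
    if (r->magic != NV_MAGIC || r->version != NV_VERSION) return NV_BAD_MAGIC; /* erased flash reads 0xFF */
    if (record_crc(r) != r->crc) return NV_BAD_CRC;
    if (r->device_id != expected_device_id) return NV_WRONG_DEVICE;           /* record from another unit */
    /* Written as "inside the band" so that NaN (possible from corrupt flash) is rejected too. */
    if (!(r->slope >= SLOPE_MIN && r->slope <= SLOPE_MAX)) return NV_OUT_OF_RANGE;
    if (!(r->offset >= -OFFSET_MAX_ABS && r->offset <= OFFSET_MAX_ABS)) return NV_OUT_OF_RANGE;
    return NV_OK;
}

/* Pick the valid slot with the highest seq; returns its index, or -1 with *out = NULL. */
int nv_cal_select(const nv_cal_store_t *s, uint32_t device_id, const nv_cal_record_t **out)
{
    int best = -1;
    for (int i = 0; i < 2; i++) {
        if (nv_cal_validate(&s->slot[i], device_id) != NV_OK) continue;
        if (best < 0 || s->slot[i].seq > s->slot[best].seq) best = i;
    }
    *out = (best >= 0) ? &s->slot[best] : NULL;
    return best;
}

/* Write new calibration values into the inactive slot; returns the slot written. */
int nv_cal_write(nv_cal_store_t *s, uint32_t device_id, float slope, float offset)
{
    const nv_cal_record_t *cur;
    int active = nv_cal_select(s, device_id, &cur);
    uint32_t seq = cur ? cur->seq + 1 : 1;
    int target = (active == 0) ? 1 : 0;  /* -1 (no valid slot yet) also lands in slot 0 */
    nv_cal_seal(&s->slot[target], device_id, seq, slope, offset);
    return target;
}

int main(void)
{
    nv_cal_store_t store;
    memset(&store, 0xFF, sizeof store);          /* simulated erased flash */
    nv_cal_write(&store, 0x1234, 1.02f, 0.5f);   /* first calibration -> slot 0 */
    nv_cal_write(&store, 0x1234, 1.03f, 0.4f);   /* second -> slot 1 */
    store.slot[0].slope = 1.50f;                 /* simulate a torn write in slot 0 */
    const nv_cal_record_t *r;
    int idx = nv_cal_select(&store, 0x1234, &r);
    printf("using slot %d, seq %u\n", idx, r ? r->seq : 0u);
    return 0;
}
```

The order of checks in `nv_cal_validate` matters: the magic and CRC tests reject erased or torn records before any field is interpreted, the device identifier catches a record copied from another unit, and the range test catches a correctly sealed record whose values are still implausible for this hardware. A torn write in the inactive slot leaves the previous record selectable, which is the answer the checklist is looking for under B.2.1.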
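Items B.7.1 (each function verifies its passed parameters) and B.7.2.1 (a remote connection repeatedly sending commands or bogus data) are usually answered together at the network-facing command handler. The C below is an added example of such a handler, not code from IEC TR 80002-1 or from the XXXXXX product: the `SET_RATE` frame format, the `RATE_MAX_TENTHS` ceiling and the token-bucket parameters are assumptions chosen for illustration, and the "network" is a byte array constructed in the block.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical wire format for a remote SET_RATE command, assumed for this example:
 *   byte 0     command id, 0x10 = SET_RATE
 *   byte 1     payload length, must be 4
 *   bytes 2-5  requested rate in 0.1 mL/h units, big-endian
 *   byte 6     XOR of bytes 0-5 */
#define CMD_SET_RATE     0x10u
#define CMD_FRAME_LEN    7u
#define RATE_MAX_TENTHS  50000u   /* 5000.0 mL/h hard ceiling, assumed */

typedef enum {
    CMD_OK = 0, CMD_RATE_LIMITED, CMD_BAD_LENGTH, CMD_BAD_ID, CMD_BAD_CHECKSUM, CMD_OUT_OF_RANGE
} cmd_status_t;

/* Token bucket: at most `capacity` commands in a burst, `refill_per_sec` sustained. */
typedef struct {
    uint32_t capacity, tokens, refill_per_sec;
    uint32_t last_ms;        /* time of last refill, from a monotonic ms tick */
} ratelimit_t;

typedef struct {
    uint32_t rate_tenths;    /* current accepted set-point */
    uint32_t dropped_flood;  /* frames refused by the limiter  (B.7.2.1) */
    uint32_t dropped_bogus;  /* frames refused by validation   (B.7.1)   */
} pump_iface_t;

void ratelimit_init(ratelimit_t *rl, uint32_t capacity, uint32_t refill_per_sec, uint32_t now_ms)
{
    rl->capacity = capacity;  rl->tokens = capacity;
    rl->refill_per_sec = refill_per_sec;  rl->last_ms = now_ms;
}

bool ratelimit_allow(ratelimit_t *rl, uint32_t now_ms)
{
    uint32_t elapsed = now_ms - rl->last_ms;                /* wrap-safe unsigned difference */
    uint64_t add = (uint64_t)elapsed * rl->refill_per_sec / 1000u;
    if (add > 0) {                                          /* advance last_ms only when a whole token is earned */
        uint64_t t = rl->tokens + add;
        rl->tokens = (t > rl->capacity) ? rl->capacity : (uint32_t)t;
        rl->last_ms = now_ms;
    }
    if (rl->tokens == 0) return false;
    rl->tokens--;
    return true;
}

static uint8_t xor_checksum(const uint8_t *b, size_t n)
{
    uint8_t x = 0;
    for (size_t i = 0; i < n; i++) x ^= b[i];
    return x;
}

/* Build a well-formed SET_RATE frame (used by the demo below). */
void cmd_build_set_rate(uint8_t out[CMD_FRAME_LEN], uint32_t rate_tenths)
{
    out[0] = CMD_SET_RATE;  out[1] = 4;
    out[2] = (uint8_t)(rate_tenths >> 24);  out[3] = (uint8_t)(rate_tenths >> 16);
    out[4] = (uint8_t)(rate_tenths >> 8);   out[5] = (uint8_t)rate_tenths;
    out[6] = xor_checksum(out, 6);
}

/* Handle one frame from the network. Limiter first, so a flood costs no parsing time;
 * then every field is checked before it is used. The set-point changes only on CMD_OK. */
cmd_status_t iface_handle(pump_iface_t *p, ratelimit_t *rl, uint32_t now_ms,
                          const uint8_t *msg, size_t len)
{
    if (!ratelimit_allow(rl, now_ms)) { p->dropped_flood++; return CMD_RATE_LIMITED; }
    if (len != CMD_FRAME_LEN || msg[1] != 4) { p->dropped_bogus++; return CMD_BAD_LENGTH; }
    if (msg[0] != CMD_SET_RATE) { p->dropped_bogus++; return CMD_BAD_ID; }
    if (xor_checksum(msg, 6) != msg[6]) { p->dropped_bogus++; return CMD_BAD_CHECKSUM; }
    uint32_t rate = ((uint32_t)msg[2] << 24) | ((uint32_t)msg[3] << 16) |
                    ((uint32_t)msg[4] << 8)  |  (uint32_t)msg[5];
    if (rate > RATE_MAX_TENTHS) { p->dropped_bogus++; return CMD_OUT_OF_RANGE; }
    p->rate_tenths = rate;
    return CMD_OK;
}

int main(void)
{
    ratelimit_t rl;  pump_iface_t pump = {0};
    ratelimit_init(&rl, 5, 1, 0);                   /* burst of 5, then 1 command per second */
    uint8_t frame[CMD_FRAME_LEN];
    cmd_build_set_rate(frame, 1250);                /* 125.0 mL/h */
    for (int i = 0; i < 10; i++)                    /* constructed flood: 10 frames at t = 100 ms */
        iface_handle(&pump, &rl, 100, frame, sizeof frame);
    frame[6] ^= 0x01;                               /* corrupt the checksum */
    iface_handle(&pump, &rl, 4000, frame, sizeof frame);
    printf("rate=%u dropped_flood=%u dropped_bogus=%u\n",
           pump.rate_tenths, pump.dropped_flood, pump.dropped_bogus);
    return 0;
}
```

The limiter bounds how much processor time the interface can take from the therapy loop, which is the B.7.2.1 concern; the length check precedes every indexed access so that a short frame can never read past the buffer, and the range check applies the same ceiling the device would apply to a local keypad entry (B.3.2.1). None of this identifies who sent the frame; that is a separate question under the checklist's B.10 SECURITY items.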
