Is Analysis of Multiple-Fault Conditions a Requirement of ISO14971?
Is Analysis of Multiple-Fault Conditions a Requirement of ISO14971? Written by: John Lafferty. Read time: 5 minutes
The above question was posed by one of the delegates at one of my recent Quality Risk Management and ISO 14971:2019 training courses.
In this article, I review the requirements for Single-fault and Multiple-Fault conditions in ISO 14971, the EU MDR/IVDR and related standards such as IEC 62304 and IEC 62033, and draw a conclusion as to whether or not analysis of Multiple-Fault conditions is a requirement.
In order to fully investigate this question, I carried out a review of the relevant standards and websites which provide information on medical device risk management. In all, I found only three references to multiple-fault or multiple failure conditions or interactions between hazards in the standards I reviewed.
Three references to multiple-fault conditions in medical device standards:
The only references that I found which refer to multiple-fault or multiple failure conditions or interactions between hazards were as follows;
1. Annex A of ISO 14971:2019 – a reference to risk arising from a combination of risk control measures
2. IEC 62304:2006 - only in a circumstance where the first failure cannot be detected
3. IEC/TR 80002-1:2009 - refers to dealing with multiple failures arising from one hazard and to dealing with multiple alarms;
but none of these constitute an actual requirement to conduct analysis of multiple-fault conditions.
In this section, I examine each of the following standards for references to Multiple-Fault Conditions:
Examination of each standard’s references to Multiple-Fault Conditions:
1) ISO 14971:2019 – Medical Devices – Application of Risk Management to Medical Devices
2) ISO TR 24971:2020 - Medical Devices – Guidance on the application of ISO 14971
3) The EU MDR/IVDR: - EU Regulation concerning Medical Devices 2017/745 and EU Regulation concerning In Vitro Diagnostic Medical Devices 2017/746
4) IEC 60601-1:2015 - Medical electrical equipment — Part 1: General requirements for basic safety and essential performance
5) ICE 62304:2006 Medica Device Software -Software Life Cycle Processes
6) IEC/TR 80002-1:2009 Medica Device Software -Guidance on the application of ISO 14971 to medical device software
7) ICE 62366:2007 – Medical Devices Application of Usability Engineering to Medical Devices
1) ISO 14971
ISO 14971:2019 does not mention the term ‘multiple-fault condition’; however, Informative Annex A Rationale for Requirements, paragraph A.2.7.5 Risks arising from risk control measures contains the following statement;
‘This subclause recognises that risk control measures alone or in combination might introduce a new and sometimes quite different hazard, and that risk control measures introduced to reduce one risk might increase another risk’.
Informative Annex A suggests that failures arising from interactions between controls should be analysed; however, this is not referred to in the corresponding clause of the standard clause 7.5 Risks Arising from Risk Control Measures therefore there is no actual requirement to do so.
2) ISO TR 24971
ISO 14971:2019 does not mention the term ‘multiple-fault condition’.
3) The EU MDR/IVDR
The Medical Devices Regulation MDR 2017/745 Annex 1 mentions the term ‘single-fault condition’ in four clauses 14.3 (risk of fire and explosion),17.1 (software) 18.1 (non-implantable active devices) and 18.7 (electric shock) but the term ‘multiple-fault condition’ does not appear anywhere in the regulation.
Similar references are contained in Annex 1 of the In Vitro Diagnostic Medical Devices Regulation IVDR 2017/746.
4) IEC 60601
IEC 60601-1:2006 includes a total of 294 incidences of the term ‘single-fault’ but no incidence of the term ‘multiple-fault’.
During my research on this subject I came across an article on medical device functional safety ( TodaysMedicalDevelopments.com
) which refers to the requirements of IEC 60601-1 Medical Electrical Equipment and Systems. This article suggests that analysis of multiple faults is required if the first fault cannot be detected. This suggestion arises from Clause 4.7 Single Fault Condition of ME Equipment, which states; ‘ME EQUIPMENT is considered SINGLE FAULT SAFE if …….
b) a SINGLE FAULT CONDITION occurs, but:
– the initial fault will be detected during the EXPECTED SERVICE LIFE of the ME EQUIPMENT and before a second means for reducing a RISK fails ….
My reading of the above is that whilst analysis of multiple faults in the circumstance where a fault cannot be detected may be an implication of IEC 60601-1 Clause 4.7, there is no direct requirement for analysis of multiple faults in general in IEC 60601-1.
5) ICE 62304
IEC 62304:2006 does not make reference to multiple software failures.
6) IEC/TR 80002-1
IEC/TR 80002-1:2009 Paragraph 220.127.116.11 Protective Measures states; ‘In choosing protective measures that are implemented in software and applied to software, it is important to avoid the possibility of multiple failures arising from one cause’.
Annex B: Table B.1 Examples of causes by software function, includes the question; ‘Do specifications identify how the SYSTEM reacts to multiple alarm conditions?’
IEC/TR 80002-1 is a guidance standard and does not specify requirements for risk assessment.
7) ICE 62366
IEC 62366:2015 does not make reference to multiple use faults by a user.
Conclusions: There are no actual requirements for the analysis of multiple-fault conditions in relation to medical device safety in any of the medical device standards that I reviewed nor do the EU MDR or EU IVDR require this. There are a small number of related references in guidance documents but, taken together, these do not make strong case for an imperative to analyse multiple-fault conditions. The EU MDR and IVDR require medical device manufacturers to reduce all risks as far as possible given the state of the art. In this case, the state of the art is defined (for the most part) in the standards referred to above, none of which require the analysis of multiple conditions with respect to device safety.
The reasoning behind the absence of requirements for the analysis of multiple-fault conditions is that the probability of occurrence of multiple-fault conditions is considered to be far lower than that of the corresponding single faults.
However, it should be remembered in any case where there is a high probability of a multiple-fault failure and if that failure will cause injury to patients or users then the intent of all medical device regulations is that such as risk should be considered unacceptable. Such risk must be eliminated or reduced as far as possible and can only be accepted if the benefits of the device use outweigh the risk.
Share your thoughts with us
Your comments are invited in relation to this article. If anyone is working with a standard or subpart of a standard that refers to a requirement for the analysis of multiple fault conditions not mentioned above then I would be delighted to hear from you.
ISO 14971:2019 Training Course Information
Northridge Quality & Validation and our training partners, SQT Training run a comprehensive training course on ISO 14971:2019. Note: This course is delivered via a Virtual Classroom (not in person)
Quality Risk Management and ISO 14971:2019 Course Content:
The course will cover the principles and practices of Risk Management and the actions that Medical Device Manufacturers need to do to comply with ISO 14971:2019 and the Medical Devices Regulations. Course Date and Booking:
This course is delivered by virtual classroom delivery so that you can attend the course without leaving your office or home. See details and book the course here.
Ongoing updates on ISO 14971:2019
In the months ahead, Northridge Quality & Validation and our training partners SQT Training Ltd. will bring you further updates on the topics discussed above. You can follow the Northridge Quality & Validation LinkedIn company page here.
If you wish to get our updates sent directly to your inbox, please sign up for our eNewsletter.
About the Author - John Lafferty
John Lafferty is the owner of the Northridge Quality & Validation which provides consultancy to the Medical Device industry.
Specialities His specialities include Software Validation, MDSAP, ISO 13485, ISO 14971 and MDR. John is the holder of a Degree in Manufacturing Technology, Certificate in Training & Continuing Education, Certificate in Quality Management.
He has over 25 years’ experience in the medical device and pharmaceutical industry. He was a Senior Manager of a multinational Medical Devices plant where he managed the Quality, Regulatory, Environmental and Health & Safety Management Systems. He has successfully completed numerous consultancy projects with medical device manufacturers in Ireland and throughout Europe.
SQT Training Tutor
John is also a Life Sciences Tutor with SQT Training