DEGREE PROJECT MEDICAL ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2019
Risk Management in Medical Devices: Hazard Identification and Verification of Mitigation Controls
GISLÉ SEGURA ROCA
KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ENGINEERING SCIENCES IN CHEMISTRY, BIOTECHNOLOGY AND HEALTH
Master in Medical Engineering
Date: March 15, 2020
Supervisor: Detlef Scholle
Examiner: Sebastiaan Meijer
Host company: Alten Sverige
Swedish title: Riskhantering i medicinska apparater: Identifiering och verifiering av risker för begränsningskontroller
During this project, the risk management of a medical device under development that deals with drug administration has been carried out. The aim of the project is to evaluate whether part of the device is safe according to the current regulations in Sweden.
The complexity of risk management processes, particularly in healthcare, together with the lack of standardised methods to develop these kinds of processes, leads to a need for new tools to reduce the time, resources and complexity of this stage of development. That is why two tools have been used and tested in order to assess their suitability under the regulatory conditions of medical device development: the Hazard Ontology (HO) and a Fault Injection System (FIS). HO is a novel tool used to identify all hazards and threats of a predefined system in a structured way. FIS, on the other hand, is a testing technique that aims to help with the study of systems when they are under faulty conditions.
To ensure that the current regulations in Sweden regarding medical devices are fulfilled, EN ISO 14971 has been used as a guide for the methods applied during the work.
The results of the project are presented for every step of the process. In the end, the main result of the risk management process is a list of the mitigation measures that must be included as safety specifications of the device.
Both tools, HO and the FIS, have proved to be compatible with the current regulations as well as useful for the process. HO gave as output a list of the main hazards of the system, and the FIS has been used in the verification step of the mitigation measures. Three mitigation measures to test with the FIS have been chosen. They deal with faults regarding a speed sensor, a potentiometer and the PWM signal controlling the motor. The mitigation measures have been verified for both the PWM signal and the potentiometer faults. However, a faulty condition that leads to an unsafe behaviour has been found for the speed sensor.
Therefore, we demonstrated that the medical system under study still has many control measures to implement, verify or improve before it can be said that it is a safe medical device.
During this project, a risk management of medical equipment that handles drugs has been carried out. The goal of the project is to evaluate whether the equipment is safe according to the Swedish regulations.
The complexity of the risk management process, especially in healthcare, together with the lack of standardised methods for developing these types of processes, leads to a need for new tools to reduce the time, resources and complexity at this stage of development. That is why two tools have been used and tested to assess their suitability under the regulatory conditions for medical device development: the Hazard Ontology (HO) and the Fault Injection System (FIS). HO is a new method used to identify all hazards and threats of an identified system in a structured way. FIS, on the other hand, is a testing technique whose purpose is to help study the system when it is under faulty conditions.
To ensure that the Swedish regulations concerning medical equipment are fulfilled, EN ISO 14971 has been used as a guide for the methods applied during the project.
The result of the project is visible for each step of the process. Finally, the main result of the risk management process is a list of the mitigation measures that must be included as safety specifications for the equipment.
Both tools, HO and FIS, have proved to be compatible with the current regulations and useful for the process. HO gave us, as output, a list of the main hazards of the system, and FIS was used in the verification step of the mitigation measures. Three mitigation measures to test with FIS have been chosen.
They address faults for a speed sensor, a potentiometer and the PWM signal that drives the motor. The mitigation measures have been verified for both the PWM signal and the potentiometer faults. However, a faulty condition that leads to unsafe behaviour has been found.
Thus, we showed that the medical system under study still has many control measures to implement, verify or improve before it can be said to be a safe medical device.
1 Introduction 1
1.1 Overview . . . 1
1.2 Research Questions . . . 2
1.3 Framework . . . 2
1.3.1 HEALTH 5G project . . . 3
1.3.2 AMASS project . . . 3
1.4 Report structure . . . 3
2 Background 5
2.1 Drug therapy . . . 5
2.1.1 Drug therapy misuse: non-adherence and abuse . . . . 6
2.1.2 Dose personalisation . . . 10
2.1.3 The medical device solution . . . 11
2.2 Safety and security . . . 12
2.2.1 Definitions . . . 12
2.2.2 State-of-the-art: Combined development life cycle for safety and security . . . 13
2.3 Contribution to the project . . . 16
2.3.1 Medical device simplification . . . 16
2.3.2 Development lifecycle simplification - Risk Management . . . 16
3 Methods 18
3.1 ISO 14971 - Risk Management of Medical Devices . . . 18
3.1.1 Risk analysis . . . 20
3.1.2 Risk evaluation . . . 24
3.1.3 Risk control . . . 25
3.1.4 Evaluation of residual risk . . . 26
3.1.5 Production and post-production information . . . 26
3.2 Hazard Ontology tool . . . 26
3.2.1 System Description Formalisation . . . 27
3.2.2 Mishap Victim Identification . . . 27
3.2.3 Hazard Population . . . 28
3.2.4 Causes Exploration . . . 28
3.3 Fault Injection System . . . 28
3.4 Own contribution clarification . . . 29
4 Results 30
4.1 Risk Management - Safety specification for the device . . . 30
4.1.1 Risk analysis . . . 31
4.1.2 Risk evaluation . . . 33
4.1.3 Risk control . . . 34
4.2 Testing of mitigation measures . . . 35
4.2.1 Design of the Fault Injection System . . . 35
4.2.2 Implementation . . . 37
4.2.3 Analysis . . . 40
5 Discussion and Conclusions 45
5.1 Discussion . . . 45
5.1.1 Research question 1 . . . 45
5.1.2 Research question 2 and 3 . . . 47
5.1.3 Research question 4 . . . 48
5.2 Conclusions . . . 48
List of Figures
2.1 Safety and Security development lifecycle. Figure from . . . 15
2.2 Scaling-up from the figure 2.2. It defines the scope of the master thesis according to the State-of-art defined in the section 2.2.4. Picture extracted from . . . 17
3.1 Risk management process. Scheme of the main phases and main activities. Adaptation from . . . 20
3.2 Scheme representing the definition of risk of a hazard with regards to probability and severity. Extracted from . . . 22
3.3 Table showing the definition for each level of probability and severity used during the project. Extracted from . . . 23
3.4 Table showing the final result of the risk estimation step. The risks found in the risk identification step are sorted according to their corresponding level of severity and probability. Extracted from . . . 23
3.5 Table presenting the expected results after the risk evaluation step. Risks sorted according to probability and severity and the threshold defining which risks are acceptable (white cells) and which ones are unacceptable (gray cells). Extracted from . . . 24
4.1 System Description Formalisation of the system under study. . . . 31
4.2 Image representing the hazard population step regarding the "Drug delivery" part of the medical device. . . . 32
4.3 Schematic showing the main components of the Fault Injection System. . . . 37
4.4 Image from the front panel of the Fault Injection System. Many of the key components can be seen, such as the failure switches, the feedback LEDs, the USB for the communication, the potentiometer, the buttons and the outputs to sense the signals of the system. . . . 38
4.5 Front view of the Fault Injection System. Front panel with main control components on the top of the picture and motor, encoder and electronic circuits inside the box. . . . 39
4.6 Inside view of the Fault Injection System. There is the DC motor on the left, the encoder system in the middle and part of the electronic circuits in the top of the picture. . . . 39
4.7 Velocity variance in rpm of the motor when no failure is injected. . . . 40
4.8 Velocity variance in rpm of the motor when speed sensor failure is injected after approximately 4.2 seconds from the start. . . . 41
4.9 Velocity variance in rpm of the motor when speed sensor failure is injected from the very beginning. . . . 42
4.10 Velocity variance in rpm of the motor when potentiometer failure is injected after approximately 6.5 seconds from the start. . . . 43
4.11 Velocity variance in rpm of the motor when PWM signal failure is injected after approximately 8 seconds from the start. . . . 43
List of Tables
2.1 Current strategies and solutions for measuring adherence to medication . . . 9
4.1 List of identified mishap victims in step 2 from the HO. . . . 32
4.2 Results from "Risk identification" step. List of main causes found for the "Damaged mechanism" and "Incorrect instructions from processor" Harm TruthMakers. . . . 33
4.3 Results from "Risk estimation" step. . . 33
4.4 Results from "Risk evaluation" step. . . 34
4.5 Results from "Risk control" step. . . 35
Chapter 1 Introduction
1.1 Overview
Drug therapy, or pharmacotherapy, is a broadly used term for the use of medication to treat a specific disease. While drugs can be categorised according to many parameters, all of them share several related problems, such as non-adherence, interaction between medications, lack of efficacy, treatment duplication and inappropriate drug prescription. Despite the existence on the market of medical devices dealing with these kinds of issues, they have proved insufficient or inefficient. Additionally, patients tend to underestimate the importance of strictly following the prescription as well as overestimate their adherence to the treatments [1, 2].
The goal of the master thesis project is to collaborate in a real-world project through the development of a medical device dealing with these problems: the OnDosis medical device. Since it is a project involving a lot of resources and a high complexity, the specific contribution had to be well delimited in order to fit the expectations of a master thesis project.
Like all medical devices, it is considered a safety-critical system. In other words, it is a system whose failure may lead to major consequences for people, the equipment and/or the environment. Therefore, it is of foremost importance to be sure that these systems are safe, efficient and reliable. During this thesis, a risk analysis of the medical device is performed as part of the safety analysis. In addition, two innovative tools will be evaluated in order to see whether they are suitable for risk management according to the current regulations in Sweden.
1.2 Research Questions
As mentioned, the master thesis work is focused on the safety analysis of a medical device system using the state-of-art approach and using some novel tools in the process. Therefore, the main research question to be answered is:
• Is a motor-encoder system safe in a medical device system dealing with drug delivery to patients according to the current regulations applying to Sweden?
During the process of answering the main research question, other questions will be answered that will help to follow an appropriate direction during the master thesis development:
• What is the current State-of-art regarding the risk analysis of medical systems?
• Is the Hazard Ontology tool appropriate for the hazard identification in the Risk Management process according to the current existing regulations for medical devices in Sweden?
• Is a fault injection system suitable as the verification tool of mitigation controls in the risk management process of a medical device according to the current existing regulations for medical devices in Sweden?
1.3 Framework
The implementation of the project has been carried out at the facilities of Alten Sweden AB, an engineering and technology consultancy with a lot of experience in medical technology. Therefore, it has been done in direct contact with experts who hold extensive experience in similar projects and who contributed a wide variety of technical, material and human resources. During the process, the project has been supervised and guided by the Royal Institute of Technology (KTH) in Stockholm.
The master thesis project is framed in two different larger European research projects in which the company collaborates: Health 5G and AMASS.
1.3.1 HEALTH 5G project
Health 5G is conducted by Celtic-Plus, which is a EUREKA Cluster focusing on ICT and telecommunication. It is a research project that started in December 2018 with a budget above 27 million Euros. The aim of this huge project according to its own definition is: "to identify novel use cases of eHealth that take advantage of 5G capabilities, study and develop 5G enablers for the use cases, develop and validate actual eHealth solutions in real environments and real 5G test networks, and disseminate and exploit the results". The project has identified three potentially relevant eHealth scenarios where 5G can be applied in healthcare: healthcare at home, the hospital environment of the future and emergency situations. The next step for Health 5G is to sharpen the scenarios and use cases in order to enhance the impact and results of the project. Alten is deeply involved in this project and collaborates with a company named OnDosis on the development of a medical device based on one of the above-mentioned scenarios: healthcare at home.
1.3.2 AMASS project
The AMASS project is a huge project framed inside the biggest European Union research programme ever, called Horizon 2020. This EU programme is focused on three main aims: "make Europe into a world-class science performer, remove obstacles to innovation (such as expensive patenting) and innovate in the way public and private sectors work together".
Precisely, AMASS stands for Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems. As said before, it is framed in Horizon 2020 and it aims to help remove obstacles to innovation. The main goal of AMASS is to lower certification costs for cyber-physical systems (CPS). They will do it through the creation of a European-wide open source tool and a community for assurance and certification of CPS.
1.4 Report structure
This master thesis is structured into five chapters, including the present one, which is the introduction. The project is structured as follows:
• Chapter 2, Background: Explains the theoretical background needed to be able to follow the project.
• Chapter 3, Methods: States and explains the decisions made with regards to the implementation of the project.
• Chapter 4, Results: Presents the results from the work stated in Methods.
• Chapter 5, Discussion and Conclusions: Displays the discussion about the obtained results as well as extracts the general conclusions from the project.
Chapter 2 Background
In this chapter a detailed description of the needed previous knowledge will be found. It is important to understand all the concepts explained here, since the master thesis work (both literature and practical), the discussion and the conclusions will be based on them. The knowledge has been grouped in the following sections: "Drug therapy", "Safety and security" and "Contribution to the project".
2.1 Drug therapy
Drug therapy, or pharmacotherapy, is a broadly used term for the use of medication to treat a specific disease. It has several applications in most fields of medicine and it can be classified according to different criteria, for instance, the intended use. In line with this example, drugs can be listed, among other categories, as analgesic if they aim to relieve pain, anti-inflammatory if they reduce the inflammatory effects and antipyretic if they aim to decrease fever. However, drug therapy has several related problems such as non-adherence, interaction between medications, lack of efficacy, treatment duplication and inappropriate drug prescription.
The main work in this master thesis is to perform a literature study and a safety analysis regarding a device that aims to deal with the biggest drug-related problems: adherence (or compliance), abuse and dosage personalisation. Although most patients are not aware of the importance of strictly following the prescription, these misuses lead to a significant decrease in the effectiveness of drug therapies . That is why it is so important to deal with these problems, since patients tend to underestimate the relevance of sporadically missing a medication intake. Moreover, patients overrate their own adherence to the treatments . The abuse problem is mostly related to medication treatments with addictive drugs. And, finally, dosage personalisation affects most of the patients receiving treatment, since the optimal dosage hardly ever matches what is available on the market when it comes to pill medication.
2.1.1 Drug therapy misuse: non-adherence and abuse
The term "adherence" is not easy to define. Nowadays, it is used in most cases as a synonym for "compliance". While the second denotes less importance for the patient, who is a subordinate of a physician that he should obey, "adherence" entails that both the doctor and the patient are on the same level and that they take shared decisions. Regardless, in healthcare, both terms refer to the same problem. In most scientific articles, they concern the patient who takes at least 80% of the prescribed pills and hence they are understood as a binary variable (adherent or non-adherent). However, both terms can also be understood as a discrete variable with more than two possible values, and a patient can be classified, for instance, as partially adherent or can be assigned a specific percentage . Since both terms address the same problem, in this report the term "adherence" will always be used when referring to this specific problem. Adherence is one of the most important and the most common drug-related problem according to . In order to visualise the magnitude of the problem, the World Health Organisation (WHO) stated that "increasing the effectiveness of adherence interventions may have a far greater impact on the health of the population than any improvement in specific medical treatment" . There are several risk factors for non-adherence, such as age, gender or the medication itself. However, the major predictor for non-adherence is the number of medications prescribed. An increase in the number of medications that a patient must take is directly related to an increase in the probability of being non-adherent to the treatment . Another related factor that can affect the drug therapy performance in a similar way according to [medication compliance and persistence] is persistence, which can be defined as the act of continuing the prescribed treatment for the entire duration of the therapy. While adherence refers to how well patients follow the therapy, persistence refers to how long patients follow the treatment with a minimum level of adherence.
On the other hand, there is another way to fail at following the prescription.
Drug abuse is the other major problem in patients with drug therapy at home.
It is defined as exceeding the intake prescribed by the physician, whether by accident or for other reasons. One of the biggest risk factors, and where special control must be placed, is patients under therapy with addictive drugs, since patients can become dependent on them. Abuse is also included as a non-adherence behaviour in the literature about this topic .
As can easily be deduced, non-adherence, non-persistence and abuse all have a great impact on the patient's therapy. Specifically, non-adherence and lack of persistence lead to an increase in mortality and morbidity from a large variety of diseases and, moreover, to an increase in the healthcare cost of the patients .
Regarding the economic impact of non-adherence, while it has been widely proved that non-adherence is highly correlated with a cost increase for the healthcare system, it is important to take each case into consideration separately. For instance, the overall expenses related to medication non-adherence are approximately US$100 billion in the USA, US$1.5 billion in Europe and US$7 billion in Australia [economic impact] .
Like all medical conditions, these drug-related problems have some risk factors that make it easier to identify the group of patients with the highest probability of undergoing non-adherence or abuse of medication. Physicians use the risk group to prevent patients from experiencing the problems through interventions that promote adherence and avoid abuse. According to recent literature regarding the main predictors and risk factors for non-adherence to medical treatment, they can be sorted into patient factors, prescriber factors, shared factors and system factors [2, 1, 12]. Patient factors are the ones related to features that belong to the patient and that cannot be changed by any of the healthcare actors, such as age and disease. Prescriber factors are related to the prescriber side of the therapy, for instance, poly-pharmacy and the complexity of the treatment. The shared factors concern issues such as lack of trust from the patient and bad communication. Finally, there are system factors that can be as important as the others. Clear examples can be found in healthcare accessibility and drug costs.
Measurement and quantification techniques
Moreover, the complexity of the problem also concerns the challenges in the measurement and quantification of adherence to medication. Measures of medication usage have been impeded by the absence of uniform standards in the field. There are several quantification methods with many subjective parameters that have been used over time with no normalisation in the scientific community [13, 2]. No method has been contemplated as the gold standard for adherence quantification, but all of them have advantages and disadvantages, variability in costs, validity and feasibility.
As presented in Table 2.2, methods for measuring adherence can be sorted into two groups: direct and indirect measures . In general, direct methods are expensive and require considerable time from healthcare providers. However, they are the most accurate, even if they can sometimes be distorted by patients. Directly observed intake of medication and measurement of biologic markers are examples of direct methods. On the other hand, indirect methods include patient self-report, performing pill counts, undertaking patient questionnaires, reviewing rates of prescription refills, measuring physiologic markers and electronic medication monitoring systems, among others. Indirect methods are, generally, noticeably easier to implement in real-life situations than direct methods, but most of them rely on the patient's objectivity. That is why many times they lead to misrepresentation of results and overestimation of the patient's adherence by healthcare providers .
Solution | Advantage | Disadvantage
Directly observed therapy | Best accuracy | Unfeasible in most situations
Measurement of biologic marker | Objective | Expensive, not always accurate
Patient self-report | Inexpensive, easiest to implement | Highly subjective and possible errors
Pill counts | Objective, quantifiable, easy to implement | Highly subjective and possible errors
Rates of prescription refills | Objective, easy to obtain | Not directly related to medication intake, closed pharmacy system required
Measurement of physiologic markers | Easy to implement | Markers may vary due to other reasons
Electronic medication monitoring systems | High precision, time monitoring | Expensive, not easy to implement
Table 2.1: Current strategies and solutions for measuring adherence to medication [1, 2, 6, 14]
The most commonly used method to assess adherence to medication has been patient questioning. This method is highly subjective and depends on the ability of the physician to perform the questionnaire. Pill counting is the second most broadly used method for quantification of adherence. It is one of the simplest methods and easiest to interpret. However, it is subject to several potential issues, since patients can perpetrate many errors (intentional and unintentional) that would go unnoticed by the healthcare provider. Moreover, this method does not provide any information about the timing of the dose intake, which is an important parameter in the clinical outcomes. The most accurate method is electronic monitoring, because it is able to record whether there has been a dosage administration as well as its timing. The main drawback is that it is still an indirect method that cannot certify that the patient has really ingested the dose nor that the administered dose was correct. In addition, it is the most expensive indirect method and requires technical equipment. As has been explained, there is no gold standard for measuring medication intake, since each method has its own drawbacks and each one can be suitable in different situations. Nevertheless, a mixture of measures can maximise the accuracy of the adherence quantification.
2.1.2 Dose personalisation
Personalised medicine is a broad concept that includes many factors and it does not have a clear definition. One approach to the definition can be connected to genomics and the personalised response that patients have to a specific drug or external agent. However, this approach does not take into account important aspects such as the delivery of the active molecule .
Other approaches argue that personalised drug therapy must be more than just improving the match to each patient's genetic profile; it should also embrace the whole system of delivery of these drugs, for instance, individualised dosing delivery systems.
There are many other factors in drug therapy that can impact the outcome of a medication treatment. Among them, dose and dosage should be highlighted as the ones with the highest repercussion. According to the American Medical Association (AMA) Manual of Style, dose and dosage allude to very different concepts. Dose is defined as "the amount of medication taken at one specific time". On the other hand, dosage refers to the "prescribed administration of a specific amount, number and frequency of doses over a specific period of time". In short, a dosage is the amount of medication (dose) that has to be taken with a certain frequency during a certain period of time.
As an example of the problems we have nowadays in personalising drug doses, mass manufacturers of solid doses establish the specific amount of medication in each pill based on the amount that produces a therapeutic effect in the greatest segment of the population. As a clear example, a manufacturer would choose a certain dose for mass production with a beneficial effect in 64% of the population rather than a smaller amount that has fewer adverse effects but a beneficial effect in only 54% of the population. Other examples can be found where particular patients do not have a beneficial effect with a certain dose and have inadmissible adverse effects with the immediately next higher dose available on the market.
Current solutions for the dosage problems do not lead to optimal results.
For instance, regarding solid dosage forms, it is possible to personalise using a splitting technique. However, the existing techniques lead to a high variability in the amount of medication in each of the split parts. It has been proved that, with the current techniques, pharmacists are not able to split tablets in a way that the resulting medication has an acceptable dose variation . On the other hand, liquid dosage forms have been prepared for a better personalised dose administration. Volume is usually measured using tools provided by the manufacturer. However, these tools are linked with several difficulties and errors, leading to inaccurate personalisation of the dose. Moreover, it also requires skill to be as accurate as possible.
A clear indicator of the importance of finding a better solution for this problem is that the prevalence of adverse effects due to untailored drug therapy has been calculated to be from 75 to 85% .
2.1.3 The medical device solution
As mentioned in the introduction chapter, the medical device analysed in this project is a product under development that aims to give a solution to all, or most, of the problems explained in this section. A short description of the main functions of the device and how they deal with the main problems regarding drug therapy is listed below:
• Adherence: the device includes a reminder system that could even be connected to the patient's smartphone to avoid missing the timing of the drug intake. Moreover, it is easy to use and helps to simplify the treatment. Therefore, it reduces one of the main risk factors for adherence, the complexity of the treatment.
• Abuse: the device will drastically reduce the probability of abuse, since it will only deliver the prescribed amount at the appropriate time.
• Monitoring: it will have a communication system that will let the healthcare system know in real time whether the patient is complying with the prescribed treatment. It will be more objective than most of the current monitoring techniques and it will help doctors to understand the level of adherence of patients.
• Dose personalisation: the device will be able to deliver different amounts of drug to each patient. It will have a delivery system that creates the pill every time a dose is needed. The pill is created from a cartridge where the drug is stored. The personalisation of the dose will also help the adherence of patients, since it will reduce the side effects that some patients suffer because of the lack of dose personalisation.
2.2 Safety and security
2.2.1 Definitions
In this subsection, several concepts are defined according to "Dependability - Basic Concepts and Terminology" (J.-C. Laprie et al.) and other sources, in order to set some of the basic concepts needed to understand the subsequent description of knowledge regarding safety and security approaches.
• Dependability: Trustworthiness of a system such that reliance can be justifiably placed on the service it delivers.
• Safety: Dependability with respect to non-occurrence of catastrophic failures.
• Security: Dependability with respect to unauthorized access or information handling (deliberate action).
• Reliability: Dependability with respect to continuity of service (time to failure, probability).
• Integrity: property of data, information and software to be accurate and complete and not to have been improperly modified.
• Availability: property of data, information, and systems to be accessible and usable on a timely basis in the expected manner. Assurance that information will be available when needed.
• Confidentiality: property of data, information, or system structures to be accessible only to authorized persons and entities, and to be processed at authorized times and in the authorized manner, thereby helping ensure data and system security.
• Safety-critical systems: a safety-critical system or life-critical system is a system whose failure or malfunction may result in one (or more) of the following outcomes:
– death or serious injury to people
– loss or severe damage to equipment/property
– environmental harm
• Life-cycle: all phases in the life of a device, from initial conception to final decommissioning and disposal.
• Cybersecurity: process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a device to an external recipient.
• Threat: any circumstance or event with the potential to adversely impact the device or system.
2.2.2 State-of-the-art: Combined development life cycle for safety and security
There are several requirements that a combined safety and security development life cycle should fulfil. The list below [20, 21, 22] states these requirements. Afterwards, the main activities of a combined approach according to  are presented.
• The development cycle should be generic, not dependent on a specific domain.
• Security activities should be integrated into already existing safety lifecycles, because most CPS must be developed under safety standards.
• Safety and security should be considered synchronously, not sequentially.
• Safety and security should be synchronised in order to identify conflicts.
• The lifecycle should be designed in a way that automation is supported.
Taking into consideration both the list of requirements that a combined approach should meet and the main activities and phases in security and safety development lifecycles, the combined development lifecycle is shown in figure 2.2 below. It is a scheme consisting of the main activities that the process should have (inside rectangles) and the artefacts produced by these activities (rectangles with a folded corner). Additionally, red arrows represent the inputs of the activities and green arrows indicate an output.
Thereupon, the most important groups of activities are mentioned with a short clarification of some important details:
1. Initiation: collection of information and responsibilities for safety and security.
2. Requirement: hazard, threat and risk analysis from a shared point of view. However, requirements documentation should be done separately.
3. Design: allocation and consolidation of both kinds of requirements, safety and security. Check whether there is overlap, conflict or non-influence between them. The design of the system architecture is iterative and is combined with verification processes to check that the requirements are fulfilled.
4. Realisation: implement a safe and secure system. Test that it follows the specifications and requirements defined previously.
5. Operation: critical events are documented, risks are monitored and incidents are analysed to improve and modify the safety and security of the system.
6. Decommission: system disposed in a safe and secure way. The data should also be securely saved or erased.
Figure 2.1: Safety and Security development lifecycle. Figure from 
2.3 Contribution to the project
Obviously, performing the whole safety lifecycle of the described medical device would be a huge amount of work that would require a great amount of resources such as time, knowledge and manpower with many different skills.
Since it is a master thesis, the work has been focused on the particular phases that could help me to answer the defined research questions.
Therefore, some delimitation regarding the medical device and the safety lifecycle has been done.
2.3.1 Medical device simplification
Analysing all the components of the medical device with all their complexity and relations would require managing a huge amount of data throughout the project. Additionally, it would take too much time for a master thesis.
Therefore, a simplification of the medical device was done. We selected one component of the device and simplified the system around it.
The selected component is the DC motor in charge of pushing the drug from the cartridge, where it is stored, to the dispenser, where the pill is created.
Apart from these components, there should be a button, to allow the patient to start the dose administration; a potentiometer, to allow the doctor to select a target dosage; a microcontroller, to control the speed of the motor according to the variables and parameters of the system; and an encoder sensor and wheel, to sense the rotation of the motor and give a feedback signal.
2.3.2 Development lifecycle simplification - Risk Management
Regarding the safety and security lifecycle, it is a long process that is performed by a large team of professionals over a considerable period of time. Moreover, it is unfeasible to fit it into a master thesis. Therefore, the appropriate phase of the lifecycle to answer the research questions was selected: the risk management process.
It can be found under the "Requirement" group of activities defined as "State-of-art" in section 2.2.4. A scaled-up view can be found in figure 2.3 below. The activity gives as output a list of the main potential hazards and threats, which is then used as input to define the system requirements for both safety and security.
Additionally, the master thesis project covers part of the "Design" group of activities. Specifically, the output from the previous activities is used to define the control measures that are part of the safety and security specifications.
Finally, these control measures are verified as stated in the scaled-up view shown in figure 2.3.
Figure 2.2: Scaling-up from figure 2.2. It defines the scope of the master thesis according to the State-of-art defined in section 2.2.4. Picture extracted from .
Chapter 3 Methods
As stated in the previous chapters, the main goal of this thesis is to answer the defined research questions. In order to do that, the following methods were defined according to the goal of the project and the delimitations set for the research.
As one of the main requirements was to conform to the current regulations in Sweden, all the methods are closely related to one of the main standards dealing with the safety of medical devices, specifically with risk management.
That is, the "EN ISO 14971 - Risk Management for Medical Devices" .
By doing so, we are sure that the answer to the main research question complies with the most demanding regulations of the sector and, hence, it is a valid answer for our purposes.
Moreover, it will help us to discern whether the novel tools applied during the research are suitable under the current regulations for medical devices in Sweden. Therefore, the secondary research questions will be answered accordingly.
3.1 ISO 14971 - Risk Management of Medical Devices
As we have seen, the ISO 14971 is an important document that guides most of our methods. Therefore, it is vital to describe all the knowledge explained in it that will be applied to the project.
First of all, we describe the basic terminology used in the ISO 14971 (and hence in this project), so that the meaning of the most important concepts is clearly defined.
• Risk: according to the standard, a risk is the combination of the probability of occurrence of harm and the severity of that harm.
• Risk management: systematic application of management policies, procedures and practices to the tasks of analysing, evaluating, controlling and monitoring risk.
• Hazard: a hazard is the potential source of a harm.
• Harm: physical injury or damage to the health of people, or damage to property or the environment.
• Safe medical device: a medical device that is free from unacceptable residual risk.
• Residual risk: risk remaining after risk control measures have been taken.
• Severity: measure of the possible consequences of a hazard.
How to assess probability and severity, and how to decide whether a risk is acceptable or not, is explained below, where the risk management process according to the international standard is described.
As shown in figure 3.1 and according to the information provided in the ISO 14971, there are five main steps in the risk management cycle that have to be considered: Risk analysis, Risk evaluation, Risk control, Evaluation of residual risk and, finally, Production and post-production information.
The only steps considered in this project were the first three phases, since the fourth step requires deeper research and the fifth requires post-market information about the medical device. The deeper research was not an option due to time limitations, and the post-market information was not an option because the device is still under development, which makes it impossible to have this kind of information. However, a brief explanation of all the steps is provided anyway, to give a general overview of the whole risk management process.
Figure 3.1: Risk management process. Scheme of the main phases and main activities. Adaptation from 
3.1.1 Risk analysis
The risk analysis is defined as the systematic use of available information to identify hazards and to estimate the risk. Therefore, it consists of two main phases: hazard identification and risk estimation.
Regarding hazard identification, there is some guidance defined in the standard. Nevertheless, the guidelines are only recommendations and it is up to the organization to choose the methodology for this step. The main techniques recommended are Preliminary Hazard Analysis (PHA), Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA) and Hazard and Operability Study (HAZOP). PHA is used early in the development process to identify the hazards and events that can lead to a harm. FTA is used for the identification and prioritization of hazards and for analysing their adverse events.
FMEA is commonly used in more advanced stages of the design and deals with identifying the effects or consequences of failures of individual components. Finally, HAZOP is useful to verify and optimize design concepts or changes. Therefore, it is used in later stages of the development.
However, as explained in the introduction and background, a novel tool will be applied to identify the hazards that are then analysed during the risk management process. This tool is an Ontological Approach to Safety Analysis of Safety-Critical Systems . This technique, named Hazard Ontology (HO), was developed by Jiale Zhou at Mälardalen University, Sweden, in 2017.
The main motivation for developing such a tool was that the current practice in early stages of safety analysis lacked a common standardised approach. Therefore, in most cases, hazards and their causes are identified according to the intuition and experience of the analysts. The HO solution proposes an ontological interpretation of the hazard concept, an approach to identify hazards in early stages of development, an approach to identify the causes of certain hazards and a heuristic approach to safety requirements elicitation. All the steps from the HO used in this project are defined in section 3.2 below. After applying this tool, we will have a list of the main risks of the system.
As explained in the beginning of the section, a risk is the combination of both the probability of the hazard and the severity of the corresponding harm.
Hence, the risk estimation step is defined in the standard as the process used to assign values to the probability of occurrence of harm and the severity of that harm.
Several methods can be used to estimate risks. Even though the International Standard does not require a specific method for this step, it requires that risk estimation is considered. Quantitative methods are preferable when proper data are available. However, qualitative methods can suffice when no suitable data are available.
Regarding the probability estimation, some advice is given in the documentation, for instance a list of the most recommended approaches. The list consists of prediction of probabilities using analytical or simulation techniques; use of experimental data; reliability estimates; production data; post-production information; and use of expert judgement. To increase the confidence in the results, a combination of approaches is recommended.
Moreover, according to the standard, medical devices can cause harm if a sequence of events occurs resulting in a hazardous situation that could cause a harm. A hazardous situation is defined as one in which people, property or the environment are exposed to a hazard. Therefore, as can be clearly seen in figure 3.2, the probability is the combination of two probabilities: the probability of being exposed to a hazard and the probability of the hazardous situation leading to a harm.
Figure 3.2: Scheme representing the definition of risk of a hazard with regards to probability and severity. Extracted from .
On the other hand, some recommendations are given regarding the estimation of the severity of a harm. Although severity is a continuous variable, it is encouraged to use a discrete number of severity levels. Both descriptive and symbolic levels are suitable, as long as they are explicitly defined.
As has been shown, many methods can be used for this step and it is up to the manufacturer to choose which one to use. In this project, based on an example explained in the standard, a qualitative method is used for probability estimation. Three levels of probability were defined: low, medium and high. Then, all risks were sorted based on the recommendations stated in the ISO.
Regarding the severity, three discrete levels were defined as well: negligible, moderate and significant. The definitions for each one of the levels can be found in figure 3.3 below.
Figure 3.3: Table showing the definition for each level of probability and severity used during the project. Extracted from .
A 3x3 risk matrix is then produced using the probability as rows and the severity of the harm as columns. Then, the risks found in the previous step (R1, R2, R3, ...) are sorted into risk categories according to the level of severity and probability assigned to them.
An example of a potential result is shown in figure 3.4.
Figure 3.4: Table showing the final result of the risk estimation step. The risks found in the risk identification step are sorted according to their corresponding level of severity and probability. Extracted from .
3.1.2 Risk evaluation
After the risk estimation, the next step is to determine the acceptability of the estimated risks. This is done by comparing the estimated risks against given risk criteria. The ISO does not state particular acceptable risk criteria; the decision is up to the manufacturer. However, some methods to determine acceptable risk are defined. These methods are the following:
• Using other applicable standards that define requirements which, if implemented, assure acceptability regarding a specific type of medical device or particular risks.
• Contrasting equivalent levels of risk from other medical devices already in the market.
• Considering clinical study data (especially for new technologies or new intended uses).
• Using results of accepted scientific research.
A common way described in the standard to apply the acceptability criteria is to use the matrix created in the previous step, the risk estimation. That is, to determine which combinations of probability and severity are acceptable and which ones are unacceptable. An example can be seen in figure 3.5 below.
Figure 3.5: Table presenting the expected results after the risk evaluation step. Risks sorted according to probability and severity and the threshold defining which risks are acceptable (white cells) and which ones are unacceptable (gray cells). Extracted from .
3.1.3 Risk control
According to ISO 14971, risk control is the "process in which decisions are made and measures implemented by which risks are reduced to, or maintained within, specified levels".
For those risks that are within the unacceptable threshold, control measures are required in order to lower the risk until it is acceptable. Risk control measures aim to reduce the severity of the harm, the probability associated with this harm, or both.
No specific control measure is suggested, but there is a mandatory priority order with regard to the kind of controls that shall be applied. The three control options listed are: inherent safety by design, protective measures and information for safety.
Inherent safety must be attempted first and corresponds to the controls that eliminate a particular hazard, reduce the probability of occurrence of the harm or reduce the severity of the harm. Protective measures are controls such as safety valves, protective gloves or alarms to alert the operator to any hazardous situation. Finally, regarding information for safety, some of the most commonly used approaches are: using warnings on the medical device, restricting the use or circumstances of use of the medical device, alerting about inappropriate use, hazards that can occur, or other information that can reduce risk, and similar. It is important to say that information for safety controls cannot be used as a justification to lower either the probability or the severity.
In many situations, there are standards that help the manufacturer by simplifying the task of risk control. There are some standards addressing the control measures for specific kinds of medical devices. However, the final responsibility for the risk acceptability always rests on the manufacturer.
Finally, in this risk control phase, two different verification procedures are required. The first one is to ensure that the control measure is actually implemented in the final design. The second is required to demonstrate that the control measure reduces the risk, i.e., that it works as expected.
It is in this verification step where the second novel tool under study will be applied. It consists of a fault injection system which is able to replicate part of the medical device. Then, some failures are injected to check whether the system behaves according to the expected behaviour or shows an unacceptable behaviour. If it behaves as expected, then the risk is reduced and can be accepted; otherwise, additional control measures will be required. An explanation of the system can be found in section 3.3 below.
When control measures are accepted, they are converted into inputs for the design and included as safety specifications.
3.1.4 Evaluation of residual risk
Once risk control measures are implemented, the remaining risk for the same hazard should be evaluated again. This is called the residual risk.
If the residual risk after the applied control measures is still not acceptable, further risk control measures must be applied. Notice that this is an iterative process that should stop when the residual risk is judged acceptable.
However, there can be situations where the residual risk is not judged acceptable and further control measures are not feasible. In this specific case, the manufacturer can collect information to determine whether the benefits of the medical device outweigh the residual risk. If they do, then the medical device can proceed with the development. Otherwise, the residual risk remains unacceptable.
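As an added illustration (not code from the thesis), the following Python model runs the estimation, evaluation and control steps of sections 3.1.1 to 3.1.4 on the three probability and three severity levels defined above, including the rule that information for safety cannot lower either parameter. The acceptability threshold, the matrix cell of each risk and the control measures are assumptions, since the figures that define them are not reproduced here; the risk descriptions R1 to R7 are the causes reported in the results chapter.

```python
"""ISO 14971-style qualitative risk estimation, evaluation and control.

Added example, not code from the thesis.  ASSUMPTIONS: the acceptability
threshold (index sum of the two levels >= 3 is unacceptable), the matrix cell
of each risk R1..R7 and the control measures are constructed for illustration.
"""
from dataclasses import dataclass, field, replace

PROBABILITY = ["low", "medium", "high"]               # rows of the 3x3 matrix
SEVERITY = ["negligible", "moderate", "significant"]  # columns of the matrix
# Mandatory priority order of control options (section 3.1.3).
CONTROL_PRIORITY = ["inherent_safety", "protective_measure", "information_for_safety"]


@dataclass
class Risk:
    rid: str
    description: str
    probability: str
    severity: str
    controls: list = field(default_factory=list)  # (kind, name) of applied controls

    def score(self) -> int:
        return PROBABILITY.index(self.probability) + SEVERITY.index(self.severity)

    def acceptable(self) -> bool:
        return self.score() < 3  # ASSUMED threshold, see module docstring


def risk_matrix(risks):
    """Risk estimation: sort risk ids into the probability x severity cells."""
    matrix = {(p, s): [] for p in PROBABILITY for s in SEVERITY}
    for r in risks:
        matrix[(r.probability, r.severity)].append(r.rid)
    return matrix


def evaluate(risks):
    """Risk evaluation: split ids into acceptable and unacceptable lists."""
    acceptable = [r.rid for r in risks if r.acceptable()]
    unacceptable = [r.rid for r in risks if not r.acceptable()]
    return acceptable, unacceptable


def apply_control(risk, kind, name, lowers=None):
    """Return the residual risk after one control measure.

    `lowers` is "probability", "severity" or None.  Information for safety is
    recorded but, as the standard requires, never lowers either parameter.
    """
    if kind not in CONTROL_PRIORITY:
        raise ValueError(f"unknown control option {kind!r}")
    residual = replace(risk, controls=risk.controls + [(kind, name)])
    if kind == "information_for_safety" or lowers is None:
        return residual
    levels = PROBABILITY if lowers == "probability" else SEVERITY
    idx = levels.index(getattr(residual, lowers))
    if idx > 0:
        setattr(residual, lowers, levels[idx - 1])  # one level down
    return residual


def control_until_acceptable(risk, measures):
    """Evaluation of residual risk: apply measures in priority order until the
    risk is acceptable or no measures remain (section 3.1.4).
    measures: list of (kind, name, lowers)."""
    ordered = sorted(measures, key=lambda m: CONTROL_PRIORITY.index(m[0]))
    for kind, name, lowers in ordered:
        if risk.acceptable():
            break
        risk = apply_control(risk, kind, name, lowers)
    return risk


def sample_risks():
    """Causes R1..R7 from the results chapter with ASSUMED matrix cells."""
    return [
        Risk("R1", "Failure during manufacturing", "low", "moderate"),
        Risk("R2", "Physical damage due to deterioration", "medium", "negligible"),
        Risk("R3", "Physical damage due to hit or strong acceleration", "medium", "significant"),
        Risk("R4", "Lack of signal from the processor due to wire breakage", "medium", "significant"),
        Risk("R5", "Lack of signal from the processor due to lack of power supply", "low", "negligible"),
        Risk("R6", "Incorrect signal due to system deterioration", "medium", "negligible"),
        Risk("R7", "Incorrect signal due to wrong data from sensors", "medium", "significant"),
    ]


if __name__ == "__main__":
    risks = sample_risks()
    print("unacceptable:", evaluate(risks)[1])
    r4 = control_until_acceptable(risks[3], [
        ("information_for_safety", "warning in the user manual", "severity"),
        ("protective_measure", "M7: failure detection system", "severity"),
    ])
    print(r4.rid, r4.probability, r4.severity, r4.acceptable(), r4.controls)
```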
3.1.5 Production and post-production information
The last step is to design and implement a system to collect and review information regarding the medical device, or similar devices in the market, in the production and post-production stage.
According to the standard, the information is relevant, above all, in two specific situations:
• if previously unrecognised hazards or hazardous situations are present or
• if the estimated risk(s) arising from a hazardous situation is/are no longer acceptable.
When some of the above situations occur, the information should be fed as input of a new iteration in the risk management process. Therefore, new changes in the design or other control measures can be implemented during the post-production stage.
3.2 Hazard Ontology tool
The Hazard Ontology (HO)  is a tool used for the identification of hazards in a predefined system or device. Before describing the steps of the HO to identify risks and their causes, a few concepts must be defined:
• Kind: it is a rigid object, i.e., an object that is a kind in necessarily every possible situation.
• Role: non-rigid object.
• Relator: relation of mediation between non-rigid objects.
A good example to see the difference between kind and role is the situation of being a "person" and a "pilot". A person is necessarily a person throughout its whole existence. However, a pilot stops being a pilot when he/she leaves the plane. Therefore, "person" is a kind object and "pilot" is a role object that can be played by the person. On the other hand, if we consider "plane" as another kind and "being piloted" as a role that it plays, then "piloting" can be considered the relator connecting them.
3.2.1 System Description Formalisation
The first step consists of describing the whole system to analyse according to the actors explained above. That is, identifying all the kinds, roles and relators of the system under consideration. The System Description formalisation can be done in four steps:
1. Identify all kind and role objects of the system.
2. For each kind identified in 1), identify all roles it can play.
3. For each role from 1), identify the relators that connect this role with all the other suitable roles.
4. For each role obtained in 1), 2) and 3), identify all kinds that can play this role.
3.2.2 Mishap Victim Identification
The second step is the identification of all mishap victims that the system described in the previous step can have. Mishap victims are roles that have the potential to receive damage or injuries.
Furthermore, a list of possible harms that the victim can suffer is drawn up. For instance, physical damage, fatal illness, explosion, chemical damage, etc.
3.2.3 Hazard Population
The third step is about brainstorming hazard situations that can harm the identified mishap victims from the second step. The next steps describe how to find and populate a list of hazardous situations based on the previous work from steps 3.2.1 and 3.2.2:
1. Choose one mishap victim from step 3.2.2.
2. Select the kind objects playing that mishap victim role, the relators connected to the chosen victim and the roles connected to those relators, all according to the system described in 3.2.1.
3. For each role from the previous step, find dispositions. If a disposition is present, a mishap victim can suffer a harm. Additionally, name the roles Hazard Elements, the dispositions Harm TruthMakers and the relator Exposure.
4. For each Hazard Element from 3), identify the kind objects that can play it. They are identified as environmental objects.
5. Finally, select the next victim until all of them are analysed and go back to step 1.
3.2.4 Causes Exploration
The fourth and last step consists of finding the possible causes for each one of the populated hazards. In order to do that, pre-initiating event for Harm TruthMakers will be identified.
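The four HO steps above, implemented as an added example (not the HO tool's own code) on the motor, drug and microcontroller system of section 2.3.1. The roles, relators and the "controlling" disposition are assumed for illustration; the two Harm TruthMakers of the "pushing drug" hazard element and their causes R1 to R7 are those the results chapter reports for "push drug".

```python
"""Hazard Ontology steps 3.2.1-3.2.4 as a small graph traversal.

Added example, not the HO tool's own code.  The system description below is
ASSUMED for illustration except the Harm TruthMakers and causes of the
"pushing drug" role, which follow the thesis's Table 4.2.
"""
from dataclasses import dataclass, field


@dataclass
class SystemDescription:
    """Step 3.2.1: the kinds, roles and relators of the system under study."""
    plays: dict = field(default_factory=dict)         # role -> set of kinds that can play it
    relators: dict = field(default_factory=dict)      # relator -> set of roles it mediates
    dispositions: dict = field(default_factory=dict)  # role -> list of dispositions
    causes: dict = field(default_factory=dict)        # disposition -> pre-initiating events

    def add_role(self, role, *kinds):
        self.plays.setdefault(role, set()).update(kinds)

    def add_relator(self, relator, *roles):
        self.relators[relator] = set(roles)

    def add_disposition(self, role, disposition, *causes):
        self.dispositions.setdefault(role, []).append(disposition)
        self.causes[disposition] = list(causes)


@dataclass(frozen=True)
class Hazard:
    """One populated hazard (step 3.2.3) with its explored causes (step 3.2.4)."""
    mishap_victim: str
    victim_kinds: tuple
    exposure: str
    hazard_element: str
    environmental_objects: tuple
    harm_truthmaker: str
    causes: tuple


def mishap_victims(sd):
    """Step 3.2.2, ASSUMED rule: roles named 'being ...' are the roles that can
    receive damage, matching the naming used in Table 4.1 of the results."""
    return sorted(r for r in sd.plays if r.startswith("being "))


def populate_hazards(sd, victims):
    """Steps 3.2.3 and 3.2.4 for each chosen mishap victim."""
    hazards = []
    for victim in victims:                                   # step 1: pick a victim
        victim_kinds = tuple(sorted(sd.plays.get(victim, ())))
        for relator, roles in sd.relators.items():           # step 2: relators of the victim
            if victim not in roles:
                continue
            for role in sorted(roles - {victim}):            # roles joined by that relator
                for disp in sd.dispositions.get(role, ()):   # step 3: dispositions present
                    hazards.append(Hazard(
                        mishap_victim=victim, victim_kinds=victim_kinds,
                        exposure=relator, hazard_element=role,
                        environmental_objects=tuple(sorted(sd.plays.get(role, ()))),  # step 4
                        harm_truthmaker=disp,
                        causes=tuple(sd.causes.get(disp, ())),  # 3.2.4 causes exploration
                    ))
    return hazards


def drug_delivery_system():
    """ASSUMED description of the simplified device of section 2.3.1."""
    sd = SystemDescription()
    sd.add_role("pushing drug", "DC motor")
    sd.add_role("being pushed", "drug")
    sd.add_role("controlling", "microcontroller")
    sd.add_role("being controlled", "DC motor")
    sd.add_role("sensing", "encoder")
    sd.add_role("being sensed", "DC motor")
    sd.add_relator("drug delivery", "pushing drug", "being pushed")
    sd.add_relator("motor control", "controlling", "being controlled")
    sd.add_relator("rotation sensing", "sensing", "being sensed")
    # Harm TruthMakers and causes of "push drug" as listed in Table 4.2.
    sd.add_disposition("pushing drug", "Damaged mechanism",
                       "R1: Failure during manufacturing",
                       "R2: Physical damage due to deterioration",
                       "R3: Physical damage due to hit or strong acceleration")
    sd.add_disposition("pushing drug", "Incorrect instructions from processor",
                       "R4: Lack of signal from the processor due to wire breakage",
                       "R5: Lack of signal from the processor due to lack of power supply",
                       "R6: Incorrect signal due to system deterioration",
                       "R7: Incorrect signal due to wrong data from sensors")
    sd.add_disposition("controlling", "Wrong data from sensors")  # assumed, causes not yet explored
    return sd


if __name__ == "__main__":
    sd = drug_delivery_system()
    for h in populate_hazards(sd, mishap_victims(sd)):
        print(h.mishap_victim, "<-", h.hazard_element, "via", h.exposure, ":", h.harm_truthmaker)
```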
3.3 Fault Injection System
As explained, this system aims to help with the verification of the control measures defined in the control step of the risk management process.
Since it completely depends on the control measures to verify, there is no predefined or standard way to design the system. However, there are three mandatory requirements for the system. The system must:
- replicate the system under study.
- have a way to inject failures or failure modes into the replicated device.
- monitor all the vital parameters of the system that describe its behaviour in terms of performance and safety.
3.4 Own contribution clarification
Since the risk management of a medical device is a really complex process and the amount of information to manage grows exponentially at every step, the work in this project has prioritised going through all the steps rather than going into the maximum detail for every individual step. Another reason for this was the time limitation of a master thesis project. Moreover, the need to finish the whole procedure in order to evaluate the innovative tools also had a great impact on the decision.
Therefore, each step is executed partially to avoid a situation where we would be managing too much information. This could cause trouble in the exposition of results and divert the attention from the main goal of the master thesis: answering the research questions.
Chapter 4 Results
The results chapter is divided into two main parts. In the first section, 4.1, the results from the risk management process according to ISO 14971 are presented.
This section includes detailed results from the Hazard Ontology tool, since it is an important part of answering the corresponding research question. The output of the process described in 4.1 is a list of mitigation measures to reduce the risk estimation of the unacceptable risks. The second part, 4.2, corresponds to the description and results of the whole verification process for three particular mitigation measures obtained in 4.1.
It is important to state that not all the results obtained during the project are presented. Only the results from part of the work are presented. That is because, similar to what was explained in 3.4 above, a more extensive exposition of results would not have led to a different answer to the research questions, but only to a poorer understanding of the main outcomes of the work. Therefore, the main results, or an extract of them, are presented for each step of the process.
4.1 Risk Management - Safety specification for the device
In this section, the results of the risk management process are presented. They follow the same guideline as explained in the methods, so it will be easier to follow the evolution through the process. The final result of the risk management process is a list of the mitigation measures that should be taken into account when designing and developing the device. This list can be regarded as the safety specifications for the medical device.
4.1.1 Risk analysis
In this step, hazards were identified and severity and probability for each of them were estimated.
Hazard identification - Hazard Ontology
As explained, we used the Hazard Ontology for the hazard identification step. It consists of four main steps: System Description Formalization (SDF), Mishap Victim Identification, Hazard Population and Causes Exploration.
The results of the SDF can be seen in figure 4.1 below. The system under study, defined in the background section, chapter 2.1.3, and delimited in section 2.3, has been described according to the definitions of kind, role and relator. The three types of objects were identified following the steps explained in the methods, section 3.2.1.
Figure 4.1: System Description Formalisation of the system under study.
The second step was to identify all mishap victims among the roles defined in the previous steps. The identified mishap victims are:
Identified mishap victims:
• being pushed
• being consumed
• being sensed
• being controlled
• receive information
• being modified
• code consumer
• electricity consumer
Table 4.1: List of identified mishap victims in step 2 from the HO.
Regarding the third step, the results for the "Drug delivery" activity are shown in figure 4.2. The output from this step is a list of the Harm TruthMakers for each identified hazard element in the whole system.
Figure 4.2: Image representing the hazard population step regarding the "Drug delivery" part of the medical device
Finally, the last step corresponded to the causes exploration. As an example, the possible causes for each one of the Harm TruthMakers of the "push drug" hazard element are listed below:
"Damaged mechanism":
R1: Failure during manufacturing
R2: Physical damage due to deterioration
R3: Physical damage due to hit or strong acceleration
"Incorrect instructions from processor":
R4: Lack of signal from the processor due to wire breakage
R5: Lack of signal from the processor due to lack of power supply
R6: Incorrect signal due to system deterioration
R7: Incorrect signal due to wrong data from sensors
Table 4.2: Results from "Risk identification" step. List of main causes found for the "Damaged mechanism" and "Incorrect instructions from processor" Harm TruthMakers.
Each one of these causes (and all the other causes from other Harm TruthMakers) is an output of the HO and they are used as the list of risks for the next step.
After identifying the maximum number of hazards of the system and their possible causes, the risk estimation for each one of them was performed. Risk by risk, severity and probability were estimated according to the methods described in chapter 3.1.1. The result for the risks explained above can be found in the following table:
Severity levels (columns): Negligible, Moderate, Significant
High:
Medium: R2, R6 / R3, R4, R7
Low: R5 / R1
Table 4.3: Results from "Risk estimation" step.
4.1.2 Risk evaluation
After the risk estimation, the next step was to determine the acceptability of the previously estimated risks. The results can be seen in the table below, according to the same acceptability rule defined in section 3.1.2 of the methods chapter. Those risks that are not acceptable are shown in red; the acceptable risks are shown in black.
Severity levels (columns): Negligible, Moderate, Significant
High:
Medium: R2, R6 / R3, R4, R7
Low: R5 / R1
Table 4.4: Results from "Risk evaluation" step.
4.1.3 Risk control
In this step, mitigation measures for the main risks of the system are proposed. Since the risk analysis was performed on a complex system, many risks were found (in the order of hundreds). However, only some of the most important issues according to the risk estimation were chosen to be shown in the report, as a justification for the testing and verification step. The table below shows a selection of the more important risks of the overall system and their proposed mitigation measures. All the mitigation measures found during the process should be included as the safety specifications in the design process of the medical device.
As shown, all the control measures aim to lower either the probability or the severity. Therefore, if the mitigation controls are verified, the risks can be evaluated again with lower parameters and they might be accepted.
The verification of the mitigation controls M5, M6 and M7 is explained in section 4.2 below. The mitigation measure consists of a Failure Detection System: in other words, if the system is able to detect the failure, alert the user and stop the device, then the severity can be lowered and the risk can be accepted.
Risk | Mitigation measure
R1: Patient does not press the button at the scheduled time (forgets intake time) | M1: Reminder system
R2: Patient introduces incorrect drug into the device | M2: ID check system
R3: Wrong data sent from sensor (wrong calibration or misalignment) | M3: Check-up system before dose administration
R4: Excessive power supply | M4: ISO 60601 - I
R5: Failure in encoder sensor transmission (no data received) | M5: Failure detection system
R6: Error in the communication with potentiometer | M6: Failure detection system
R7: Lack of signal from the controller due to wire breakage | M7: Failure detection system
Table 4.5: Results from "Risk control" step.
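The estimate, verify, re-evaluate loop described in this section, as an added example in C that is not part of the thesis or of the device firmware. The acceptability matrix, the sample risk ratings and the number of levels a control lowers are assumptions made for illustration (the thesis's own rule is the one in section 3.1.2, which is not reproduced here). The point it shows is the one made above: a control may only lower the probability or severity estimate once it has been verified, and an unverified control leaves the original rating untouched.

```c
/* Risk evaluation and re-evaluation after a verified mitigation (added example).
 * The acceptability matrix, ratings and step sizes are ASSUMPTIONS; the
 * thesis's own acceptability rule (section 3.1.2) is not reproduced here. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { SEV_NEGLIGIBLE = 0, SEV_MODERATE, SEV_SIGNIFICANT, SEV_HIGH } severity_t;
typedef enum { PROB_LOW = 0, PROB_MEDIUM, PROB_HIGH } probability_t;
typedef enum { LOWERS_PROBABILITY, LOWERS_SEVERITY } lowers_t;

typedef struct {
    const char   *id;
    probability_t probability;
    severity_t    severity;
} risk_t;

typedef struct {
    const char *id;
    lowers_t    lowers;    /* which parameter the control reduces */
    int         steps;     /* how many levels it drops once verified */
    bool        verified;  /* set only after the control passed testing */
} mitigation_t;

/* ASSUMED acceptability rule: rows = probability, columns = severity,
 * true = acceptable. */
static const bool ACCEPTABLE[3][4] = {
    /*            NEGL   MOD    SIGN   HIGH  */
    /* LOW    */ { true,  true,  true,  false },
    /* MEDIUM */ { true,  true,  false, false },
    /* HIGH   */ { true,  false, false, false },
};

bool is_acceptable(risk_t r) {
    return ACCEPTABLE[r.probability][r.severity];
}

/* Re-estimate the risk with the control in place.  An unverified control
 * changes nothing: only a verified one may lower probability or severity. */
risk_t apply_mitigation(risk_t r, mitigation_t m) {
    if (!m.verified) return r;
    if (m.lowers == LOWERS_PROBABILITY) {
        int p = (int)r.probability - m.steps;
        r.probability = (probability_t)(p < PROB_LOW ? PROB_LOW : p);
    } else {
        int s = (int)r.severity - m.steps;
        r.severity = (severity_t)(s < SEV_NEGLIGIBLE ? SEV_NEGLIGIBLE : s);
    }
    return r;
}

/* Number of risks still unacceptable after re-evaluation (mits[i] belongs to risks[i]). */
int count_unacceptable(const risk_t *risks, const mitigation_t *mits, int n) {
    int bad = 0;
    for (int i = 0; i < n; i++)
        if (!is_acceptable(apply_mitigation(risks[i], mits[i]))) bad++;
    return bad;
}

int main(void) {
    /* Constructed sample data; the ratings are NOT the thesis's own. */
    risk_t risks[] = {
        { "X1 encoder sends no data",  PROB_MEDIUM, SEV_HIGH },
        { "X2 wrong calibration",      PROB_MEDIUM, SEV_SIGNIFICANT },
        { "X3 patient forgets intake", PROB_LOW,    SEV_MODERATE },
    };
    mitigation_t mits[] = {
        { "MX1 failure detection: detect, alert, stop", LOWERS_SEVERITY,    2, true  },
        { "MX2 check-up before dosing",                 LOWERS_PROBABILITY, 1, false },
        { "MX3 reminder system",                        LOWERS_PROBABILITY, 1, true  },
    };
    for (int i = 0; i < 3; i++) {
        risk_t after = apply_mitigation(risks[i], mits[i]);
        printf("%-28s before: %-14s after: %s\n", risks[i].id,
               is_acceptable(risks[i]) ? "acceptable" : "NOT acceptable",
               is_acceptable(after)    ? "acceptable" : "NOT acceptable");
    }
    printf("still unacceptable: %d\n", count_unacceptable(risks, mits, 3));
    return 0;
}
```

Note that the clamp in apply_mitigation keeps a lowered parameter on the scale, and that a severity-lowering control such as a failure detection system can still leave a risk unacceptable if the probability column alone puts it in a red cell; that is why re-evaluation, not the existence of a control, decides acceptance.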
4.2 Testing of mitigation measures
In this section, the results from the verification of mitigations 5, 6 and 7 are presented. Additionally, the process and the tool used for the verification are explained, as this helps to answer the last research question regarding the suitability of a fault injection system in this phase of the risk management. This is the very last step in the risk management before designing the device, and all the verified control measures must be included as an input to the design.
4.2.1 Design of the Fault Injection System
The first step when verifying mitigation measures is to design and develop a system which is able to replicate the system under study, monitor the main parameters of the system and study its behaviour when a hazardous situation occurs.
Our solution is a Fault Injection System in which the main functions of the device are replicated and an additional system to inject failures is inserted. Moreover, a communication channel is implemented to enable the monitoring of the main parameters of the system and the analysis of its behaviour.
The designed system replicates the main components of the system under study, and its main functionalities are:
• The system should replicate the motor-encoder system in charge of pushing the drug from the cartridge to the dispenser.
• The system should be able to simulate the action of a patient pressing a button to initiate the process of dose administration.
• The system should have a way to modify external variables such as the amount of dose prescribed by the doctor.
• The system should have a method to inject the selected failures into the system.
• The system should have a communication channel to monitor the variables and parameters of interest.
In short, the system should start when a person presses the start button. Then, the motor should start rotating at the desired speed; the desired speed is the variable simulating the prescribed dose. While the motor is running, failures can be injected. Finally, the researcher can see whether the system is able to detect the failures and stop, as required by the safety specifications, or whether it shows an undesired and unsafe behaviour.
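A host-side model of the fault-injection bench just described, as an added example in C; it is not the thesis's STM32F407G firmware. The plant model, the three injectable faults (which correspond to R5, R6 and R7 in Table 4.5), the detection thresholds and the signal and state names are assumptions chosen for illustration. The controller side implements the behaviour the Failure Detection System (M5 to M7) is verified against: a silent encoder, a failed potentiometer read or a missing controller heartbeat raises the alarm and latches the motor off, and run_scenario reports how many ticks after injection that happened, which is the figure a researcher would compare against the safety specification.

```c
/* Host-side simulation of a fault-injection bench (added example; not the
 * thesis's firmware).  Plant model, fault set and thresholds are ASSUMED. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    FAULT_NONE = 0,
    FAULT_ENCODER_SILENT,  /* cf. R5: no data received from the encoder */
    FAULT_POT_COMM_ERROR,  /* cf. R6: potentiometer communication error */
    FAULT_WIRE_BREAK       /* cf. R7: controller signal lost (wire breakage) */
} fault_t;
typedef enum { STATE_IDLE, STATE_RUNNING, STATE_STOPPED_FAULT } state_t;

/* What the controller sees each tick; the injector corrupts it first. */
typedef struct {
    uint32_t encoder_pulses;        /* pulses counted since the last tick */
    bool     pot_valid;             /* false when the potentiometer read failed */
    uint16_t pot_raw;               /* 12-bit ADC value standing in for the dose */
    bool     controller_heartbeat;
} sample_t;

typedef struct {
    bool     start_button;          /* input: simulated patient button */
    uint16_t dose_setting;          /* input: prescribed dose (potentiometer) */
    bool     motor_on;              /* outputs to the DC motor */
    uint16_t motor_speed;
    bool     alarm;                 /* output: user alert */
    state_t  state;
    fault_t  detected;
    unsigned silent_ticks, pot_error_ticks, missed_heartbeats;
} device_t;

#define POT_RAW_MAX          4095u
#define ENCODER_SILENT_LIMIT 3u     /* ticks with motor on but no pulses */
#define POT_ERROR_LIMIT      2u
#define HEARTBEAT_LIMIT      2u

/* Healthy plant: a spinning motor yields pulses proportional to its speed. */
sample_t plant_sample(const device_t *d) {
    sample_t s = { .encoder_pulses = d->motor_on ? d->motor_speed / 10u : 0u,
                   .pot_valid = true, .pot_raw = d->dose_setting,
                   .controller_heartbeat = true };
    return s;
}

/* Fault injector: corrupt the healthy sample according to the chosen fault. */
sample_t inject_fault(sample_t s, fault_t f) {
    switch (f) {
    case FAULT_ENCODER_SILENT: s.encoder_pulses = 0; break;
    case FAULT_POT_COMM_ERROR: s.pot_valid = false; s.pot_raw = 0xFFFF; break;
    case FAULT_WIRE_BREAK:     s.controller_heartbeat = false; break;
    default: break;
    }
    return s;
}

static void stop_with_fault(device_t *d, fault_t f) {
    d->motor_on = false; d->motor_speed = 0;
    d->alarm = true; d->state = STATE_STOPPED_FAULT; d->detected = f;
}

/* One controller tick with the failure-detection logic (M5, M6, M7). */
void device_tick(device_t *d, sample_t s) {
    if (d->state == STATE_STOPPED_FAULT) return;        /* latched until reset */
    bool was_on = d->motor_on;
    if (d->state == STATE_IDLE && d->start_button) { d->state = STATE_RUNNING; d->motor_on = true; }
    /* M6: the potentiometer must answer with a plausible value. */
    if (!s.pot_valid || s.pot_raw > POT_RAW_MAX) d->pot_error_ticks++;
    else { d->pot_error_ticks = 0; d->motor_speed = s.pot_raw / 4u; }
    if (d->pot_error_ticks >= POT_ERROR_LIMIT) { stop_with_fault(d, FAULT_POT_COMM_ERROR); return; }
    /* M7: the controller heartbeat must keep arriving. */
    d->missed_heartbeats = s.controller_heartbeat ? 0 : d->missed_heartbeats + 1;
    if (d->missed_heartbeats >= HEARTBEAT_LIMIT) { stop_with_fault(d, FAULT_WIRE_BREAK); return; }
    /* M5: a motor that was running must have produced encoder pulses. */
    if (was_on) {
        d->silent_ticks = s.encoder_pulses == 0 ? d->silent_ticks + 1 : 0;
        if (d->silent_ticks >= ENCODER_SILENT_LIMIT) stop_with_fault(d, FAULT_ENCODER_SILENT);
    }
}

/* Press start, run healthy for fault_at ticks, then inject f until total_ticks.
 * Returns how many ticks after injection the device stopped, or -1 if it never did. */
int run_scenario(fault_t f, unsigned fault_at, unsigned total_ticks, device_t *out) {
    device_t d = { .start_button = true, .dose_setting = 2000u, .state = STATE_IDLE };
    int stopped_after = -1;
    for (unsigned t = 0; t < total_ticks; t++) {
        sample_t s = plant_sample(&d);
        if (t >= fault_at) s = inject_fault(s, f);
        device_tick(&d, s);
        if (stopped_after < 0 && d.state == STATE_STOPPED_FAULT && t >= fault_at)
            stopped_after = (int)(t - fault_at) + 1;
    }
    if (out) *out = d;
    return stopped_after;
}

int main(void) {
    static const char *names[] = { "none", "encoder silent", "pot comm error", "wire break" };
    for (int f = FAULT_NONE; f <= FAULT_WIRE_BREAK; f++) {
        device_t d;
        int n = run_scenario((fault_t)f, 5, 20, &d);
        printf("%-15s -> %s (detected after %d ticks)\n", names[f],
               d.state == STATE_STOPPED_FAULT ? "motor stopped, alarm raised" : "still running", n);
    }
    return 0;
}
```

Two design choices matter for the verification: the fault state is latched, so a transiently recovering sensor cannot restart dosing on its own, and the encoder check uses the motor state at the start of the tick, so the first tick after pressing start does not count as a silent encoder (a false positive that would otherwise show up as a spurious stop in the bench results).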
According to the functional specifications, and as can be seen in figure 4.3, the designed system has:
• STM32F407G: micro-controller with the firmware controlling all the components as the medical device does, and with additional code for adapting the system to the fault injection system. This micro-controller receives and manages all the input signals (brown in the figure) so that the output signals (blue in the figure) controlling the motor are sent accordingly.
• Motor: DC-motor simulating the rotation of the motor in the medical device in charge of pushing the drug from the cartridge to the dispenser.