A hazard analysis method for systematic identification of safety requirements for user interface software in medical devices

© Springer International Publishing AG (outside the US) 2017. Formal methods technologies have the potential to verify the usability and safety of user interface (UI) software design in medical devices, enabling significant reductions in use errors and consequential safety incidents with such devices. This however depends on comprehensive and verifiable safety requirements to leverage these techniques for detecting and preventing flaws in UI software that can induce use errors. This paper presents a hazard analysis method that extends Leveson’s System Theoretic Process Analysis (STPA) with a comprehensive set of causal factor categories, so as to provide developers with clear guidelines for systematic identification of use-related hazards associated with medical devices, their causes embedded in UI software design, and safety requirements for mitigating such hazards. The method is evaluated with a case study on the Gantry-2 radiation therapy system, which demonstrates that (1) as compared to standard STPA, our method allowed us to identify more UI software design issues likely to cause use-related hazards; and (2) the identified UI software design issues facilitated the definition of precise, verifiable safety requirements for UI software, which could be readily formalized in verification tools such as Prototype Verification System (PVS).- U.S. Food and Drug Administration(NORTE-01-0145-FEDER-000016)Sandy Weininger (FDA), Scott Thiel (Navigant Consulting, Inc.), Michelle Jump (Stryker), Stefania Gnesi (ISTI/CNR) and the CHI+MED team (www.chi-med.ac.uk) provided useful feedback and inputs. Paolo Masci’s work is supported by the North Portugal Regional Operational Programme (NORTE 2020) under the PORTUGAL 2020 Partnership Agreement, and by the European Regional Development Fund (ERDF) within Project “NORTE-01-0145-FEDER-000016”.info:eu-repo/semantics/publishedVersio

Accident Investigation—Missed Opportunities

After paying the high price of an accident, we often miss opportunities to learn from it:• We find only a single cause, often the final triggering event. • We find only immediate causes and do not look for ways of avoiding the hazards or for weaknesses in the management system. • We list human error as a cause without saying what sort of error though different actions are needed to prevent those accidents due to ignorance, those due to slips or lapses of attention and those due to non-compliance. • We list causes we can do little about. • We change procedures rather than designs. • We do not help others to learn as much as they could from our experiences. • We forget the lessons learned and the accident happens again. We need better training, by describing accidents first rather than principles, as accidents grab our attention; we need discussion rather that lecturing, so that more is remembered; we need databases that can present relevant information without the user having to ask for it. Finally, we ask if legislation can produce improvements