
DEGREE PROJECT IN MEDICAL ENGINEERING, SECOND CYCLE, 30 CREDITS
STOCKHOLM, SWEDEN 2019

Risk Management in Medical Devices: Hazard Identification and Verification of Mitigation Controls

GISLÉ SEGURA ROCA

KTH ROYAL INSTITUTE OF TECHNOLOGY
SCHOOL OF ENGINEERING SCIENCES IN CHEMISTRY, BIOTECHNOLOGY AND HEALTH

Master in Medical Engineering

Date: March 15, 2020
Supervisor: Detlef Scholle
Examiner: Sebastiaan Meijer
Host company: Alten Sverige
Swedish title: Riskhantering i medicinska apparater: Identifiering och verifiering av risker för begränsningskontroller

Abstract
During this project, the risk management of a medical device under development that deals with drug administration has been carried out. The aim of the project is to evaluate whether part of the device is safe according to the current regulations in Sweden.
The complexity of risk management processes, particularly in healthcare, together with the lack of standardised methods for developing these kinds of processes, leads to a need for new tools that reduce the time, resources and complexity of this stage of development. That is why two tools have been used and tested in order to assess their suitability under medical device development regulation conditions: the Hazard Ontology (HO) and a Fault Injection System (FIS). HO is a novel tool used to identify all hazards and threats of a predefined system in a structured way. FIS, on the other hand, is a testing technique that supports the study of systems when they are under faulty conditions.
To ensure that the current regulations in Sweden regarding medical devices are fulfilled, EN ISO 14971 has been used as a guide for the methods applied during the work.
The results of the project are presented for every step of the process. The main result of the risk management process is a list of the mitigation measures that must be included as safety specifications of the device.
Both tools, HO and the FIS, have proven to be compatible with the current regulations as well as useful for the process. HO produced as output a list of the main hazards of the system, and the FIS has been used in the verification step of the mitigation measures. Three mitigation measures were chosen to test with the FIS. They deal with faults regarding a speed sensor, a potentiometer and the PWM signal controlling the motor. The mitigation measures have been verified for both the PWM signal and the potentiometer faults. However, a faulty condition that leads to unsafe behaviour has been found for the speed sensor.
Therefore, we demonstrated that the medical system under study still has many control measures to implement, verify or improve before it can be said to be a safe medical device.

Summary (translated from Swedish)
During this project, a risk management of medical equipment that handles medication has been carried out. The goal of the project is to evaluate whether the equipment is safe according to the Swedish regulations.
The complexity of the risk management process, especially in healthcare, together with the lack of standardised methods for developing these types of processes, leads to a need for new tools to reduce the time, resources and complexity in this stage of development. That is why two tools have been used and tested to assess their suitability under the regulatory conditions for medical equipment development: the Hazard Ontology (HO) and the Fault Injection System (FIS). HO is a new method used to identify all hazards and threats of an identified system in a structured way. FIS, on the other hand, is a testing technique whose purpose is to help study the system when it is under faulty conditions.
To ensure that the Swedish regulations concerning medical equipment are fulfilled, EN ISO 14971 has been used as a guide for the methods applied during the project.
The result of the project is visible for every step of the process. In the end, the main result of the risk management process is a list of the mitigating measures that must be included as the safety specification of the equipment.
Both tools, HO and FIS, have proven to be compatible with current regulations and useful for the process. HO gave us, as output, a list of the main hazards of the system, and FIS was used in the verification step of the mitigating measures. Three mitigation measures to test with FIS have been chosen. They address faults in a speed sensor, a potentiometer and the PWM signal that drives the motor. The mitigation measures have been verified for both the PWM signal and the potentiometer faults. However, a faulty condition that leads to unsafe behaviour has been found.
Thus we showed that the medical system under study still has many control measures to implement, verify or improve before it can be said to be a safe medical device.
Contents

1 Introduction . . . 1
1.1 Overview . . . 1
1.2 Research Questions . . . 2
1.3 Framework . . . 2
1.3.1 HEALTH 5G project . . . 3
1.3.2 AMASS project . . . 3
1.4 Report structure . . . 3

2 Background . . . 5
2.1 Drug therapy . . . 5
2.1.1 Drug therapy misuse: non-adherence and abuse . . . 6
2.1.2 Dose personalisation . . . 10
2.1.3 The medical device solution . . . 11
2.2 Safety and security . . . 12
2.2.1 Definitions . . . 12
2.2.2 State-of-the-art: Combined development life cycle for safety and security . . . 13
2.3 Contribution to the project . . . 16
2.3.1 Medical device simplification . . . 16
2.3.2 Development lifecycle simplification - Risk Management . . . 16

3 Methods . . . 18
3.1 ISO 14971 - Risk Management of Medical Devices . . . 18
3.1.1 Risk analysis . . . 20
3.1.2 Risk evaluation . . . 24
3.1.3 Risk control . . . 25
3.1.4 Evaluation of residual risk . . . 26
3.1.5 Production and post-production information . . . 26
3.2 Hazard Ontology tool . . . 26
3.2.1 System Description Formalisation . . . 27
3.2.2 Mishap Victim Identification . . . 27
3.2.3 Hazard Population . . . 28
3.2.4 Causes Exploration . . . 28
3.3 Fault Injection System . . . 28
3.4 Own contribution clarification . . . 29

4 Results . . . 30
4.1 Risk Management - Safety specification for the device . . . 30
4.1.1 Risk analysis . . . 31
4.1.2 Risk evaluation . . . 33
4.1.3 Risk control . . . 34
4.2 Testing of mitigation measures . . . 35
4.2.1 Design of the Fault Injection System . . . 35
4.2.2 Implementation . . . 37
4.2.3 Analysis . . . 40

5 Discussion and Conclusions . . . 45
5.1 Discussion . . . 45
5.1.1 Research question 1 . . . 45
5.1.2 Research question 2 and 3 . . . 47
5.1.3 Research question 4 . . . 48
5.2 Conclusions . . . 48

Bibliography . . . 50
List of Figures

2.1 Safety and Security development lifecycle. Figure from [21] . . . 15
2.2 Scaling-up from the figure 2.2. It defines the scope of the master thesis according to the State-of-art defined in the section 2.2.4. Picture extracted from [21]. . . . 17

3.1 Risk management process. Scheme of the main phases and main activities. Adaptation from [18] . . . 20
3.2 Scheme representing the definition of risk of a hazard with regards to probability and severity. Extracted from [18]. . . . 22
3.3 Table showing the definition for each level of probability and severity used during the project. Extracted from [18]. . . . 23
3.4 Table showing the final result of the risk estimation step. The risks found in the risk identification step are sorted according to their corresponding level of severity and probability. Extracted from [18]. . . . 23
3.5 Table presenting the expected results after the risk evaluation step. Risks sorted according to probability and severity and the threshold defining which risks are acceptable (white cells) and which ones are unacceptable (gray cells). Extracted from [18]. . . . 24

4.1 System Description Formalisation of the system under study. . . . 31
4.2 Image representing the hazard population step regarding the "Drug delivery" part of the medical device . . . 32
4.3 Schematic showing the main components of the Fault Injection System. . . . 37
4.4 Image from the front panel of the Fault Injection System. Many of the key components can be seen, such as the failure switches, the feedback LEDs, the USB for the communication, the potentiometer, the buttons and the outputs to sense the signals of the system. . . . 38
4.5 Front view of the Fault Injection System. Front panel with main control components on the top of the picture and motor, encoder and electronic circuits inside the box. . . . 39
4.6 Inside view of the Fault Injection System. There is the DC motor on the left, the encoder system in the middle and part of the electronic circuits in the top of the picture. . . . 39
4.7 Velocity variance in rpm of the motor when no failure is injected. . . . 40
4.8 Velocity variance in rpm of the motor when speed sensor failure is injected after approximately 4.2 seconds from the start. . . . 41
4.9 Velocity variance in rpm of the motor when speed sensor failure is injected from the very beginning. . . . 42
4.10 Velocity variance in rpm of the motor when potentiometer failure is injected after approximately 6.5 seconds from the start. . . . 43
4.11 Velocity variance in rpm of the motor when PWM signal failure is injected after approximately 8 seconds from the start. . . . 43
List of Tables

2.1 Current strategies and solutions for measuring adherence to medication . . . 9

4.1 List of identified mishap victims in step 2 from the HO. . . . 32
4.2 Results from "Risk identification" step. List of main causes found for the "Damaged mechanism" and "Incorrect instructions from processor" Harm TruthMakers. . . . 33
4.3 Results from "Risk estimation" step. . . . 33
4.4 Results from "Risk evaluation" step. . . . 34
4.5 Results from "Risk control" step. . . . 35
Chapter 1

Introduction

1.1 Overview
Drug therapy, or pharmacotherapy, is a broadly used term for the use of medication to treat a specific disease. While drugs can be categorised according to many parameters, all of them share several related problems such as non-adherence, interaction between medications, lack of efficacy, treatment duplication and inappropriate drug prescription. Despite the existence on the market of medical devices dealing with these kinds of issues, they have proven insufficient or inefficient. Additionally, patients tend to underestimate the importance of strictly following the prescription as well as to overestimate their adherence to the treatments [1, 2].
The goal of the master thesis project is to collaborate in a real-world project through the development of a medical device dealing with these problems: the OnDosis medical device. Since it is a project involving many resources and high complexity, the specific contribution had to be well delimited in order to fit the expectations of a master thesis project.
Like all medical devices, it is considered a safety-critical system. In other words, it is a system whose failure may lead to major consequences for people, equipment and/or the environment. Therefore, it is of foremost importance to be sure that these systems are safe, efficient and reliable. During this thesis, a risk analysis of the medical device is performed as part of the safety analysis. In addition, two innovative tools will be evaluated in order to see whether they are suitable for risk management according to the current regulations in Sweden.


1.2 Research Questions

As mentioned, the master thesis work is focused on the safety analysis of a medical device system using the state-of-the-art approach and some novel tools in the process. Therefore, the main research question to be answered is:

• Is a motor-encoder system safe in a medical device system dealing with drug delivery to patients according to the current regulations applying to Sweden?

During the process of answering the main research question, other questions will be answered that help keep the master thesis development on an appropriate course:

• What is the current state of the art regarding the risk analysis of medical systems?

• Is the Hazard Ontology tool appropriate for hazard identification in the risk management process according to the current regulations for medical devices in Sweden?

• Is a fault injection system suitable as the verification tool for mitigation controls in the risk management process of a medical device according to the current regulations for medical devices in Sweden?

1.3 Framework
The implementation of the project has been carried out within the facilities of Alten Sweden AB, an engineering and technology consultancy with extensive experience in medical technology. Therefore, it has been done in direct contact with experts with deep experience in similar projects, who contributed a wide variety of technical, material and human resources. During the process, the project has been supervised and guided by the Royal Institute of Technology (KTH) in Stockholm.
The master thesis project is framed within two larger European research projects in which the company collaborates: Health 5G and AMASS.

1.3.1 HEALTH 5G project

Health 5G is conducted by Celtic-Plus, a EUREKA Cluster focusing on ICT and telecommunications. It is a research project that started in December 2018 with a budget above 27 million Euros. The aim of this large project, according to its own definition, is "to identify novel use cases of eHealth that take advantage of 5G capabilities, study and develop 5G enablers for the use cases, develop and validate actual eHealth solutions in real environments and real 5G test networks, and disseminate and exploit the results" [3]. The project has identified three potentially relevant eHealth scenarios where 5G can be applied in healthcare: healthcare at home, the hospital environment of the future and emergency situations. The next step for Health 5G is to sharpen the scenarios and use cases in order to enhance the impact and results of the project. Alten is deeply involved in this project and collaborates with a company named OnDosis on the development of a medical device based on one of the above-mentioned scenarios: healthcare at home.

1.3.2 AMASS project

The AMASS project is a large project framed within the biggest European Union research programme ever, Horizon 2020. This EU programme is focused on three main aims: "make Europe into a world-class science performer, remove obstacles to innovation (such as expensive patenting) and innovate in the way public and private sectors work together" [4].
AMASS stands for Architecture-driven, Multi-concern and Seamless Assurance and Certification of Cyber-Physical Systems. As said before, it is framed within Horizon 2020 and it aims to help remove obstacles to innovation. The main goal of AMASS is to lower certification costs for cyber-physical systems (CPS) [5]. It will do so through the creation of a European-wide open source tool and a community for assurance and certification of CPS.

1.4 Report structure

This master thesis is structured into five chapters, including the present one, which is the introduction. The project is structured as follows:

• Chapter 2, Background: Explains the theoretical background needed to be able to follow the project.

• Chapter 3, Methods: States and explains the decisions made with regard to the implementation of the project.

• Chapter 4, Results: Presents the results from the work stated in Methods.

• Chapter 5, Discussion and Conclusions: Presents the discussion about the obtained results as well as the general conclusions drawn from the project.
Chapter 2

Background

In this chapter a thorough description of the required background knowledge is given. It is important to understand all the concepts explained here, since the master thesis work (both literature and practical), the discussion and the conclusions are based on them. The knowledge has been grouped into the following sections: "Drug therapy", "Safety and security" and "Contribution to the project".

2.1 Drug therapy

Drug therapy, or pharmacotherapy, is a broadly used term for the use of medication to treat a specific disease. It has applications in most fields of medicine and it can be classified according to different criteria, for instance the intended use. In line with this example, drugs can be listed, among other categories, as analgesic if they aim to relieve pain, anti-inflammatory if they reduce inflammatory effects and antipyretic if they aim to decrease fever. However, drug therapy has several related problems such as non-adherence, interaction between medications, lack of efficacy, treatment duplication and inappropriate drug prescription.
The main work in this master thesis is to perform a literature study and a safety analysis regarding a device that aims to deal with the biggest drug-related problems: adherence (or compliance), abuse and dosage personalisation. Although most patients are not aware of the importance of strictly following the prescription, these misuses lead to a significant decrease in the effectiveness of drug therapies [1]. That is why it is so important to deal with these problems, since patients tend to underestimate the relevance of sporadically missing a medication intake. Moreover, patients overrate their own adherence to the treatments [2]. The abuse problem is mostly related to medication treatments with addictive drugs. And, finally, dosage personalisation affects most patients receiving treatment, since the optimal dosage hardly ever matches the one available on the market when it comes to pill medication.

2.1.1 Drug therapy misuse: non-adherence and abuse

Definitions
The term "adherence" is not easy to define. Nowadays, it is used in most cases as a synonym for "compliance". While the second implies a lesser role for the patient, who is a subordinate of a physician that he should obey, "adherence" entails that both the doctor and the patient are on the same level and that they take shared decisions [6]. Regardless, in healthcare both terms refer to the same problem. In most scientific articles, they concern the patient who takes at least 80% of the prescribed pills and hence they are understood as a binary variable (adherent or non-adherent). However, both terms can also be understood as a discrete variable with more than two possible values, and a patient can be classified, for instance, as partially adherent or can be assigned a specific percentage [7]. Since both terms address the same problem, in this report the term "adherence" will always be used when referring to this specific problem. Adherence is one of the most important and the most common drug-related problem according to [7]. To visualise the magnitude of the problem, the World Health Organisation (WHO) stated that "increasing the effectiveness of adherence interventions may have a far greater impact on the health of the population than any improvement in specific medical treatment" [8]. There are several risk factors for non-adherence, such as age, gender or the medication itself. However, the major predictor of non-adherence is the number of medications prescribed. An increase in the number of medications that a patient must take is directly related to an increase in the probability of being non-adherent to the treatment [9]. Another related factor that can affect drug therapy performance in a similar way, according to [medication compliance and persistence], is persistence, which can be defined as the act of continuing the prescribed treatment for the entire duration of the therapy. While adherence refers to how well patients follow the therapy, persistence refers to how long patients follow the treatment with a minimum level of adherence.
On the other hand, there is another way to fail at following the prescription. Drug abuse is the other major problem in patients with drug therapy at home. It is defined as exceeding the intake prescribed by the physician, whether by accident or for other reasons. One of the biggest risk factors, and where special control must be placed, is patients under therapy with addictive drugs, since patients can become dependent on them. Abuse is also included as a non-adherence behaviour in the literature on this topic [2].

Impact
As can easily be deduced, non-adherence, non-persistence and abuse all have a great impact on the patient's therapy. Specifically, non-adherence and lack of persistence lead to an increase in mortality and morbidity from a large variety of diseases and, moreover, to an increase in the healthcare cost of the patients [10].
Regarding the economic impact of non-adherence, while it has been widely proven that non-adherence is highly correlated with a cost increase for the healthcare system, it is important to consider each case separately. For instance, the overall expenses related to medication non-adherence are approximately US$100 billion in the USA, US$1.5 billion in Europe and US$7 billion in Australia [11][economic impact].

Risk factors
Like all medical conditions, these drug-related problems have risk factors that make it easier to identify the group of patients with the highest probability of non-adherence or abuse of medication. Physicians use the risk group to prevent patients from experiencing the problems through interventions that promote adherence and avoid abuse. According to recent literature on the main predictors and risk factors for non-adherence to medical treatment, they can be sorted into patient factors, prescriber factors, shared factors and system factors [2, 1, 12]. Patient factors are those related to features that belong to the patient and that cannot be changed by any of the healthcare actors, such as age and disease. Prescriber factors are related to the prescriber side of the therapy, for instance poly-pharmacy and the complexity of the treatment. The shared factors concern issues such as lack of trust from the patient and poor communication. Finally, there are system factors, which can be as important as the others. Clear examples are healthcare accessibility and drug costs.

Measurement and quantification techniques

Moreover, the complexity of the problem also concerns the challenges in the measurement and quantification of adherence to medication. Measures of medication usage have been impeded by the absence of uniform standards in the field. There are several quantification methods with many subjective parameters that have been used over time with no normalisation in the scientific community [13, 2]. No method has been considered the gold standard for adherence quantification; all of them have advantages and disadvantages and vary in cost, validity and feasibility.
As presented in Table 2.2, methods for measuring adherence can be sorted into two groups: direct and indirect measures [14]. In general, direct methods are expensive and require considerable time from healthcare providers. However, they are the most accurate, even if they can sometimes be distorted by patients. Directly observed intake of medication and measurement of biologic markers are examples of direct methods. On the other hand, indirect methods include patient self-report, pill counts, patient questionnaires, reviewing rates of prescription refills, measuring physiologic markers and electronic medication monitoring systems, among others. Indirect methods are generally noticeably easier to implement in real-life situations than direct methods, but most of them rely on the patient's objectivity. That is why they often lead to misrepresentation of results and overestimation of the patient's adherence by healthcare providers [1].

Current strategies and solutions for measuring adherence to medication [1, 2, 6, 14]

Solution | Advantage | Disadvantage

Direct measures
Directly observed therapy | Best accuracy | Unfeasible in most situations
Measurement of biologic marker | Objective | Expensive, not always accurate

Indirect measures
Patient self-report | Inexpensive, easiest to implement | Highly subjective and possible errors
Pill counts | Objective, quantifiable, easy to implement | Highly subjective and possible errors
Rates of prescription refills | Objective, easy to obtain | Not directly related to medication intake, closed pharmacy system required
Measurement of physiologic markers | Easy to implement | Markers may vary due to other reasons
Electronic medication monitoring systems | High precision, time monitoring | Expensive, not easy to implement

Table 2.1: Current strategies and solutions for measuring adherence to medication

The most commonly used method to assess adherence to medication has been patient questioning. This method is highly subjective and depends on the ability of the physician to perform the questionnaire. Pill counting is the second most broadly used method for quantification of adherence. It is one of the simplest methods and the easiest to interpret. However, it is subject to several potential issues, since patients can make many errors (intentional and unintentional) that would go unnoticed by the healthcare provider. Moreover, this method does not provide any information about the timing of the dose intake, which is an important parameter for clinical outcomes. The most accurate method is electronic monitoring, because it is able to record whether a dose has been administered as well as its timing. The main drawback is that it is still an indirect method that cannot certify that the patient has really ingested the dose nor that the administered dose was correct. In addition, it is the most expensive indirect method and requires technical equipment. As has been explained, there is no gold standard for measuring medication intake, since each method has its own drawbacks and each one can be suitable in different situations. Nevertheless, a mixture of measures can maximise the accuracy of the adherence quantification.

2.1.2 Dose personalisation

Personalised medicine is a broad concept that includes many factors and does not have a clear definition. One approach to the definition is connected to genomics and the personalised response that patients have to a specific drug or external agent. However, this approach does not take into account important aspects such as the delivery of the active molecule [15]. Other approaches argue that personalised drug therapy must be more than just improving the match to the genetic profile of the patient; it should also embrace the whole system of delivery of these drugs, for instance individualised dosing delivery systems.
There are many other factors in drug therapy that can impact the outcome of a medication treatment. Among them, dose and dosage should be highlighted as the ones with the highest repercussion. According to the American Medical Association (AMA) Manual of Style, dose and dosage refer to clearly differentiated concepts. Dose is defined as "the amount of medication taken at one specific time". On the other hand, dosage refers to the "prescribed administration of a specific amount, number and frequency of doses over a specific period of time". In short, a dosage is the amount of medication (dose) that has to be taken with a certain frequency during a certain period of time.
As an example of the problems we have nowadays in personalising drug doses, mass manufacturers of solid doses establish the specific amount of medication in each pill based on the amount that produces a therapeutic effect in the greatest segment of the population. As a clear example, a manufacturer would choose for mass production a dose with a beneficial effect in 64% of the population rather than a smaller amount that has fewer adverse effects but a beneficial effect in 54% of the population. Other examples can be found where particular patients do not obtain a beneficial effect with a certain dose and suffer inadmissible adverse effects with the immediately higher dose available on the market.
Current solutions for the dosage problems do not lead to optimal results. For instance, regarding solid dosage forms, it is possible to personalise using a splitting technique. However, the existing techniques lead to high variability in the amount of medication in each of the split parts. It has been proven that, with current techniques, pharmacists are not able to split tablets in a way that gives the resulting medication an acceptable dose variation [16]. On the other hand, liquid dosage forms have been prepared for better personalised dose administration. Volume is usually measured using tools provided by the manufacturer. However, these tools come with several difficulties and errors leading to inaccurate personalisation of the dose. Moreover, it also requires skill to be as accurate as possible.
A clear indicator of the importance of finding a better solution for this problem is that the prevalence of adverse effects due to untailored drug therapy has been calculated to be from 75 to 85% [7].

2.1.3 The medical device solution


As it is mentioned in the introduction chapter, the medical device that is
analysed in this project is a product under development that aims to give a
solution to all, or most, of these problems explained in the section. A short
description of the main functions of the device and how they deal with the
main problems regarding drug therapy is listed below:

• Adherence: the device includes a reminder system that can even be connected
to the patient's smartphone so that the timing of the drug intake is not
missed. Moreover, it is easy to use and helps to simplify the treatment,
thereby reducing one of the main risk factors for poor adherence, the
complexity of the treatment.

• Abuse: the device will drastically reduce the probability of abuse, since it
will only deliver the prescribed amount at the appropriate time.

• Monitoring: it will have a communication system that lets the healthcare
system know in real time whether the patient is complying with the prescribed
treatment. It will be more objective than most current monitoring techniques
and will help doctors understand the level of adherence of their patients.

• Dose personalisation: the device will be able to deliver a different amount
of drug to each patient. It will have a delivery system that creates the pill
every time a dose is needed, from a cartridge in which the drug is stored.
Dose personalisation will also help adherence, since it will reduce the side
effects that some patients suffer because of the lack of dose personalisation.

2.2 Safety and security


2.2.1 Definitions
In this subsection, several concepts are defined according to "Dependability:
Basic Concepts and Terminology" (J.-C. Laprie et al.) and other sources, in
order to set out the basic concepts needed to understand the subsequent
description of safety and security approaches.

• Dependability: trustworthiness of a system such that reliance can be
justifiably placed on the service it delivers.

• Safety: dependability with respect to the non-occurrence of catastrophic
failures.

• Security: dependability with respect to the prevention of unauthorized
access or information handling (deliberate action).

• Reliability: dependability with respect to continuity of service (time to
failure, probability).

• Integrity: property of data, information and software of being accurate and
complete and of not having been improperly modified.

• Availability: property of data, information and systems of being accessible
and usable on a timely basis in the expected manner; assurance that
information will be available when needed [17].

• Confidentiality: property of data, information or system structures of being
accessible only to authorized persons and entities, and of being processed at
authorized times and in the authorized manner, thereby helping to ensure data
and system security [17].

• Safety-critical systems: a safety-critical or life-critical system is a
system whose failure or malfunction may result in one (or more) of the
following outcomes:

– death or serious injury to people

– loss or severe damage to equipment/property

– environmental harm

• Life-cycle: all phases in the life of a device, from initial conception to
final decommissioning and disposal [18].

• Cybersecurity: process of preventing unauthorized access, modification,
misuse or denial of use, or the unauthorized use of information that is stored
on, accessed by, or transferred from a device to an external recipient [17].

• Threat: any circumstance or event with the potential to adversely impact the
device or system [19].

2.2.2 State-of-the-art: Combined development life cycle for safety and security

There are several requirements that a combined safety and security development
life cycle should fulfil. These requirements, taken from [20, 21, 22], are
listed below. Afterwards, the main activities of a combined approach according
to [21] are presented.

• The development cycle should be generic, not dependent on a specific domain.

• Security activities should be integrated into already existing safety
lifecycles, because most cyber-physical systems (CPS) must be developed under
safety standards.

• Safety and security should be considered synchronously, not sequentially.

• Safety and security should be synchronised in order to identify conflicts
between them.

• The lifecycle should be designed in a way that supports automation.

Taking into consideration both the list of requirements that a combined
approach should meet and the main activities and phases of security and safety
development lifecycles, the combined development lifecycle is shown in figure
2.1 below. It is a scheme consisting of the main activities that the process
should have (inside rectangles) and the artefacts produced by these activities
(rectangles with a folded corner). Additionally, red arrows represent the inputs
of the activities and green arrows indicate outputs.
Thereupon, the most important groups of activities are listed with a short
clarification of some important details:

1. Initiation: information and responsibilities collection for safety and
security.

2. Requirement: hazard, threat and risk analysis from a shared point of view.
However, the requirements documentation should be done separately.

3. Design: allocation and consolidation of both sets of requirements, safety
and security. Check whether there is overlap, conflict or no influence between
them. The design of the system architecture is iterative and is combined with
verification processes to check whether the requirements are fulfilled.

4. Realisation: implement a safe and secure system. Test whether it follows
the specifications and requirements defined previously.

5. Operation: documentation of critical events, monitoring of risks and
analysis of incidents, in order to improve and modify the safety and security
of the system.

6. Decommission: the system is disposed of in a safe and secure way. The data
should also be securely saved or erased.

Figure 2.1: Safety and Security development lifecycle. Figure from [21]

2.3 Contribution to the project


Obviously, performing the whole safety lifecycle of the described medical
device would be a huge amount of work, requiring a great deal of resources such
as time, knowledge and manpower with many different skills. Since this is a
master thesis, the work has been focused on the particular phases that could
help answer the defined research questions.
Therefore, some delimitation regarding the medical device and the safety
lifecycle has been made.

2.3.1 Medical device simplification


To analyse all the components of the medical device with all their complexity
and relations would require managing a huge amount of data throughout the
project. Additionally, it would take too much time for a master thesis.
Therefore, a simplification of the medical device was made: we selected one
component of the device and simplified the system around it.
The selected component is the DC motor in charge of pushing the drug from the
cartridge, where it is stored, to the dispenser, where the pill is created.
Apart from these components, there should be a button to allow the patient to
start the dose administration; a potentiometer, to allow the doctor to select a
target dosage; a microcontroller, to control the speed of the motor according
to the variables and parameters of the system; and an encoder sensor and wheel,
to sense the rotation of the motor and give a feedback signal.

2.3.2 Development lifecycle simplification - Risk Management

The safety and security lifecycle is a long process that is performed by a
large team of professionals over a considerable period of time; it is therefore
unfeasible to fit into a master thesis. Hence, the phase of the lifecycle most
appropriate for answering the research questions was selected: the risk
management process.
It can be found under the "Requirement" group of activities defined in the
state-of-the-art section 2.2.2. A scaled-up view can be found in figure 2.2
below. The activity gives as an output a list of the main potential hazards and
threats, which is then used as the input to define the system requirements for
both safety and security.

Additionally, the master thesis project covers part of the "Design" group of
activities. Specifically, the output from the previous activities is used to
define the control measures that are part of the safety and security
specifications. Finally, these control measures are verified, as shown in the
scaled-up view in figure 2.2.

Figure 2.2: Scaled-up view of figure 2.1. It defines the scope of the master
thesis according to the state-of-the-art described in section 2.2.2. Picture
extracted from [21].
Chapter 3

Methods

As stated in the previous chapters, the main goal of this thesis is to answer
the defined research questions. In order to do that, the following methods were
defined according to the goal of the project and the delimitation present during
the research.
As one of the main requirements was to conform to the current regulations in
Sweden, all the methods are closely related to one of the main standards
dealing with the safety of medical devices, specifically risk management:
"EN ISO 14971 - Risk Management for Medical Devices" [18]. In doing so, we
ensure that the answer to the main research question complies with the most
demanding regulations of the sector and, hence, is a valid answer for our
purposes.
Moreover, it will help us discern whether the novel tools applied during the
research are suitable under the current regulations for medical devices in
Sweden. Therefore, the secondary research questions will be answered
accordingly.

3.1 ISO 14971 - Risk Management of Medical Devices
As we have seen, ISO 14971 is an important document that guides most of our
methods. Therefore, it is vital to describe the knowledge in it that is applied
to the project.
First of all, we describe the basic terminology used in ISO 14971 (and hence
in this project), so that the meaning of the most important concepts is clearly
defined.


• Risk: according to the standard, a risk is the combination of the
probability of occurrence of harm and the severity of that harm.

• Risk management: systematic application of management policies, procedures
and practices to the tasks of analysing, evaluating, controlling and
monitoring risk.

• Hazard: a hazard is the potential source of harm.

• Harm: physical injury or damage to the health of people, or damage to
property or the environment.

• Safe medical device: a medical device that is free from unacceptable
residual risk.

• Residual risk: risk remaining after risk control measures have been taken.

• Severity: measure of the possible consequences of a hazard.

How to assess the probability and severity, and whether a risk is acceptable or
not, is explained below, where the risk management process according to the
international standard is described.
As shown in figure 3.1, and according to the information provided in ISO
14971, there are five main steps in the risk management cycle that have to be
considered: risk analysis, risk evaluation, risk control, evaluation of
residual risk and, finally, production and post-production information.
Only the first three steps were considered in this project, since the fourth
requires deeper research and the fifth requires post-market information about
the medical device. The deeper research was not an option due to time
limitations, and post-market information is impossible to obtain for a device
that is still under development. However, a brief explanation of all the steps
is provided anyway, to give a general overview of the whole risk management
process.

Figure 3.1: Risk management process. Scheme of the main phases and main
activities. Adaptation from [18]

3.1.1 Risk analysis


The risk analysis is defined as the systematic use of available information
to identify hazards and to estimate the risk. Therefore, it consists of two main
phases: hazard identification and risk estimation.

Hazard identification
Regarding hazard identification, some guidance is given in the standard.
Nevertheless, the guidelines are only recommendations and it is up to the
organization to choose the methodology for this step. The main techniques
recommended are Preliminary Hazard Analysis (PHA), Fault Tree Analysis (FTA),
Failure Mode and Effects Analysis (FMEA) and Hazard and Operability Study
(HAZOP). PHA is used early in the development process to identify the hazards
and events that can lead to harm. FTA is used for the identification and
prioritisation of hazards and for analysing their adverse events. FMEA is
commonly used in more advanced stages of the design and deals with identifying
the effects or consequences of the failure of individual components. Finally,
HAZOP is useful for verifying and optimising design concepts or changes;
therefore, it is used in later stages of the development.
However, as explained in the introduction and background, a novel tool will be
applied to identify the hazards that will then be analysed during the risk
management process. This tool is an Ontological Approach to Safety Analysis of
Safety-Critical Systems [23]. The technique, named Hazard Ontology (HO), was
developed by Jiale Zhou at Mälardalen University, Sweden, in 2017. The main
motivation for developing such a tool was that current practice in the early
stages of safety analysis lacked a common, standardised approach; therefore, in
most cases, hazards and their causes are identified according to the intuition
and experience of the analysts. The HO solution proposes an ontological
interpretation of the hazard concept, an approach to identify hazards in early
stages of development, an approach to identify the causes of given hazards and
a heuristic approach to safety requirements elicitation. All the steps of the
HO used in this project are described in section 3.2 below. After applying this
tool, we have a list of the main hazards of the system and their causes, which
are the risks analysed in the following steps.

Risk estimation
As explained in the beginning of the section, a risk is the combination of
both the probability of the hazard and the severity of the corresponding harm.
Hence, the risk estimation step is defined in the standard as the process used
to assign values to the probability of occurrence of harm and the severity of
that harm.
Several methods can be used to estimate risks. Even though the international
standard does not require a specific method for this step, it requires that
risk estimation be performed. Quantitative methods are preferable when proper
data are available; qualitative methods can suffice when no suitable data are
available.
Regarding probability estimation, some advice is given in the standard, for
instance a list of recommended approaches: prediction of probabilities using
analytical or simulation techniques; use of experimental data; reliability
estimates; production data; post-production information; and use of expert
judgement. To increase confidence in the results, a combination of approaches
is recommended.
Moreover, according to the standard, medical devices cause harm when a sequence
of events occurs that results in a hazardous situation, which in turn may cause
harm. A hazardous situation is a circumstance in which people, property or the
environment are exposed to a hazard. Therefore, as can be clearly seen in
figure 3.2, the probability of harm is the combination of two probabilities:
the probability of the hazardous situation occurring, i.e. of exposure to the
hazard (P1), and the probability of the hazardous situation leading to harm
(P2); the standard combines them as P = P1 × P2.

Figure 3.2: Scheme representing the definition of risk of a hazard with regards
to probability and severity. Extracted from [18].

On the other hand, some recommendations are given regarding estimating the
severity of harm. Although severity is a continuous variable, it is encouraged
to use a discrete number of severity levels. Both descriptive and symbolic
levels are suitable, as long as they are explicitly defined.
As has been shown, many methods can be used for this step and it is up to the
manufacturer to choose which one to use. In this project, based on an example
given in the standard, a qualitative method is used for probability estimation.
Three levels of probability were defined: low, medium and high. Then, all risks
were classified based on the recommendations stated in the ISO standard.
Regarding severity, three discrete levels were defined as well: negligible,
moderate and significant. The definitions for each of the levels can be found
in figure 3.3 below.

Figure 3.3: Table showing the definition for each level of probability and sever-
ity used during the project. Extracted from [18].

A 3x3 risk matrix is then produced using probability as rows and severity of
the harm as columns. Then, the risks found in the previous step (R1, R2, R3,
...) are placed in the cell corresponding to the level of severity and
probability assigned to each of them.
An example of a possible result is shown in figure 3.4.

Figure 3.4: Table showing the final result of the risk estimation step. The risks
found in the risk identification step are sorted according to their corresponding
level of severity and probability. Extracted from [18].

3.1.2 Risk evaluation


After the risk estimation, the next step is to determine the acceptability of
the estimated risks. This is done by comparing the estimated risks against
given risk criteria. The ISO standard does not state particular acceptable risk
criteria; the decision is up to the manufacturer. However, some methods to
determine acceptable risk are defined. These methods are the following:

• Using other appropriate standards that define requirements which, if
implemented, assure acceptability regarding a specific type of medical device
or particular risks.

• Contrasting equivalent levels of risk from other medical devices already on
the market.

• Considering clinical study data (especially for new technologies or new
intended uses).

• Using results of accepted scientific research.

A common way, described in the standard, to apply the acceptability criteria is
to use the matrix created in the previous step, risk estimation. That is, to
determine which combinations of probability and severity are acceptable and
which ones are unacceptable. An example can be seen in figure 3.5 below.

Figure 3.5: Table presenting the expected results after risk evaluation step.
Risks sorted according to probability and severity and the threshold defining
which risks are acceptable (white cells) and which ones are unacceptable (gray
cells). Extracted from [18].

3.1.3 Risk control


According to ISO 14971, risk control is the "process in which decisions are
made and measures implemented by which risks are reduced to, or maintained
within, specified levels".
For those risks that lie above the acceptability threshold, control measures
are required in order to lower the risk until it is acceptable. Risk control
measures aim to reduce the severity of the harm, the probability associated
with this harm, or both.
No specific control measure is suggested, but there is a mandatory priority
order for the kinds of controls that shall be applied. The three control
options listed are: inherent safety by design, protective measures and
information for safety.
Inherent safety must be attempted first; it corresponds to controls that
eliminate a particular hazard, reduce the probability of occurrence of the harm
or reduce the severity of the harm. Protective measures are controls such as
safety valves, protective gloves or alarms that alert the operator to a
hazardous situation. Finally, regarding information for safety, some of the
most commonly used approaches are: warnings on the medical device, restricting
the use or the circumstances of use of the medical device, alerting about
inappropriate use, hazards that can occur or other information that can reduce
risk, and similar. It is important to note that information for safety cannot
be used to justify lowering either the probability or the severity in the risk
estimate.
In many situations, there are standards that help the manufacturer by
simplifying the task of risk control; some standards address the control
measures for a specific kind of medical device. However, the final
responsibility for the acceptability of the risk always rests with the
manufacturer.
Finally, in the risk control phase, two different verification procedures are
required. The first is to ensure that the control measure is actually
implemented in the final design. The second is to demonstrate that the control
measure reduces the risk, i.e., that it works as expected.
It is in this verification step that the second novel tool under study is
applied. It consists of a fault injection system that replicates part of the
medical device. Then, failures are injected to check whether the system behaves
according to the expected behaviour or shows unacceptably unsafe behaviour. If
it behaves as expected, the risk is reduced and can be accepted; otherwise,
additional control measures are required. An explanation of the system can be
found in section 3.3 below.
When control measures are accepted, they become inputs for the design and are
included as safety specifications.

3.1.4 Evaluation of residual risk


Once risk control measures are implemented, the remaining risk for the same
hazard should be evaluated again. This remaining risk is called the residual
risk.
If the residual risk after the applied control measures is still not
acceptable, further risk control measures must be applied. Notice that this is
an iterative process that should stop when the residual risk is judged
acceptable.
However, there can be situations where the residual risk is not judged
acceptable and further control measures are not feasible. In this specific
case, the manufacturer can collect information to determine whether the
benefits of the medical device outweigh the residual risk. If they do, the
development of the medical device can proceed; otherwise, the residual risk
remains unacceptable.

3.1.5 Production and post-production information


The last step is to design and implement a system to collect and review
information regarding the medical device, or similar devices in the market, in
the production and post-production stage.
According to the standard, the information is relevant, above all, in two
specific situations:

• if previously unrecognised hazards or hazardous situations are present, or

• if the estimated risk(s) arising from a hazardous situation is/are no longer
acceptable.

When some of the above situations occur, the information should be fed
as input of a new iteration in the risk management process. Therefore, new
changes in the design or other control measures can be implemented during
the post-production stage.

3.2 Hazard Ontology tool


The Hazard Ontology (HO) [23] is a tool used for the identification of hazards
in a predefined system or device. Before describing the steps of the HO to
identify hazards and their causes, a few concepts must be defined:

• Kind: a rigid object, i.e., an object that belongs to its kind in every
possible situation.

• Role: a non-rigid object.

• Relator: a relation of mediation between non-rigid objects.

A good example of the difference between kind and role is the situation of
being a "person" and a "pilot". A person is necessarily a person throughout
their whole existence. However, a pilot stops being a pilot when he/she leaves
the plane. Therefore, "person" is a kind and "pilot" is a role that can be
played by the person. On the other hand, if we consider "plane" as another
kind and "being piloted" as a role that it plays, then "piloting" can be
considered the relator connecting them.

3.2.1 System Description Formalisation


The first step consists of describing the whole system under analysis in terms
of the object types explained above, that is, identifying all the kinds, roles
and relators of the system to be considered. The System Description
Formalisation can be done in four steps:

1. Identify all kind and role objects of the system.

2. For each kind obtained in 1), identify all the roles it can play.

3. For each role from 1), identify the relators that connect this role with
all the other suitable roles.

4. For each role obtained in 1), 2) and 3), identify all the kinds that can
play this role.

3.2.2 Mishap Victim Identification


The second step is the identification of all the mishap victims that the system
described in the previous step can have. Mishap victims are roles that have the
potential to receive damage or injuries.
Furthermore, a list of the possible harms that each victim can suffer is
compiled, for instance physical damage, fatal illness, explosion, chemical
damage, etc.

3.2.3 Hazard Population


The third step consists of brainstorming hazardous situations that can harm the
mishap victims identified in the second step. The following steps describe how
to find and populate a list of hazardous situations based on the previous work
from sections 3.2.1 and 3.2.2:

1. Choose one mishap victim from step 3.2.2.

2. Select the kind objects playing that mishap victim role, the relators
connected to the chosen victim and the roles connected to those relators, all
of them taken from the system described in 3.2.1.

3. For each role from the previous step, find dispositions. If a disposition
is present, the mishap victim can suffer a harm. Additionally, name the roles
Hazard Elements, the dispositions Harm TruthMakers and the relator Exposure.

4. For each Hazard Element from 3), identify the kinds that can play it. They
are identified as environmental objects.

5. Finally, go back to step 1 with the next victim, until all of them have
been analysed.

3.2.4 Causes Exploration


The fourth and last step consists of finding the possible causes for each of
the populated hazards. In order to do that, the pre-initiating events for each
Harm TruthMaker are identified.
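The four HO steps above, executed on a small model, as an added example that is not part of the thesis or of the Hazard Ontology work in [23]. The model is a constructed fragment of the simplified device of section 2.3.1: the kinds, roles and relators, the disposition names of the "push drug" hazard element and the causes R1 to R7 follow the wording used in the results chapter, but the particular assignment of roles to kinds and the relator names are assumptions. The populate() method implements steps 1 to 4 of section 3.2.3 for one mishap victim, populate_all() is step 5, and causes are attached to Harm TruthMakers as in section 3.2.4.

```python
"""Hazard population over a small Hazard Ontology model.

Added example, not code from the thesis or from the HO authors. The drug
delivery fragment below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Relator:
    """Mediation between roles, e.g. 'piloting' between 'pilot' and 'being piloted'."""
    name: str
    roles: frozenset


@dataclass
class Ontology:
    kinds: dict = field(default_factory=dict)          # kind -> set of roles it can play
    relators: list = field(default_factory=list)
    dispositions: dict = field(default_factory=dict)   # role -> list of Harm TruthMakers
    causes: dict = field(default_factory=dict)         # Harm TruthMaker -> pre-initiating events

    def add_kind(self, kind, roles):
        """Steps 1 and 2 of the System Description Formalisation."""
        self.kinds.setdefault(kind, set()).update(roles)

    def add_relator(self, name, roles):
        """Step 3: a relator connecting two or more roles."""
        self.relators.append(Relator(name, frozenset(roles)))

    def players(self, role):
        """Step 4: the kinds that can play a given role."""
        return sorted(kind for kind, roles in self.kinds.items() if role in roles)

    def populate(self, victim):
        """Hazard Population (section 3.2.3), steps 1 to 4, for one mishap victim."""
        hazards = []
        for rel in self.relators:                      # step 2: relators touching the victim
            if victim not in rel.roles:
                continue
            for role in sorted(rel.roles - {victim}):   # roles connected through the relator
                truthmakers = self.dispositions.get(role, [])
                if not truthmakers:                    # step 3: no disposition, no hazard
                    continue
                hazards.append({
                    "victim": victim,
                    "victim_kinds": self.players(victim),
                    "exposure": rel.name,                         # the relator
                    "hazard_element": role,                       # the connected role
                    "environmental_objects": self.players(role),  # step 4
                    "harm_truthmakers": list(truthmakers),
                    "causes": {t: list(self.causes.get(t, [])) for t in truthmakers},
                })
        return hazards


def populate_all(ontology, victims):
    """Step 5: repeat for every identified mishap victim."""
    return [h for v in victims for h in ontology.populate(v)]


def build_drug_delivery_model():
    """Constructed fragment of the simplified device of section 2.3.1 (assumed)."""
    o = Ontology()
    o.add_kind("drug", {"being pushed", "being consumed"})
    o.add_kind("DC motor", {"push drug", "being controlled", "electricity consumer"})
    o.add_kind("microcontroller", {"control motor", "receive information"})
    o.add_kind("patient", {"consume drug", "receive information"})
    o.add_relator("drug delivery", {"push drug", "being pushed"})
    o.add_relator("motor control", {"control motor", "being controlled"})
    o.add_relator("drug intake", {"consume drug", "being consumed"})
    # Harm TruthMakers of the "push drug" hazard element and their causes (Table 4.2 wording)
    o.dispositions["push drug"] = ["Damaged mechanism", "Incorrect instructions from processor"]
    o.causes["Damaged mechanism"] = [
        "R1: Failure during manufacturing",
        "R2: Physical damage due to deterioration",
        "R3: Physical damage due to hit or strong acceleration",
    ]
    o.causes["Incorrect instructions from processor"] = [
        "R4: Lack of signal from the processor due to wire breakage",
        "R5: Lack of signal from the processor due to lack of power supply",
        "R6: Incorrect signal due to system deterioration",
        "R7: Incorrect signal due to wrong data from sensors",
    ]
    return o


if __name__ == "__main__":
    model = build_drug_delivery_model()
    for h in populate_all(model, ["being pushed", "being consumed"]):
        print(f'{h["victim"]} ({h["victim_kinds"]}) exposed via "{h["exposure"]}" '
              f'to "{h["hazard_element"]}" played by {h["environmental_objects"]}')
        for truthmaker, causes in h["causes"].items():
            print("  ", truthmaker, "<-", causes)
```

Running the model yields one hazard for the victim "being pushed" (exposure "drug delivery", hazard element "push drug" played by the DC motor, with its two Harm TruthMakers and seven causes) and none for "being consumed", because the connected role "consume drug" has no disposition recorded; adding dispositions to more roles is how the list grows to the hundreds of risks mentioned in the results.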

3.3 Fault Injection System


As explained, this system aims to help with the verification of the control
measures defined in the risk control step of the risk management process.
Since it depends entirely on the control measures to be verified, there is no
predefined or standard way to design the system. However, there are three
mandatory requirements. The system must:
- replicate the system under study;
- have a way to inject failures or failure modes into the replicated device;
- monitor all the vital parameters of the system that describe its behaviour
in terms of performance and safety.
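The three requirements above, realised as a small simulation, as an added example that is not the fault injection system built in this thesis. The replica is a simulated DC motor with an encoder; faults are injected by name at a chosen control cycle (loss of power supply, a broken command wire and two wrong-data-from-sensor modes, echoing the causes R4, R5 and R7 of Table 4.2); and the monitor records the dose actually pushed, the final controller state and the detection latency. The control measure under test, a plausibility check between the commanded motion and the encoder counts over a window of cycles, is an assumption chosen for illustration and is not one of the mitigation measures of the thesis. Running the same fault with the check disabled shows the unsafe behaviour (overdose or silent underdose) that the check is meant to remove, which is the comparison the verification step of section 3.1.3 asks for.

```python
"""Fault injection harness for one assumed mitigation control.

Added example, not the thesis's fault injection system. Replica, faults and
the plausibility check are constructed for illustration.
"""
from dataclasses import dataclass

DT = 0.01  # control cycle period in seconds


@dataclass
class Replica:
    """Simulated motor and encoder (requirement 1). One unit of drug pushed
    produces counts_per_unit encoder counts. Faults are injected by name."""
    counts_per_unit: int = 100
    pushed: float = 0.0       # drug actually pushed (units): the safety parameter
    encoder: int = 0          # count reported to the controller
    residual: float = 0.0     # fractional count carried to the next cycle

    def step(self, command, faults):
        speed = 0.0 if ("power_loss" in faults or "command_wire_break" in faults) else command
        self.pushed += speed * DT
        counts = speed * DT * self.counts_per_unit
        if "encoder_stuck" in faults:      # sensor reports no motion at all
            counts = 0.0
        elif "encoder_half" in faults:     # sensor under-reports the motion
            counts /= 2
        self.residual += counts
        whole = int(self.residual)
        self.residual -= whole
        self.encoder += whole
        return self.encoder


@dataclass
class Controller:
    """Assumed mitigation under test: over each window of cycles the encoder
    counts are compared with what the commanded speed should produce; a
    mismatch beyond `tolerance` forces the safe state (motor off, alarm)."""
    target_units: float
    speed: float = 1.0
    window: int = 10
    tolerance: float = 0.3
    counts_per_unit: int = 100
    state: str = "running"
    window_counts: int = 0
    cycles: int = 0
    last_encoder: int = 0

    def command(self, encoder):
        if self.state != "running":
            return 0.0
        if encoder >= self.target_units * self.counts_per_unit:
            self.state = "done"
            return 0.0
        self.window_counts += encoder - self.last_encoder
        self.last_encoder = encoder
        self.cycles += 1
        if self.cycles == self.window:
            expected = self.speed * DT * self.window * self.counts_per_unit
            if abs(self.window_counts - expected) > self.tolerance * expected:
                self.state = "safe_stop"
                return 0.0
            self.window_counts, self.cycles = 0, 0
        return self.speed


def run(fault_names=(), fault_cycle=50, checked=True, target=2.0, max_cycles=1000):
    """Requirements 2 and 3: inject `fault_names` at `fault_cycle`, run the
    control loop and report the monitored parameters. `checked=False`
    disables the control under test for comparison."""
    replica = Replica()
    ctrl = Controller(target_units=target, tolerance=0.3 if checked else float("inf"))
    active, encoder, stopped_at = set(), 0, None
    for n in range(max_cycles):
        if fault_names and n == fault_cycle:
            active = set(fault_names)
        cmd = ctrl.command(encoder)
        if ctrl.state != "running":
            stopped_at = n
            break
        encoder = replica.step(cmd, active)
    state = ctrl.state if stopped_at is not None else "timeout"
    return {
        "state": state,
        "pushed": round(replica.pushed, 3),
        "overdose": replica.pushed > target * 1.05,
        "latency_cycles": stopped_at - fault_cycle if state == "safe_stop" else None,
    }


if __name__ == "__main__":
    for faults in [(), ("encoder_half",), ("encoder_stuck",), ("power_loss",)]:
        for checked in (True, False):
            label = "checked" if checked else "unchecked"
            print(faults or "no fault", label, run(faults, checked=checked))
```

With the check enabled, every injected fault ends in safe_stop within one window of cycles and the dose pushed stays below the target; with it disabled, an encoder that under-reports drives the motor to twice the intended dose before the controller believes the target is reached, and a stuck encoder never stops at all. That pair of runs is the evidence the verification step needs: the control is implemented, and it removes the unsafe behaviour.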

3.4 Own contribution clarification


Since the risk management of a medical device is a really complex process, and
the amount of information to manage grows rapidly at every step, the work in
this project has prioritised going through all the steps rather than going into
the maximum detail for every individual step. Another reason for this was the
time limitation of a master thesis project. Moreover, the need to finish the
whole procedure in order to evaluate the innovative tools also had a great
impact on the decision.
Therefore, each step is executed partially, to avoid a situation where we were
managing too much information. This could cause trouble in the presentation of
the results and divert attention from the main goal of the master thesis:
answering the research questions.
Chapter 4

Results

The results chapter is divided in two main parts. In the first, section 4.1,
the results from the risk management process according to ISO 14971 are
presented. This section includes detailed results from the Hazard Ontology
tool, since they are an important part of answering the corresponding research
question. The output of the process described in 4.1 is a list of mitigation
measures to reduce the risk estimate of the unacceptable risks. The second
part, 4.2, corresponds to the description and results of the whole verification
process for three particular mitigation measures obtained in 4.1.
It is important to state that not all the results obtained during the project
are presented; only the results from part of the work are. That is because,
similar to what is explained in section 3.4 above, a larger exposition of
results would not have led to a different answer to the research questions,
only to a poorer understanding of the main outcomes of the work. Therefore,
the main results, or an extract of them, are presented for each step of the
process.

4.1 Risk Management - Safety specification for the device

In this section, the results regarding the risk management process are
presented. They follow the same outline as in the methods chapter, so that it
is easier to follow the evolution of the process. The final result of the risk
management process is a list of the mitigation measures that should be taken
into account when designing and developing the device. This list can be
regarded as the safety specifications for the medical device.


4.1.1 Risk analysis


In this step, hazards were identified and severity and probability for each of
them were estimated.

Hazard identification - Hazard Ontology


As explained, we used the Hazard Ontology for the hazard identification step.
It consists of four main steps: System Description Formalisation (SDF), Mishap
Victim Identification, Hazard Population and Causes Exploration.
The results of the SDF can be seen in figure 4.1 below. The system under
study, defined in the background section 2.1.3 and delimited in section 2.3,
has been described according to the definitions of kind, role and relator. The
three types of objects were identified following the steps explained in the
methods, section 3.2.1.

Figure 4.1: System Description Formalisation of the system under study.



The second step was to identify all the mishap victims among the roles defined
in the previous step. The identified mishap victims are:

Identified mishap victims:
- being pushed
- being consumed
- being sensed
- being controlled
- receive information
- being modified
- code consumer
- electricity consumer

Table 4.1: List of identified mishap victims in step 2 of the HO.

Regarding the third step, the results for the "Drug delivery" activity are
shown in figure 4.2. The output from this step is a list of the Harm TruthMakers
for each identified hazard element in the whole system.

Figure 4.2: Image representing the hazard population step regarding the "Drug
delivery" part of the medical device

Finally, the last step corresponded to the causes exploration. As an example,
the possible causes for each of the Harm TruthMakers of the "push drug" hazard
element are listed below:

"Damaged mechanism"                                      "Incorrect instructions from processor"
R1: Failure during manufacturing                         R4: Lack of signal from the processor due to wire breakage
R2: Physical damage due to deterioration                 R5: Lack of signal from the processor due to lack of power supply
R3: Physical damage due to hit or strong acceleration    R6: Incorrect signal due to system deterioration
                                                         R7: Incorrect signal due to wrong data from sensors

Table 4.2: Results from the "Risk identification" step. List of the main causes
found for the "Damaged mechanism" and "Incorrect instructions from processor"
Harm TruthMakers.

Each of these causes (and all the other causes from the other Harm TruthMakers)
is an output of the HO, and together they are used as the list of risks for the
next step: risk estimation.

Risk estimation
After identifying the maximum number of hazards of the system and their possible causes, the risk estimation for each one of them was performed. Risk by risk, severity and probability were estimated according to the methods described in chapter 3.1.1. The result regarding the risks explained above can be found in the following table:

Probability \ Severity: Negligible | Moderate | Significant
  High:   (none)
  Medium: R2, R6 | R3, R4, R7
  Low:    R5 | R1

Table 4.3: Results from "Risk estimation" step.

4.1.2 Risk evaluation


After the risk estimation, the next step was to determine the acceptability of the previously estimated risks. The results can be seen in the table below, according to the same acceptability rule defined in section 3.1.2 of the methods chapter. The risks that are not acceptable are shown in red; the acceptable risks are shown in black.

Probability \ Severity: Negligible | Moderate | Significant
  High:   (none)
  Medium: R2, R6 | R3, R4, R7
  Low:    R5 | R1

Table 4.4: Results from "Risk evaluation" step.

4.1.3 Risk control


In this step, mitigation measures for the main risks of the system are proposed. Since the risk analysis was performed on a complex system, many risks were found (in the order of hundreds). However, only some of the most important issues according to the risk estimation were chosen to be shown in the report, as a justification for the testing and verification step. The table below shows a selection of the more important risks of the overall system and their proposed mitigation measures. All the mitigation measures found during the process should be included as safety specifications in the design process of the medical device.

As shown, all the control measures aim to lower either the probability or the severity. Therefore, if the mitigation controls are verified, the risks can be evaluated again with lower parameters and they might be accepted.

The verification of the mitigation controls M5, M6 and M7 is explained in section 4.2 below. The mitigation measure consists of a Failure Detection System; in other words, if the system is able to detect the failure, alert the user and stop the device, then the severity can be lowered and the risk can be accepted.

Risk                                                             Mitigation
R1: Patient does not press the button at the scheduled time      M1: Reminder system
    (forgets intake time)
R2: Patient introduces incorrect drug to the device              M2: ID check system
R3: Wrong data sent from sensor                                  M3: Check-up system before dose administration
    (wrong calibration or misalignment)
R4: Excessive power supply                                       M4: ISO 60601 - I
R5: Failure in encoder sensor transmission (no data received)    M5: Failure detection system
R6: Error in the communication with potentiometer                M6: Failure detection system
R7: Lack of signal from the controller due to wire breakage      M7: Failure detection system

Table 4.5: Results from "Risk control" step.

4.2 Testing of mitigation measures


In this section, the results from the verification of mitigations 5, 6 and 7 are presented. Additionally, the process and the tool used for the verification are explained, as they help to answer the last research question regarding the suitability of a fault injection system in this phase of the risk management. This is the very last step in the risk management before designing the device, and all the verified control measures must be included as an input to the design.

4.2.1 Design of the Fault Injection System


The first step when verifying mitigation measures is to design and develop a system which is able to replicate the system under study, monitor the main parameters of the system and study the behaviour of the system when a hazardous situation occurs.

Our solution is a Fault Injection System where the main functions of the device are replicated and an additional system to inject failures is inserted. Moreover, a communication channel is implemented to enable the monitoring of the main parameters of the system and the analysis of its behaviour.

Functional specifications
The designed system will replicate the main components of the system under study, and its main functionalities are:

• The system should replicate the motor-encoder system in charge of pushing the drug from the cartridge to the dispenser.

• The system should be able to simulate the action of a patient pressing a button to initiate the process of dose administration.

• The system should have a way to modify external variables such as the amount of dose prescribed by the doctor.

• The system should have a method to inject the selected failures into the system.

• The system should have a communication channel to monitor the variables and parameters of interest.

In short, the system should start when a person presses the start button. Then, the motor should start rotating at the desired speed; the desired speed is the variable simulating the prescribed dose. While the motor is running, failures can be injected. Finally, the researcher can see whether the system is able to detect the failures and stop the motor, as required by the safety specifications, or whether it shows an undesired and unsafe behaviour instead.

Component specifications
According to the functional specifications, and as can be seen in figure 4.3, the designed system has:

• STM32F407G: micro-controller with the firmware controlling all the components as the medical device does, plus additional code adapting the system to the fault injection system. This micro-controller receives and manages all the input signals (brown in the figure) so that the output signals (blue in the figure) controlling the motor are sent accordingly.

• Motor: DC-motor simulating the rotation of the motor in the medical device in charge of pushing the drug from the cartridge to the dispenser.

• Encoder wheel and sensor: they simulate the same wheel-sensor system implemented in the medical device. It is used as a feedback signal to have better control of the motor performance.

• Potentiometer: variable resistor that simulates the input signal corresponding to the amount of dose prescribed by the doctor.

• Start/Stop buttons: component simulating the button of the medical device that the patient should press when a dose administration is desired.

• Fault injection switches: system responsible for injecting failures into the system. They are removable switches that, when removed, introduce the failure into the system.

• Feedback LEDs: component that helps with the visualization of the current state of the system. They show whether the system is running as expected (green), degraded (yellow) or whether a failure has been detected (red).

• Fault reset button: component that resets the system after a failure is detected and the system stops.

Figure 4.3: Schematic showing the main components of the Fault Injection System.

4.2.2 Implementation
In order to build the designed system, many techniques were used. In the beginning, electronics knowledge was used to solder and connect all the components properly. CAD knowledge was also used to design, for instance, brackets for the motor and the metal axis. At the end of the implementation, programming skills in C++ were used to integrate the controlling firmware into the testing box with all the components and their input and output signals. Pictures of the fault injection embedded test workbench are shown below.

Figure 4.4: Image from the front panel of the Fault Injection System. It can be
seen many of the key components such as the failure switches, the feedback
LEDs, the USB for the communication, the potentiometer, the buttons and the
outputs to sense the signals of the system.

Figure 4.5: Front view of the Fault Injection System. Front panel with main
control components on the top of the picture and motor, encoder and electronic
circuits inside the box.

Figure 4.6: Inside view of the Fault Injection System. There is the DC-motor
on the left, the encoder system in the middle and part of the electronic circuits
in the top of the picture.

4.2.3 Analysis
Finally, after the implementation of the system was done, the actual testing of the mitigation measures started. The performance of the motor was analysed in four different situations: during normal behaviour and when injecting three different failures. The failures injected are the failures found in the risk management process and selected in section 4.1.3: speed sensor failure (R5), potentiometer communication failure (R6) and failure of the signal from controller to motor (R7).

The variable selected to analyse the performance of the motor was the speed in revolutions per minute (rpm). We chose this variable since it is the best indicator of the behaviour of a motor, and it shows how the performance under an injected failure compares with the normal and expected behaviour.

Normal behaviour
To begin with, a test of the performance of the motor under normal circumstances was done. It is an important test since it is our reference for comparing the behaviour when injecting the failures. The result can be seen in figure 4.7 below.

Figure 4.7: Velocity variance in rpm of the motor when no failure is injected.

As shown in the plot, the normal behaviour of the motor when no failures are injected is the one that could be expected. The motor accelerates until it reaches a velocity close to the desired speed, and then the acceleration decreases as it gets closer to the target speed. Once the motor reaches the target, it keeps an almost constant velocity with soft fluctuations over time.

Speed sensor fault injection - Mitigation measure 5


The first test performed for the verification of the mitigation controls was the speed sensor fault injection. The behaviour of the system can be seen below in figure 4.8.

Figure 4.8: Velocity variance in rpm of the motor when speed sensor failure is injected after approximately 4.2 seconds from the start.

The first test regarding the speed sensor signal shows that when the failure is injected after some seconds of normal functioning, the system was able to detect the failure and stop the motor. Not only did the system stop the motor, it also turned on the red LED, showing that a failure had been detected.

However, an additional test was performed, with the results presented in figure 4.9. The test consisted of injecting the failure from the beginning, simulating a failure present before the execution of the action, i.e. before the patient presses the button.

In this case, the system was not able to detect the failure. The behaviour observed directly was an acceleration of the motor until it reached top speed. However, this cannot be seen in the plot because the actual speed exceeded the capacity of the encoder system to sense it, which is why undefined values were obtained at the beginning. After approximately 7 seconds of operation, the failure was removed and the system was able to sense an abnormal and unexpected speed and, hence, stopped the motor.

Figure 4.9: Velocity variance in rpm of the motor when speed sensor failure is injected from the very beginning.

In this case, the failure was detected, the feedback LED turned on and the
motor stopped.
In the test where the failure was injected from the beginning, the system
was also able to detect it and the motor did not start rotating.

Potentiometer fault injection - Mitigation measure 6


The second test was on mitigation measure 6, that is, analysing the behaviour when a failure in the potentiometer occurs. The result is presented in figure 4.10.

Figure 4.10: Velocity variance in rpm of the motor when potentiometer failure is injected after approximately 6.5 seconds from the start.

Motor signal fault injection - Mitigation measure 7


Finally, some tests were performed regarding the failure of the PWM signal sent to the motor. The behaviour can be seen in figure 4.11 below.

Figure 4.11: Velocity variance in rpm of the motor when PWM signal failure is injected after approximately 8 seconds from the start.

In this test, the motor stopped right after the injection of the failure because of the missing signal. The system was nevertheless able to detect the failure and the LED was turned on. When the failure was injected before starting the action, the system was also able to detect the failure and the motor stood still.
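The supervisor behaviour exercised by the three tests above, including the case the bench revealed for mitigation 5 (a speed sensor failure present before start is not noticed because no feedback was ever received), as an added example. This is not the thesis firmware or the host company's code: the tick-based plant model, the rpm values, the encoder ceiling, the start-up grace period and the proportional controller are all constructed assumptions. The `startup_check` flag switches between the detector as exercised on the bench and a hardened variant that also treats "motor driven but no encoder pulses ever seen" as a fault.

```cpp
#include <algorithm>

// Added example (not the thesis firmware): a simplified failure-detection supervisor for
// the motor-encoder loop of the fault-injection bench, with the three injected failures
// (speed sensor, potentiometer link, PWM line) modelled as flags.
enum class Fault { None, SpeedSensor, Potentiometer, Pwm };
enum class State { Stopped, Running, Faulted };

struct Inputs {               // sensor data for one control tick
    bool encoder_pulses;      // false when the speed-sensor switch is removed
    int  measured_rpm;        // rpm derived from pulses (0 when no pulses)
    bool pot_link_ok;         // false when the potentiometer link is cut
    bool pwm_reaches_motor;   // false when the PWM line to the motor is cut
};

struct Supervisor {
    static constexpr int MAX_SENSABLE_RPM    = 2500;  // assumed encoder sensing ceiling
    static constexpr int STARTUP_GRACE_TICKS = 5;     // assumed: pulses expected after this

    bool  startup_check;      // false: detector as exercised on the bench; true: hardened
    State state = State::Stopped;
    Fault fault = Fault::None;
    int   ticks = 0;
    bool  pulses_ever_seen = false;

    explicit Supervisor(bool hardened) : startup_check(hardened) {}

    void press_start() { state = State::Running; ticks = 0; pulses_ever_seen = false; }
    void trip(Fault f) { fault = f; state = State::Faulted; }   // stop motor, red LED

    void check(const Inputs& in) {
        if (state != State::Running) return;
        ++ticks;
        if (!in.pwm_reaches_motor) { trip(Fault::Pwm); return; }           // M7
        if (!in.pot_link_ok)       { trip(Fault::Potentiometer); return; } // M6
        if (in.encoder_pulses) pulses_ever_seen = true;
        // M5 as exercised: pulses vanish after having been seen, or speed out of range
        if ((pulses_ever_seen && !in.encoder_pulses) || in.measured_rpm > MAX_SENSABLE_RPM) {
            trip(Fault::SpeedSensor); return;
        }
        // Hardened M5: the motor is being driven but no pulses have ever arrived
        if (startup_check && !pulses_ever_seen && ticks > STARTUP_GRACE_TICKS)
            trip(Fault::SpeedSensor);
    }
};

struct Outcome { Fault fault; int trip_tick; int peak_rpm; };

// Runs one scenario: `injected` becomes active at tick `inject_at` (1 = before the motor
// turns) and is cleared again at `remove_at` (0 = never). Plant and controller are a toy
// model: duty cycle 0..100 maps to 0..3000 rpm, with a proportional correction each tick.
Outcome run(bool hardened, Fault injected, int inject_at, int remove_at = 0, int total = 40) {
    const int target_rpm = 1500;           // stands in for the potentiometer setting
    Supervisor sup(hardened);
    sup.press_start();
    int duty = 0, motor_rpm = 0, peak = 0;
    for (int t = 1; t <= total; ++t) {
        bool active = injected != Fault::None && t >= inject_at &&
                      (remove_at == 0 || t < remove_at);
        Inputs in;
        in.pwm_reaches_motor = !(active && injected == Fault::Pwm);
        in.pot_link_ok       = !(active && injected == Fault::Potentiometer);
        in.encoder_pulses    = motor_rpm > 0 && !(active && injected == Fault::SpeedSensor);
        in.measured_rpm      = in.encoder_pulses ? motor_rpm : 0;
        sup.check(in);
        if (sup.state == State::Faulted) return {sup.fault, t, peak};
        // Controller: a dead sensor reads as 0 rpm, so the duty keeps climbing to the ceiling
        duty = std::clamp(duty + (target_rpm - in.measured_rpm) / 100, 0, 100);
        motor_rpm = in.pwm_reaches_motor ? duty * 30 : 0;
        peak = std::max(peak, motor_rpm);
    }
    return {Fault::None, 0, peak};
}
```

With `startup_check` off, `run(false, Fault::SpeedSensor, 1)` reproduces the observed gap: the motor ramps to its 3000 rpm ceiling without any fault being raised, and the fault is only tripped once the failure is removed and out-of-range pulses arrive. The hardened variant trips at the end of the grace period instead, before the motor reaches full speed.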
Chapter 5

Discussion and Conclusions

5.1 Discussion
This chapter will be organized according to the research questions presented
in the introduction. The discussion will go through all the raised questions and
it will try to validate the answer based on the results presented in the previous
chapter.

5.1.1 Research question 1


• Is a motor-encoder system safe in a medical device system dealing with drug delivery to patients according to the current regulations applying to Sweden?

The answer to this question is not straightforward. However, if we answer the question based on the analysis performed on the existing device, the answer is negative. At this point of the development, the device is still not a safe medical device according to the current regulations applying to Sweden. As we have seen in the report, there is an international standard regarding the risk management of medical devices that must be fulfilled in order to say that a device is safe in the healthcare environment: EN ISO 14971. Through the previous chapter, we have seen the main results of this process and we can assert several facts from that.

First of all, we identified the main risks of the defined system. From that, we evaluated them and identified the non-acceptable risks. Then, we chose some of the major non-acceptable risks and found possible mitigation measures that, if implemented and verified, could make the risks acceptable.

46 CHAPTER 5. DISCUSSION AND CONCLUSIONS

If the final result of the process had been that the selected risks were mitigated and, hence, their probability or severity lowered, those risks would have been accepted. Even in that case, we would not have been able to say that the system is safe, because there are many more mitigation measures to verify.

The point is that this was not the case. During the verification of mitigation measure 5, we found a case where a failure was not detected by the detection system of the device. Therefore, we were not able to verify the mitigation control for that hazardous situation. Hence, neither the probability nor the severity could be lowered, and the corresponding risk remained unacceptable.

On the other hand, mitigation controls 6 and 7 were completely verified. However, as explained in methods, there is a last step needed before accepting the risks: validating that the control measure is included in the device.

Nevertheless, if we answer the question in a general way, without being specific to this particular example, the answer would probably be positive. We can say that because the system we analysed is currently under development, and this kind of analysis is made precisely to identify the weaknesses of the design and improve it. Moreover, all the mitigations proposed, and the shortcoming found in mitigation 5, are problems for which there is no reason they cannot be solved. They are engineering problems that, based on other similar cases and similar medical devices with similar technologies, we can be reasonably sure can be solved. Therefore, we have no reason to think that the final design of a medical device with such characteristics cannot be safe.

5.1.2 Research question 2 and 3


• What is the current state of the art regarding the risk analysis of medical systems?

The current state of the art when it comes to risk analysis of medical devices is what is defined in ISO 14971 and has been explained in chapter 3. It consists of two main parts: risk identification and risk estimation.

The second step is significantly more detailed, and the standard gives instructions and recommendations on how to perform it. Most companies follow the instructions strictly and there are no major problems. The main inconvenience might be in the quantification of the risk probabilities. However, the post-production control measures to monitor new possible hazards or miscalculated probabilities help companies to have more confidence in this step, because they give them the possibility to adjust the calculations and rectify possible errors.

On the other hand, the hazard or risk identification is more troublesome. ISO 14971 gives less information regarding this particular step and, regardless of the recommended techniques proposed in the document, the process relies mostly on the experience of the engineers working on the project. That is why in this project we decided to evaluate the suitability of a new tool specialized in this particular step: the Hazard Ontology.

Indeed, the third research question was about this topic:

• Is the Hazard Ontology tool appropriate for the hazard identification in the Risk Management process according to the current existing regulations for medical devices in Sweden?

Based on the experience of this project, we can openly say that the Hazard Ontology tool is completely appropriate as a method for the identification of hazards according to ISO 14971. We can say that because the main goal of this phase is to "systematically use available information to identify hazards". Moreover, during the project we have seen how this methodology allowed us to identify possible harms and hazards of a predefined system in a methodical way. Additionally, the output of this tool has been used as the input for the next step according to the ISO, making the suitability of the tool with respect to the current existing regulations in Sweden obvious. Therefore, we can say that it is a method as valid as any of the ones described and recommended in the standard.

5.1.3 Research question 4


• Is a fault injection system suitable as the verification tool of mitigation controls in the risk management process of a medical device according to the current existing regulations for medical devices in Sweden?

Finally, we discuss the suitability of the fault injection system used to verify the mitigation measures selected in the control step of the risk management process.

According to the results obtained, we can clearly say that the Fault Injection System is suitable as a verification tool for the risk management according to ISO 14971. The verification process is used to determine whether a control measure actually lowers the probability or severity of a particular risk. Using this tool, we have been able to verify that control measures 6 and 7 fulfil the requirements needed to say that the corresponding risks are acceptable. Additionally, the tool permitted the identification of a particular case where mitigation control 5 was not acting as expected. Therefore, we can say that the tool can be used to verify and test the mitigation controls and, hence, that it is a suitable tool for the verification phase of the risk management process for medical devices described in ISO 14971.

5.2 Conclusions
Based on the experience of this project, many conclusions can be stated.

We demonstrated that the safety and development lifecycle, particularly the risk management, is a tedious and really complex process that takes many resources in terms of time, manpower and effort. Additionally, the current standards regarding this topic are mostly recommendations and requirements with no help on the procedures. Therefore, it is not yet a greatly efficient field, and companies spend a lot of resources in this stage of the development of medical devices.

That is why there is a need for tools that help companies to undertake these tasks in the most efficient possible way. For this reason, we tested two tools that we expected to be suitable for the process: the Hazard Ontology and the Fault Injection System. At the end of the project, we can say that both tools have been shown to improve the process by making it more efficient and straightforward.

Regarding the risk management of the medical system, the conclusion is that many control measures have been defined as safety requirements. Of those, only three were tested, and two of them (the detection systems for the motor and potentiometer signals) successfully passed the test. The third one, dealing with the speed sensor fault, has been shown to be deficient, and further development needs to be done.

Finally, we can say that additional work has to be done in the same direction before we can assure that the analysed system is a safe medical device. Specifically, all the mitigation measures for the identified risks must be verified and the residual risk must be accepted.
TRITA-CBH-GRU-2019:139
