Safe Software: A Sample Application

Originally Published MDDI January 2003SOFTWARE SAFETY

January 1, 2003

2 Min Read
Safe Software: A Sample Application

Originally Published MDDI January 2003

SOFTWARE SAFETY

The example application of a medical pump illustrates a safety strategy that can be incorporated in a software design. The primary hazard posed here is pump operation running uncontrolled, resulting in excess solution being delivered to the patient.

The preliminary hardware suite consists of a microcontroller (with limited input-output capability), a pump, a motor-control subsystem, and a limited user interface. As shown in the figure, Motor Manager is the gatekeeper for commanding the motor on; it separates Motor Control and Motor Safety. Motor Manager receives an on request and forwards it to both Motor Control and Motor Safety. Motor Manager does not form an opinion on whether the motor should be on; it checks if Motor Control and Motor Safety agree on whether the motor should be on.

Motor Manager is the gatekeeper, which commands the motor on by forwarding a request to Motor Control and Motor Safety.(click to enlarge)

Motor Control regulates the voltage to the motor and monitors the motor safety circuit, which is a switch from the motor to the ground voltage. The circuit times out to an open position if it is not continually ordered to switch closed. Motor Control verifies that the on/off command passed in from Motor Manager agrees with the motor safety circuit.

Motor Safety is the counterpart to Motor Control. That is, Motor Safety controls the motor safety circuit and monitors the motor voltage signal, which is commanded by Motor Control.

If the motor is commanded off, the software should not assume that the motor has actually turned off, but should instead verify it—by listening for feedback from the motor position sensor, for example.

The motor is critical to the safe operation of the pump. The hazard analysis states that the software shall not fail when the motor is in the on position. In order for the motor to operate, all three modules must agree. A failure or corruption of any of the software or hardware elements means that the motor will not operate. In addition to the motor module set, the pump's main-state machine maintains a gross check on whether the motor should be in operation.

Copyright ©2003 Medical Device & Diagnostic Industry

Sign up for the QMED & MD+DI Daily newsletter.

You May Also Like

Editors' Choice

TGA approval
Regulatory & Quality
Axonics F15 Recharge-Free SNM Nabs Australian TGA Approval
Axonics F15 Recharge-Free SNM Nabs Australian TGA Approval

May 17, 2024

Plastic Syringe
Medical Device Regulations
FDA Adds Two New Chinese Manufacturers to Do Not Use Plastic Syringe List
FDA Adds Two New Chinese Manufacturers to Do Not Use Plastic Syringe List

May 17, 2024

miniature parts for medical devices
Manufacturing
Accumold Brings Medical Micro Molding to MD&M South
Accumold Brings Medical Micro Molding to MD&M South

May 17, 2024

Recent Headlines