safety, installation and commissioning
file: n:\article\cos14310m5-v1_08hpc-en\20150130_cos14310m5-v1.08hpc-en_instructions_for_use_h-p-cosmos_treadmill.doc
© 2015 h/p/cosmos sports & medical gmbh author: fh [email protected] created 30.01.2015 printed 30.01.2015 page: 88 of 216
7.3 Medical device software classification
Software safety classification according to IEC/EN 62304 medical device software; software lifecycle processes:
The manufacturer has to assign a software safety class to any software, according to the possible hazards the software might pose to the patient, the user or third parties.
Based on degree of severity, the software safety classes are assigned as follows:
Class A: No injury or damage to health possible
Class B: No SERIOUS INJURY possible
Class C: DEATH or SERIOUS INJURY possible
Without risk-reducing measures and risk-reducing design, software for treadmills and interface protocols would have to be classified as class C, i.e. the most dangerous class including the risk of death, because undesired and uncontrolled acceleration of the running belt can always cause the subject to fall off the belt, with the possible result of a broken neck or other serious injuries. Due to a possible technical malfunction of a measurement (e.g. heart rate measurement), which is a theoretical possibility, the patient may be overloaded with the possible risk of death.
It should be mentioned that medical treadmill ergometers and their software use SOUP (software of unknown provenance) components. For example, the frequency inverter, motor regulation, firmware and parts of the PC software are components of medical treadmill ergometers, and the treadmill manufacturer has no access to the design, validation and maintenance of these suppliers' components. For this reason the worst-case malfunction scenario has to be taken into account.
h/p/cosmos classifies the internal firmware and software components as class B due to a number of risk-reducing design features and measures.
Healthy people who practice sports are usually able to activate the emergency stop button of the treadmill and in this way switch off the treadmill quickly in case of an emergency caused by a malfunction. For this reason, the emergency switch-off has to work completely without software and has to interrupt the power supply of the treadmill. For patients and medical users, fast reactions of the patient cannot be ensured, since even a very light acceleration may cause the subject to fall off.
To control the risk for patients and persons with disabilities, a fall prevention system (e.g. safety arch with chest belt, harness and fall stop rope), which catches the patient in the event of a fall, is to be used for applications with a higher risk of falling (e.g. hip replacement patients, neurologic patients, cardiac patients, maximum load tests, etc.) or when falling could result in serious injuries, for example when the patient is connected to invasive probes.
For the acceleration of the drive motor and the running belt, design measures (safety delay) have been incorporated which prevent extremely fast acceleration in case of a malfunction.
Warning labels based on EN 957-6 regarding possible malfunction and inaccuracy of heart rate sensors and displays are placed on the treadmill and in the operating manual.
Furthermore, the patient on the medical treadmill has to be observed permanently; the medical staff has to stay within a 1.5 m radius of the patient.
Risk analysis and risk control are included in risk management according to EN 14971.
Firmware development and documentation for internal treadmill-related firmware is carried out according to EN 62304 medical device software; software lifecycle processes.