IEC 60601-1 says… Estimate the probability per time pe of an electrical failure and of an oxygen leak po. Determine the accepted probability of dangerous failures [fire] per time r. Calculate the inspection time interval tc = r/(0.5*pe*po).
A friend asked, “What’s the 0.5 for? It doesn’t account for the fire event sequence: leak before spark.” I posted correction tc = r/((po/(po+pe))*pe*po) and notified the IEC committee which acknowledged, “We’ll consider your suggestion for edition 4.”
[An earlier, shorter version of this article on www.LinkedIn.com, July 5, 2018. This version describes an inspection-time and risk-analysis template.]
Risk-Based Inspection (RBI)
Risk is expected cost: P[failure]*(Cost of failure), SUM[P[failure j]*(Cost of failure j); j=1,2,…], INTEGRATE[P[failure j at age t]*(Cost of failure j at age t)dt, t = 0 to ???, j=1,2,…], or discounted costs of future failures. Refer to Jorgenson, McCall, and Radner for inspection policies for randomly failing equipment.
RBI became fashionable in the oil and gas industry where the effects of corrosion or other one-way processes call for periodic inspection. RBI deserves credit for taking into account costs and probabilities [API RP 581]. RBI simplifies the inspection time to avoid some statistics.
There is a lot of guidance for oxygen use and fire risk [EIGA; Fluke; ANSI/AAMI; Ordin; Taghipour et al.; The WHO, ISO 14971:2007; NHS]. For medical equipment that uses oxygen, the IEC misoversimplified the computation of risk-based inspection time.
Standard Error
2013 ANSI/AAMI ES60601-1:2005 & A1:2012 “Medical Electrical Equipment, Oxygen-Rich Environment,” sub-clause 11.2.2.1 b) 3) says,
“The cause of the hazardous situation is: a leak occurs and is not detected, some time later an electrical failure occurs that starts an ignition. The time interval tc for checking the seals can be calculated as follows:
Estimate the probability per time pe of an electrical failure that exceeds the values given in 11.2.2.1 a).
Estimate the probability per time of an oxygen leak po:
Determine the accepted probability of dangerous failures per time r:
Calculate tc = r/(0.5*pe*po).”
In September 2017, I posted a correction, tc = r/((po/(po+pe))*pe*po), and notified the relevant IEC committee representatives, because P[X(leak) < Y(spark)] = po/(po+pe) for independent exponentially distributed time random variables X and Y with means 1/po and 1/pe.
That correction is an oversimplification. It doesn’t account for all possible events before inspection time tc. Both those tc formulas result in too long inspection times, and the probability of “dangerous failure” is greater than “accepted probability” r-value, because P[X(leak) < Y(spark)]*po*pe*tc is not the same as P[X(leak) < Y(spark) < tc].
Multiple Events?
Later the friend said, “… the event [electrical failure] we’re describing is quite complex and may involve multiple events. For example, think about the spark event: we don’t care if any numbers of sparks happen before the oxygen leak occurs, so we have to be careful to exclude those sparks and only consider what happens after the leak.” “But what we actually want is the ‘time it takes to get the first spark after the oxygen leak,’ which is not the same as P[X(leak)<Y(spark)<tc] – the first spark after the leak might be the 100th spark overall, but since the first 99 happened before the leak they had no effect.”
Electrical failures may be recurrent events so “the cause of the hazardous situation” could be the occurrence of at least one spark after O2 leak but before (end of) inspection time interval tc. I.e., under the assumption of constant electrical failure rate, sparks could be events in a Poisson process. Furthermore, the probability of failure depends on proximity of inspection time tc to the time to first leak, time between sparks, and tc.
Alternative “hazardous situation” ignition probabilities in inspection time interval tc are:
0.5*po*pe*tc; (IEC ANSI/AAMI 60601-1 recommendation)
(po /(po+pe))*po*pe*tc; (September 2017 recommendation)
P[X < Y < tc] where X and Y are independent, exponentially distributed times to first O2 leak and first electrical failure; and
P[Leak AND at least one spark after leak AND before tc], the integral from y = 0 to tc of
(1–Exp(pe*(–tc + y)))*po*Exp[–po*y]dy (Sparks are a Poisson process.).
Mathematica gives formulas for P[X < Y < tc] and P[Leak (X) AND at least one spark (Y) after leak AND before tc]. They have been implemented in an Excel workbook IECompar.xlsx in the list of files on https://sites.google.com/site/fieldreliability/. Observations:
0.5*po*pe*tc < (po /(po+pe))*po*pe*tc when po > pe, which means inspection time interval tc = r/(0.5*po*pe) is too long;
P[X < Y < tc] is slightly less than 0.5*po*pe*tc for small po and pe but much greater for larger po and pe relative to tc, which means time interval tc will be too long; and
P[Leak AND at least one spark after leak AND before tc] is greater than P[X < Y < tc].
Figure 1. Probability of leak followed by electrical failure before tc, for alternative formulas. The last two alternatives are the upper line, practically the same for chosen event rates.
These observations call for correction of IEC/AAMI EC60601-1 sub clause 11.2.2.1 b) 3) to the correct time interval tc and perhaps to recommend detection and reporting when at least one electrical failure has occurred. The IEC and AAMI have acknowledged that “will be considered for edition 4. maybe in 2019” [Weir].
Risk of delay [ISO 14971:2007]
The inspection time interval tc is too long resulting in greater “hazardous situation” probability of dangerous failure than the input “accepted probability” r-value. The workbook IECompar.xlsx includes a risk analysis template [Tables 1 or 2]. Send data if you would like to test the hypotheses of exponential times between events and their independence or if you would like me to compute your products’ risks.
Tables 1 and 2 show spreadsheet risk analysis templates. Risk = E[count*P[Failure per unit time]*cost per failure]. Be realistic. Get inventory counts, event data, and costs. Make event rate estimates, test hypotheses, estimate confidence intervals, and do sensitivity analyses. Adjust inspection time tc based on experience. Consider and evaluate alternatives’ marginal costs (bang-per-buck). Supplement with subjective “analyses”, RPNs, ranks, or categorical ratings a la ISO 14971:2007, FMEA, RCM, etc. Table columns are: Equipment, ignition source(s), inspect, and…
“Count” is the number of medical-electronic oxygen-enhanced equipment units in the field
“r” is the acceptable probability of failure, leak followed by electrical failure before inspection time tc
“po” and “pe” are the leak and electrical failure rates per unit time
“tc” is your current inspection time interval, tc = r/(0.5*po*pe) (table 1) or tc = r/((po/(po+pe))*pe*po) (table 2)
“P{fail}” is the computed probability of failure during inspection interval tc, depending on whether electrical failure is recurrent process
“$/Failure” is the cost of “hazardous situation” (ignition) plus replacement cost
“Risk” formula depends on whether electrical failure is a one-time event or Poisson process.
“Risk per year” converts risk assuming continuous operation and time unit is hours.
Table 1. Risk analysis. Risk = E[Cost] per inspection interval tc. Time units of r, po, and pe must be commensurate; e.g., per hour. tc = r/(0.5*pe*po). Compare computed risk with “accepted probability” r-value times cost per failure = risk). See below this table for the rest of the columns.
| Equipment | Ignition source(s) | Inspect | |
| 1 | Concentrator | Concentrator electrical, external | Concentrator, environ-mental flammables |
| 2 | O2 tank and supply Electro-surgical equipment, O2 masks, ventilators | External | Environment flammables |
| 3 | CPAP+Q2 | CPAP | CPAP |
| 4 | BiPAP+O2 | BiPAP | BiPAP |
| 5 | AEDs and defibrillators in O2 | Defibrillator | Defibrillator |
| 6 | Anesthesia with O2 | External | Environment flammables |
| 7 | Nebulizer with O2 | Nebulizer | Nebulizer |
| 8 | Transcutaneous O2 supplies | Equipment | Equipment |
| 9 | Chemicals with Oxygen peroxides, etc. | Airliner cabin oxygen masks? Other? Airbags? | |
| 10 | O2 reservoir bags | External |
Table 1 continued. Equipment is in same row-order as above.
| Count | R | po | Pe | tc (hrs) | Poisson? | P[Fail] | $/Fail | Risk | Risk/year | |
| 1 | 10000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | TRUE | 0.86460 | $1,000 | $8,645,970 | $3,789,529 |
| 2 | 100 | 0.0001 | 0.0001 | 0.0001 | 20,000 | TRUE | 0.86460 | $1,000 | $86,460 | $37,895 |
| 3 | 10000 | 0.0001 | 0.0001 | 0.0002 | 10,000 | TRUE | 0.39958 | $1,000 | $3,995,764 | $3,502,687 |
| 4 | 10000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | TRUE | 0.86460 | $1,000 | $8,645,970 | $3,789,529 |
| 5 | 10000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $3,738,225 | $1,638,464 |
| 6 | 100 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $37,382 | $16,385 |
| 7 | 10000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $3,738,225 | $1,638,464 |
| 8 | 5000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | TRUE | 0.86460 | $1,000 | $4,322,985 | $1,894,764 |
| 9 | 10 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $3,738 | $1,638 |
| 10 | 100 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $37,382 | $16,385 |
Table 2. Same as above except for pe-values, tc = r/((po/(po+pe))*pe*po), and risks.
| Count | R | Po | Pe | tc (hrs) | Poisson? | P[Fail] | $/Fail | Risk | Risk/year | |
| 1 | 10000 | 0.0001 | 0.0001 | 0.001 | 11,000 | TRUE | 0.63015 | $1,000 | $6,301,451 | $5,021,684 |
| 2 | 100 | 0.0001 | 0.0001 | 0.0001 | 20,000 | TRUE | 0.86460 | $1,000 | $86,460 | $37,895 |
| 3 | 10000 | 0.0001 | 0.0001 | 0.0002 | 15,000 | TRUE | 0.60353 | $1,000 | $6,035,267 | $3,527,010 |
| 4 | 10000 | 0.0001 | 0.0001 | 0.005 | 10,200 | TRUE | 0.63205 | $1,000 | $6,320,460 | $5,431,878 |
| 5 | 10000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $3,738,225 | $1,638,464 |
| 6 | 100 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $37,382 | $16,385 |
| 7 | 10000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $3,738,225 | $1,638,464 |
| 8 | 5000 | 0.0001 | 0.0001 | 0.0001 | 20,000 | TRUE | 0.86460 | $1,000 | $4,322,985 | $1,894,764 |
| 9 | 10 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $3,738 | $1,638 |
| 10 | 100 | 0.0001 | 0.0001 | 0.0001 | 20,000 | FALSE | 0.37382 | $1,000 | $37,382 | $16,385 |
Shocks?
What if shock causes both O2 leak and electrical failure? Shocks (internal or external) could cause simultaneous O2 leak and electrical failure. Then failure probability is P[X <= Y < tc]. The additional failure mode is shock before O2 leak or inspection. Suppose times X(leak) = min(X1, X3) and Y(spark) = min(X2, X3) where X1 is distributed exponential(po), X2 is distributed exponential(pe), X3 is distributed exponentially (at rate pboth), and all three are independent. Then X and Y have the Marshall-Olkin bivariate exponential distribution. This distribution provides a convenient alternative hypothesis to independence of leak and shock; independence is pboth º 0.
P[X<=Y<tc] = P[fail] = P[X1<X2<tc AND X3>X2] + P[X3<tc AND X1>X3] because X1<X2 and X3< tc are mutually exclusive events. Mathematica computes approximations and exact formulas. Workbook IECompar.xlsx compares exact vs. approximate and P[X<=Y<tc] vs. P[X<Y<tc]. There is no need for approximation with exact formulas. The difference between P[X<=Y<tc] and P[X<Y<tc] depends on pboth.
There are other bivariate Poisson models, but it seems excessive to extend the analyses to Poisson shocks AND leaks. On the other hand, there are numerical methods to estimate and evaluate the failure probabilities if event times have distributions other than exponential. Send data to pstlarry@yahoo.com, and I will test hypotheses, estimate distributions, and evaluate failure probabilities.
References:
EIGA, “Fire Hazards of Oxygen and Oxygen-Enhanced Atmospheres,” IGC Doc 04/09/E
Fluke, “Medical Equipment QA Inspection Program Development and Procedures”
ANSI/AAMI, “Guidance for the use of medical equipment maintenance strategies and procedures,” EQ89:2015
Paul M. Ordin, “Mishaps with Oxygen in NASA Operations,” NASA TM X 67953,(1971) https://ntrs.nasa.gov/search.jsp?R=19720004407 2018-06-22T21:51:22+00:00Z
Sharareh Taghipour, Dragan Banjevic, Andrew K.S. Jardine, “Reliability Analysis of Maintenance Data for Medical Devices,” Quality and Reliability Engineering International, Volume 27, Issue 1, pp. 71-84, 2011
The WHO, “Medical Device Regulations…,” www.who.int, 2003
ISO 14971:2007,“…Application of Risk Management to Medical Devices,” 2007-03-01
NHS, Scotland, “Risk of Fire When Using Defibrillators in an Oxygen Enriched Atmosphere,” SAN(SC)95/03, May 1995
American Petroleum Institute, API RP 581 Risk-Based Inspection Technology 2nd ed., Washington, D.C.: American Petroleum Institute, 2008
D. W. Jorgenson, J. J. McCall, and R. Radner, Optimal Replacement Policy, North-Holland Publishing, 1967
Marshall, A.W., Olkin, I., “A Multivariate Exponential Distribution”, J. Amer. Statist. Assoc., 62, 30-44, 1967
Weir, Rob, “How to Write a Standard (If You Must)”, https://www.robweir.com/blog/2006/12/how-to-write-standard-if-you-must.html
Darn. I’ve done it again; I submitted a symbol that didn’t translate…
“What if shock causes both O2 leak and electrical failure? Shocks (internal or external) could cause simultaneous O2 leak and electrical failure. Then failure probability is P[X £ Y < tc]" should have ended with P[X<=Y<tc] several places in the section starting with that sentence. You could have a spark at the same time as the oxygen leak, before inspection, and you get fire or worse.
I’ve updated the text to replace the pound(?) symbol with the <= - I think I caught them all cheers, Fred
I am guessing the equation is based on a simple ratio, i.e.: t1/t2 = p1/p2, where t2 = 1 year (time-period for a normalised risk assessment and equal to the time-period for defining po and pe and r). If p2 is the probability of a fire, and if po << 1 (i.e. no more than 1 oxygen leak per year) and pe << 1 (i.e. no more than 1 spark per year), then it follows that in approx. 50% of scenarios the oxygen leak occurs before the spark, and hence p2 = 0.5*po*pe. Hence, at the end we have tc = r/(0.5*pe*po).
However, the article is a good example to demonstrate that our tools that make assumptions that we often do not understand and in many cases are not 100% applicable to our particular case. In such cases, an "optimal" design cannot be realized. And it is increasingly our task to find an optimal solution. Perhaps the biggest assumption made by the above equation is that the inspection task will be 100% effective (i.e. probability of detection = 1) in finding the oxygen leak or the electrical fault.
If you have a particular standard scenario that you would like to "model" to achieve an optimal result, contact me via http://www.rams-mentat.com and we can build the model together.
Thanks for explaining the assumption for the formula tc = r/(0.5*pe*po). Table 1 was computed using that formula, to compare with table 2 using the correct formula tc = r/((po/(po+pe))*pe*po). Unfortunately, both tables were cut off on the right so the cost comparison was missing. I will think how to fix. Meanwhile, I will a version of the article and workbook to anyone who asks.
ASQ Inspection Division, Toronto chapter invited me to give presentation June 11, 2024 on IEC inspection time error and my correction(s), where risk, r, in IEC 60601-1 is probability of O2 leak followed by electrical spark before inspection…
Inspection time tc=r/(0.5*pe*po) is wrong
Inspection time tc=r/((po/(po+pe)*pe*po) is wrong too
P[O2 Leak < Spark AND Spark <tc] where Q2 leaks and sparks are assumed to have constant rates po and pe. That implies exponential distributions of times to events.
P[O2 Leak < Spark AND Spark <tc] ~= P[Xo<Ye AND Ye<tc] for exponential Xo and Ye. Could also have better approximation by adding
P[Ye(1) < Xo AND Xo<Ye(1)+Ye(2) AND Ye(1)+Ye(2)<tc]
Here are first few entries in table for comparisons with po=pe=0.01.
tc IEC risk P[X<Y&Y<tc] P[Y1<X&Xo<Y1+Y2&Y1+Ye2<tc]
0.5*tc*po*pe
10 0.0005 0.00453 0.000147
20 0.001 0.0164 0.00104
30 0.0015 0.0336 0.00311
The IEC 60601-1 formula is off by an order of magnitude.
I couldn't paste table from Toronto presentation. If you want the *.PPT, let me know.