Appendix D


Example of Risk Analysis and Risk Mitigation for a Medical Device Using a Wireless Network

Continuous monitoring of the network is an effective way to mitigate risks by detecting issues before they result in a loss of communication. This monitoring should be done at the wired network and the wireless controller (including its coverage mapping tools). The data rates, retry rates, channel utilization, and performance of the wireless APs should be trended.

A manual site survey is an effective way to ensure that the SNR in the environment is high enough to support required bandwidth. It supplements what the wireless controller can see, as its view is limited by the position of the APs. Review of the signal and noise levels should be performed periodically and also upon major changes. When trends are in the wrong direction, proactively respond to increase the SNR and/or capacity before communication failures occur. For example, removing interfering devices decreases the system noise. Increasing AP density improves capacity and signal strength.

Mitigating risk for a medical device should start with identifying the hazard. The hazard could be defined as “not being able to send important alarm status to nursing work station.” Once the hazard is defined, describe the possible harm and resulting patient outcome. Next you will need to determine the probability of this occurrence, or how often this will occur. The combination of harm and probability of occurrence is the risk, which is used to triage the most important items to address.

An example of risk analysis for a wireless patient monitor is given below. In some cases, statistical analysis may be used. When this is not available, seek input from experts.

a. Hazard: Patient monitor unable to transmit clinically important data such as alarm status.

b. Possible harm: Delay in treatment, which may lead to morbidity/mortality.

c. Probability of occurrence

Primary flow (network operating as designed): Assume that the medical-IT network is designed and tested to support 99.9% successful packet transmission. Assuming 10,000 alarm packets are transmitted each day (average of 50 per patient, multiplied by 200 patients being monitored), then 10 packets would be missed. If patient monitors automatically retransmit alarm packets within a few seconds, typically the second transmission would mitigate the loss of the first packet. Assuming packet losses are independent of each other, one alarm in 1,000,000 would be missed after the first retransmission and one alarm in 1,000,000,000 would be missed after the second retransmission. The probability of occurrence of a missed alarm in this situation is so low that the risk (probability multiplied by harm) is acceptably low and no mitigation is required.

In the case of primary AP failure: If there is no backup RF coverage, then all alarms for the patient area covered by the failed AP will not be transmitted to the central station. AP mean time between failures is 200,000 hours, so the annual failure rate is 1 – exp(–[24*365]/200000) or 3.13%. One expects 3.13% of APs to fail annually. Repair time is typically one to six hours, and an AP covers about 10 patients. This lack of coverage is determined to be unacceptable.

Mitigation: Install APs for redundant RF coverage so that if one fails, the backup AP provides coverage. The probability of two neighboring APs failing in the same year is 0.1%, and the probability of both failing on the same day is much lower.

d. RF Interference blocks transmissions

Mitigation: Conduct a site survey to ensure the system noise floor is low enough to support required bandwidth. Review the noise level periodically (every six months) and upon major changes. Monitor the RF performance of APs and proactively respond to increases in noise floor (e.g., removing the noise source, installing additional APs, etc.).

e. Other possible reasons for loss of data packets include overloaded network; interference from patient devices brought into the hospital; failure of IT switch, router, or wireless controller; AP’s Ethernet cable unplugged; configuration changes to network incompatible with patient monitor; or firmware upgrade to network incompatible with patient monitor.

f. Other hazards include poorly protected data being intercepted by a hacker; the patient monitor’s wireless interface being vulnerable to attack; the patient moving into an area outside the AP’s coverage; the patient roaming from one AP to another; or the AP being on a DFS channel (see also Question 59) when a radar event is detected, causing the AP to change channels.
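
Added example (not part of the original appendix): one way to automate the trend review described in the monitoring guidance at the start of this appendix and in mitigation d. It fits a line to each AP's periodic SNR readings and flags APs projected to fall below a minimum SNR before the next six-month review. The 25 dB minimum, the AP names, and the readings are constructed assumptions for illustration.

```python
from statistics import mean

# Assumed thresholds (not from the appendix): minimum SNR the application
# needs, and the look-ahead window (one six-month review cycle).
MIN_SNR_DB = 25.0
HORIZON_DAYS = 180

# Constructed survey readings per AP: (day, signal dBm, noise floor dBm).
READINGS = {
    "ap-icu-01": [(0, -60, -95), (30, -60, -94), (60, -61, -92), (90, -61, -90), (120, -62, -88)],
    "ap-icu-02": [(0, -58, -95), (30, -59, -95), (60, -58, -96), (90, -58, -95), (120, -59, -95)],
    "ap-er-01": [(0, -70, -93), (30, -70, -93), (60, -71, -93), (90, -70, -93), (120, -70, -93)],
}

def fit_line(xs, ys):
    """Ordinary least-squares fit; returns (slope, intercept)."""
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:  # all readings taken on the same day: no trend to fit
        return 0.0, my
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx

def assess(readings, min_snr=MIN_SNR_DB, horizon=HORIZON_DAYS):
    """Return (status, SNR slope in dB/day, days until projected breach)."""
    if len(readings) < 3:  # too few points to call it a trend
        return "insufficient-data", None, None
    days = [d for d, _, _ in readings]
    snr = [sig - noise for _, sig, noise in readings]
    slope, intercept = fit_line(days, snr)
    if snr[-1] < min_snr:  # already failing the requirement
        return "below-minimum", slope, 0.0
    if slope >= 0:  # flat or improving
        return "ok", slope, None
    # Day on which the fitted line crosses the minimum SNR.
    days_left = max((min_snr - intercept) / slope - days[-1], 0.0)
    status = "degrading" if days_left <= horizon else "ok"
    return status, slope, days_left

def review(all_readings):
    """Assess every AP; the caller triages anything not 'ok'."""
    return {ap: assess(r) for ap, r in all_readings.items()}

if __name__ == "__main__":
    for ap, (status, slope, left) in review(READINGS).items():
        print(f"{ap}: {status} slope={slope} days_to_breach={left}")
```

An AP reported as "degrading" or "below-minimum" is a candidate for the responses the appendix lists: removing the noise source or installing additional APs.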