Infusion Pump Medication Overdose — Fault Tree
A worked medical-device fault tree for an infusion pump delivering a medication overdose to the patient. Aligned to ISO 14971 risk management, IEC 60601-1 essential performance, and IEC 62304 software safety classification.
The scenario
An infusion pump delivers a programmed dose of a high-alert medication (insulin, opioid, chemotherapeutic agent) to a patient at a controlled rate over hours. The top event of this fault tree is delivery of a medication overdose, with severity classed Catastrophic: typically a programming error or hardware fault that produces free-flow, or a step change in flow rate, at orders of magnitude above the prescribed rate.
Top event and decomposition
The top OR gate captures three orthogonal pathways that ISO 14971 risk analysis surfaces for infusion devices:
- Flow control mechanism failure — peristaltic rotor stall with the valve open, anti-free-flow clamp failure, or a pressure-sensor mis-reading that lets the pump command excessive flow. Each leaf carries a hardware failure rate λ.
- Programming error pathway — clinician keys a wrong rate or concentration, and (the AND) neither the drug-library limit nor the nurse double-check intercepts it. Modelled with a human-error rate from a clinical-task HFE study.
- Drug library integrity failure — corrupt or out-of-date drug library accepts a dose outside safe limits. Software-introduced; classified Class C under IEC 62304.
The risk-reduction measures (the IPL layers — drug library limits, occlusion sensors, infusion logs, nurse verification) are explicitly modelled so the residual risk per ISO 14971 Clause 6 is quantified, not merely asserted.
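To make the quantification concrete, here is an added example (not FTA Studio output and not part of the original template) that evaluates the gate structure described above: a top OR over the three pathways, with the programming pathway modelled as an AND of the keying error and the failure of each protection layer. All event names and probabilities are constructed placeholders; replace them with supplier λ data and site HFE rates. The risk reduction worth function goes slightly beyond the text by showing how much each layer contributes, which is the residual-risk question ISO 14971 Clause 6 asks.

```python
"""Quantify an infusion-pump overdose fault tree.

Added example, not FTA Studio output. Gate structure follows the template:
top OR of three pathways; the programming pathway is an AND of the keying
error with failure of each independent protection layer (IPL).
All probabilities below are constructed placeholders, not supplier data.
"""
from dataclasses import dataclass, field
from math import prod
from typing import Dict, List, Optional, Union


@dataclass
class Event:
    """Basic event: probability of failure on demand (constructed value)."""
    name: str
    p: float


@dataclass
class Gate:
    """Logic gate over basic events or sub-gates; inputs assumed independent."""
    name: str
    kind: str                                   # "AND" or "OR"
    inputs: List[Union[Event, "Gate"]] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Exact top-down evaluation under independence (no rare-event approximation)."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)                          # all inputs must fail
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)   # at least one input fails
    raise ValueError(f"unknown gate kind {node.kind!r}")


def build_tree(overrides: Optional[Dict[str, float]] = None) -> Gate:
    """Assemble the tree from the template's decomposition.

    `overrides` maps an event name to a replacement probability; setting a
    control's failure probability to 1.0 models that control being absent.
    """
    ov = overrides or {}

    def ev(name: str, p: float) -> Event:
        return Event(name, ov.get(name, p))

    flow = Gate("Flow control mechanism failure", "OR", [
        ev("rotor stall with valve open", 1e-6),          # constructed
        ev("anti-free-flow clamp failure", 2e-6),         # constructed
        ev("pressure sensor mis-reading", 5e-6),          # constructed
    ])
    programming = Gate("Programming error pathway", "AND", [
        ev("clinician keys wrong rate/concentration", 1e-3),   # HFE placeholder
        ev("drug library limit fails to intercept", 1e-2),     # IPL placeholder
        ev("nurse double-check fails to intercept", 1e-1),     # IPL placeholder
    ])
    library = ev("drug library corrupt/out-of-date", 1e-5)     # constructed
    return Gate("Medication overdose delivered", "OR", [flow, programming, library])


def pathway_contributions(tree: Gate) -> Dict[str, float]:
    """Probability of each immediate input of the top gate."""
    return {child.name: probability(child) for child in tree.inputs}


def risk_reduction_worth(control: str) -> float:
    """Top-event probability with `control` assumed failed (p = 1) divided by
    the baseline: how much that layer buys in residual risk."""
    return probability(build_tree({control: 1.0})) / probability(build_tree())


if __name__ == "__main__":
    tree = build_tree()
    print(f"Top event P = {probability(tree):.3e}")
    for name, p in pathway_contributions(tree).items():
        print(f"  {name}: {p:.3e}")
    for ctrl in ("drug library limit fails to intercept",
                 "nurse double-check fails to intercept"):
        print(f"RRW of '{ctrl}': {risk_reduction_worth(ctrl):.2f}")
```

With the placeholder values the top event sits near 1.9e-5 per infusion and the drug-library limit is worth roughly a factor of six; the point of the exercise is that swapping in real λ and HFE data changes those numbers, and the regulator will ask for the evidence behind each leaf.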
Standards alignment
ISO 14971 Annex G recommends FTA as a top-down technique for medical-device hazard analysis when the hazard has multiple credible causes. This template is the deliverable a regulator (FDA QSR, EU MDR Article 10) typically expects to see in the risk-management file when a Class IIb / III device has Catastrophic severity hazards. The IEC 62304 software safety classification is set to Class C on the basis of the top-event severity.
Use this template
Open in FTA Studio, replace generic component λ data with your supplier reliability data, refine human-error rates with site-specific HFE evidence, and export for inclusion in the risk-management file (ISO 14971) submitted as part of a 510(k), De Novo or MDR technical file.