Assessing Risk for Medical Device Software

A

Agent J

#1
I’m working to update my company’s risk management procedures for our medical device software. I’ve reviewed IEC 80002-1 and I’m not certain how to best integrate the guidance from 4.4.3 Probability.

In our current procedure, we estimate the severity and probability each on a scale of 1-5 and compare the results to a chart to determine if the risk requires risk controls. The higher the probability the less tolerant we are of a given severity. When considering the risk of an anomaly, IEC 80002-1 states that the risk should be considered based on severity alone. Is it common to base the judgment of severity as we might if the probability were the maximum, the minimum, or somewhere in between?
 
Last edited by a moderator:
Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#2
In our current procedure, we estimate the severity and probability each on a scale of 1-5 and compare the results to a chart to determine if the risk requires risk controls. The higher the probability the less tolerant we are of a given severity. When considering the risk of an anomaly, IEC 80002-1 states that the risk should be considered based on severity alone. Is it common to base the judgment of severity as we might if the probability were the maximum, the minimum, or somewhere in between?
IEC 80002-1 4.4.3 talks about different probabilities, and I think you might be confusing them.

The "focus on severity alone" is only applicable if other probabilities in the sequence of events, after the software failure, are not possible to estimate. If they are, the final probability P1 would be different than 1, and after estimating P2, the probability of occurrence of harm (P1xP2) could be estimated.

The scale you mention is probably the scale of P1xP2, not of P1 only.
 

Frodeno

Starting to get Involved
#4
Hi Everyone,

I have some follow-on questions from this. So I understand that Prob of Occurance of harm (POH) POH= P1 X P2 and that for software usually P1 cannot be estimated and becomes 1. In a situation where P2 can be estimated then great, one can determine POH. However, when severitiy is used then is it acceptable to use risk controls that reduce severity?

Secondly, in the same context, 80002-1 says on page 11:

"RISK acceptance criteria for RESIDUAL RISK where probability cannot be estimated should take into account the RISK CONTROL measures that have been implemented and the effectiveness of those RISK CONTROL measures in reducing the probability of occurrence of HARM. RISK CONTROL measures should be a combination of all reasonable practicable measures, fulfill applicable standards and regulations, and be state of the art (see Annex D.4 of ISO 14971:2007)."

So, does this mean that eventhough one can estimate Risk based on severity alone that risk reduction can be through a reduction of POH? if this is true can someone help me understand this...this sounds very subjective if it is the case.

Cheers,

Frodo
 

Marcelo

Inactive Registered Visitor
#5
So I understand that Prob of Occurance of harm (POH) POH= P1 X P2 and that for software usually P1 cannot be estimated and becomes 1
Nope. The software failure (which is part of the sequence of events that leas to a hazardous situation) usually cannot be estimated, and the probability of this failure usually cannot be estimated and becomes 1. This does not mean that P1 becomes 1 - for example, if there are other events in the sequence of events besides the failure (which is usually the first event).

So, does this mean that eventhough one can estimate Risk based on severity alone that risk reduction can be through a reduction of POH? if this is true can someone help me understand this...this sounds very subjective if it is the case.
As mentioned above, you can have other events in the sequence of events after the software failure, with related probabilities, meaning that P1 won't be 1.
 

Frodeno

Starting to get Involved
#6
Aha thanks Marcelo...so in actual fact the P1 = Pa......Pz (potentially) and P2 is probability of a hazardous situation leading to a harm..

It does make me wonder through, at what point does it become appropriate to set P1 to 1 and to what lengths does one go to try to determine the other components of P1...especially if you have 100s of potential hazards to analyze.
 

Marcelo

Inactive Registered Visitor
#7
It does make me wonder through, at what point does it become appropriate to set P1 to 1 and to what lengths does one go to try to determine the other components of P1...especially if you have 100s of potential hazards to analyze.
The problem of assuming P1 = 1 is that usually this mean that your device will fall under class C, if they have any possibility of serious injury/death.

As the idea of the safety classification was to enable the manufacturer to reduce the paperwork related to compliance with IEC 62304 if possible, assuming P1 = 1 is a worst case that may create more burden than clearly analyzing P1.
 

Marcelo

Inactive Registered Visitor
#8
Anyway, as a general guidance, identifying the probabilities o the sequence of events is more obvious when you have risk control measures external to the software, as they are the only ones that can be counted as feasible. We did made this clear in the 62304 amendment (both IEC 62304 and IEC 80002-1 are not that clear on this regard).
 
Thread starter Similar threads Forum Replies Date
R FOD Risk Assessment - What tools would you recommend for assessing FOD risk? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
J Discrepancies - Determine the Magnitude and Assessing the Risk Nonconformance and Corrective Action 2
T Assessing Hazard-Related Use Scenarios where control measures exist through standards IEC 62366 - Medical Device Usability Engineering 25
R Assessing Pipette Calibration Failures General Measurement Device and Calibration Topics 5
B Interpreting "misuse" when assessing Hazardous Situations ISO 14971 - Medical Device Risk Management 2
A Escalation to CAPA - Assessing if an NC warrants a CAPA Nonconformance and Corrective Action 4
A Assessing/Mapping Employee Attitude during Competency Mapping (Assessment) IATF 16949 - Automotive Quality Systems Standard 15
J Assessing compliance with ISO 13485 Section 6.1 ISO 13485:2016 - Medical Device Quality Management Systems 10
A Assessing a Preventive Maintenance Strategy - Reliability or Maintenance Statistics Reliability Analysis - Predictions, Testing and Standards 2
D Assessing the Validity of Previous Measuring Results? General Measurement Device and Calibration Topics 8
L Assessing Corrosion Damages on Steel finished externally with Epoxical Paint Various Other Specifications, Standards, and related Requirements 1
Mikey324 Assessing Potential Field Failures (TS 16949 Requirements) Quality Manager and Management Related Issues 5
G Assessing Process Capability on Variation (Hardware Adjustment Mean Shift) Capability, Accuracy and Stability - Processes, Machines, etc. 4
B Assessing a Suppliers Technical Capabilities Supplier Quality Assurance and other Supplier Issues 6
S Objectives and Targets - Assessing a rate of achieving a goal Reliability Analysis - Predictions, Testing and Standards 7
J Assessing the understanding of occupational health and safety requirements Occupational Health & Safety Management Standards 3
T Assessing actuality to apply ISO 14001 ISO 14001:2015 Specific Discussions 12
Douglas E. Purdy Storage & Inventory - Assessing Stock for Deterioration at Planned Intervals 7.5.5.1 IATF 16949 - Automotive Quality Systems Standard 9
B ISO10012:2003 Question - Choosing or assessing the capability of a piece of equipment Other ISO and International Standards and European Regulations 1
A Assessing and managing monopolist suppliers Supplier Quality Assurance and other Supplier Issues 6
L Internal Auditing & Assessing Effectiveness Internal Auditing 8
L Internal Auditing & Assessing Effectiveness Internal Auditing 8
T Assessing Customer SPECIFIED Suppliers Supplier Quality Assurance and other Supplier Issues 9
R Risk assessment on IT containers and the information they contain IEC 27001 - Information Security Management Systems (ISMS) 4
B Threat/Vulnerability Catalogue for risk assessment IEC 27001 - Information Security Management Systems (ISMS) 2
R Opportunity For Improvement vs Opportunity (Positive Risk) ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 18
R Identify Medical Device characterstics as Annex C of ISO 14971 Risk Management ISO 14971 - Medical Device Risk Management 5
A ISO 14971 PFMEA Manufacturing Risk ISO 14971 - Medical Device Risk Management 2
Q Example of the Risk Template Document Control Systems, Procedures, Forms and Templates 1
K Overall residual risk according to ISO 14971:2019 ISO 14971 - Medical Device Risk Management 5
A Risk Number for each software requirement IEC 62304 - Medical Device Software Life Cycle Processes 7
A IEC 60601 11.2.2.1 Risk of Fire in an Oxygen Rich Environment, Source of Ignition IEC 60601 - Medical Electrical Equipment Safety Standards Series 0
D Importing a general wellness low risk product Other US Medical Device Regulations 3
C Quantifying risk in choosing the number of parts, operators and replicates in a GR&R Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 4
R AQL, Consumer Risk and MA Statistical Analysis Tools, Techniques and SPC 2
M Risk managment report of Surgical Mask Example ISO 14971 - Medical Device Risk Management 14
M Risk Analysis Flow - Confusion between ISO 14971 and IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 8
R ECG Risk Analysis Standards ISO 14971 - Medical Device Risk Management 2
N Device Labeling - Medtronic Ventilator Files (Risk Management documents) Coffee Break and Water Cooler Discussions 2
A 5 x 5 Risk Matrix - Looking for a good example Manufacturing and Related Processes 2
F Risk for Quality Assurance Department in a Hospital - Hospital Incident Reporting ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
M Should volume of sales be factored into risk probability assessments? ISO 14971 - Medical Device Risk Management 33
T How do you define your Hazards? <a Risk Management discussion> ISO 14971 - Medical Device Risk Management 16
adir88 Documenting Risk Control Option Analysis ISO 14971 - Medical Device Risk Management 8
B Risk Assessment Checklist for Non product Software IEC 62304 - Medical Device Software Life Cycle Processes 1
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
K Identification of hazards and Risk file IEC 62366 - Medical Device Usability Engineering 7
S Risk based internal auditing Internal Auditing 6
Robert Stanley I'm @ RISK of not showing my RISKS! ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 20
M Estimating the benefit-risk ration under MDR EU Medical Device Regulations 1

Similar threads

Top Bottom