Assessing Risk for Medical Device Software

A

Agent J

#1
I’m working to update my company’s risk management procedures for our medical device software. I’ve reviewed IEC 80002-1 and I’m not certain how to best integrate the guidance from 4.4.3 Probability.

In our current procedure, we estimate the severity and probability each on a scale of 1-5 and compare the results to a chart to determine if the risk requires risk controls. The higher the probability the less tolerant we are of a given severity. When considering the risk of an anomaly, IEC 80002-1 states that the risk should be considered based on severity alone. Is it common to base the judgment of severity as we might if the probability were the maximum, the minimum, or somewhere in between?
 
Last edited by a moderator:
Elsmar Forum Sponsor

Marcelo

Inactive Registered Visitor
#2
In our current procedure, we estimate the severity and probability each on a scale of 1-5 and compare the results to a chart to determine if the risk requires risk controls. The higher the probability the less tolerant we are of a given severity. When considering the risk of an anomaly, IEC 80002-1 states that the risk should be considered based on severity alone. Is it common to base the judgment of severity as we might if the probability were the maximum, the minimum, or somewhere in between?
IEC 80002-1 4.4.3 talks about different probabilities, and I think you might be confusing them.

The "focus on severity alone" is only applicable if other probabilities in the sequence of events, after the software failure, are not possible to estimate. If they are, the final probability P1 would be different than 1, and after estimating P2, the probability of occurrence of harm (P1xP2) could be estimated.

The scale you mention is probably the scale of P1xP2, not of P1 only.
 
F

Frodeno

#4
Hi Everyone,

I have some follow-on questions from this. So I understand that Prob of Occurance of harm (POH) POH= P1 X P2 and that for software usually P1 cannot be estimated and becomes 1. In a situation where P2 can be estimated then great, one can determine POH. However, when severitiy is used then is it acceptable to use risk controls that reduce severity?

Secondly, in the same context, 80002-1 says on page 11:

"RISK acceptance criteria for RESIDUAL RISK where probability cannot be estimated should take into account the RISK CONTROL measures that have been implemented and the effectiveness of those RISK CONTROL measures in reducing the probability of occurrence of HARM. RISK CONTROL measures should be a combination of all reasonable practicable measures, fulfill applicable standards and regulations, and be state of the art (see Annex D.4 of ISO 14971:2007)."

So, does this mean that eventhough one can estimate Risk based on severity alone that risk reduction can be through a reduction of POH? if this is true can someone help me understand this...this sounds very subjective if it is the case.

Cheers,

Frodo
 

Marcelo

Inactive Registered Visitor
#5
So I understand that Prob of Occurance of harm (POH) POH= P1 X P2 and that for software usually P1 cannot be estimated and becomes 1
Nope. The software failure (which is part of the sequence of events that leas to a hazardous situation) usually cannot be estimated, and the probability of this failure usually cannot be estimated and becomes 1. This does not mean that P1 becomes 1 - for example, if there are other events in the sequence of events besides the failure (which is usually the first event).

So, does this mean that eventhough one can estimate Risk based on severity alone that risk reduction can be through a reduction of POH? if this is true can someone help me understand this...this sounds very subjective if it is the case.
As mentioned above, you can have other events in the sequence of events after the software failure, with related probabilities, meaning that P1 won't be 1.
 
F

Frodeno

#6
Aha thanks Marcelo...so in actual fact the P1 = Pa......Pz (potentially) and P2 is probability of a hazardous situation leading to a harm..

It does make me wonder through, at what point does it become appropriate to set P1 to 1 and to what lengths does one go to try to determine the other components of P1...especially if you have 100s of potential hazards to analyze.
 

Marcelo

Inactive Registered Visitor
#7
It does make me wonder through, at what point does it become appropriate to set P1 to 1 and to what lengths does one go to try to determine the other components of P1...especially if you have 100s of potential hazards to analyze.
The problem of assuming P1 = 1 is that usually this mean that your device will fall under class C, if they have any possibility of serious injury/death.

As the idea of the safety classification was to enable the manufacturer to reduce the paperwork related to compliance with IEC 62304 if possible, assuming P1 = 1 is a worst case that may create more burden than clearly analyzing P1.
 

Marcelo

Inactive Registered Visitor
#8
Anyway, as a general guidance, identifying the probabilities o the sequence of events is more obvious when you have risk control measures external to the software, as they are the only ones that can be counted as feasible. We did made this clear in the 62304 amendment (both IEC 62304 and IEC 80002-1 are not that clear on this regard).
 
Thread starter Similar threads Forum Replies Date
T Assessing risk where harm is indirect - Generic devices / accessories / intermediates ISO 14971 - Medical Device Risk Management 8
R FOD Risk Assessment - What tools would you recommend for assessing FOD risk? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
J Discrepancies - Determine the Magnitude and Assessing the Risk Nonconformance and Corrective Action 2
T Assessing Hazard-Related Use Scenarios where control measures exist through standards IEC 62366 - Medical Device Usability Engineering 32
R Assessing Pipette Calibration Failures General Measurement Device and Calibration Topics 5
B Interpreting "misuse" when assessing Hazardous Situations ISO 14971 - Medical Device Risk Management 2
A Escalation to CAPA - Assessing if an NC warrants a CAPA Nonconformance and Corrective Action 4
A Assessing/Mapping Employee Attitude during Competency Mapping (Assessment) IATF 16949 - Automotive Quality Systems Standard 15
J Assessing compliance with ISO 13485 Section 6.1 ISO 13485:2016 - Medical Device Quality Management Systems 10
A Assessing a Preventive Maintenance Strategy - Reliability or Maintenance Statistics Reliability Analysis - Predictions, Testing and Standards 2
D Assessing the Validity of Previous Measuring Results? General Measurement Device and Calibration Topics 8
L Assessing Corrosion Damages on Steel finished externally with Epoxical Paint Various Other Specifications, Standards, and related Requirements 1
Mikey324 Assessing Potential Field Failures (TS 16949 Requirements) Quality Manager and Management Related Issues 5
G Assessing Process Capability on Variation (Hardware Adjustment Mean Shift) Capability, Accuracy and Stability - Processes, Machines, etc. 4
B Assessing a Suppliers Technical Capabilities Supplier Quality Assurance and other Supplier Issues 6
S Objectives and Targets - Assessing a rate of achieving a goal Reliability Analysis - Predictions, Testing and Standards 7
J Assessing the understanding of occupational health and safety requirements Occupational Health & Safety Management Standards 3
T Assessing actuality to apply ISO 14001 ISO 14001:2015 Specific Discussions 12
Douglas E. Purdy Storage & Inventory - Assessing Stock for Deterioration at Planned Intervals 7.5.5.1 IATF 16949 - Automotive Quality Systems Standard 9
B ISO10012:2003 Question - Choosing or assessing the capability of a piece of equipment Other ISO and International Standards and European Regulations 1
A Assessing and managing monopolist suppliers Supplier Quality Assurance and other Supplier Issues 6
L Internal Auditing & Assessing Effectiveness Internal Auditing 8
L Internal Auditing & Assessing Effectiveness Internal Auditing 8
T Assessing Customer SPECIFIED Suppliers Supplier Quality Assurance and other Supplier Issues 9
T AS9100D Risk-Based Internal Audit Schedule AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 10
thisby_ Installation Related Issues and Risk Management ISO 14971 - Medical Device Risk Management 5
W Reconciling FMEA RPN ratings with Risk Acceptability ISO 14971 - Medical Device Risk Management 11
D How to address the content deviation of 'cannot apply criteria of risk acceptability prior to...' ISO 14971 - Medical Device Risk Management 1
Doninina Risk management file according MDR or ISO 14971:P2019 ? EU Medical Device Regulations 2
T Risk based CA AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
T IVD Risk - destruction of patient samples - Harm to property? ISO 14971 - Medical Device Risk Management 5
E Do anyone have document of automotive production risk and control of risk? Lean in Manufacturing and Service Industries 1
R Using RPN to Confirm Risk Reduced to an Acceptable Level Risk Management Principles and Generic Guidelines 12
T IVD Device Software - Risk Classification IEC 62304 - Medical Device Software Life Cycle Processes 16
G Help:Risk Management - Accessories US Food and Drug Administration (FDA) 1
N Writing Risk Management procedure for small manufacturing and we don't know where to start. Manufacturing and Related Processes 9
E How to risk assess tooling? For a medical device and is it needed??? Manufacturing and Related Processes 2
M Clinical evaluation interface with the risk management process EU Medical Device Regulations 9
L Risk analysis Manufacturing and Related Processes 4
J Risk Analysis for Proficiency Testing Reliability Analysis - Predictions, Testing and Standards 1
J ISO 10993-1:2018 Format to Perform Risk Management Process US Food and Drug Administration (FDA) 1
B Risk Management Procedure updates needed for 14971:2019 ISO 14971 - Medical Device Risk Management 11
M What is the Risk of Using Obsolete Versions of C=0 & ANSI/ ASQ Z1.4 Sampling Plans? ISO 13485:2016 - Medical Device Quality Management Systems 8
D AS9100D 8.4.2 Note 2 Significant Operational Risk AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
A Calculating Risk Estimation ISO 14971 - Medical Device Risk Management 29
M Intended Use vs Actual Use and Scope of Risk Management EU Medical Device Regulations 8
S IDCB 0129/0160 Clinical Risk Management ISO 14971 - Medical Device Risk Management 2
H At what level (harm, hazardous situation, seq. of events, etc) is "risk" estimated? ISO 14971 - Medical Device Risk Management 12
A Risk Management Team IEC 60601 - Medical Electrical Equipment Safety Standards Series 11
S Risk Management File - Procedure Packs ISO 14971 - Medical Device Risk Management 3

Similar threads

Top Bottom