# Assessing Risk for Medical Device Software

#### Agent J

I’m working to update my company’s risk management procedures for our medical device software. I’ve reviewed IEC 80002-1 and I’m not certain how to best integrate the guidance from 4.4.3 Probability.

In our current procedure, we estimate the severity and probability each on a scale of 1-5 and compare the results to a chart to determine if the risk requires risk controls. The higher the probability the less tolerant we are of a given severity. When considering the risk of an anomaly, IEC 80002-1 states that the risk should be considered based on severity alone. Is it common to base the judgment of severity as we might if the probability were the maximum, the minimum, or somewhere in between?

#### Marcelo

##### Inactive Registered Visitor
> In our current procedure, we estimate the severity and probability each on a scale of 1-5 and compare the results to a chart to determine if the risk requires risk controls. The higher the probability the less tolerant we are of a given severity. When considering the risk of an anomaly, IEC 80002-1 states that the risk should be considered based on severity alone. Is it common to base the judgment of severity as we might if the probability were the maximum, the minimum, or somewhere in between?

IEC 80002-1 4.4.3 talks about different probabilities, and I think you might be confusing them.

The "focus on severity alone" is only applicable if other probabilities in the sequence of events, after the software failure, are not possible to estimate. If they are, the final probability P1 would be different than 1, and after estimating P2, the probability of occurrence of harm (P1xP2) could be estimated.

The scale you mention is probably the scale of P1xP2, not of P1 only.

#### Frodeno

##### Starting to get Involved
Hi Everyone,

I have some follow-on questions from this. So I understand that Prob of Occurrence of harm (POH) POH = P1 X P2 and that for software usually P1 cannot be estimated and becomes 1. In a situation where P2 can be estimated then great, one can determine POH. However, when severity is used then is it acceptable to use risk controls that reduce severity?

Secondly, in the same context, 80002-1 says on page 11:

"RISK acceptance criteria for RESIDUAL RISK where probability cannot be estimated should take into account the RISK CONTROL measures that have been implemented and the effectiveness of those RISK CONTROL measures in reducing the probability of occurrence of HARM. RISK CONTROL measures should be a combination of all reasonable practicable measures, fulfill applicable standards and regulations, and be state of the art (see Annex D.4 of ISO 14971:2007)."

So, does this mean that even though one can estimate Risk based on severity alone that risk reduction can be through a reduction of POH? If this is true can someone help me understand this...this sounds very subjective if it is the case.

Cheers,

Frodo

#### Marcelo

##### Inactive Registered Visitor
> So I understand that Prob of Occurrence of harm (POH) POH = P1 X P2 and that for software usually P1 cannot be estimated and becomes 1

Nope. The software failure (which is part of the sequence of events that leads to a hazardous situation) usually cannot be estimated, and the probability of this failure usually cannot be estimated and becomes 1. This does not mean that P1 becomes 1 - for example, if there are other events in the sequence of events besides the failure (which is usually the first event).

> So, does this mean that even though one can estimate Risk based on severity alone that risk reduction can be through a reduction of POH? If this is true can someone help me understand this...this sounds very subjective if it is the case.

As mentioned above, you can have other events in the sequence of events after the software failure, with related probabilities, meaning that P1 won't be 1.

#### Frodeno

##### Starting to get Involved
Aha thanks Marcelo...so in actual fact the P1 = Pa......Pz (potentially) and P2 is probability of a hazardous situation leading to a harm..

It does make me wonder though, at what point does it become appropriate to set P1 to 1 and to what lengths does one go to try to determine the other components of P1...especially if you have 100s of potential hazards to analyze.

#### Marcelo

##### Inactive Registered Visitor
> It does make me wonder though, at what point does it become appropriate to set P1 to 1 and to what lengths does one go to try to determine the other components of P1...especially if you have 100s of potential hazards to analyze.

The problem of assuming P1 = 1 is that usually this means that your device will fall under class C, if they have any possibility of serious injury/death.

As the idea of the safety classification was to enable the manufacturer to reduce the paperwork related to compliance with IEC 62304 if possible, assuming P1 = 1 is a worst case that may create more burden than clearly analyzing P1.

#### Marcelo

##### Inactive Registered Visitor
Anyway, as a general guidance, identifying the probabilities of the sequence of events is more obvious when you have risk control measures external to the software, as they are the only ones that can be counted as feasible. We did make this clear in the 62304 amendment (both IEC 62304 and IEC 80002-1 are not that clear on this regard).
