Changing software classification via software - IEC 62304

[david316]

I have a question about the software classification as per clause 4.3 in edition 1.1. (2015 version) of 62304. In clause 4.3 the following statement is made:

For a SOFTWARE SYSTEM initially classified as software safety class B or C, the MANUFACTURER may implement additional RISK CONTROL measures external to the SOFTWARE SYSTEM (including revising the system architecture containing the SOFTWARE SYSTEM) and subsequently assign a new software safety classification to the SOFTWARE SYSTEM.

NOTE 1 External RISK CONTROL measures can be hardware, an independent SOFTWARE SYSTEM, health care procedures, or other means to minimize that software can contribute to a HAZARDOUS SITUATION.

So, I as understand this, you can change the software classification if a risk control external to the software makes the risk acceptable. As stated in Note 1, a risk control can be an independent software system. I don’t understand why when doing the software classification you assume 100% probability for software failure, but then the standard allows you to reduce the risk by an independent software system and potentially change the software classification. This seems counter intuitive. I would you assume you would need to justify the independent software control is effective at reducing the risk though the use of best practise for design and testing. Comments?

As a follow-up, how independent is independent. Can an independent software system be in the same microprocessor if you partition it appropriately and have an appropriate architecture? The standard kind of hints at this in Annex B.4.3?

Any input will be greatly appreciated.

 

[Marcelo]

I don’t understand why when doing the software classification you assume 100% probability for software failure,

This is clearly explained in B.4.3 (which was taken from 80002-1 to put in the standard so people may try to stop saying that the (erroneous) statement that the hazardous situation probability is 100 % (when in fact what is meant is that only the software failure, which is part of the sequence of events that characterize P1, is suggested to be 100 %).

I'm not sure what else can be said.

but then the standard allows you to reduce the risk by an independent software system and potentially change the software classification. This seems counter intuitive.

This was included because it was never the intention of the standard that the software classification is done once and can never change. Coming from the discussion above, clearly it's possible to have a risk probability (P1 x P2) which is different from 1, if there are events on the sequence of events of P1 that reduce the probability.

I would you assume you would need to justify the independent software control is effective at reducing the risk though the use of best practise for design and testing. Comments?

"Best practise for design and testing" does not reduce risk. Only inherit safe design (unconditional safety), protective measures (conditional safety) and information for safety (descriptive safety) reduces risk (please note that ISO 14971 does allow, in the second level, protective measures in the manufacturing process as control, but this is technically incorrect).

But you are right the the independent software control is effective at reducing the risk, as is already required by the verification of effectiveness requirement of ISO 14971.

As a follow-up, how independent is independent. Can an independent software system be in the same microprocessor if you partition it appropriately and have an appropriate architecture? The standard kind of hints at this in Annex B.4.3?

This is mainly related to be independent enough so a failure in one does not directly lead to a failure in the other.

 

[david316]

As per Figure 3, there is the statement in the figure:

"A SOFTWARE SYSTEM which implements RISK CONTROL measure may fail, and this may contribute to a HAZARDOUS SITUATION. The resulting HARM may include the HARM which the RISK CONTROL measure is designed to prevent (see 7.2.2b)"

In 7.2.2b it states
"assign to each SOFTWARE ITEM that contributes to the implementation of a RISK CONTROL measure a software safety class based on the RISK That the RISK CONTROL measure is controlling and develop the SOFTWARE ITEM in accordance with Clause 5"

So.... If as per figure 4.3 and clause 4.3 I have a software system that is class C, I can reduce the software classification by having an external risk control if the risk is acceptable (e.g. independent SOFTWARE SYSTEM) . But, assuming the risk control is an independent software system, the software in the independent software system now becomes class C. That's how I read it anyway.

 

[Marcelo]

As per Figure 3, there is the statement in the figure:

"A SOFTWARE SYSTEM which implements RISK CONTROL measure may fail, and this may contribute to a HAZARDOUS SITUATION. The resulting HARM may include the HARM which the RISK CONTROL measure is designed to prevent (see 7.2.2b)"

In 7.2.2b it states
"assign to each SOFTWARE ITEM that contributes to the implementation of a RISK CONTROL measure a software safety class based on the RISK That the RISK CONTROL measure is controlling and develop the SOFTWARE ITEM in accordance with Clause 5"

So.... If as per figure 4.3 and clause 4.3 I have a software system that is class C, I can reduce the software classification by having an external risk control if the risk is acceptable (e.g. independent SOFTWARE SYSTEM) . But, assuming the risk control is an independent software system, the software in the independent software system now becomes class C. That's how I read it anyway.

Well, yes, but please note that failure of a software system that implement a risk control measure does not directly leads to a hazardous situation. It may lead to a hazardous situation, as mentioned in the standard.