Medical Device Software Risk Management and ISO 14971:2007

R

RA Princess

#1
Hi Everyone :bigwave:

I work for an engineering company who are new to the field of medical devices and are currently embarking on a project to develop a device that is standalone software.

We have a risk management process which I am currently revising to bring in line with the new ISO 14971:2007 std, however this procedure does not currently address software risk management in any aspect. (Not sure if it should:confused:)

We are unsure of an appropriate scoring system to use for the estimation of the risks for each hazard. (i.e probability and severity). Its the probability that is causing us the most confusion. It will either happen or it wont? So how can you have a probability? :bonk::frust:

Does anyone have any advice or any examples that they could share with me I would be most grateful,

Thanks
RA Princess
 
Elsmar Forum Sponsor
S

Sleepless

#2
Re: Software Risk Management

I think I understand your confusion and hopefully this helps. Risks, as you said, either happen or they don't. That being said, some risks are more likely to happen than others and that's what needs to be identified. You usually track risks using a pair of attributes, impact vs. likelyhood. A LOW impact risk with a LOW likelyhood would be considered below a HIGH impact risk with a LOW likelyhood. Following that logic, the HIGH impact/LOW likelyhood would be considered below a HIGH impact/HIGH likelyhood.
I've been working in software engineering for 20 years and risks (from my experience) are usually managed for each project using the following criteria (or something like it):
1. Identify the risk
2. Categorize the risk
3. Identify the impact of the risk
4. Identify the likelyhood of the risk happening
5. Prioritize the risk
6. Plan a mitigation strategy for the risk, if it should occur
7. Execute migitagtion strategy as needed
8. Monitor and update the risk continually

* Hopefully, I've understood your question and answered it sufficiently?
 
Last edited by a moderator:
M

Madly RA'd Woman

#3
Re: Software Risk Management

Here is an excerpt from a good article (just google FMEA and ISO 14971):

Detectability and Risk

In applying FMEA to risk management, some manufacturers use the concept of detectability to generate an initial risk priority number (RPN). This troubling practice is not found in IEC 60812. It comes not from design FMEA techniques but from the use of FMEA to evaluate manufacturing processes.

As defined in ISO 14971, RPN involves numeric techniques to represent the relative severity of risk. The value to be given to the severity of each risk is determined by assigning a value indicating the significance of the harm that would occur. This number is multiplied by a value assigned to the probability that the harm will occur. (Risk as defined in the standard is the product of severity and likelihood of occurrence.) This process is virtually identical to the one described for device FMEA in IEC 60812.

However, process FMEA introduces a third term into the calculation. During manufacture, when a defect that could result in harm is detected, action can be taken to either repair the defect immediately or impound the product until it is repaired. In these circumstances, the use of detectability to figure the RPN is completely appropriate. The time lag between detection during manufacture and the actual use, where the harm typically occurs, is substantial.
 

Marcelo

Inactive Registered Visitor
#4
Re: Software Risk Management

In fact there´s two probabilities involved - per ISO 14971:2007.

First there´s the probability of a hazard, throught a sequence of events, turn into a hazard situation. Then there´s the probability of this hazard situation turn into harm. Take a look in my example in this thread: http://elsmar.com/Forums/showthread.php?t=21190&page=2&highlight=14971 for a better understanting. Also, the probability is that the harm WILL happen, meaning, the hazard turn into a harm.

Oh, IEC is working in a document on guidance on applying ISO 14971 to medical device software. You can try to get it through the National Committe of your country. The document is:

IEC/TS 80002 Ed. 1.0 - Medical device software - Guidance on the application of ISO 14971 to medical device software

And it really provides a lot of guidance (the pre-approved draft is almost 80 pages long!).
 
M

Matthew_Hopkins

#5
Re: Software Risk Management

In my opinion, mmantunes seems closest to answer the actual question of RA Princess. The core here would be that the probability of failure and probability of harm are two different things. You could argue that the probability of a SW failure is either 0 or 100%. The probability of harm to the operator/patient/environment etc. due to this failure is necesseraily not the same. Primariliy 14971 focuses on the probability of harm and not the failure. That's something to start out from.

Thanks for the IEC/TS hint, looks interesting indeed. I hope I can get hold of a copy somehow.

//MH
 
S

Sleepless

#6
Re: Software Risk Management

In case it wasn't clear in my earlier posting, I was trying to point out that you have to track these attributes as a pair (Likelihood & Impact).

Probability of Failure = Likelihood (of risk occurring)
Probability of Harm = Impact (if risk does occur)

You could go so far as to take it to three dimensions and include a "time" since impact of a risk can be different depending on when the risk occurs.
 

burovoy

Starting to get Involved
#7
I found the answer to probability estimation for software risks in AAMI TIR32:2004 Medical device software risk management. This Technical Report references ISO 14971 clauses, however, revision 2000, and interprets them from the software perspective.

AAMI=Association for the Advancement of Medical Instrumentation.
 
R

RA Princess

#8
Apologies for not responding to anyone's answers sooner.

:thanx:Thank you all for your comments. It has certainly made it all alot clearer and I have just ordered a copy of AAMI TIR32.
 
Thread starter Similar threads Forum Replies Date
R Medical Device Software Certification IEC 62304 - Medical Device Software Life Cycle Processes 1
Q Storing and developing SAMD (Software as a Medical Device) in the Cloud IEC 62304 - Medical Device Software Life Cycle Processes 3
MDD_QNA Medical Device Software - Is a Help Button required? IEC 62304 - Medical Device Software Life Cycle Processes 1
F Software as a Medical Device (SaMD) Technical File Requirements Manufacturing and Related Processes 1
A Software as Medical Device (SaMD) definition and its applicability Other Medical Device and Orthopedic Related Topics 4
T First 510(k) submission - Class II software as medical device US Food and Drug Administration (FDA) 4
Z Software Library - could it be a medical device? ISO 13485:2016 - Medical Device Quality Management Systems 5
M Informational TGA – Submissions received: Regulation of software, including Software as a Medical Device (SaMD) Medical Device and FDA Regulations and Standards News 1
D Requirements for the dimensions / color of medical device labels - Software as a Medical Device IEC 62304 - Medical Device Software Life Cycle Processes 2
D Software as an accessory to a Class I medical device EU Medical Device Regulations 4
R Medical device software without user interface Other Medical Device and Orthopedic Related Topics 3
R Validation of Medical Device Hardware containing Software - How many to Validate ISO 13485:2016 - Medical Device Quality Management Systems 1
Ed Panek Rule 11 Question - CE approvals for software as well as the medical device EU Medical Device Regulations 6
D IEC 60601 for a Software only Medical Device? IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
S Software Release Note - Class A stand alone software medical device IEC 62304 - Medical Device Software Life Cycle Processes 2
M Professional Use Medical Software French Labeling for Canada -- Not Considered Medical Device Canada Medical Device Regulations 2
S Medical Device Software Distribution for a CE-marked medical device via a USB memory stick EU Medical Device Regulations 8
M Informational TGA – Webinar: An update on the consultation for the Regulation of Software, including Software as a Medical Device (SaMD) Medical Device and FDA Regulations and Standards News 0
J Qualification of a Software as a Medical Device (SaMD) guidance under MDR EU Medical Device Regulations 9
P Software requirement and design specifications - Medical device contains both hardware and software IEC 62304 - Medical Device Software Life Cycle Processes 2
M Informational TGA Consultation: Regulation of software, including Software as a Medical Device (SaMD) Medical Device and FDA Regulations and Standards News 0
N Medical Device Accessory Classification - Software as a Medical Device Other Medical Device Regulations World-Wide 5
R SaMD - Software as a Medical Device - Software change control form ISO 13485:2016 - Medical Device Quality Management Systems 3
G EU MDR 2017/745 Rule 11 interpretation - Re-classification of a Software as Medical Device Other Medical Device Related Standards 0
M Medical Device News TGA – Regulation of Software as a Medical Device Medical Device and FDA Regulations and Standards News 0
S Two Questions about Medical Device Software 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
K Medical Device Software Update in Field of AIMD IEC 62304 - Medical Device Software Life Cycle Processes 1
M Medical Device News Health Canada - Scientific Advisory Panel on Software as a Medical Device (SAP-SaMD) - Record of Proceedings – January 26, 2018 Canada Medical Device Regulations 0
R Online / Cloud Based Software as Medical Device EU Medical Device Regulations 8
S DMR (Device Master Record) for Medical Device Software IEC 62304 - Medical Device Software Life Cycle Processes 3
S Labelling in Medical Device Software IEC 62304 - Medical Device Software Life Cycle Processes 8
S What is considered the complete software medical device? Medical Information Technology, Medical Software and Health Informatics 6
JoCam Medical Device Software - Apps which can control medical devices EU Medical Device Regulations 13
L Software Medical Device - 7.3.8 - Design and Development Transfer ISO 13485:2016 - Medical Device Quality Management Systems 4
A SOP for software validation of software in medical device IEC 62304 IEC 62304 - Medical Device Software Life Cycle Processes 5
K Registering a Software medical device (SaMD) in China China Medical Device Regulations 5
N Medical Device Software - Switch from Waterfall to Agile methodology Medical Information Technology, Medical Software and Health Informatics 4
V Software medical device labelling EU Medical Device Regulations 5
I Medical Device Software Risk Analysis ISO 14971 - Medical Device Risk Management 4
S If a piece of software receives approval as part of a medical device system Canada Medical Device Regulations 5
C Controlling Software Versions that are part of a medical device IEC 62304 - Medical Device Software Life Cycle Processes 2
S Cloud-Based Stand Alone Software - Software Medical Device (Class II) US Food and Drug Administration (FDA) 2
Q QMS Software for Startup Medical Device Company Other Medical Device and Orthopedic Related Topics 7
B CQC oversight of Medical device software? EU Medical Device Regulations 3
H Identifying Guidance on Medical Device Software Level of Concern for the EU EU Medical Device Regulations 2
B Is IEC TR 80002-1:2009 applicable to stand-alone medical device software? ISO 14971 - Medical Device Risk Management 1
H ISO 14971 vs. IEC 62304 vs. 98/79/EC vs. ISO 13485 (Software Medical Device) ISO 14971 - Medical Device Risk Management 1
T Are internally found Medical Device Software "Bugs" Complaints? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 3
K 510k "Premarket" Submission for Existing Class II Software Medical Device US Food and Drug Administration (FDA) 3
P UDI Registration - Class II Medical Device Software Other US Medical Device Regulations 9

Similar threads

Top Bottom