Risk Analysis for COTS/OTS


Involved In Discussions
Could someone please chime in and share their approach for conducting hazard analysis for off-the-shelf / commercial-off-the-shelf software? What level of detail do we need to include?

Our current hazard analysis matrix contains the following fields (columns): Hazard number, Hazard (actual hazard), Hazard Origin (e.g., clinical, device component, tool, etc.), Severity, Occurrence, Risk Index, Control Measure Type, Risk Control/Mitigation, Software Hazard? (hazard that can result from software malfunction or can be mitigated by the device's built-in software), New Hazard? (new hazard introduced by the mitigation: Yes / No), Mitigation Occurrence, Mitigation Risk Index, Design Output (e.g., labeling, design document, drawing, requirement, procedure/protocol, test procedure, training, etc.), Verification Evidence (e.g., actual test result report, record, etc.)

The above seems like an overkill analysis for COTS such as MS Word, Excel, Project, or even statistical tools such as Minitab and Matlab. Any suggestions, thoughts would be immensely appreciated.

Thank you so much in advance!
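As an added illustration (not from the original post or any of the replies), the matrix columns listed above can be held as a typed record so that the derived columns (Risk Index, Mitigation Risk Index, New Hazard?) are computed rather than typed by hand, and a reviewer can mechanically catch the usual gaps: residual risk still above the acceptance limit, a mitigation that raises occurrence, a relied-upon control with no verification evidence, and a "new hazard introduced by mitigation" that never got its own row. The 1 to 5 ordinal scales, the product-of-scales risk index, the acceptance limit of 8, and the sample register entries (including the TVP/TVR/SOP document names) are all constructed assumptions for the example, not values from the thread or from ISO 14971.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed scales (not from the thread): severity and occurrence are ordinal
# 1..5, risk index is their product, and an index at or above ACCEPT_LIMIT
# needs a risk control and evidence that the control works.
SCALE_MIN, SCALE_MAX = 1, 5
ACCEPT_LIMIT = 8


@dataclass
class Hazard:
    """One row of the hazard analysis matrix described in the post."""
    number: str
    hazard: str
    origin: str                      # e.g. "clinical", "device component", "tool"
    severity: int
    occurrence: int
    control_type: str                # e.g. "inherent safety", "protective measure", "information"
    mitigation: str
    software_hazard: bool            # caused by software, or mitigated through software
    mitigation_occurrence: int       # occurrence after the control is applied
    design_output: str               # where the control is implemented (document, procedure, ...)
    verification_evidence: str = ""  # record proving the control works; empty = not yet verified
    introduces: List[str] = field(default_factory=list)  # numbers of hazards the mitigation creates

    def __post_init__(self):
        # Reject out-of-scale values at construction time rather than at review time.
        for name in ("severity", "occurrence", "mitigation_occurrence"):
            v = getattr(self, name)
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.number}: {name}={v} outside {SCALE_MIN}..{SCALE_MAX}")

    @property
    def new_hazard(self) -> bool:
        """The 'New Hazard?' column: true when the mitigation introduces other hazards."""
        return bool(self.introduces)

    def risk_index(self) -> int:
        return self.severity * self.occurrence

    def mitigation_risk_index(self) -> int:
        # A control lowers occurrence in this scheme; severity of the harm is unchanged.
        return self.severity * self.mitigation_occurrence


def review_register(hazards: List[Hazard]) -> List[str]:
    """Return the findings a risk-file reviewer would raise against the register."""
    known = {h.number for h in hazards}
    findings = []
    for h in hazards:
        needs_control = h.risk_index() >= ACCEPT_LIMIT
        if needs_control and h.mitigation_risk_index() >= ACCEPT_LIMIT:
            findings.append(f"{h.number}: residual risk {h.mitigation_risk_index()} "
                            f"still at/above limit {ACCEPT_LIMIT}")
        if h.mitigation_occurrence > h.occurrence:
            findings.append(f"{h.number}: mitigation occurrence exceeds initial occurrence")
        if needs_control and not h.verification_evidence:
            findings.append(f"{h.number}: control relied on but no verification evidence recorded")
        for n in h.introduces:
            if n not in known:
                findings.append(f"{h.number}: mitigation introduces {n}, which has no row")
    return findings


# Constructed sample register for a COTS statistical tool (document ids are placeholders).
SAMPLE_REGISTER = [
    Hazard("H-001", "Statistical tool reports a wrong capability index; lot released out of spec",
           "tool", severity=4, occurrence=3, control_type="protective measure",
           mitigation="Validate the tool against a dataset with known answers before use and "
                      "after every version upgrade",
           software_hazard=True, mitigation_occurrence=1,
           design_output="Tool validation protocol TVP-PLACEHOLDER",
           verification_evidence="Validation report TVR-PLACEHOLDER",
           introduces=["H-002"]),
    Hazard("H-002", "Known-answer dataset not re-run after a tool upgrade",
           "tool", severity=4, occurrence=2, control_type="information",
           mitigation="Upgrade procedure requires re-running the known-answer dataset",
           software_hazard=True, mitigation_occurrence=1,
           design_output="Software upgrade SOP-PLACEHOLDER"),
]

if __name__ == "__main__":
    for h in SAMPLE_REGISTER:
        print(h.number, h.risk_index(), "->", h.mitigation_risk_index(), "new hazard:", h.new_hazard)
    for f in review_register(SAMPLE_REGISTER):
        print("FINDING:", f)
```

Run as a script it lists each row's initial and residual index and then the findings; with the sample data the only finding is that H-002 has no verification evidence yet, which is exactly the kind of gap a review of a COTS tool's risk file should surface before the tool is released for use.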


Involved In Discussions

Thank you for responding. Like I said in my initial post, my question is related strictly to software used in medical devices. So, no OSHA.

For risk management, we use ISO 14971; however, software is a bit tricky to categorize (unlike hardware). I'm hoping to find advice on how to apply ISO 14971, 21 CFR part 11, and the FDA guidance on Off the Shelf Software to software tools in a way that's not too burdensome. Thanks again!


Super Moderator
I'm confused. You mention "software in a medical device" and then mention examples such as MS Word, Minitab, etc.

If the software is in a medical device, part of a medical device, or is itself a medical device then yes, the risks of the COTS need to be addressed as part of your product risk management. IEC 62304 and IEC 60601-1 (PEMS) give some good guidance on some of the risk aspects to consider.

If you're talking about software that is used in implementation of the quality system (e.g., MS Word) then those applications need to be considered for validation and you can take a risk-based approach to the rigor of the validation activities. The typical approach is to establish the criteria in a Validation Master Plan. For these, application of 14971 is probably (way) overkill.


Carol, refer to this guidance document fda.gov/downloads/MedicalDevices/.../ucm073779.pdf, specifically sections 2.2 and 2.3. In basic terms, you will conduct an ISO 14971 risk assessment on the software, but it will be a basic assessment, since these are OTS.

(I could not post the link directly, but if you google FDA OTS Software Guidance it will come up.)