Q
Hello Everyone,
We had our Risk Management Process and Risk Analysis (ISO 14971, software-only medical device, class IIa (MDD)) sent to our Notified Body for pre-revision. We got some comments back, on which I would appreciate some additional thoughts.
Validation as Risk Reduction
We have used validation as a Risk Control Measure, which was not entirely appreciated by the NB, as they considered Validation only as a way to confirm that the product's benefits outweigh the risks. Our software performs volume estimations, and we have therefore used validation (perhaps it should be called VERIFICATION?) studies to confirm that the volumes are correctly measured and have considered these validations as a way to reduce the risk of hazardous situations raised by incorrect volume estimations. This now doesn't seem to be the way to do it. Does anyone have any suggestions on how we can re-evaluate our thinking?
Probability for Software
In IEC 62304, as well as in other standards, probability is questioned as a tool to estimate the risk in software devices. However, for hazardous situations caused by systematic software errors, we have chosen to estimate the probability as 1 until we have Test Records verifying that the errors are not present; then we have reduced the probability to 0 and hence considered the risk reduced to an acceptable level. This approach was also questioned by the NB, which preferred that risks from systematic/software errors should be based on the Severity ONLY. Then my question is - how can I reduce the severity caused by a systematic error using risk control measures, if testing is not the way of doing it?
Thanks!
