Should it even be on the hazard analysis (software)?

#1
Should it even be on the hazard analysis (software)?

We have a software that creates reports that can tell a patient about their usage of a drug. No real time messages, but if they go through enough clicks, they can find this report.

Our reports follow what the regulatory body told us to do, to minimize, no, ELIMINATE the risk of misinterpretation causing too much or too little medicine. The medicine is not potent, so would one would have to really take a lot, or stop for a long time, for it to be a serious harm.

We have previously run human factors studies showing these reports, and other text that has now been removed, did not cause the patients to take any type of action that they wouldn't normally do - as in, they still take the medicine based on they are feeling, nto based on what the report says.

Now we are trying to classify from an IEC 62304 persepective, and debating whether this should be even be on the hazard analysis. Some of us say that based on the DESIGN of the wording of these messages, a patient would not take more or less medicine based on what the report said (correct or incorrect), so it doesn't even belong on the risk analysis. The text can be on a user risk analysis, but not on this software hazard analysis

Others state that the software could malfunction, produce incorrect data on the report, the possibility a patient might then misinterpret it, the remote possibility a patient would then significantly over or under dose, and then cause a harm. Therefore, it would belong on the risk analysis with a low probability, but high harm. Since per IEC 62304, probability is considered 100%, and before mitigation so human factors is not considered, it then pushes us into level C. But others disagree with this since the messages have been DESIGNED (as told by the regulatory body) so people will not take action on them independent of how they are feeling, and so the human factors is not a mitigation, but part of the design, and therefore, should not even be on the risk analysis.

How can we resolve this from a risk management perspective?
 
Last edited:
Elsmar Forum Sponsor

Ronen E

Problem Solver
Staff member
Moderator
#2
This is nice.
Effective risk management has already occurred: A risk was identified, estimated and mitigated.
Now it is purely a discussion on how not to waste resources on the appearance of everything being neat and tidy.
I wish I knew a way to avoid this. I'm not an expert on IEC 62304 / software development, so I don't.
In terms of ISO 14971 I would just document all of it and close it out with no further mitigation, due to acceptable risk.
 

yodon

Staff member
Super Moderator
#3
While I agree with @Ronen E that you did a good job identifying and addressing the risk, 62304 does require a bit more. We always do a separate software FMEA to address the things 62304 expects (potential causes):
a) incorrect or incomplete specification of functionality;
b) software defects in the identified SOFTWARE ITEM functionality;
c) failure or unexpected results from SOUP;
d) hardware failures or other software defects that could result in unpredictable software operation; and
e) reasonably foreseeable misuse.

I don't see this being Class C software - the software itself is not causing the over / under dosing. I don't know how your report is framed but maybe you can say something to the effect of always confirm dosing with the physician. Definitely coordinate the class decision with the applicable regulatory bodies - they don't seem to always apply the same logic.
 
Thread starter Similar threads Forum Replies Date
N ISO 19011:2018 - 5.4.2 "...audit program should engage in appropriate continual development..." Training - Internal, External, Online and Distance Learning 4
G Should I perform Gage R&R only at the beginning of a new project? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 6
DuncanGibbons Should the requirements FAA/EASA Part 21 be addressed within the QMS and AS9100D quality manual? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 5
M Should 510(k) Predicates be Actively Listed Devices? Other US Medical Device Regulations 12
B Why the Greek god Hephaestus should have done a design FMEA (DFMEA) on his giant robot APQP and PPAP 1
J On PFMEA for danger labels - Label always should be assigned severity 10 ? FMEA and Control Plans 3
H Who should be listed as the manufacturer/distributor on the box? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 15
M MDR, RED and LVD - Should our device comply with them? EU Medical Device Regulations 2
BeaBea How Many Processes should be created for each Department? Process Maps, Process Mapping and Turtle Diagrams 5
M Should volume of sales be factored into risk probability assessments? ISO 14971 - Medical Device Risk Management 33
MrTetris Should potential bugs be considered in software risk analysis? ISO 14971 - Medical Device Risk Management 5
S Should safety checks be included in the Control Plan? IATF 16949 - Automotive Quality Systems Standard 5
M Which incubation condition should be selected to recover both bacteria and fungus effectively Miscellaneous Environmental Standards and EMS Related Discussions 3
D Is there a specific location for PPE such as safety glass holders and glove dispensers should be mounted Occupational Health & Safety Management Standards 10
Robert Stanley Which Registrar Should I Choose for ISO 9001:2015 registration? Registrars and Notified Bodies 10
M Who should receive the bills from suppliers and vendors, account payable or procurement? Consultants and Consulting 4
V IATF 16949 8.4.1 Control of externally provided processes, products and services - Should the CB be on our Approved Supplier List? IATF 16949 - Automotive Quality Systems Standard 10
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Received a Major finding during IATF Surveillance audit for loss of BIQS Level 3 (more than 6 SPPS in 6 months)...how should we address SYSTEMIC CA? IATF 16949 - Automotive Quality Systems Standard 11
J Organization merger. Should we keep two separate ISO 13485 certificates? ISO 13485:2016 - Medical Device Quality Management Systems 6
S Companies that maintain your machine should be in ASL? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 2
S Use of "Shall" versus "Should" in Procedures ISO 13485:2016 - Medical Device Quality Management Systems 21
D Class II medical device - When should a complaint be closed? Customer Complaints 6
Sidney Vianna IATF 16949 News Presentations from the latest IATF Stakeholder Event - Expectation that IATF 16949 certification should equate with product quality. Misguided? IATF 16949 - Automotive Quality Systems Standard 7
L Clause 0.4 of ISO 9001 and EHS - Where should I stop the inclusion of EHS in my QMS ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
Ed Panek Part 11 Self Certify Memo - What else should it cover? Qualification and Validation (including 21 CFR Part 11) 5
H Should I mention machine/Equipment password In SOP? Qualification and Validation (including 21 CFR Part 11) 4
D How long should we keep the spare parts available for our medical device, after we have stopped the production? ISO 13485:2016 - Medical Device Quality Management Systems 0
H Statistical Techniques Procedure - What should be included Document Control Systems, Procedures, Forms and Templates 4
Q How should I analyze measurement correlation between me and customer? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 12
Sidney Vianna Interesting Discussion ISO 9001:2024 - What should be changed in the next Edition of ISO 9001? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 75
V Which batches should or could be considered for design validation and design verification? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
L A Taiwan company want to sell Class I medical device (510(k) exempt) on Amazon, should we register with FDA? US Food and Drug Administration (FDA) 4
M Routine testing of medical electrical systems - What specific electrical safety tests should be performed? IEC 60601 - Medical Electrical Equipment Safety Standards Series 5
G ISO 17025:2017 7.1.2 - Should I produce a document for the customer? ISO 17025 related Discussions 8
F Quality Objectives - Where in the QMS Quality Objectives should be located ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
P ISO 80369-7 standard - Interpreting which Parts should be in scope Other Medical Device Related Standards 7
V Who should define and own the Design and Development Plan and how to maintain the updates and revisions. ISO 13485:2016 - Medical Device Quality Management Systems 2
A How should the Medical Device OEMs be declared to ANVISA? Other Medical Device Regulations World-Wide 0
D Should "Waste" be included as Output in SIPOC Chart? Process Maps, Process Mapping and Turtle Diagrams 8
N Control plan evaluation methods - Which methods should be carried over from the PFMEA? FMEA and Control Plans 3
A PFMEA - How long should the recommended actions remain in the recommended actions column? APQP and PPAP 3
M Should Quality be an independent organization in aerospace company? Quality Manager and Management Related Issues 25
S Should there be a SOP on Cybersecurity? ISO 14971 - Medical Device Risk Management 1
B AS9102 FAI & Lower Level Drawings - How should we perform the FAI? AS9100, IAQG 9100, Nadcap and related Aerospace Standards and Requirements 1
I Imaging Services - Which standard should we be certified to? ISO 13485:2016 - Medical Device Quality Management Systems 4
D Design FMEA for a component - Should I make the following assumptions? FMEA and Control Plans 7
M Medical Device News FDA's Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices Other US Medical Device Regulations 0
M Who should have access to Audit trail? Qualification and Validation (including 21 CFR Part 11) 6
S Should an Initial Importer separately do Establishment Registration? US Food and Drug Administration (FDA) 1
Similar threads


















































Top Bottom