Should potential bugs be considered in software risk analysis?

MrTetris

Involved In Discussions
#1
Hello people of the forum :)
Do you consider risks triggered (only) by potential bugs in your medical sw risk management charters?
I am not talking about known issues, bugs already found and decided not to fix, but potential bugs that apparently are not affecting the product (but of course could potentially be there... you never know!).
For instance, if I have a sw aiming to automate the design of an implant, should I consider the possibility that a bug escaped our V&V process?
As a rule of thumb, I would say yes, it should be considered... but on a practical level, this would mean listing in the RMC an endless list of potential bugs with a very remote probability of occurrence...
Looking forward to hearing your opinions.
Have a nice day (despite the hard times)!
 

Ninja

Looking for Reality
Trusted Information Resource
#2
Might I suggest this thread?

Granted, it isn't about tracing risks...but it makes it fairly clear that they are a risk...and some ideas how to handle them after...HTH
 

yodon

Staff member
Super Moderator
#3
There are a couple of angles to this that probably warrant discussion.

First, in 62304 (which you should consider if you haven't), the 2015 amendment in section B.4.3 notes that probability of occurrence (of software faults) cannot be estimated and thus should be considered at worst case (let the severity drive). So, yes, assume bugs have escaped.

Also in that standard, section 7.1.2 lists the potential causes that minimally need to be considered:

a) incorrect or incomplete specification of functionality;
b) software defects in the identified SOFTWARE ITEM functionality;
c) failure or unexpected results from SOUP;
d) hardware failures or other software defects that could result in unpredictable software operation; and
e) reasonably foreseeable misuse.


So you can use these as a good way to group things and avoid the "endless list" of errors.
 

Bev D

Heretical Statistician
Staff member
Super Moderator
#4
I suggest that you are thinking about this in the wrong way. Software is really no different than a physical thing. We don’t look for every single potential defect or cause of a failure in physical things. (Certainly we do look for some specific causes through characterization etc. and the use of replication from a variety of input and use conditions.) We do look for every functional failure. We also perform design reviews and characterization and verification/validation at the component level then at the system level to make it more manageable. If you think about software in the same way you won’t be listing every possible ‘bug’...
 

Tidge

Involved In Discussions
#5
> Do you consider risks triggered (only) by potential bugs in your medical sw risk management charters?
> I am not talking about known issues, bugs already found and decided not to fix, but potential bugs that apparently are not affecting the product (but of course could potentially be there... you never know!).

Short answer: "No."

Longer answer: "No, because the role software plays in the device (both as a functional control of, and possible contributor to, risk) is analyzed."

You have the liberty to use whatever form of risk analysis works best for you, but I do suggest that you consider the two parenthetical pieces I included in the longer answer. The first is obviously necessary because you are minimally required to show that the software is doing what you need it to do (even for lowest risk classifications per 62304). One approach to addressing the second is the sort of testing suggested by Bev D in her response above.
 

MrTetris

Involved In Discussions
#6
Thank you all for your answers... I think I understood the sense of them.
I agree that considering functionalities is a better approach than considering potential bugs... However, for many functionalities in a sw there is no other failure mode than potential bugs, hence considering a failure for those functionalities actually means considering the eventuality of a potential bug behind it.
I think that it is too complex to discuss it without going deep into details, however I want to thank you all for your contribution. You gave me some very good food for thought!
 