Should potential bugs be considered in software risk analysis?

MrTetris

Involved In Discussions
#1
Hello people of the forum :)
Do you consider risks triggered (only) by potential bugs in your medical sw risk management charters?
I am not talking about known issues, bugs already found and decided not to fix, but potential bugs that apparently are not affecting the product (but of course could potentially be there... you never know!).
For instance, if I have a sw aiming to automate the design of an implant, should I consider the possibility that a bug escaped to our V&V process?
As a rule of thumb, I would say yes, it should be considered... but on a practical level, this would mean to list in the RMC an endless list of potential, very remote probability of occurrence bugs...
Looking forward to hear your opinions.
Have a nice day (despite the hard times)!
 
Elsmar Forum Sponsor

Ninja

Looking for Reality
Moderator
#2
Might I suggest this thread?

Granted, it isn't about tracing risks...but it makes it fairly clear that they are a risk...and some ideas how to handle them after...HTH
 

yodon

Staff member
Super Moderator
#3
There are a couple of angles to this that probably warrant discussion.

First, in 62304 (which you should consider if you haven't), the 2015 amendment in section B.4.3 notes that probability of occurrence (of software faults) cannot be estimated and thus should be considered at worst case (let the severity drive). So, yes, assume bugs have escaped.

Also in that standard, section 7.1.2 lists the potential causes that minimally need to be considered:

a) incorrect or incomplete specification of functionality;
b) software defects in the identified SOFTWARE ITEM functionality;
c) failure or unexpected results from SOUP;
d) hardware failures or other software defects that could result in unpredictable software operation; and
e) reasonably foreseeable misuse.


So you can use these as a good way to group things and avoid the "endless list" of errors.
 

Bev D

Heretical Statistician
Staff member
Super Moderator
#4
I suggest that you are thinking about this in the wrong way. Software is really no different than a physical thing. We don’t look for every single potential defect or cause of a failure in physical things. (Certainly we do look for some specific causes through characterization etc. and the use of replication from a variety of input adn use conditions.) We do look for every functional failure. We also perform design reviews and characterization and verification/validation at the component level then at the system level to make it more manageable. If you think about software in the same way you won’t be listing every possible ‘bug’...
 

Tidge

Trusted Information Resource
#5
Do you consider risks triggered (only) by potential bugs in your medical sw risk management charters?
I am not talking about known issues, bugs already found and decided not to fix, but potential bugs that apparently are not affecting the product (but of course could potentially be there... you never know!).
Short answer: "No."

Longer answer: "No, because the role software plays in the device (both as a functional control of, and possible contributor to, risk) is analyzed.'

You have the liberty to use whatever form of risk analysis works best for you, but I do suggest that consider the two parenthetical pieces I included in the longer answer. The first is obviously necessary because you are minimally required to show that the software is doing what you need it to do (even for lowest risk classifications per 62304). One approach to addressing the second is the sort of testing suggested by Bev D in her response above.
 

MrTetris

Involved In Discussions
#6
Thank you all for your answers... I think I understood the sense of them.
I agree that considering functionalities is a better approach than considering potential bugs... However, for many functionalities in a sw there is not other failure mode than potential bugs, hence considering a failure for those functionalities actually means to consider the eventuality of a potential bug behind it.
I think that it is too complex to discuss it without going deep into details, however I want to thank you all for your contribution. You gave me some very good food for thought!
 
Thread starter Similar threads Forum Replies Date
M Should Potential Customer Complaint Outcome Define Registrar NC Rating? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
S Should an auditor document potential nonconformities in the audit report? General Auditing Discussions 41
H When should the first PSUR be issued? EU Medical Device Regulations 2
I If i do not want to be an initial importer should i register with FDA? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 0
O Should a Covid vaccine and testing policy be included as part of ISO9001 or AS9100 risk management? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
B UKRP to what level should you audit Class I Technical Documentation? UK Medical Device Regulations 0
C When should you quit programming? Job Openings, Consulting and Employment Opportunities 3
C Should resolution be included in uncertainty budget for digital caliper or micrometer calibration? Measurement Uncertainty (MU) 5
Ed Panek External Standards List - Should this document include previously revised standards? ISO 13485:2016 - Medical Device Quality Management Systems 4
T How should I approach REACH, CM, etc. as a job shop? RoHS, REACH, ELV, IMDS and Restricted Substances 18
A Should we assign the PRRC before the date of application of MDR (26 May 2021)? EU Medical Device Regulations 0
J UDI-DI how should we interpret Device version or model to determine if a new UDI-DI is needed? EU Medical Device Regulations 0
Sidney Vianna Interesting Discussion Should ISO 9004 be changed from a guidance document to a requirements standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 7
A Should I take an online course for a career in Occupational Health and Safety? Career and Occupation Discussions 2
J Should a Class 1 medical device with an option to measure body weight be considered Class 1m? EU Medical Device Regulations 0
K Should APQP/PPAP has its own section in a QM? Quality Management System (QMS) Manuals 1
S What should i choose for "testing procedure" characteristics? (N95) General Information Resources 0
P Should eIFU link per ISO 15223-1:2016 be added to labels out of scope of Reg 207/2012? EU Medical Device Regulations 1
S Which Sampling Plan(s) Should I Use? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 13
A Document release vs its related training. Which should come first? ISO 13485:2016 - Medical Device Quality Management Systems 18
S Which department should prepare the control plan? could you show me a standard regarding to this matter. FMEA and Control Plans 17
J Help settle a disagreement: Should external providers of preventive maintenance be on your ASL? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
N Master Samples - What should we be keeping? IATF 16949 - Automotive Quality Systems Standard 9
G Supplier delivered recent PPAP, should he deliver yearly layout inspection? IATF 16949 - Automotive Quality Systems Standard 4
John Broomfield Vote - Should ISO9004 Become a Requirements Standard? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
A Capability Study - in the beginning of your career what should you have known about the tool Quality Tools, Improvement and Analysis 11
J Should Loading and Unloading be Included in Cycle Times? Lean in Manufacturing and Service Industries 14
E Manufacturers should develop a testing device for covid19 Service Industry Specific Topics 0
T 510(k) submission - Which name should I use in the submission? Other US Medical Device Regulations 3
N ISO 19011:2018 - 5.4.2 "...audit program should engage in appropriate continual development..." Training - Internal, External, Online and Distance Learning 4
G Should I perform Gage R&R only at the beginning of a new project? Gage R&R (GR&R) and MSA (Measurement Systems Analysis) 6
DuncanGibbons Should the requirements FAA/EASA Part 21 be addressed within the QMS and AS9100D quality manual? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
M Should 510(k) Predicates be Actively Listed Devices? Other US Medical Device Regulations 12
B Why the Greek god Hephaestus should have done a design FMEA (DFMEA) on his giant robot APQP and PPAP 1
J On PFMEA for danger labels - Label always should be assigned severity 10 ? FMEA and Control Plans 3
H Who should be listed as the manufacturer/distributor on the box? 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 15
M MDR, RED and LVD - Should our device comply with them? EU Medical Device Regulations 3
BeaBea How Many Processes should be created for each Department? Process Maps, Process Mapping and Turtle Diagrams 5
M Should volume of sales be factored into risk probability assessments? ISO 14971 - Medical Device Risk Management 33
S Should safety checks be included in the Control Plan? IATF 16949 - Automotive Quality Systems Standard 5
M Which incubation condition should be selected to recover both bacteria and fungus effectively Miscellaneous Environmental Standards and EMS Related Discussions 3
D Is there a specific location for PPE such as safety glass holders and glove dispensers should be mounted Occupational Health & Safety Management Standards 10
Robert Stanley Which Registrar Should I Choose for ISO 9001:2015 registration? Registrars and Notified Bodies 10
M Who should receive the bills from suppliers and vendors, account payable or procurement? Consultants and Consulting 4
V IATF 16949 8.4.1 Control of externally provided processes, products and services - Should the CB be on our Approved Supplier List? IATF 16949 - Automotive Quality Systems Standard 10
A We are ISO 13485:2016 should we be audited to ISO 14971 ISO 13485:2016 - Medical Device Quality Management Systems 16
E Received a Major finding during IATF Surveillance audit for loss of BIQS Level 3 (more than 6 SPPS in 6 months)...how should we address SYSTEMIC CA? IATF 16949 - Automotive Quality Systems Standard 11
J Organization merger. Should we keep two separate ISO 13485 certificates? ISO 13485:2016 - Medical Device Quality Management Systems 6
S Companies that maintain your machine should be in ASL? AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 2
S Use of "Shall" versus "Should" in Procedures ISO 13485:2016 - Medical Device Quality Management Systems 26

Similar threads

Top Bottom