Hi,

Our company makes medical devices following ISO 14971 risk management. We use a qualitative system with tables similar to those found in Annex D (Section D.3.4.1).

Upcoming devices will contain an increased amount of software, so we're trying to improve our risk management surrounding software. To that end, I've re-read 14971 and also the IEC TIR80002-1:2009.

In the TIR, the point is made (in Section 4.4.3, among other places) that software anomalies are systematic and thus it is hard to estimate a probability of occurrence. Section 4.4.3 states:

> When software is present in a sequence of events leading to a HAZARDOUS SITUATION, the probability of the software failure occurring cannot be considered in estimating the RISK for the HAZARDOUS SITUATION. In such cases, considering a worse case probability is appropriate, and the probability for the software failure occurring should be set to 1. When it is possible to estimate the probability for the remaining events in the sequence (as it may be if they are not software) that probability may be used for the probability of the HAZARDOUS SITUATION occurring (P1 in Figure 1). If this is not possible, the probability of the HAZARDOUS SITUATION occurring should be set to 1.

If I understand this correctly, it says that we may continue to use our qualitative risk analysis even for hazardous situations that have software failure as an item in the sequence of events. When there are items in the sequence that are not software bugs, we'll get a useful number and ideas on what mitigations may bring this down. However, if I can't usefully estimate the probability of a software bug beforehand, I'm not sure how a software control can be documented to be less hazardous after mitigation.

At the bottom of the same page (21) containing the above quote is the following:

> In many cases, estimating the probability of occurrence of HARM may not be possible, and the RISK should be evaluated on the basis of the SEVERITY of the HARM alone. RISK ESTIMATION in these cases should be focused on the SEVERITY of the HARM resulting from the HAZARDOUS SITUATION.

Here I'm not sure how to interpret the guidance to "focus on the SEVERITY of the HARM". Is the idea to create a separate evaluation process for systemic hazards like software anomalies? The commentary in Section 5 suggests this is the intent:

> As described in 4.4.3, it is difficult to estimate the probability of software failures. When this results in the inability to estimate the probability of HARM then RISK should be evaluated on the basis of the SEVERITY of the HARM alone.

However, the text in 4.4.3 then goes on to say

> Although it may not be possible to estimate the probability of the occurrence of a software failure, it is obvious that many RISK CONTROL measures reduce the probability that such a failure would lead to a HAZARDOUS SITUATION.

Then an example of detecting memory corruption using a checksum is presented, ending with

> Although the probability of a HAZARDOUS SITUATION cannot be estimated either before or after the checksum is implemented, it can be asserted that the probability of a HAZARDOUS SITUATION after the checksum is in place is lower than it was before implementing the checksum.

Taken together, my first impression on reading the TIR is that the idea is, indeed, to have two methods of evaluating hazards: one that takes both SEVERITY and PROBABILITY levels (as we do currently) and a completely separate one that takes into account SEVERITY only for systemic risks. On a certain level, this all makes some sense. What I'm lacking is some idea of the mechanics. Does anyone have experience along these lines to share?

After writing up this question, now I'm questioning my first reading. Specifically, the quote

> it is obvious that many RISK CONTROL measures reduce the probability that such a failure would lead to a HAZARDOUS SITUATION

suggests that one should somehow record this reduction in probability. Is it really just saying that we should use qualitative probability measures rather than trying to estimate quantitatively? If so, that suggests we could continue using our current qualitative system.

Any thoughts?

Thanks,

-Steve
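As an added illustration of the mechanics in the quoted 4.4.3 passage (this is example code written for this page, not the TIR's method, the poster's, or any company's process): each software failure in the sequence is forced to probability 1, P1 is taken from the remaining non-software events when they can be estimated, and otherwise P1 is set to 1 and the estimate is flagged as severity-only; a risk control such as the checksum is recorded as lowering P1 without claiming a number. Event names, probabilities and severity labels are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    name: str
    software: bool = False                # True: a software failure in the sequence
    probability: Optional[float] = None   # None: cannot be estimated


def hazardous_situation_probability(sequence):
    """P1 per the quoted 4.4.3 rule: software events count as 1 (worst case) and
    P1 is the product of the remaining non-software event probabilities.
    Returns None when no probability can be justified, meaning the caller must
    set P1 = 1 and evaluate on SEVERITY alone."""
    p1 = 1.0
    estimable = False
    for ev in sequence:
        if ev.software:
            continue                      # forced to 1: leaves the product unchanged
        if ev.probability is None:
            return None                   # a non-software event is unestimable too
        p1 *= ev.probability
        estimable = True
    return p1 if estimable else None


def estimate_risk(sequence, severity):
    """Return the estimate together with the basis on which it was made."""
    p1 = hazardous_situation_probability(sequence)
    basis = "severity-only" if p1 is None else "probability-and-severity"
    return {"basis": basis, "P1": 1.0 if p1 is None else p1,
            "severity": severity, "controls": []}


def record_risk_control(estimate, control):
    """Record a control (e.g. the checksum in the TIR example) as reducing the
    chance that the failure leads to the HAZARDOUS SITUATION. The number is not
    changed: when P1 was never estimable it stays 1, and the reduction is kept
    as a qualitative assertion, as the quoted checksum passage does."""
    out = dict(estimate, controls=estimate["controls"] + [control])
    out["residual"] = "lower than before the control, not quantified"
    return out


if __name__ == "__main__":
    # Constructed sequence: one software anomaly plus two estimable events.
    seq = [Event("firmware computes wrong dose", software=True),
           Event("flow sensor cross-check fails", probability=0.01),
           Event("alarm not noticed by clinician", probability=0.1)]
    print(record_risk_control(estimate_risk(seq, "serious"), "checksum"))
```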