Software Safety Classification 62304 Control system/Protective system

weightonwheels

Registered
Hello all.
Quick details:
Med device that can cause serious injury/death if there is a software failure, Class C.
Is it possible to have the control chip be Class B, if we have an independent protective/safety chip as Class C?

We may be adding a dead man's switch to this as well.

Thanks!
 

yodon

Leader
Super Moderator
The standard does allow for lowering the class through external measures if the resulting harm would be non-serious injury.

In practice (from what I've seen from reviewers), if you have a device that CAN result in unacceptable risk, they're going to want to see that as Class C, irrespective of the external controls. You can fight it and you may win (possibly a Pyrrhic victory!). Frankly, the additional burden going from Class B to C isn't all that great and can lead to better long-term support.
 

DanMann

Quite Involved in Discussions
If the external controls drive the risk to be "acceptable", then the standard allows for it to be Class A, but as per what Yodon says, good luck convincing reviewers of this.
 

OccamMan

Involved In Discussions
I tend to work with unusually large and complex devices that have many potential serious hazards, so what we do might be less applicable than for more typical devices. In order to reduce safety classes for parts of the system, we often do the following:
  1. Have redundant independent controls to mitigate an otherwise-unacceptable risk. Like different processors, different OS if applicable, different developers, different languages. Preferably we can use some controls that don't contain software.
  2. Each of these is detectable if they fail, and the system fails safe if one does.
  3. We rate the frequency of each control failing (we tend to be super conservative about this)
  4. We rate the safety class based on the probability of more than one failure occurring at a given time.
Without this approach, I think that these devices would simply not be feasible to develop.
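Steps 1 to 4 above, carried through on the architecture the original question describes (control chip, independent protective chip, optional dead man's switch). This is an added worked example, not code from any poster or from IEC 62304. Everything numeric in it is an assumption: constant failure rates per control, independence between controls, a detection interval after which the system fails safe, the sample rates and intervals, and the acceptance criterion `ACCEPTABLE_P` (which in practice comes from the manufacturer's own ISO 14971 risk acceptability criteria). The class assignment follows the structure of the standard as yodon and DanMann describe it: A if the residual risk after external controls is acceptable, otherwise B or C by severity of the resulting harm.

```python
import math
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Control:
    """One independent risk control (a processor running software, a hardware interlock, ...)."""
    name: str
    failure_rate_per_hour: float      # conservative estimate, as step 3 advises (assumed values below)
    detection_interval_hours: float   # worst-case time a failure stays undetected before fail-safe kicks in

    def p_undetected_failure(self) -> float:
        # Probability the control is in a failed-but-not-yet-detected state at a random
        # instant, assuming a constant failure rate: 1 - exp(-lambda * tau), roughly lambda * tau.
        return -math.expm1(-self.failure_rate_per_hour * self.detection_interval_hours)


def p_hazardous_state(controls, failures_needed: int) -> float:
    """Exact probability that at least `failures_needed` of the independent controls are
    simultaneously in an undetected failed state (step 4: more than one failure at a time)."""
    ps = [c.p_undetected_failure() for c in controls]
    n = len(ps)
    if not 1 <= failures_needed <= n:
        raise ValueError("failures_needed must be between 1 and the number of controls")
    total = 0.0
    # Enumerate every subset of controls that could be the failed set; independence lets
    # the per-control state probabilities multiply.
    for size in range(failures_needed, n + 1):
        for failed in combinations(range(n), size):
            prob = 1.0
            for i, p in enumerate(ps):
                prob *= p if i in failed else (1.0 - p)
            total += prob
    return total


def software_safety_class(p_hazard: float, worst_harm: str, acceptable_p: float) -> str:
    """IEC 62304 style assignment: A if the residual risk after external controls is
    acceptable, otherwise B for non-serious injury or C for death / serious injury.
    `acceptable_p` is the manufacturer's own acceptance criterion (assumed here)."""
    if p_hazard < acceptable_p:
        return "A"
    return "C" if worst_harm in ("serious injury", "death") else "B"


# Constructed sample controls; rates and intervals are illustrative assumptions only.
CONTROL_CHIP = Control("control chip software", 1e-4, 1.0)          # checked hourly by the protective chip
PROTECTIVE_CHIP = Control("protective chip software", 1e-5, 24.0)   # daily self-test
DEAD_MANS_SWITCH = Control("dead man's switch (no software)", 1e-6, 100.0)

ACCEPTABLE_P = 1e-9   # assumed acceptance criterion, not a value from the standard


def evaluate(controls, failures_needed: int, worst_harm: str = "serious injury"):
    """Return (probability of the hazardous state, resulting software safety class)."""
    p = p_hazardous_state(controls, failures_needed)
    return p, software_safety_class(p, worst_harm, ACCEPTABLE_P)


if __name__ == "__main__":
    scenarios = [
        ("control + protective chip, hazard needs both failed",
         [CONTROL_CHIP, PROTECTIVE_CHIP], 2),
        ("plus dead man's switch, hazard needs all three failed",
         [CONTROL_CHIP, PROTECTIVE_CHIP, DEAD_MANS_SWITCH], 3),
        ("plus dead man's switch, any two failures treated as hazardous",
         [CONTROL_CHIP, PROTECTIVE_CHIP, DEAD_MANS_SWITCH], 2),
    ]
    for label, ctrls, k in scenarios:
        p, cls = evaluate(ctrls, k)
        print(f"{label}: P(hazard) = {p:.3g} -> class {cls}")
```

The three scenarios show what the argument actually hinges on: with the assumed numbers, two software controls alone leave the hazard above the acceptance criterion (Class C stays), adding a software-free third control and crediting all three brings it under, and the conservative reading "any two failures is hazardous" takes the credit away again. Which of those readings a reviewer will accept is exactly the point yodon raises; the arithmetic is the easy part, the independence and detectability claims behind each `Control` are what get scrutinised.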
 