Hello everybody, consulting this forum helped me to clarify a lot of cases, so I hope that it will be the same this time as well.
The company where I am currently working develops medical software products for surgical planning.
One of the risks listed in the risk charter is defined as follows (not exactly to be honest, but the case is very similar):
Hazard: unauthorized persons can access unattended PC showing the surgical plan
Failure mode: the unauthorized person can modify the surgical plan
Harm: patient's diagnosis and treatment are based on a wrong surgical plan
Occurrence: 3; Severity: 4; Detectability: 3; RPN: 36 (unacceptable)
Control measure implemented: information for safety: an indication for use is added to the IFUs: "use the sw in a controlled, protected environment. Restrict access to our sw to authorized people only".
My problem is that this control measure is clearly information for safety, so according to IEC 14971 it cannot be used to reduce risk indexes.
But how can we control access to a PC, if not by relying on the user's conformity to our IFUs?
Do you see any solution to lower the risk indexes, other than justifying the unacceptable RPN with the motivation that the risk is balanced with benefits?
Thank you in advance for your answers.