Regulatory Open Forum

  • 1.  Software Risk Assessment and probabilities

    Posted 29-Sep-2016 13:53

    Hello,

    Quick question as this gets a bit confusing...

    For risk assessment of software as device, aren't we to assume that defects will occur and not assign probabilities, but only outline severity?

    Also, IEC 62304 speaks of software safety classification and ISO 14971 speaks of estimation of risk.  If we wish to conform to both, should I establish probabilities for every failure?

    Thank you in advance

    ------------------------------
    Gretchen Upton RAC
    San Antonio TX
    United States
    ------------------------------


  • 2.  RE: Software Risk Assessment and probabilities

    Posted 30-Sep-2016 06:50

    Gretchen,

    Surely very confusing. We are looking at this now too. So I am very interested in this discussion.

    Our thoughts now are:

    It is difficult to consider the probability that a use case happens and that an error in software is not detected at the test. The only way to eliminate all risks would be 100% testing... which we didn't achieve.

    As you say, it is better to consider that the event will occur, to look at the severity and, for the 'unacceptable severity', to do a 100% test. The pity is that 14971 requires an estimation of probability and severity.

    ------------------------------
    Olivier Marchesini
    Portavita BV
    Amsterdam
    Netherlands



  • 3.  RE: Software Risk Assessment and probabilities

    Posted 30-Sep-2016 07:41

    You're correct in that the probability of a software defect must be assumed to be 100%; however, this is not the same as the probability of a harm occurring from a software defect. If you look at the figure in Appendix E of ISO 14971 (Pictorial representation of the relationship of hazard, sequence of events, hazardous situation, and harm) you'll notice that the probability of harm has two components. One is the probability of a defect occurring and the second is the probability of the defect causing harm. So, while a software defect is considered to be certain, it does not always result in a harm to a patient or environment.

    For IEC 62304 safety classification, you only consider the potential harm, without considering the probability.

    In systems where software is part of the hardware, you may be able to lower the safety classification, or probability of harm, if you have specifically designed hardware controls to mitigate software defects that may lead to harm.

    Hope this helps.

    ------------------------------
    Michael Zagorski RAC
    Pittsburgh PA



  • 4.  RE: Software Risk Assessment and probabilities

    Posted 30-Sep-2016 08:21

    Hello Gretchen

    Yes, assume the software failure probability is 100% and score the risk on severity. And every reasonably foreseeable one is included.

    Ginger Cantor






  • 5.  RE: Software Risk Assessment and probabilities

    Posted 30-Sep-2016 09:25

    A bit off topic, but...

    What kinds of risks are commonly rated for probability and severity?  I have seen various types of risks (clinical, business, regulatory, legal) included in risk assessments.

    ------------------------------
    Julie Omohundro, ex-RAC (US, GS), still an MBA
    Principal Consultant
    Class Three, LLC
    Durham, North Carolina, USA
    919-544-3366 (T)
    434-964-1614 (C)
    julie@class3devices.com



  • 6.  RE: Software Risk Assessment and probabilities

    Posted 03-Oct-2016 18:11

    Medical device risk management, ISO 14971:2007, is concerned with harm to the patient or user (and some other stuff). The harm is scored to determine its severity and then the probability it occurs with that severity. These scores are combined to estimate risk and then evaluated to determine if the risk meets the acceptability criteria set by the device manufacturer.

    The results of the evaluation determine the need for risk reduction.

    ------------------------------
    Dan O'Leary
    Swanzey NH
    United States



  • 7.  RE: Software Risk Assessment and probabilities

    Posted 03-Oct-2016 18:06

    IEC 62304:2006 has ISO 14971:2007 as a normative reference. This means that the risk management standard is “indispensable for the application of this document”.

    ISO 14971:2007 says, in clause 3.4.d, that the risk acceptability criteria should include “criteria for accepting risks when the probability of occurrence of harm cannot be estimated”. Clause D.3.2.3 provides four examples “where probabilities are very difficult to estimate”. One is software failure. It also provides, in clause 4.4, “For hazardous situations for which the probability of the occurrence of harm cannot be estimated, the possible consequences shall be listed for use in risk evaluation and risk control”.

    Notice that ISO 14971:2007 does say that the probability of software failure must be 100%.

    IEC 62304:2006 classifies software systems with the intent of determining the subsequent software development process steps. IEC 62304:2006 Amendment 1 was issued on June 26, 2015 and changed the classification of software systems. The new classes are:

    Class A: Software doesn’t contribute to a hazardous situation

    Class B: The harm is a non-serious injury

    Class C: There is a possibility of serious injury or death

    In terms of ISO 14971:2007, recall the sequence: hazard, sequence of events, hazardous situation, and harm. Risk is estimated using the probability and severity of the harm. The classes define the severity (no injury, non-serious injury, serious injury, or death). The probability is the probability of a hazardous situation (software failure = 100%) combined with the probability of the harm with the specified severity. In other words, the software will always create a hazardous situation (100%), but this doesn’t mean exposure with its consequent harm. The risk estimate combines the harm’s severity and its probability.

    To finally answer your questions. If you wish to conform to IEC 62304:2006 you must also conform to ISO 14971:2007 as a normative reference.

    You should establish probabilities for every harm, not every failure. ISO 14971:2007 does not analyze failures, but hazards – it is not an application of FMEA. To estimate risk and residual risk and to perform the evaluation you need the severity and probability of the harm.

    ------------------------------
    Dan O'Leary
    Swanzey NH
    United States
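
The two-component probability model described in replies 3 and 7 (a software defect is a hazardous situation with P1 = 100%, while the probability P2 that it leads to harm is estimated separately) and the severity-only IEC 62304 classification, carried through in code. This is an added example, not code from the thread or from either standard. The qualitative probability bands, the acceptability matrix, the policy applied to a harm whose probability cannot be estimated, the `residual_severity` field (modelling reply 3's point that a hardware control outside the software may lower the class) and the sample hazards are all assumptions of the example, not anything the standards prescribe.

```python
"""Added example (not from the forum thread): a small risk-estimation model
that separates the two probability components the thread describes.

  P1 = probability that the hazardous situation arises
       (1.0 for a software defect: 'assume the defect will occur')
  P2 = probability that the hazardous situation leads to harm of the
       stated severity (exposure, user detection, etc.)
  P(harm) = P1 * P2

The probability bands, the acceptability matrix and the policy for harms
whose probability cannot be estimated are assumptions made for this
example; they are not the text of ISO 14971 or IEC 62304.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Severity(IntEnum):
    NONE = 0         # no injury
    NON_SERIOUS = 1  # non-serious injury
    SERIOUS = 2      # serious injury
    DEATH = 3


# Assumed probability bands: (name, lower bound of P(harm) for that band)
BANDS = [("frequent", 1e-1), ("probable", 1e-2), ("occasional", 1e-3),
         ("remote", 1e-4), ("improbable", 0.0)]

# Assumed acceptability matrix (severity x band); a manufacturer sets its own.
ACCEPTABILITY = {
    Severity.NONE: dict.fromkeys([b for b, _ in BANDS], "acceptable"),
    Severity.NON_SERIOUS: {"frequent": "unacceptable", "probable": "ALARP",
                           "occasional": "acceptable", "remote": "acceptable",
                           "improbable": "acceptable"},
    Severity.SERIOUS: {"frequent": "unacceptable", "probable": "unacceptable",
                       "occasional": "ALARP", "remote": "acceptable",
                       "improbable": "acceptable"},
    Severity.DEATH: {"frequent": "unacceptable", "probable": "unacceptable",
                     "occasional": "unacceptable", "remote": "ALARP",
                     "improbable": "acceptable"},
}


def probability_band(p: float) -> str:
    """Map a numeric P(harm) to the assumed qualitative band."""
    for name, floor in BANDS:
        if p >= floor:
            return name
    return "improbable"


@dataclass
class HarmEstimate:
    hazard: str
    severity: Severity
    p2: Optional[float]  # P(harm | hazardous situation); None = cannot be estimated
    p1: float = 1.0      # P(hazardous situation); 1.0 for a software defect
    # Severity after a risk control outside the software (e.g. a hardware interlock)
    residual_severity: Optional[Severity] = None

    def effective_severity(self) -> Severity:
        return self.severity if self.residual_severity is None else self.residual_severity

    def p_harm(self) -> Optional[float]:
        return None if self.p2 is None else self.p1 * self.p2


def evaluate_risk(h: HarmEstimate) -> str:
    """Risk evaluation against the assumed acceptability matrix."""
    p = h.p_harm()
    if p is None:
        # Probability cannot be estimated: the consequence is listed and judged
        # on severity alone. Assumed policy here: place it in the worst band.
        band = "frequent"
    else:
        band = probability_band(p)
    return ACCEPTABILITY[h.effective_severity()][band]


def software_safety_class(sev: Severity) -> str:
    """IEC 62304 class from the severity of the worst credible harm; probability plays no part."""
    if sev == Severity.NONE:
        return "A"
    if sev == Severity.NON_SERIOUS:
        return "B"
    return "C"


def system_class(harms: List[HarmEstimate]) -> str:
    """The software system takes the highest class of any harm it can contribute to."""
    return max((software_safety_class(h.effective_severity()) for h in harms), default="A")


# Constructed sample hazards for a hypothetical device-control application
SAMPLE_HARMS = [
    HarmEstimate("dose calculation rounding error", Severity.DEATH, p2=0.2),
    HarmEstimate("display freeze during monitoring", Severity.SERIOUS, p2=0.002,
                 residual_severity=Severity.NON_SERIOUS),  # hardware watchdog raises an alarm
    HarmEstimate("cosmetic typo in printed report", Severity.NONE, p2=0.5),
    HarmEstimate("update rollback leaves mixed firmware", Severity.SERIOUS, p2=None),
]


def risk_report(harms: List[HarmEstimate]) -> List[tuple]:
    """One row per harm: hazard, effective severity, P(harm), evaluation, 62304 class."""
    return [(h.hazard, h.effective_severity().name, h.p_harm(), evaluate_risk(h),
             software_safety_class(h.effective_severity())) for h in harms]


if __name__ == "__main__":
    for row in risk_report(SAMPLE_HARMS):
        print(row)
    print("software system class:", system_class(SAMPLE_HARMS))
```

Note that the two outputs are driven by different inputs, which is the distinction the thread turns on: `evaluate_risk` needs P2 (or an explicit policy for its absence) because ISO 14971 risk is severity combined with probability of harm, whereas `software_safety_class` looks only at severity, so estimating P2 for every defect is never what the 62304 class depends on.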