Regulatory Open Forum

Hello fellow RAPpers,

I'm using ISO 80002-2:2017 for a current software validation project and I ran into a part that I don't understand. In the "Analysis of process failure risk" section, there are three types of risk listed out: 
1. Risk of harm to humans;
2. Regulatory risk;
3. Environmental risk

I understand 1 and 2 but in the Environmental risk description it included both physical and virtual environment.
Does anyone have an example of a virtual environmental risk? 
Would it be a risk of the software to the environment or the risk of the environment on the software? Both? 

Thank you for your help,

------------------------------
Maddi Myers
Regulatory and Quality Project Manager
Edina MN
United States
------------------------------

Hi Maddi.

Let me start out with the fact that I am not very familiar with this ISO standard so my assumptions might be completely off the mark in this response.  If they are, please accept my apologies in advance.  With that said, I would read this to be environmental risk for something going wrong with the software and the environment being exposed to something that could cause damage.  I think about this in the classic "chemical company" way (yes, I was a regulatory person for one of the largest chemical companies in the world in an earlier lifetime!) where the software is essentially managing the production process of when to add which chemical under what circumstances and how to control the reaction such that you don't have a release of the chemical or precursors into the environment.  The other possibility to think about is the risk of the software to the enterprise itself.  Could the software cause errors with other systems within the company?  If so, how would they be detected?  Or could the software allow for an attack on the company's other systems from outside the organization (or worse from inside the organization) where the access point is through say a web-enable software system.

Like I said, I am not readily familiar with the standard itself, but these are the two paths that I find that might make a certain amount of sense.  Look forward to other's insights on this one!​

------------------------------
Victor Mencarelli
Director Regulatory Affairs
United States
------------------------------

Original Message:
Sent: 28-Jan-2019 15:32
From: Maddi Myers
Subject: QMS Software Validation - Environmental risk

Hello fellow RAPpers,

I'm using ISO 80002-2:2017 for a current software validation project and I ran into a part that I don't understand. In the "Analysis of process failure risk" section, there are three types of risk listed out:
1. Risk of harm to humans;
2. Regulatory risk;
3. Environmental risk

I understand 1 and 2 but in the Environmental risk description it included both physical and virtual environment.
Does anyone have an example of a virtual environmental risk?
Would it be a risk of the software to the environment or the risk of the environment on the software? Both?

Thank you for your help,

------------------------------
Maddi Myers
Regulatory and Quality Project Manager
Edina MN
United States
------------------------------