Paul and group,
Happy to step in here with some clarification. First of all as FDA recognized in the Preamble to 21 CFR 820, the proper term is "risk analysis". FDA stated in the Preamble, I think it was Comment 83, that risk analysis is the proper term to use. After all, we are analyzing the risk and not the hazard in the ISO 14971 process.
I have a couple of references for you that give a proper framework to your question. The first is
GHTF Risk Guidance which is still in use though a 2005 document. I refer to it for an example of documenting risk management activities as shown in Annex C.
The second reference is directed related to software and that is the bridge document between IEC 62304 medical device software standard, and ISO 14971 risk management standard. The document I refer to here is IEC TR 80002-1 and it explains how risk management and software are to work together. It is a very useful document that explains the relationship between the two processes and provides some useful examples.
There were some discussions of FMEA here, and this tool can be used within its limitations, to provide some information on hazards that are then analyzed in the ISO 14971:2019 risk analysis process (Clause 5). FMEA requires design outputs be created to perform its analysis, and this is a major limitation as it comes late in the design process. Another major limitation which conflicts with ISO 14971 risk analysis and that is the fact that FMEA is a single-fault tool. 14971 requires you analyze all faults. A more proper tool may be Fault Tree Analysis (FTA) which actually came from he software world. FTA allows you to look at all sources of the hazard not just single-fault. FMEA was designed as a reliability tool, and not for performing risk analysis, but it can help in the late stages of design to see if you may have overlooked a single-fault hazard. I know Dan and I could provide a lot more information on FMEA, but that is not the purpose of my response here.
Get the documents i referred to above, the GHTF is a free document at the IMDRF webpage, but you will have to buy IEC TR 80002-1 from your standards supplier. It should help you understand how to connect software development and risk management.
Hope you find hit helpful.
------------------------------
Edwin Bills MEd, CQA, RAC, BSc, CQE, ASQ
Principal Consultant
Member, ISO TC 210 JWG1 Risk Management
Overland Park KS
United States
elb@edwinbillsconsultant.com------------------------------
Original Message:
Sent: 06-Jul-2022 07:07
From: Richard Vincins
Subject: Hazard Analysis for SaMD
Hello Paul,
You will probably find a wide variety of responses to your query as there are quite differing opinions and ways risk management tools are applied. This is my own personal thoughts, so will disclaim this first haha. Definitely a hazard analysis would be performed as this can be from a top down view of the software - though even hazard analysis can be done a few different ways. You can do a FMEA for a Software as Medical Device (SaMD) though it is not really quite effective because FMEA is a "bottom up" approach and often software is viewed as having no probability of occurrence - though probability of occurrence can be related to the harm according to the standard. Again there are different ways this can be done and will find differing ways this is applied or interpreted by people. Myself personally, I use a modified version of a typical hazard analysis structure which has been tailored over the years developed for software in medical devices and SaMD. This takes an approach of more a hazard analysis and Failure Tree Analysis (FTA) as a "top down" approach which have found is more appropriate for software.
------------------------------
Richard Vincins ASQ-CQA, MTOPRA, RAC
Vice President Global Regulatory Affairs
Original Message:
Sent: 05-Jul-2022 21:11
From: Paul Campbell
Subject: Hazard Analysis for SaMD
Hi Folks
What does everyone think is, or are, the best Hazard Analysis Tools for SaMD?
Or which ones (PHA, FMEA, HAZOP etc.) are the best ones to use at different stages in different Software Lifecycle stages?
Many thanks
Paul
------------------------------
Paul Campbell
Clinical Director
Glasgow
United Kingdom
------------------------------