What is Probability of Failure of Medical Device Software?

April 24, 2018

One of the more controversial requirements of IEC 62304 is the probability of failure of medical device software during Risk Analysis.

EN 62304:2006 paragraph 4.3 “Software Safety Classification” states “If the HAZARD could arise from a failure of the SOFTWARE SYSTEM to behave as specified, the probability of such failure shall be assumed to be 100 percent.”

For years this has been a contentious point of discussion. Although apparently clear, considering the failure of software to be 100% defies the purpose of the risk management process. What would be the incentive to add risk controls in the software when you cannot take credit for them in a reduction of the probability?

The amendment, EN 62304:2006+A1:2015 now clarifies this issue. The same paragraph 4.3 now relegates the statement “Probability of a software failure shall be assumed to be 1” as a side-note of the Safety Classification diagram below.

In addition:

1) Annex B.4.3 reiterates the concept of probability of failure = 1, but again only in the context of Safety Classification.

2) Annex B.4.2 and B.7 directly refer to ISO 14971 for the risk management process, without any prescription on the probability of failure of software.

3) Annex B.7.1, first paragraph states “It is expected that the device HAZARD analysis will identify hazardous situations and corresponding RISK CONTROL measures to reduce the probability and/or severity of those hazardous situations to an acceptable level”. Reducing the probability of a hazardous situation (P1) is not possible if the probability cannot be different than 1.

It seems clear now that the intent of the standard is not to define software failure probability during risk management activities, but to guide the reader not to consider risk mitigation actions built into the software when determining the Safety Classification.

The requirement is therefore limited to the context of Safety Classification and does not extend to the entire Risk Management process.

This is also supported by the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (FDA). The SLOC (Software Level Of Concern) is the FDA equivalent of the IEC 62304 Safety Classification. This FDA Guidance states: “We recommend that you determine the Level of Concern before any mitigation of relevant hazards. In other words, the Level of Concern should be driven by the hazard analysis in the absence of mitigations, regardless of the effects of the mitigations on the individual hazards.”

Note: some sources mention IEC 80002-1 “Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software”. It has to be remembered that this document was developed to the 2006 version of 62304.

SoftComply Risk Manager is a medical device risk management add-on for Atlassian Jira, available for both Jira Cloud and  Jira Server. You can try it for free for a month!

Table of Contents

Ready to get started?

Contact us to book a demo and learn how SoftComply can cover all your needs

Medical Device Compliance Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 23, 2024

Introduction This medical device compliance guide focuses on the key requirements and strategies for navigating the regulatory landscape. We will cover the role of major regulatory bodies like the FDA, the classification of devices, and the importance of quality management. We will also discuss the challenges of global compliance and...

CVSS-FDA-cybersecurity-medical-devices-1712x599-c
Picture of Matteo Gubellini

Matteo Gubellini

Regulatory Affairs Manager
September 16, 2024

This case study describes the experience of a multinational medical device manufacturer meeting the FDA cybersecurity requirements. The company is operating in the MedTech sector developing a class 2/IIb device consisting of hardware and software. The company spent about 2 years working on the security risk management of the device....

Information Security Risk Management Guide
Picture of Marion Lepmets

Marion Lepmets

CEO
September 13, 2024

Keeping your data safe is vital for every business. One way to do this is by following ISO 27001. But how can we manage these information security risks with a tool like Jira? Let’s dive in! What is Information Security Risk Management Information Security Risk Management is all about identifying,...