What is Probability of Failure of Medical Device Software?

April 24, 2018

One of the more controversial requirements of IEC 62304 concerns the probability of failure of medical device software during Risk Analysis.

EN 62304:2006 paragraph 4.3 “Software Safety Classification” states “If the HAZARD could arise from a failure of the SOFTWARE SYSTEM to behave as specified, the probability of such failure shall be assumed to be 100 percent.”

For years this has been a contentious point of discussion. Although the statement appears clear, assuming the probability of software failure to be 100% defeats the purpose of the risk management process. What would be the incentive to add risk controls in the software when you cannot take credit for them in a reduction of the probability?

The amendment, EN 62304:2006+A1:2015, now clarifies this issue. The same paragraph 4.3 now relegates the statement “Probability of a software failure shall be assumed to be 1” to a side note of the Safety Classification diagram below.

In addition:

1) Annex B.4.3 reiterates the concept of probability of failure = 1, but again only in the context of Safety Classification.

2) Annex B.4.2 and B.7 directly refer to ISO 14971 for the risk management process, without any prescription on the probability of failure of software.

3) Annex B.7.1, first paragraph, states “It is expected that the device HAZARD analysis will identify hazardous situations and corresponding RISK CONTROL measures to reduce the probability and/or severity of those hazardous situations to an acceptable level”. Reducing the probability of a hazardous situation (P1) is not possible if the probability cannot be different from 1.

It seems clear now that the intent of the standard is not to define software failure probability during risk management activities, but to guide the reader not to consider risk mitigation actions built into the software when determining the Safety Classification.

The requirement is therefore limited to the context of Safety Classification and does not extend to the entire Risk Management process.

This is also supported by the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (FDA). The SLOC (Software Level Of Concern) is the FDA equivalent of the IEC 62304 Safety Classification. This FDA Guidance states: “We recommend that you determine the Level of Concern before any mitigation of relevant hazards. In other words, the Level of Concern should be driven by the hazard analysis in the absence of mitigations, regardless of the effects of the mitigations on the individual hazards.”

Note: some sources mention IEC 80002-1 “Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software”. Keep in mind that this document was developed against the 2006 version of 62304.
