One of the more controversial requirements of IEC 62304 is the probability of failure of medical device software during Risk Analysis.
EN 62304:2006 paragraph 4.3 “Software Safety Classification” states “If the HAZARD could arise from a failure of the SOFTWARE SYSTEM to behave as specified, the probability of such failure shall be assumed to be 100 percent.”
For years this has been a contentious point of discussion. Although apparently clear, considering the failure of software to be 100% defies the purpose of the risk management process. What would be the incentive to add risk controls in the software when you cannot take credit for them in a reduction of the probability?
The amendment, EN 62304:2006+A1:2015 now clarifies this issue. The same paragraph 4.3 now relegates the statement “Probability of a software failure shall be assumed to be 1” as a side-note of the Safety Classification diagram below.
1) Annex B.4.3 reiterates the concept of probability of failure = 1, but again only in the context of Safety Classification.
2) Annex B.4.2 and B.7 directly refer to ISO 14971 for the risk management process, without any prescription on the probability of failure of software.
3) Annex B.7.1, first paragraph states “It is expected that the device HAZARD analysis will identify hazardous situations and corresponding RISK CONTROL measures to reduce the probability and/or severity of those hazardous situations to an acceptable level”. Reducing the probability of a hazardous situation (P1) is not possible if the probability cannot be different than 1.
It seems clear now that the intent of the standard is not to define software failure probability during risk management activities, but to guide the reader not to consider risk mitigation actions built into the software when determining the Safety Classification.
The requirement is therefore limited to the context of Safety Classification and does not extend to the entire Risk Management process.
This is also supported by the Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices (FDA). The SLOC (Software Level Of Concern) is the FDA equivalent of the IEC 62304 Safety Classification. This FDA Guidance states: “We recommend that you determine the Level of Concern before any mitigation of relevant hazards. In other words, the Level of Concern should be driven by the hazard analysis in the absence of mitigations, regardless of the effects of the mitigations on the individual hazards.”
Note: some sources mention IEC 80002-1 “Medical device software — Part 1: Guidance on the application of ISO 14971 to medical device software”. It has to be remembered that this document was developed to the 2006 version of 62304.