Page 153 - Safety Risk Management for Medical Devices

132   Safety Risk Management for Medical Devices


The Standard IEC 62304 [9] recognizes that application of appropriate levels of rigor to software development does reduce the probability of failure of software items, presumably due to detection and elimination of software defects.

It should be understood that setting $P(\text{software failure}) = 1$ doesn't necessarily mean that $P_1 = 100\%$. It means: if software is an element in the causal chain that leads to the exposure to a Hazard, set the probability of software failure to 100%.


$$\text{Risk} = P(\text{Hazardous Situation}) \times P(\text{Harm}) = P_1 \times P_2$$
$$P_1 = P(\text{Hazardous Situation}) = P(\text{Hazard}) \times P(\text{Exposure})$$
$$P(\text{Hazard}) = P(\text{Software Failure}) \times P(\text{additional intervening events})$$

Using the above equations, the risk of software failures can be computed. If $P(\text{Software Failure})$ is set to 1, then $P(\text{Hazard}) = P(\text{additional intervening events})$.

In some systems a software failure may immediately expose the patient/user to a Hazard. In such cases, $P(\text{Software Failure}) = P(\text{Hazardous Situation})$.

If $P(\text{Software Failure})$ is unknown, the risk of Harm due to software failure cannot be estimated and thus cannot be included in the overall residual risk computations.
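The chain of equations above, worked through in Python as an added illustration (not code from the book). It covers the three cases the text names: P(Software Failure) set to 1, a failure that exposes the user directly with no intervening events, and an unknown probability that has to be left out of the residual risk. It assumes that the events in a chain are independent and that the risks of separate chains are summed into the residual total; both are simplifying assumptions the text does not state.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SoftwareHazardChain:
    """One causal chain from a software failure to Harm, using the text's terms."""
    name: str
    # P(Software Failure). None means unknown; the IEC 62304 convention is to set it to 1.
    p_software_failure: Optional[float]
    # Probabilities of the additional intervening events between the software failure
    # and the Hazard. An empty list means the failure exposes the Hazard directly.
    p_intervening_events: List[float] = field(default_factory=list)
    p_exposure: float = 1.0  # P(Exposure)
    p_harm: float = 1.0      # P2 = P(Harm), given the Hazardous Situation

    def p_hazard(self) -> Optional[float]:
        """P(Hazard) = P(Software Failure) x P(additional intervening events)."""
        if self.p_software_failure is None:
            return None  # unknown: nothing downstream can be estimated
        p = self.p_software_failure
        for p_event in self.p_intervening_events:  # independence assumed
            p *= p_event
        return p

    def p1(self) -> Optional[float]:
        """P1 = P(Hazardous Situation) = P(Hazard) x P(Exposure)."""
        h = self.p_hazard()
        return None if h is None else h * self.p_exposure

    def risk(self) -> Optional[float]:
        """Risk = P1 x P2."""
        p1 = self.p1()
        return None if p1 is None else p1 * self.p_harm


def residual_risk(chains: List[SoftwareHazardChain]) -> Tuple[float, List[str]]:
    """Sum the estimable risks (summation is this example's assumption) and report
    the chains whose P(Software Failure) is unknown, since the text says those
    cannot be included in the overall residual risk."""
    total = 0.0
    not_estimable = []
    for chain in chains:
        r = chain.risk()
        if r is None:
            not_estimable.append(chain.name)
        else:
            total += r
    return total, not_estimable
```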



                15.2 SOFTWARE FAILURE MODES AND EFFECTS ANALYSIS (SFMEA)

Failure Modes and Effects Analyses (FMEAs) are a widely used tool for hazard analysis. SFMEA is a variation of the Design Failure Modes and Effects Analysis (DFMEA). When used for software hazard analysis, FMEAs are applied in a slightly different manner than in hardware FMEAs. SFMEAs are applied to software architectural elements, or software items. This requires knowledge of the software architecture and of the inputs to the software.

Systemic causes/mechanisms of software failure, such as design or implementation errors, or hardware anomalies like bit flips, are analogous to common cause failures in hardware and should be mitigated globally for the whole software system, not cited for every row of the SFMEA.


                15.2.1 Software Failure Modes and Effects Analysis Workflow
The following explanation of the SFMEA is based on the SFMEA template that is provided in Appendix B—Templates.

Entries in the “Item” column are the elements within the scope of analysis. The “Source” column captures where the Failure Mode was identified. In hierarchical multilevel FMEAs, this refers to the underlying FMEAs whose End Effects were rolled up to the current SFMEA.

The entries in the “Failure Mode” column of the FMEA would be the answers to the question: “In what ways can this software item fail to perform its intended