Page 156 - Safety Risk Management for Medical Devices

Software Risk Management  135


consider contribution of external factors to software failures. Therefore the Occ column would contain the likelihood that the software item could fail due to external factors. In the case of legacy software with available data for the probability of systemic software failure, Occ would compound the likelihood of software failure with the likelihood of the external factors. Suppose, for example, that historical data shows that legacy software fails at a rate of 0.01% per 10,000 hours of operation. In the tank pressurization example earlier, if legacy data shows that the pressure sensor fails at a rate of 0.02% per 10,000 hours of operation, then the likelihood of software failure due to a systemic failure or a sensor failure would be 0.03% per 10,000 hours of operation.

If Occurrence is based only on software failure rate, and there is no available data on software failure rate, then leave the Occ rating blank. Otherwise, use the qualitative or quantitative guidelines in Table 15.2 to estimate a ranking for Occ.


Table 15.2 Definitions of Software Failure Modes and Effects Analysis occurrence ratings

Probability of Occurrence Criteria (Occ)

Category     Rank   Qualitative criteria                                      Quantitative criteria
Frequent     5      The occurrence is frequent. Failure may be almost         ≥ 10^-3
                    certain or constant failure.
Probable     4      The occurrence is probable. Failure may be likely.        < 10^-3 and ≥ 10^-4
                    Repeated failures are expected.
Occasional   3      The occurrence is occasional. Failures may occur at       < 10^-4 and ≥ 10^-5
                    infrequent intervals.
Remote       2      The occurrence is remote. Failures are seldom expected    < 10^-5 and ≥ 10^-6
                    to occur.
Improbable   1      The occurrence is improbable. The failure is not          < 10^-6
                    expected to occur.
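As an added worked example (not the book's own material), the compounding rule for Occ and the quantitative criteria of Table 15.2 can be turned into a small calculation. It assumes that every rate is expressed as a probability on one common exposure basis (the page does not state the basis for the table's thresholds) and that the failure causes are independent, in which case the exact union of the events reduces to the page's simple sum for rare events.

```python
from typing import Optional, Sequence, Tuple

# Table 15.2 quantitative criteria as (rank, category, inclusive lower bound);
# anything below 1e-6 falls through to rank 1, Improbable.
OCC_THRESHOLDS = (
    (5, "Frequent", 1e-3),
    (4, "Probable", 1e-4),
    (3, "Occasional", 1e-5),
    (2, "Remote", 1e-6),
)

def occ_rank(probability: Optional[float]) -> Optional[Tuple[int, str]]:
    """Map a probability of occurrence to its Table 15.2 (rank, category).
    None means no data is available: the Occ column is left blank."""
    if probability is None:
        return None
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    for rank, category, lower_bound in OCC_THRESHOLDS:
        if probability >= lower_bound:
            return rank, category
    return 1, "Improbable"

def compound_likelihood(software_rate: Optional[float],
                        external_rates: Sequence[float]) -> Optional[float]:
    """Likelihood that the software item fails from any listed cause.
    software_rate: systemic software failure probability (None if no legacy
    data); external_rates: probabilities of external factors such as the
    pressure sensor, on the same exposure basis (assumed). Causes are assumed
    independent, so P(any) = 1 - prod(1 - p); for rare events this equals
    the plain sum the page uses (0.01% + 0.02% = 0.03%)."""
    rates = [software_rate] if software_rate is not None else []
    rates.extend(external_rates)
    if not rates:
        return None  # nothing to base Occ on: leave it blank
    survive = 1.0
    for p in rates:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"probability out of range: {p}")
        survive *= 1.0 - p
    return 1.0 - survive

if __name__ == "__main__":
    # Constructed from the page's figures: 0.01% software, 0.02% sensor,
    # quoted in percent, so divide by 100 to get probabilities.
    p = compound_likelihood(0.01 / 100, [0.02 / 100])
    print(f"compound likelihood = {p:.6f}, Occ = {occ_rank(p)}")
```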




Detectability in SFMEA has a similar connotation as in the DFMEA: it is an indication of how likely it is for the End Effect to be detected and countermeasures taken, external to the boundary of analysis, to minimize the risk of Harm. This concept was elucidated in the DFMEA workflow analysis, Section 12.6.1.3. A software Failure Mode with a safety impact is of lower criticality if it can be externally detected and countermeasures taken to minimize harm.

Internal detection and mitigations, such as CRC checks and error corrections, are considered part of good design and serve to systemically reduce Occ ratings.

Refer to Table 15.3 for definitions of detectability rankings. Use quantitative data if available. Otherwise, use the qualitative criteria to determine the Detectability rankings.