Page 158 - Safety Risk Management for Medical Devices

Software Risk Management  137


                   Table 15.5 SDFMEA S-D Criticality Table

                                                 Severity
                   Criticality          1      2      3      4      5
                   Detectability   5    2      2      3      3      3
                                   4    1      2      2      3      3
                                   3    1      1      2      2      3
                                   2    1      1      1      2      3
                                   1    1      1      1      1      2



                      For Level 1, EN ISO 14971:2012 [7] requires that the RPN of safety-related Failure
                   Modes be reduced as far as possible, so their treatment is the same as for Level 2.
                   For non-safety-related Level 1 Failure Modes, no further action is required.
                      If the Occurrence (Occ) rating is left blank, only the Severity and Detectability
                   rankings are available to determine the criticality of a software Failure Mode. For
                   such cases the template offers a two-dimensional criticality matrix (see Table 15.5).
                   This matrix also stratifies the software Failure Modes into three levels, and the
                   disposition of the three levels can follow the same action recommendations given in
                   Table 15.4. The purpose of SFMEA is to identify software-caused Hazards and to
                   prioritize software Failure Modes for mitigation. General mitigations such as static
                   code analysis, structured walkthroughs, and peer reviews benefit all of the software;
                   for software failures with high criticality, additional mitigations such as external
                   hardware or independent external software mechanisms should be devised.
                      As with other FMEAs, SFMEAs serve two purposes: safety and reliability. For safety,
                   all we need to determine is whether a software item can precipitate a Hazardous
                   Situation. For reliability, we also want to know which areas of the software could,
                   on failure, degrade product performance.
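                   The blank-Occ path described above, worked through as a small script: it ranks
                   worksheet rows with the Severity/Detectability matrix of Table 15.5, applies the
                   rule that a safety-related Level 1 Failure Mode is handled like Level 2, and orders
                   the rows for mitigation. This is an added example, not code from the book or any
                   SFMEA template. The FailureMode field names, the sample worksheet rows, and the
                   reading of Level 3 as "high criticality" (the point at which mitigations outside the
                   software item are called for) are this example's assumptions; the RPN thresholds of
                   Table 15.4 are not reproduced on this page, so that path is deliberately left out.

```python
"""S-D criticality ranking for software Failure Modes whose Occurrence (Occ)
rating is blank, following Table 15.5.

Added example, not code from the book. Matrix values are read from Table 15.5
(Severity 1-5 across, Detectability 1-5 down, 5 = hardest to detect). The
FailureMode field names, the sample rows and the choice of Level 3 as "high
criticality" are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List, Optional

RATING_RANGE = range(1, 6)

# Table 15.5, indexed as SD_CRITICALITY[detectability][severity].
SD_CRITICALITY = {
    5: {1: 2, 2: 2, 3: 3, 4: 3, 5: 3},
    4: {1: 1, 2: 2, 3: 2, 4: 3, 5: 3},
    3: {1: 1, 2: 1, 3: 2, 4: 2, 5: 3},
    2: {1: 1, 2: 1, 3: 1, 4: 2, 5: 3},
    1: {1: 1, 2: 1, 3: 1, 4: 1, 5: 2},
}

HIGH_CRITICALITY_LEVEL = 3  # assumption: Level 3 is the "high criticality" band


@dataclass
class FailureMode:
    """One row of an SFMEA worksheet (field names are this example's)."""
    name: str
    severity: int
    detectability: int
    occurrence: Optional[int] = None   # None means the Occ column is blank
    safety_related: bool = False


def sd_level(severity: int, detectability: int) -> int:
    """Criticality level (1-3) from Severity and Detectability per Table 15.5.
    Out-of-range ratings are rejected rather than silently clamped."""
    if severity not in RATING_RANGE or detectability not in RATING_RANGE:
        raise ValueError("Severity and Detectability ratings must be 1..5")
    return SD_CRITICALITY[detectability][severity]


def criticality_level(fm: FailureMode) -> int:
    """Level for a Failure Mode. Only the blank-Occ path (Table 15.5) is
    implemented; RPN stratification per Table 15.4 is out of scope here."""
    if fm.occurrence is not None:
        raise NotImplementedError("RPN stratification (Table 15.4) not covered")
    return sd_level(fm.severity, fm.detectability)


def treatment_level(fm: FailureMode) -> int:
    """Level used to pick the action. A safety-related Level 1 Failure Mode is
    handled like Level 2 (risk must be reduced as far as possible under
    EN ISO 14971); a non-safety-related Level 1 needs no further action."""
    level = criticality_level(fm)
    if level == 1 and fm.safety_related:
        return 2
    return level


def needs_external_mitigation(fm: FailureMode) -> bool:
    """True for high-criticality Failure Modes, where mitigations outside the
    software item (external hardware, independent software mechanism) are
    expected in addition to general code-quality measures."""
    return treatment_level(fm) >= HIGH_CRITICALITY_LEVEL


def prioritize(fms: List[FailureMode]) -> List[FailureMode]:
    """Order Failure Modes for mitigation: treatment level first, then
    Severity, then Detectability (harder to detect first), all descending."""
    return sorted(
        fms,
        key=lambda fm: (treatment_level(fm), fm.severity, fm.detectability),
        reverse=True,
    )


# Constructed sample worksheet rows (not taken from the book).
SAMPLE_WORKSHEET = [
    FailureMode("dose table read returns stale value", 5, 4, safety_related=True),
    FailureMode("log rotation skips one entry", 1, 5),
    FailureMode("UI label truncated", 2, 2),
    FailureMode("watchdog kick missed once", 2, 1, safety_related=True),
]

if __name__ == "__main__":
    for fm in prioritize(SAMPLE_WORKSHEET):
        print(treatment_level(fm), needs_external_mitigation(fm), fm.name)
```

                   The override in treatment_level is the only place where the safety flag changes the
                   outcome; everything else is the matrix itself, so a reviewer can check the script
                   against Table 15.5 cell by cell.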


                   15.3 SOFTWARE SAFETY CLASSIFICATION

                   Manufacturers of medical devices that include software are required to assign a safety
                   classification to the Software System, based on the potential risk of Harm to people
                   from the Software System, in a worst-case scenario. According to Ref. [9],

                      “The Software System is software safety class A if:
                      -    the software system cannot contribute to a Hazardous Situation; or
                      -    the Software System can contribute to a Hazardous Situation which does not
                           result in unacceptable risk after consideration of Risk Control measures
                           external to the software system.