AAMI TIR32

Medical device software risk management

Organization: AAMI
Publication Date: 1 January 2004
Status: inactive
Page Count: 77
Scope

This technical information report (TIR) should be regarded as a reference for developing safe software systems to be used in medical devices. The information that it contains provides a framework within which experience, insight, and judgment are applied systematically to reduce medical device risks. The TIR does this in the context of ANSI/AAMI/ISO 14971:2000, Medical devices-Application of risk management to medical devices, and in the context of ANSI/AAMI SW68:2001, Medical device software-Software life cycle processes.

For readers to understand the scope of this document, it is important to understand the distinction between software safety and software reliability. The National Institute of Science and Technology information report [NISTIR 5589] on software hazard analysis states this distinction quite clearly:

Software safety should not be confused with software reliability. Reliability is the ability of a system to perform its required functions under stated conditions for a specified period of time [IEEE610]. Safety is the probability that conditions (hazards) that can lead to a mishap do not occur, whether or not the intended function is performed [LEVESON86]. Reliability is interested in all possible software errors, while safety is concerned only with those errors that cause actual system hazards [LEVESON86]. . . . Software safety and software reliability are part of software quality. Quality is the degree to which a system meets specified requirements, and customer or user needs or expectations [IEEE610].

Many of the same techniques used to ensure software reliability and quality are relevant for ensuring software safety. This report does not discuss general aspects of software quality assurance.

Purpose

The goal of this TIR is to be a technical reference on risk management for medical devices. It is intended primarily for software engineers, software quality assurance personnel, and those responsible for medical device risk management. Others involved in medical device product development, quality assurance, regulatory affairs, and auditing may also find this document useful.

The report attempts to clarify process relationships outlined in ANSI/AAMI SW68:2001, Medical device software-Software life cycle processes, and ANSI/AAMI/ISO 14971:2000, Medical devices-Application of risk management to medical devices, in the context of software system safety, keeping in mind the varied interests of the audience.

Understanding the terminology and its proper context is key to understanding the associated processes. This report attempts to clarify some of those subtleties by looking at the components of risk management, and by using precise language to identify how those components relate to each other. For example, ISO definitions such as hazard, harm, and safety are clarified through use of additional terms and examples from a software perspective.

The report provides guidance for those new to the concepts of software system safety in the medical device industry and serves as an aide-memoire for medical device and software designers more familiar with the topic.

The first objective of this report is to provide those working "down in the trenches" with some insight into safety considerations when using software in a medical device. A second objective is to help risk managers understand the implications for risk management posed by the presence of software in the system. All too often, those charged with the responsibility for developing software and those charged with the responsibility of managing risk operate independently of each other. It is a goal of this report to help bridge this divide by fostering communication and a shared understanding of the relationship between software engineering and risk management.

 

Document History

AAMI TIR32
January 1, 2004
Medical device software risk management
