Hazard Analysis of OTS and COTS

Could someone please chime in and share their approach for conducting hazard analysis for off-the-shelf / commercial-off-the-shelf software? What level of detail do we need to include?

Our current hazard analysis matrix contains the following fields (columns): Hazard number, Hazard (actual hazard), Hazard Origin (e.g., clinical, device component, tool, etc.), Severity, Occurrence, Risk Index, Control Measure Type, Risk Control/Mitigation, Software Hazard? (Hazard that can result from software malfunction or can be mitigated by the device built-in software), New Hazard? (New hazard introduced by mitigation (Yes / No)), Mitigation Occurrence, Mitigation Risk Index, Design Output (e.g., labeling, design document, drawing, requirement procedure/protocol, test procedure, training, etc.), Verification Evidence (e.g., actual test result report, record, etc.)

The above seems like an overkill analysis for COTS such as MS Word, Excel, Project, or even statistical tools such as Minitab and Matlab. Any suggestions, thoughts would be immensely appreciated.

Thank you so much in advance!

1 comment

12 days ago

I can see why it seems overly complicated to go to this much effort for commonly used COTS. However, it's also worth considering how much complexity you would be introducing by having more than one hazard analysis methodology/criteria.
With multiple methodologies/criteria, do you risk something having an inadequate hazard analysis? If this does happen, the resulting issues may far outweigh the work that is required to put COTS through the standard hazard analysis.
I don't believe in doing things 'because we always do it this way', but sometimes having multiple options actually creates more work and/or more risk so it's important to carefully consider this before deciding what the best way forward is.

Unfortunately, there's no easy answer to this; your company's particular circumstances are going to play a large role in deciding what the best option is.