Hazard Analysis of OTS and COTS

Could someone please chime in and share their approach for conducting hazard analysis for off-the-shelf / commercial-off-the-shelf software? What level of detail do we need to include?

Our current hazard analysis matrix contains the following fields (columns): Hazard number, Hazard (actual hazard), Hazard Origin (e.g., clinical, device component, tool, etc.), Severity, Occurrence, Risk Index, Control Measure Type, Risk Control/Mitigation, Software Hazard? (Hazard that can result from software malfunction or can be mitigated by the device's built-in software), New Hazard? (New hazard introduced by mitigation (Yes / No)), Mitigation Occurrence, Mitigation Risk Index, Design Output (e.g., labeling, design document, drawing, requirement procedure/protocol, test procedure, training, etc.), Verification Evidence (e.g., actual test result report, record, etc.)

The above seems like an overkill analysis for COTS such as MS Word, Excel, Project, or even statistical tools such as Minitab and Matlab. Any suggestions or thoughts would be immensely appreciated.

Thank you so much in advance!



17 days ago

Hi Carol, 

The hazard analysis question is always a struggle. I am assuming the product in question is a medical device.

The tools that you listed (MS Word, Excel, etc.) are those that seem to impact the QMS and are not integrated into the actual device itself. In most cases, these are handled differently.

If it is an OTS/COTS that won't be integrated into the device, ISO 80002-2:2017, Validation of software for medical device quality systems, is a great resource. Remember the goal of the risk analysis is to determine the level of validation effort required in order to reduce risk.

Typically an analysis of these software tools will evaluate if the tool poses a risk to the product (think production or development software), risk of harm to humans (think production software harming operators or software affecting the device indirectly, causing harm to customers), risk of affecting regulatory compliance (think software tools that affect the QMS - CAPA, document storage), or risk to the virtual or physical environment.

The FMEA is one method of risk analysis. I have also seen tool assessments utilize decision trees. Remember the risk analysis will be used to determine how much validation is needed and if there need to be design or process controls around the tool's use.

Hope this helps! Happy Validating.

10-05-2017 23:37

I can see why it seems overly complicated to go to this much effort for commonly used COTS. However, it's also worth considering how much complexity you would be introducing by having more than one hazard analysis methodology/criteria.
With multiple methodologies/criteria, do you risk something having an inadequate hazard analysis? If this does happen, the resulting issues may far outweigh the work that is required to put COTS through the standard hazard analysis.
I don't believe in doing things 'because we always do it this way', but sometimes having multiple options actually creates more work and/or more risk, so it's important to carefully consider this before deciding what the best way forward is.

Unfortunately there's no easy answer to this; your company's particular circumstances are going to play a large role in deciding what the best option is.