Could someone please chime in and share their approach for conducting hazard analysis for off-the-shelf / commercial-off-the-shelf software? What level of detail do we need to include?
Our current hazard analysis matrix contains the following fields (columns): Hazard number, Hazard (actual hazard), Hazard Origin (e.g., clinical, device component, tool, etc.), Severity, Occurrence, Risk Index, Control Measure Type, Risk Control/Mitigation, Software Hazard? (Hazard that can result from software malfunction or can be mitigated by the device built-in software), New Hazard? (New hazard introduced by mitigation (Yes / No)), Mitigation Occurrence, Mitigation Risk Index, Design Output (e.g., labeling, design document, drawing, requirement procedure/protocol, test procedure, training,etc.), Verification Evidence (e.g., actual test result report, record, etc.)
The above seems like an overkill analysis for COTS such as MS Word, Excel, Project, or even statistical tools such as Minitab and Matlab. Any suggestions, thoughts would be immensely appreciated.
Thank you so much in advance!