A case study on software risk analysis and planning in medical device development

C. Lindholm, J. Pedersen Notander, M. Höst (2014) A case study on software risk analysis and planning in medical device development. Software Quality Journal 22(3) pp. 469-497.

Software failures in medical devices can lead to catastrophic situations. Therefore, it is crucial to handle software-related risks when developing medical devices, and there is a need for further analysis of how this type of risk management should be conducted. The objective of this paper is to collect and summarise experiences from conducting risk management with an organisation developing medical devices. Specific focus is put on the first steps of the risk management process, i.e. risk identification, risk analysis, and risk planning. The research is conducted as action research, with the aim of analysing and giving input to the organisation’s introduction of a software risk management process. First, the method was defined based on already available methods and then used. The defined method focuses on user risks, based on scenarios describing the expected use of the medical device in its target environment. During the use of the method, different stakeholders, including intended users, were involved. Results from the case study show that there are challenging problems in the risk management process with respect to definition of the system boundary and system context, the use of scenarios as input to the risk identification, estimation of detectability during risk analysis, and action proposals during risk planning. It can be concluded that the risk management method has potential to be used in the development organisation, although future research is needed with respect to, for example, context limitation and how to allow for flexible updates of the product.