ISO/TS 25238 provides a framework for grouping health software products in a set of classes or types according to the risk that they may present. This provides a mechanism for screening individual products to allow different levels of rigour in the application of design and production controls that are broadly matched to risk.
The approach advocated in this TS is in effect a Preliminary Hazard Assessment whose output, effectively a Safety Integrity Level (SIL), is linked to a set of recommended controls defined by the organisation undertaking the Assessment. Risk is categorised using a two-dimensional risk matrix, but importantly the likelihood is defined such that it does not take account of the effect of any controls within the product. In essence the approach is as follows:
- First identify some foreseeable hazards that a health software product might present to a patient if it were to malfunction or to be the cause of an adverse event.
- Then assign a Consequence category using a predefined table of qualitative categories and descriptions.
- Then assign a Likelihood category using a predefined table of values. This is estimated based on the likelihood of the occurrence of the identified Consequence without taking account of any mitigation expected from the product itself; however, expected mitigation from the environment should be included.