At what level (harm, hazardous situation, seq. of events, etc) is "risk" estimated?

ThatSinc

Quite Involved in Discussions
I do both, kind of...

I tend to assess by hazardous situation independently within the hazard analysis, but my document is structured slightly differently

Hazard Type | Hazard | RFSE | Hazardous Situation | Harm

As you acknowledged in my thread regarding *when* a hazardous situation is, having the sequence of events documented as you have (though nothing requires it to be documented, just that you must investigate them) allows you to more accurately estimate the probability of the overall hazardous situation occurring, depending on at what point in the "sequence of risk" you have documented it.

Is it possible that 6 times out of 100 uses could be seen as unacceptable when looking at the total combined risk of the harm occurring, even if 2 out of 100 uses is acceptable for each of the individual hazardous situations? Or would this indicate some kind of logical breakdown in either our analysis or our acceptability criteria? Where is the acceptability of that combined risk evaluated? IS IT evaluated?

I manage this within the risk management report which includes a combined-risk summary where that holistic approach is taken.
This will review the number of hazardous situations that will lead to an individual harm - why these hazardous situations are occurring, and what risk control measures have been put in place across the board for all of them.
I've got a million hazardous situations that are all a million to one chance of killing somebody...

There is also the issue that the final decision point for acceptability is also arbitrary.

This is a very good point and, separate from the point of this thread but related in that I see acceptability based on calculated numbers, it is one of the reasons I've stopped using numbers for all of my calculations.
In a numerical S x P1 x P2 world a low severity frequent harm is just as unacceptable as a high severity rare harm - which may or may not be acceptable based on device type. I find more often I work with businesses that have no tolerance for high severity risks but an acceptability for low severity risks.
Moving to a matrix with Severity (1-6) on one side and Occurrence (A-E) on the other side and plotting it against a pre-defined acceptability matrix as per the plan has alleviated a lot of issues on risks being unacceptable through calculation when the business doesn't mean for them to be.


This was not asked, but I fully support "merged cells" when the same risk controls apply (and improve the ratings of) a common group of risk analysis lines.

I find it looks great, but doing any kind of analysis if you're working in excel becomes an absolute ballache when you have merged cells.
 

Tidge

Trusted Information Resource
I find it looks great, but doing any kind of analysis if you're working in excel becomes an absolute ballache when you have merged cells.

No disagreement when using a 2d spreadsheet. Consider my use of scare quotes around "merged cells" to be indicative of the potential for a many-to-many relationship (in this case between 'whatever the line of risk analysis is before risk controls' and 'risk controls').

I make the point primarily because the purpose of a risk analysis is ultimately (and I apologize for being old-school) to make sure that all risks for the device are understood to be acceptable in a known context. Of course: there are nuances regarding my simple statement of this 'purpose' and risk management files can be used in many diverse and important activities.

I am alert (or is it "triggered"?) when I see many-to-many relationships (or "merged cells") in places where they are ultimately going to confuse or interfere with an appropriate risk analysis. My lizard brain is warning me about trying to group harms (i.e. use a 'many-to-many' relationship as the basis of analysis) for reasons:
  • The same harm (e.g. "cut, minor") from many different sources, even on the same device. The risk of a "cut, minor" is going to be treated very differently if it is from the scalpel blade versus the scalpel handle.
  • We don't "engineer" the harms, we engineer the essential performance and risk controls.
  • Considering harms is different than considering failure modes.
My thinking around the final bullet is subtle: In a failure modes and effects analysis, it is common to consider extremely low occurrence failure modes no matter the severity... and even if documented it is usually easy to not require extra controls if detection is 'good enough' and/or occurrence is 'low enough'. However, reported harms are going to come from patients and users and there is going to be a regulatory requirement to do diligence with respect to consideration of the reports... and if the risk matrix has harms as the fundamental 'key', it is going to be incredibly difficult to use the files in a coherent way...

Consider a (hypothetical, but not prima facie absurd) report from a patient that they were 'harmed' because your medical device allowed someone to see some medical history that they preferred to be kept private. There was a sincere effort years ago to motivate risk controls for privacy by trying to add "mental distress" to lists of Master Harms. I don't want to hand-wave away actual concerns from real people, but there is no easily identified hazard, which is why it is impossible to make a cogent risk analysis based on 14971 for such harms. I won't say more on the privacy topic here, except that I'm grateful for regulators that establish the bounds of acceptability on this topic, as it isn't objectively possible for us manufacturers to do it.
 

abbie

Registered
I am a bit late to this thread, but if you haven't already, take a look at Annex C of 14971:2019+A11:2021:
"The probability of occurrence of harm can be expressed as a combination of separate probabilities (P1, P2) or as a single probability (P)", where P1 is the probability of a hazardous situation occurring, and P2 is the probability of the hazardous situation leading to harm. Also, "A decomposition into P1 and P2 is not mandatory."

You have to estimate RISK at the level of HARM, and it is a function of P1 (hazardous situation, HS) and P2 (HS leading to HARM). If you have two different HSs leading to HARM-1, then those are two different assessments, i.e. I would estimate each unique path to HARM-1. The annex explains it well.
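A worked illustration of the P1 x P2 decomposition abbie quotes, and of the "2 out of 100 per path versus 6 out of 100 combined" question raised earlier in the thread. This is an added example, not code from any poster or from the standard: the occurrence bands, the Severity (1-6) x Occurrence (A-E) acceptability matrix, the three hazardous-situation figures and the severity assigned to HARM-1 are all made-up assumptions, and combining the paths into one probability of harm assumes they are independent (the union bound is also reported, which needs no such assumption).

```python
"""Risk estimated at the level of harm: P = P1 x P2 per hazardous situation,
then the combined probability of the same harm across several paths, each
checked against a Severity (1-6) x Occurrence (A-E) acceptability matrix.

Added example; bands, matrix and input figures are assumptions, not taken
from the thread or from any standard's annex."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class HazardousSituation:
    hs_id: str
    p1: float   # probability (per use) that the hazardous situation occurs
    p2: float   # probability that the hazardous situation leads to the harm

    def p_harm(self) -> float:
        """Probability of harm via this one path: P = P1 x P2."""
        return self.p1 * self.p2


# Assumed occurrence bands: (band, lower bound on probability of harm per use).
OCCURRENCE_BANDS = [("A", 5e-2), ("B", 5e-3), ("C", 5e-4), ("D", 5e-5), ("E", 0.0)]
OCC_ORDER = "ABCDE"

# Assumed acceptability matrix, severity 1 (negligible) .. 6 (catastrophic) by A..E.
# U = unacceptable, R = reduce further / justify, A = acceptable.
ACCEPTABILITY = {
    1: "RAAAA",
    2: "UAAAA",
    3: "UUAAA",
    4: "UURAA",
    5: "UUURA",
    6: "UUUUR",
}


def occurrence_band(p: float) -> str:
    """Map a probability of harm per use to its occurrence band."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    for band, lower in OCCURRENCE_BANDS:
        if p >= lower:
            return band
    return "E"


def acceptability(severity: int, band: str) -> str:
    """Look up the plan's verdict for a (severity, occurrence) cell."""
    return ACCEPTABILITY[severity][OCC_ORDER.index(band)]


def combined_probability(ps: list[float]) -> float:
    """P(at least one path produces the harm), assuming the paths are independent."""
    return 1.0 - prod(1.0 - p for p in ps)


def evaluate_harm(severity: int, paths: list[HazardousSituation]) -> dict:
    """Estimate risk for each path to one harm, then for the harm as a whole."""
    per_path = {}
    for hs in paths:
        p = hs.p_harm()
        band = occurrence_band(p)
        per_path[hs.hs_id] = (p, band, acceptability(severity, band))
    ps = [p for p, _, _ in per_path.values()]
    p_comb = combined_probability(ps)
    band = occurrence_band(p_comb)
    return {
        "per_path": per_path,
        "combined_p": p_comb,
        "combined_p_upper_bound": min(1.0, sum(ps)),  # union bound; no independence needed
        "combined_band": band,
        "combined_verdict": acceptability(severity, band),
    }


# Constructed input: three hazardous situations, each 2 in 100 uses, all leading to HARM-1.
HARM_1_PATHS = [
    HazardousSituation("HS-1", p1=0.10, p2=0.20),
    HazardousSituation("HS-2", p1=0.04, p2=0.50),
    HazardousSituation("HS-3", p1=0.20, p2=0.10),
]
HARM_1_SEVERITY = 2  # assumed: minor injury


if __name__ == "__main__":
    result = evaluate_harm(HARM_1_SEVERITY, HARM_1_PATHS)
    for hs_id, (p, band, verdict) in result["per_path"].items():
        print(f"{hs_id}: P={p:.3f} band={band} verdict={verdict}")
    print(f"HARM-1 combined: P={result['combined_p']:.4f} "
          f"(union bound {result['combined_p_upper_bound']:.2f}) "
          f"band={result['combined_band']} verdict={result['combined_verdict']}")
```

With these assumed figures each path lands in band B and is acceptable for a severity-2 harm, while the combined probability (about 0.0588 under independence, at most 0.06 by the union bound) crosses the assumed 0.05 threshold into band A, which the matrix marks unacceptable. That is exactly the situation a combined-risk summary in the risk management report is there to catch; whether it counts as a flaw in the analysis or in the acceptability criteria is a plan decision, and the matrix values here are only placeholders for whatever the plan actually defines.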
 