# Can I reduce P1 to zero?

#### Cybel

##### Involved In Discussions
Hi there,
for my device I have:
P1: the probability that a hazardous situation occurs may depend on my device of course, and I can introduce some control measures to reduce it. In some cases I think that, after risk control measures are implemented, P1 can be considered equal to zero (except in case of fault), so my question: can I consider P1=zero in normal condition? (I suppose I can't).

P2: the probability that a hazardous situation (caused by my device) leads to harms is completely independent of my device but it can be due to failure or misuse of other risk reduction measures (other devices or procedures not under my control). I guess I cannot use the possibility of success (or failure) of other risk reduction measures to change P2.

S: the same hazard/hazardous situation can generate harms with different severity degree (from no symptoms to death), and this depends only on the individual reaction: I consider only the worst case.

Unless I can reduce P1 to zero, even if I reduce P1 to its lowest level, my residual risk still falls under the category “to be reduced as far as possible” because I cannot reduce P2 neither S.
As my device is requested and recognized as one of the cumulative methods to reduce the possibility that the hazardous situation occurs, should I stop here and evaluate the risk/benefit profile?

More generally, I'm not sure the way I'm thinking to this process is correct.
Could someone give my an opinion?

Thank you!!

#### yodon

Super Moderator
Reducing probability to 0 is taboo... at least that's how I've been taught. The standard consistently talks to 'reduce.'

I'm not following your question on P2. Can you provide an example?

You *can* reduce severity. It's uncommon, but the standard certainly allows it.

If you abide by the :2012 content deviation that all risks must be reduced to the greatest extent possible, then you effectively only have either unacceptable risks or acceptable risks. That said, take a look at this note from section 4.2 in the :2019 version:

NOTE 1 The manufacturer’s policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio. See ISO/TR 24971[9] for guidance on defining such policy.

Not sure what your policy is but it sounds like you're in the camp of reduce to the greatest extent possible so you don't stop until you can no longer lower the residual risk.

#### Cybel

##### Involved In Discussions

Context: COVID-19 emergency
My device: diagnostic
My hazard: false negative.
My hazardous situation: in case of false negative, a person can infect other persons. The infection may be avoided if other measures are taken (for example correct use of face masks, keeping social distance, and so on). This means that other measures act on the possibility that the hazardous situation leads to a harm, is it correct? (sorry for my really unclear question on P2 and for my bad English!)
Possible harms (to the "other persons"): no or minor symptoms, or pulmonary inflammation without hospitalization, or systemic inflammation with hospitalization, until death: I afraid I cannot reduce severity with my device.

Not sure what your policy is but it sounds like you're in the camp of reduce to the greatest extent possible so you don't stop until you can no longer lower the residual risk.
Yes, I suppose I should do this, even if the "greatest extend possible" is not much, actually. Thank you for your input.

Last edited:

#### yodon

Super Moderator
My hazardous situation: in case of false negative, a person can infect other persons. The infection may be avoided if other measures are taken (for example correct use of face masks, keeping social distance, and so on). This means that other measures act on the possibility that the hazardous situation leads to a harm, is it correct? (sorry for my really unclear question on P2 and for my bad English!)
Ah, ok, thanks for clarifying. Those things are not under your controls so you can't rely on them and thus shouldn't reduce probability (P2)

#### Tidge

Trusted Information Resource
I am of the belief that P1 can be reduced to zero, but that such a reduction is typically without (practical) value in terms of the risk file for a device intended to be marketed. An example might be risks relating to ionizing energy (e.g. alpha emitters) and the design of the device removes all radioactive sources. How much value is there in tracking such a line of (risk) analysis? The answer is probably zero (just like new value of P1!). (*1)

After a device is on the market, there exists a hypothetical circumstance where there is an (initially, when marketed) unrecognized hazardous situation with (in hindsight) a non-zero P1. A periodic risk review may expose this hazardous situation, and it is conceivable (if unlikely, see below) that a design change could later eliminate the hazard responsible for the hazardous situation.

Why I personally think it is unlikely that a post-market addition of a new (added) line to a hazard analysis would ever (eventually) have P1 = 0: In my way of thinking, such a change would almost certainly need to be fundamentally different than the original device... such as using a different power source, or a fundamentally different method of delivering therapy/interacting with the human body. Such a circumstance feels like a new DHF to me.

(*1) I can imagine that there may be circumstances where a medical device manufacturer feels "backed into a corner" by a third party asking questions along the lines of "Why doesn't your risk file consider risks from ____? (Fill in the blank with some absurd hazard that doesn't exist in the theory of operation or implemented design choices, like the steam hazards from pneumatically powered pacemakers)... and that in order to satisfy such an absurd request that P1=0 lines get added to a hazard analysis. This wouldn't be the same as reducing a recognized P1 to zero. There are usually better (i.e. more systematic ways) of heading off such questions, but never underestimate the chances of getting a peculiar "third party."

#### Cybel

##### Involved In Discussions
Those things are not under your controls so you can't rely on them and thus shouldn't reduce probability (P2)
I know we are in the ISO 14971 forum, but I've remembered that the IEC 62304 (on medical device software) allows consideration of risk control measures external to the SW system (even health care procedures, so external to the device and to the manufacturer as well) to determinate if the SW system can contribute to a hazardous situation which does or does't result in unacceptable risk.
It appears this means that the external (not under the manufacturer’s control) control measures can be considered as a risk reduction measure for the SW, or am I wrong?

#### yodon

Super Moderator
consideration of risk control measures external to the SW system (even health care procedures, so external to the device and to the manufacturer as well)
I think you may be conflating assignment of software safety class with risk management. The 62304 standard does say that you can consider external risk controls to lower the software safety class. Unless those controls are under my control, though, I would not reduce the risk. I'm in the camp that risks cannot be reduced by information for safety alone and relying on something that's out of my control is in that same boat (my opinion).

#### Hi_Its_Matt

##### Involved In Discussions
I think Tidge hit the nail on the head with respect to P1=0. If P1 was truly zero, then I wouldn't include this scenario in my risk analysis. An at-home COVID test consisting of a nasal swab, a few drops of solution, and a test strip could never cause harm to someone by (for example) tipping over and falling on top of someone. So I wouldn't include this scenario in my risk analysis. (I use this scenario as an example because it would be perfectly valid for a tall, heavy medical device like a robotic surgical unit).

If during design and development you make some fundamental change to a device such that it precludes a particular hazardous situation from ever occurring, then yes you could say P1=0. Or you could just remove that scenario from your analysis.

I do want to point out a flaw in your example though, as I think you may be misunderstanding hazardous situation.
Context: COVID-19 emergency
My device: diagnostic
My hazard: false negative.
My hazardous situation: in case of false negative, a person can infect other persons. The infection may be avoided if other measures are taken (for example correct use of face masks, keeping social distance, and so on). This means that other measures act on the possibility that the hazardous situation leads to a harm, is it correct? (sorry for my really unclear question on P2 and for my bad English!)
Possible harms (to the "other persons"): no or minor symptoms, or pulmonary inflammation without hospitalization, or systemic inflammation with hospitalization, until death: I afraid I cannot reduce severity with my device.
A hazardous situation occurs when an individual is exposed to a particular hazard. In this example, the hazardous situation may be "COVID virus is present in fluid sample, but in an amount small enough such that it cannot be detected by the system. Therefore, the test reports a false negative."
To me, the "hazardous situation" you have given is actually a harm ("virus spread to others due to sick person being given a false negative"). You could lower P2 by including in your instructions a warning that false negatives are possible, and that an individual should isolate from others if they display any COVID-like symptoms. This is a risk control option that IS within your control. However, I wouldn't include something like "mask wearing/social distancing" as a way of reducing P2, as these are outside your control. (Of course, the effectiveness of any risk control measure has to be verified, so if you claim something reduces your risk, then you have to prove it.)

#### Cybel

##### Involved In Discussions
Thanks to all for your inputs!

To me, the "hazardous situation" you have given is actually a harm ("virus spread to others due to sick person being given a false negative").
I have wracked my mind for what to consider hazardous situation vs harm and I've faced the hypothesis that "virus spread to others due to sick person being given a false negative" is actually a harm. My change of mind was because this is not the “ending state” but there is something beyond (that may be "nothing" until “death”).
So, my additional question: at what harm level should I stop?

#### Tidge

Trusted Information Resource
It appears this means that the external (not under the manufacturer’s control) control measures can be considered as a risk reduction measure for the SW, or am I wrong?
I think you may be conflating assignment of software safety class with risk management. The 62304 standard does say that you can consider external risk controls to lower the software safety class. Unless those controls are under my control, though, I would not reduce the risk.
I would follow @yodon advice on this circumstance, although I want to comment around the edges of his answer.

It is now (more?) explicit in 62304 that the software safety classification is to be based on what functions and risk controls are allocated to the software. It is a subtly different point if in the course of software development it is discovered that a risk cannot be reduced (or a new risk is introduced) by the software. In my experience: I have allowed and encouraged cross-references within a software hazard analysis (SHA) to non-software elements. It is sort of a dealer's choice (my words) if the SHA includes VI/VE for the identified risk control or the cross-reference points to another risk file (typically a design failure modes & effects document) that contains a line of risk analysis with VI/VE. My own preference is that the same information appears in BOTH risk analyses only because it is rare that hardware and software design teams to pay much attention to the "other' elements of designs.

Sample Size rationale to reduce size and use special levels EU Medical Device Regulations 6
5 Ways to Reduce Stress on Your Next Audit Using GAGEpack Software 0
Reduce risks as far as possible - Quartz Crystal ISO 14971 - Medical Device Risk Management 11
Advice on how to reduce overhead of handling non-conforming material Nonconformance and Corrective Action 7
Reduce occurrence rating based on the PMS data and customer complaint data ISO 14971 - Medical Device Risk Management 2
Stress / Challenge Conditions for Design Verification Testing to Reduce Sample Size 21 CFR Part 820 - US FDA Quality System Regulations (QSR) 11
How to reduce the process SPC monitoring Capability, Accuracy and Stability - Processes, Machines, etc. 3
Information of safety can reduce risk now? ISO 14971 - Medical Device Risk Management 12
Is it possible to reduce Risk likelihood and impact Post control Ranking after corrective action taken for risk? FMEA and Control Plans 1
Is it possible to reduce FMEA Occurrence and Detection Ranking after corrective action taken for customer complaints? FMEA and Control Plans 6
Duplicated Gauges want to reduce calibration General Measurement Device and Calibration Topics 2
S Methods to reduce relative humidity in Datacenter IEC 27001 - Information Security Management Systems (ISMS) 3
How do reduce the risk of suppliers having similar problems? Supplier Quality Assurance and other Supplier Issues 4
R Employee diet to reduce absenteeism and increase productivity Hospitals, Clinics & other Health Care Providers 24
Proactive efforts to reduce risk - PFMEA risk reduction activities IATF 16949 - Automotive Quality Systems Standard 8
N How to reduce RPN of Visual Inspection Process FMEA and Control Plans 6
2 High-tech medical equipment to reduce medication errors Medical Information Technology, Medical Software and Health Informatics 5
M Is That Plating Wave Washer will reduce its stiffness? Supplier Quality Assurance and other Supplier Issues 1
C How to Reduce Inspection Frequency in Metal Stamping Company Quality Manager and Management Related Issues 4
C Design of Experiments to Reduce Variation in a Lathe Operation Quality Assurance and Compliance Software Tools and Solutions 9
D How to reduce the number of Quality Inspectors Quality Manager and Management Related Issues 7
S Using ANSI/ASQ Z1.4 to Reduce Impact of Field Service Campaign AQL - Acceptable Quality Level 17
P How to reduce or shut off Compressed Air for Painting Robots Manufacturing and Related Processes 3
P How to Reduce or Eliminate Inspection on an Assembly Line Quality Tools, Improvement and Analysis 10
ISO 14006 - New Standard to Reduce Environmental Impacts of Products and Services Miscellaneous Environmental Standards and EMS Related Discussions 1
D How to Reduce Sampling and get the same MTTF (Mean Time to Faliure) Reliability Analysis - Predictions, Testing and Standards 4
J Reduce 50 Work Instructions into 12 Key Processes Process Maps, Process Mapping and Turtle Diagrams 8
Can we reduce documents checking percentage on supplier certificates? Supplier Quality Assurance and other Supplier Issues 3
T How do I Reduce Frequency of Receiving Inspection Testing for Quality Control Inspection, Prints (Drawings), Testing, Sampling and Related Topics 9
PFMEA (Process FMEA) Detection Rating - Actions to Reduce RPN FMEA and Control Plans 3
S What to do if no further control possible to reduce the OHS risk? Occupational Health & Safety Management Standards 16
S How to Reduce the Cost of Broken Measurement Equipment Quality Tools, Improvement and Analysis 8
M Plastic Mold Approval - What are the ways to reduce mold approval cycle? Manufacturing and Related Processes 8
A How to Reduce Printed Paper Waste Sustainability, Green Initiatives and Ecology 47
P Does Six Sigma Project have to Reduce Variability? What about a mean shift to target? Six Sigma 6
M Does Disciplinary Action Reduce Operator Errors? Misc. Quality Assurance and Business Systems Related Topics 80
Control Chart to Track Effectiveness of Actions to Reduce Scrap Rate Six Sigma 7
P Attempting to reduce sample size - The "best" statistical technique to use Statistical Analysis Tools, Techniques and SPC 10
ISO Guide 64 will help reduce environmental impacts of products Other ISO and International Standards and European Regulations 1
B On Time Delivery Question - Project to reduce late shipments Lean in Manufacturing and Service Industries 7
T Using SPC Control Charts to Reduce AQL Sample Size AQL - Acceptable Quality Level 16
R CMM Machine upgrade - Ways to reduce CMM inspection cycle time Inspection, Prints (Drawings), Testing, Sampling and Related Topics 5
D Project to Reduce Destructive Sampling in Crimping Process Inspection, Prints (Drawings), Testing, Sampling and Related Topics 3
J Customer wants to Reduce GD&T Tolerances on Sheet Metal Subassemblies Manufacturing and Related Processes 8
Y Can I reduce the Sample Size? Sampling check of more than 1,000 pieces daily Inspection, Prints (Drawings), Testing, Sampling and Related Topics 25
Classification of Suppliers & Control Plans to Reduce Receiving Inspection FMEA and Control Plans 6
R Tool Kits to Reduce Direct Time on Milling Machine Manufacturing and Related Processes 15
D When do you reduce SPC sampling? And How? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 7
J Cost Down! - Reduce Manpower Misc. Quality Assurance and Business Systems Related Topics 7
R 100% Visual Inspection - Would you Remove or Reduce the Visual Inspection? Inspection, Prints (Drawings), Testing, Sampling and Related Topics 9