Can I reduce P1 to zero?

Cybel

Involved In Discussions
Hi there,
for my device I have:
P1: the probability that a hazardous situation occurs may depend on my device of course, and I can introduce some control measures to reduce it. In some cases I think that, after risk control measures are implemented, P1 can be considered equal to zero (except in case of fault), so my question: can I consider P1=zero in normal condition? (I suppose I can't).

P2: the probability that a hazardous situation (caused by my device) leads to harms is completely independent of my device but it can be due to failure or misuse of other risk reduction measures (other devices or procedures not under my control). I guess I cannot use the possibility of success (or failure) of other risk reduction measures to change P2.

S: the same hazard/hazardous situation can generate harms with different severity degree (from no symptoms to death), and this depends only on the individual reaction: I consider only the worst case.

Unless I can reduce P1 to zero, even if I reduce P1 to its lowest level, my residual risk still falls under the category “to be reduced as far as possible” because I can reduce neither P2 nor S.
As my device is requested and recognized as one of the cumulative methods to reduce the possibility that the hazardous situation occurs, should I stop here and evaluate the risk/benefit profile?

More generally, I'm not sure the way I'm thinking about this process is correct.
Could someone give me an opinion?

Thank you!!
 

yodon

Leader
Super Moderator
Reducing probability to 0 is taboo... at least that's how I've been taught. The standard consistently talks to 'reduce.'

I'm not following your question on P2. Can you provide an example?

You *can* reduce severity. It's uncommon, but the standard certainly allows it.

If you abide by the :2012 content deviation that all risks must be reduced to the greatest extent possible, then you effectively only have either unacceptable risks or acceptable risks. That said, take a look at this note from section 4.2 in the :2019 version:

NOTE 1 The manufacturer’s policy for establishing criteria for risk acceptability can define the approaches to risk control: reducing risk as low as reasonably practicable, reducing risk as low as reasonably achievable, or reducing risk as far as possible without adversely affecting the benefit-risk ratio. See ISO/TR 24971[9] for guidance on defining such policy.

Not sure what your policy is but it sounds like you're in the camp of reduce to the greatest extent possible so you don't stop until you can no longer lower the residual risk.
 

Cybel

Involved In Discussions
Thank you for your answer, Yodon. My comments:

Context: COVID-19 emergency
My device: diagnostic
My hazard: false negative.
My hazardous situation: in case of false negative, a person can infect other persons. The infection may be avoided if other measures are taken (for example correct use of face masks, keeping social distance, and so on). This means that other measures act on the possibility that the hazardous situation leads to a harm, is it correct? (sorry for my really unclear question on P2 and for my bad English!)
Possible harms (to the "other persons"): no or minor symptoms, or pulmonary inflammation without hospitalization, or systemic inflammation with hospitalization, up to death: I'm afraid I cannot reduce severity with my device.

Not sure what your policy is but it sounds like you're in the camp of reduce to the greatest extent possible so you don't stop until you can no longer lower the residual risk.

Yes, I suppose I should do this, even if the "greatest extent possible" is not much, actually. Thank you for your input.
 

yodon

Leader
Super Moderator
My hazardous situation: in case of false negative, a person can infect other persons. The infection may be avoided if other measures are taken (for example correct use of face masks, keeping social distance, and so on). This means that other measures act on the possibility that the hazardous situation leads to a harm, is it correct? (sorry for my really unclear question on P2 and for my bad English!)

Ah, ok, thanks for clarifying. Those things are not under your control, so you can't rely on them and thus shouldn't reduce probability (P2).
 

Tidge

Trusted Information Resource
I am of the belief that P1 can be reduced to zero, but that such a reduction is typically without (practical) value in terms of the risk file for a device intended to be marketed. An example might be risks relating to ionizing energy (e.g. alpha emitters) where the design of the device removes all radioactive sources. How much value is there in tracking such a line of (risk) analysis? The answer is probably zero (just like the new value of P1!). (*1)

After a device is on the market, there exists a hypothetical circumstance where there is an (initially, when marketed) unrecognized hazardous situation with (in hindsight) a non-zero P1. A periodic risk review may expose this hazardous situation, and it is conceivable (if unlikely, see below) that a design change could later eliminate the hazard responsible for the hazardous situation.

Why I personally think it is unlikely that a post-market addition of a new (added) line to a hazard analysis would ever (eventually) have P1 = 0: In my way of thinking, such a change would almost certainly need to be fundamentally different than the original device... such as using a different power source, or a fundamentally different method of delivering therapy/interacting with the human body. Such a circumstance feels like a new DHF to me.

(*1) I can imagine that there may be circumstances where a medical device manufacturer feels "backed into a corner" by a third party asking questions along the lines of "Why doesn't your risk file consider risks from ____? (Fill in the blank with some absurd hazard that doesn't exist in the theory of operation or implemented design choices, like the steam hazards from pneumatically powered pacemakers)... and that in order to satisfy such an absurd request that P1=0 lines get added to a hazard analysis. This wouldn't be the same as reducing a recognized P1 to zero. There are usually better (i.e. more systematic ways) of heading off such questions, but never underestimate the chances of getting a peculiar "third party."
 

Cybel

Involved In Discussions
Those things are not under your control, so you can't rely on them and thus shouldn't reduce probability (P2)

I know we are in the ISO 14971 forum, but I've remembered that IEC 62304 (on medical device software) allows consideration of risk control measures external to the SW system (even health care procedures, so external to the device and to the manufacturer as well) to determine if the SW system can contribute to a hazardous situation which does or doesn't result in unacceptable risk.
It appears this means that the external (not under the manufacturer’s control) control measures can be considered as a risk reduction measure for the SW, or am I wrong?
I would be interested in getting an opinion about this.
 

yodon

Leader
Super Moderator
consideration of risk control measures external to the SW system (even health care procedures, so external to the device and to the manufacturer as well)

I think you may be conflating assignment of software safety class with risk management. The 62304 standard does say that you can consider external risk controls to lower the software safety class. Unless those controls are under my control, though, I would not reduce the risk. I'm in the camp that risks cannot be reduced by information for safety alone and relying on something that's out of my control is in that same boat (my opinion).
 

Hi_Its_Matt

Involved In Discussions
I think Tidge hit the nail on the head with respect to P1=0. If P1 was truly zero, then I wouldn't include this scenario in my risk analysis. An at-home COVID test consisting of a nasal swab, a few drops of solution, and a test strip could never cause harm to someone by (for example) tipping over and falling on top of someone. So I wouldn't include this scenario in my risk analysis. (I use this scenario as an example because it would be perfectly valid for a tall, heavy medical device like a robotic surgical unit).

If during design and development you make some fundamental change to a device such that it precludes a particular hazardous situation from ever occurring, then yes you could say P1=0. Or you could just remove that scenario from your analysis.

I do want to point out a flaw in your example though, as I think you may be misunderstanding hazardous situation.
Context: COVID-19 emergency
My device: diagnostic
My hazard: false negative.
My hazardous situation: in case of false negative, a person can infect other persons. The infection may be avoided if other measures are taken (for example correct use of face masks, keeping social distance, and so on). This means that other measures act on the possibility that the hazardous situation leads to a harm, is it correct? (sorry for my really unclear question on P2 and for my bad English!)
Possible harms (to the "other persons"): no or minor symptoms, or pulmonary inflammation without hospitalization, or systemic inflammation with hospitalization, up to death: I'm afraid I cannot reduce severity with my device.

A hazardous situation occurs when an individual is exposed to a particular hazard. In this example, the hazardous situation may be "COVID virus is present in fluid sample, but in an amount small enough such that it cannot be detected by the system. Therefore, the test reports a false negative."
To me, the "hazardous situation" you have given is actually a harm ("virus spread to others due to sick person being given a false negative"). You could lower P2 by including in your instructions a warning that false negatives are possible, and that an individual should isolate from others if they display any COVID-like symptoms. This is a risk control option that IS within your control. However, I wouldn't include something like "mask wearing/social distancing" as a way of reducing P2, as these are outside your control. (Of course, the effectiveness of any risk control measure has to be verified, so if you claim something reduces your risk, then you have to prove it.)
 

Cybel

Involved In Discussions
Thanks to all for your inputs!

To me, the "hazardous situation" you have given is actually a harm ("virus spread to others due to sick person being given a false negative").

I have wracked my mind for what to consider hazardous situation vs harm and I've faced the hypothesis that "virus spread to others due to sick person being given a false negative" is actually a harm. My change of mind was because this is not the “ending state” but there is something beyond (that may be "nothing" until “death”).
So, my additional question: at what harm level should I stop?
 

Tidge

Trusted Information Resource
It appears this means that the external (not under the manufacturer’s control) control measures can be considered as a risk reduction measure for the SW, or am I wrong?
I would be interested in getting an opinion about this.
I think you may be conflating assignment of software safety class with risk management. The 62304 standard does say that you can consider external risk controls to lower the software safety class. Unless those controls are under my control, though, I would not reduce the risk.

I would follow @yodon advice on this circumstance, although I want to comment around the edges of his answer.

It is now (more?) explicit in 62304 that the software safety classification is to be based on what functions and risk controls are allocated to the software. It is a subtly different point if in the course of software development it is discovered that a risk cannot be reduced (or a new risk is introduced) by the software. In my experience: I have allowed and encouraged cross-references within a software hazard analysis (SHA) to non-software elements. It is sort of a dealer's choice (my words) whether the SHA includes VI/VE for the identified risk control or the cross-reference points to another risk file (typically a design failure modes & effects document) that contains a line of risk analysis with VI/VE. My own preference is that the same information appears in BOTH risk analyses, only because it is rare for hardware and software design teams to pay much attention to the "other" elements of designs.
 