How do you calculate Overall Residual Risk - Requirement of 14971 Risk Management


fuji033 - 2006

I am struggling to understand one requirement of 14971 Risk Management. How do you calculate overall residual risk, otherwise known as aggregate risk? Any guidance?


Al Rosen

It's not a calculation. You have to weigh the severity against the probability of an occurrence. It is somewhat subjective.


It's like Al Rosen says, but you can "make" it a calculation.

Depending on the techniques you use (I use FMEA) you can ascribe a value to the different risk elements.

To facilitate the (FMEA) risk assessment an estimate is needed of the:
• Severity of the Effect (S) of a failure mode
• Likeliness of Occurrence (O) of a failure Cause
• Chance that the Effect or Failure mode is not Detected by means of current controls in place (Df)

These estimates are translated into a numerical value by means of a standardized approach. (I use a 1 to 5 rating for each)

The Risk (RPN) is subsequently quantified as follows:
RPN = S x O x Df

This risk product number (RPN) is now a numeric representation of the calculated risk.
If this number is above a preset cutoff point (I use 15) I oblige myself to take risk mitigation measures.

Then I calculate again what the RPN is when the risk mitigating measures are implemented.

This can be seen as the "calculated" Overall Residual Risk.

It's one of many ways to make something this subjective and almost abstract, tangible by means of numbers.

Hope it helps.
(just my 50 ct's)

Best regards,



Hey there,

I just had this discussion with the European Authorities (TÜV) during our last audit.

They don't accept for example RPNs (or whatever you use) as a measure for the "allover residual risk" since the RPN belongs only to a single risk and not to the allover product risk.

We even have a statement in our Risk Management Procedure saying that the allover residual risk is considered acceptable when all single risks are acceptable.

Even this is not enough for TÜV.

This time they didn't write down a finding (the reason: "We don't know how you could do it better"). But they were not satisfied and will look at this topic again next year :(

Does anyone have an idea how to solve this problem?




Does anyone have an idea how to solve this problem?

I don't. It's weird that they do not know how you could do better and not accept what you do.

Please note that you can use some sort of general RPN or the like for the general - overall - risk, but you usually have to perform a different analysis for the overall risks.

Anyway, D.7 of ISO 14971 details some approaches to evaluate overall residual risks.


I would contact your NB again and ask for their advice. If your methods aren't suitable they must have people whose methods are. If they can't offer guidance I would seriously consider changing to a more helpful NB.


I guess I won't change anything for the moment - if they write a NC in the next audit, they have to provide me with guidance what they expect to see.

It seems like they were just re-trained on risk management because they wanted us to include "bleeding" as a potential hazard for implantation!

What a surprise that there will be blood in an operating theater during implantation of devices...

Anyway thank you all for your opinion and advice :)

davidespada - 2011

Risk Management is always a pain in the neck: everyone requires it but nobody can show examples about how to do it!
The way we do it is the following:

We calculate the Risk Class by Impact x Likelihood for each hazard, we make a plan to reduce it and re-calculate the Risk Class.

Now, the question is (and I guess is what TUV asks for): is the Device safe or not? We assess the Risk Class of the Device (what I call Irreducible Residual Risk) by stating that the risk of the device simply equals the higher residual risk.

So if I have a hazard with a residual risk as "moderate", the risk of my device is moderate and so on.

Of course this is equal to say that "allover residual risk is considered acceptable when all single risks are acceptable", but you provide a quantitative analysis, which is what I guess TUV is asking for.

