TLDR; P2 is an array [probability of low severity harm, probability of medium severity harm, probability of high severity harm], and unitless. P1 has a unit and scales the distribution of P2. You lose the distinction and its associated advantages if you simplistically take P2 to be the summed likelihood of non-negligible likelihood and link it to the maximum possible severity.
---
A concept, which is both intuitively and informatively (guidance-level) clear:
Take the relevant core definitions (publicly available through ISO OBP):
A) harm: injury or damage to the health of people, or damage to property or the environment
B) hazardous situation: circumstance in which people, property or the environment is/are exposed to one or more hazards
C) risk: combination of the probability of occurrence of harm (A) and the severity (D) of that harm (A)
D) severity: measure of the possible consequences of a hazard (E)
E) hazard: potential source of harm
Now amend your interpretation of C to result in an array of values, which is as big as the number of severity categories you employ within your risk management.
Let's take a (further disconnected; not going to build a full risk management system) 5 bin scale of severity:
- No notable harm
- Superficial
- Partial,
- Fully, prolonged yet incomplete (scars) healing
- Permanent, functional impairment
- Death (if you go nitty gritty not a harm, but hey, standards aren't perfect and let's be pragmatic).
Now, given a (thermal?) hazard, construct an empty risk array: [null,null,null,null,null,null] (6 times no value; won't go into the differences between null, nil, zero and not available and such)
Any amount of causes, hazard could be either generally hot or even split into hot liquid, hot surface. Sequence of events might include length of exposure, etc. Are the splits useful? Most likely only when you take into account how design can control their levels somewhat independently.
Your risk management team, including the ever relevant clinical expertise, assess probabilities (for hot liquid and hot surface).
Read these as: given that the harm (of burn) occurs, what are the most likely likelihoods of each severity of outcome (P2. No particular reason).
Results: the hazard arrays (These must sum to one.):
Hot Liquid[0, 0.1, 0.2, 0.5, 0.15, 0.05];
Hot Surface[0.4, 0.4, 0.19, 0.01, 0, 0];
Compared (roughly) visually:
_ - -≡=_
==-_ _ _
But wait: we forgot occurrence of harm, which is an a priori condition prior to the casino of life distributing the severity. (P1. No particular reason, again). If your scale for P1 is well thought out (i.e. normalizable to either per service year, or per 1000 devices, basically any reasonably accurate quantity you can realistically normalize your statistics against.), you can link post-market surveillance directly to your risk analysis. Then your feedback will show whether your distribution (P2), or your assessment of occurrence of the hazardous situation.
Your design and development department could act on the priority of severity of harm. Let's say additional screens present between the possible exit points for hot liquid in single fault mode condition (ah, base assumptions of risk management, justify thee well) and all probable locations of users of the device. Let's imagine they're placed to prevent splashing on the most lethal areas at all, and reduce the likelihood a bit from. Necessarily it moves the distribution (independent of actual occurrence; remember: we're dealing with the given presence of exposure at the moment) left.
Design assessed result:
Hot Liquid[0.2, 0.25, 0.2, 0.3, 0.05, 0]; (it was [0, 0.1, 0.2, 0.5, 0.15, 0.05])

Hot Surface[0.4, 0.4, 0.19, 0.01, 0, 0];
Compared (roughly) visually:
_ - -≡=_ (what hot liquid was)
-===__ (what hot liquid is newly assessed with control; skipping over implementation and effectiveness verification steps for clarity)
==-_ _ _ (hot surface, still the same)
Yes, we're accepting a relatively higher occurrence of lower degree harms for the benefit of practically eliminating the high severity harms.
Funnily enough, this means that you've also reduced, under the assumption of single fault mode, the maximum severity you're likely to encounter by adjustment of the distribution to exclude the high severity ones. (no stupid user continuing to jump into the very new slowly growing hot liquid puddle).
Perhaps foreseen, perhaps unsuspecting, you could see a change in P1 as well, which would affect the total amount of occurrences you'd get independent of the distribution of severity for the outcomes. Whether you analyze that deep, up to you. Note that in the split version, only P1 has a unit. P2 is merely a cumulative distribution function without unit. P derives its unit (/year, /use) from P1.
If you're really good you've excluded all risk to have P2 result in [ 1, 0, 0, 0, 0, 0] ≡_ _ _ _ _. Give yourself a cookie. Your risk mitigation is not included in your design output as it's not a risk for your device at all (completely negligible severity means socially acceptable in the norms and morals of the communities you distribute to).
But then it would not be in your design input. So it would not be in your characteristics of the medical device. So why is it in your risk management file? (answer, iterative design. It was a risk in some previous design iteration, and you are remembering not to make that dangerous choice by introducing a prohibition (requirement to not do something) into your customer requirements).
Note: the severities (roughly) match those of burn wounds. The probabilities don't (instructiveness above accuracy in this case)
The far more difficult question would be attribution of (final) clinical conditions to specific yet related harms (burn directly, smoke due to fire due to faulty device, infection from exposed skin due to burn, or some other consequence harm) in your feedback mechanisms/post-market surveillance.
The medium difficulty one (more effort than difficult really), is constructing the (mathematical) graph, as there are multiple connections from a single node of hazard to multiple hazardous situation, and from a hazardous situation to multiple harms; and in reverse from a harm to multiple hazardous situations that can cause it, and the hazardous situation that can arise from multiple failure modes of the system hazards.
To keep on-topic:
The type of control (design, protection, information) is merely an indication of the tendency on how they transform the distribution (P2) and likelihood of exposure (P1), and the preference by politicians made to reflect the (loudest) voice of the people: to make stuff as foolproof as possible, as fools are ingenious.
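
The split described above, as an added example that is not part of the original post: P1 scales each P2 array into a per-severity rate, and the same data is then collapsed into the single "summed likelihood, maximum severity" pair the TLDR warns against. The P2 arrays are the post's own; the P1 values and the function names are assumptions made for illustration, since the post gives no P1 figures.

```python
from math import isclose

SEVERITY = ["no notable harm", "superficial", "partial",
            "prolonged, incomplete healing", "permanent impairment", "death"]

# P2 arrays exactly as given in the post (unitless, conditional on harm occurring).
P2 = {
    "hot liquid, before control": [0, 0.1, 0.2, 0.5, 0.15, 0.05],
    "hot liquid, after control": [0.2, 0.25, 0.2, 0.3, 0.05, 0],
    "hot surface": [0.4, 0.4, 0.19, 0.01, 0, 0],
}

# ASSUMED P1 values (occurrences per 1000 devices); the post gives none.
P1 = {
    "hot liquid, before control": 2.0,
    "hot liquid, after control": 2.0,
    "hot surface": 5.0,
}

def risk_array(p1, p2):
    """Scale the unitless P2 distribution by P1; the result carries P1's unit."""
    if len(p2) != len(SEVERITY):
        raise ValueError("P2 needs one entry per severity bin")
    if any(p < 0 for p in p2) or not isclose(sum(p2), 1.0, abs_tol=1e-9):
        raise ValueError("P2 must be non-negative and sum to one")
    return [p1 * p for p in p2]

def max_severity(p2):
    """Index of the highest severity bin that still has non-zero probability."""
    return max(i for i, p in enumerate(p2) if p > 0)

def collapsed(p1, p2):
    """The simplification from the TLDR: summed non-negligible likelihood
    (every bin above 'no notable harm') paired with the maximum severity."""
    return p1 * sum(p2[1:]), SEVERITY[max_severity(p2)]

if __name__ == "__main__":
    for name, p2 in P2.items():
        rate, worst = collapsed(P1[name], p2)
        print(name)
        print("  array    :", [round(r, 3) for r in risk_array(P1[name], p2)])
        print(f"  collapsed: {rate:.2f} per 1000 devices, all booked as '{worst}'")
```

With the assumed P1 of 2.0, the collapsed form books the whole rate for hot liquid before control against "death", while the array puts only 0.1 per 1000 devices in that bin.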