Qualitative vs. Quantitative Risk Assessment

Dan Johnson

#1
While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.

Am I off track on this or can someone please point me in the right direction?
 
Tyler C

#2
What standard or other reason are you looking at writing a risk management procedure?

In ISO 9001:2015, there are no explicit requirements for a risk management procedure, nor whether or not criteria, probability, and severity need to be quantified.

However, there is a statement, "Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services." To me, this means you somehow have to determine whether or not the action you take is proportionate to the impact it may have. Quantifying the criteria, probability, and severity seems to be the only way, or most accepted way, to determine this. But, if you can find a different way to determine proportion to impact, then feel free to explore it.
 

howste

Thaumaturge
Trusted Information Resource
#3
> What standard or other reason are you looking at writing a risk management procedure?

This thread is in the AS9100 forum, so I'll assume AS9100.

AS9100 Rev C (product realization) risk requirements (7.1.2):
The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product
a) assignment of responsibilities for risk management,
b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
c) identification, assessment and communication of risks throughout product realization,
d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and
e) acceptance of risks remaining after implementation of mitigating actions.

AS9100 Rev D (operational) risk requirements (8.1.1):
The organization shall plan, implement, and control a process for managing operational risks to the achievement of applicable requirements, which includes as appropriate to the organization and the products and services:
a. assignment of responsibilities for operational risk management;
b. definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance);
c. identification, assessment, and communication of risks throughout operations;
d. identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria;
e. acceptance of risks remaining after implementation of mitigating actions.

I don't see anything in there that specifically requires quantitative values. There's nothing in the definitions of risk in AS9100C or ISO 9000:2015 that indicates quantitative data either. I prefer it though, even though often the numbers end up being somewhat subjective.
 

Helmut Jilling

Auditor / Consultant
#5
> While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.
>
> Am I off track on this or can someone please point me in the right direction?

There are many different types of situations that have risks and opportunities. There are many different ways to evaluate risks and opportunities. Let the situation define the methods. Some things should be quantified.... then do so. Some things are qualitative...if I order the key lime pie, what if it turns out to be commercial and not traditional style...? You don't quantify that, you just decide and go....
 
Dan Johnson

#6
Thank you, gentlemen. I read it the same. The procedure I wrote a few years ago has qualitative criteria but also states it's scalable to lower level programs within our organization. We have an AS certification at our corporate site but also independently certified programs at different locations. While reviewing a corrective action from a customer, the question came up and I didn't see any other reference in 9100/9110 to another standard like you see in configuration management. Hence the question.

While even criteria with quantitative metrics are somewhat subjectively determined, I feel they give a better picture to everyone across the organization of the level of risk.
 