Qualitative vs. Quantitative Risk Assessment

Dan Johnson

#1
While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.

Am I off track on this or can someone please point me in the right direction?
 
Tyler C

#2
What standard or other reason are you looking at writing a risk management procedure?

In ISO 9001:2015, there are no explicit requirements for a risk management procedure, nor whether or not criteria, probability, and severity need to be quantified.

However, there is a statement, "Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services." To me, this means you somehow have to determine whether or not the action you take is proportionate to the impact it may have. Quantifying the criteria, probability, and severity seems to be the only way, or most accepted way, to determine this. But, if you can find a different way to determine proportion to impact, then feel free to explore it.
 

howste

Thaumaturge
Super Moderator
#3
> What standard or other reason are you looking at writing a risk management procedure?

This thread is in the AS9100 forum, so I'll assume AS9100.

AS9100 Rev C (product realization) risk requirements (7.1.2):
The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product
a) assignment of responsibilities for risk management,
b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
c) identification, assessment and communication of risks throughout product realization,
d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and
e) acceptance of risks remaining after implementation of mitigating actions.

AS9100 Rev D (operational) risk requirements (8.1.1):
The organization shall plan, implement, and control a process for managing operational risks to the achievement of applicable requirements, which includes as appropriate to the organization and the products and services:
a. assignment of responsibilities for operational risk management;
b. definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance);
c. identification, assessment, and communication of risks throughout operations;
d. identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria;
e. acceptance of risks remaining after implementation of mitigating actions.

I don't see anything in there that specifically requires quantitative values. There's nothing in the definitions of risk in AS9100C or ISO 9000:2015 that indicates quantitative data either. I prefer it though, even though often the numbers end up being somewhat subjective.
 

Helmut Jilling

Auditor / Consultant
#5
> While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.
>
> Am I off track on this or can someone please point me in the right direction?

There are many different types of situations that have risks and opportunities. There are many different ways to evaluate risks and opportunities. Let the situation define the methods. Some things should be quantified.... then do so. Some things are qualitative...if I order the key lime pie, what if it turns out to be commercial and not traditional style...? You don't quantify that, you just decide and go....
 
Dan Johnson

#6
Thank you, gentlemen. I read it the same. The procedure I wrote a few years ago has qualitative criteria but also states it's scalable to lower level programs within our organization. We have an AS certification at our corporate site but also independently certified programs at different locations. While reviewing a corrective action from a customer, the question came up and I didn't see any other reference in 9100/9110 to another standard like you see in configuration management. Hence the question.

While even criteria with quantitative metrics are somewhat subjectively determined, I feel they give a better picture to everyone across the organization of the level of risk.
 