Qualitative vs. Quantitative Risk Assessment

Dan Johnson

#1
While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.

Am I off track on this or can someone please point me in the right direction?
 
Tyler C

#2
What standard or other reason are you looking at writing a risk management procedure?

In ISO 9001:2015, there are no explicit requirements for a risk management procedure, nor whether or not criteria, probability, and severity need to be quantified.

However, there is a statement, "Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services." To me, this means you somehow have to determine whether or not the action you take is proportionate to the impact it may have. Quantifying the criteria, probability, and severity seems to be the only way, or most accepted way, to determine this. But, if you can find a different way to determine proportion to impact, then feel free to explore it.
 

howste

Thaumaturge
Super Moderator
#3
> What standard or other reason are you looking at writing a risk management procedure?

This thread is in the AS9100 forum, so I'll assume AS9100.

AS9100 Rev C (product realization) risk requirements (7.1.2):
The organization shall establish, implement and maintain a process for managing risk to the achievement of applicable requirements, that includes as appropriate to the organization and the product
a) assignment of responsibilities for risk management,
b) definition of risk criteria (e.g., likelihood, consequences, risk acceptance),
c) identification, assessment and communication of risks throughout product realization,
d) identification, implementation and management of actions to mitigate risks that exceed the defined risk acceptance criteria, and
e) acceptance of risks remaining after implementation of mitigating actions.

AS9100 Rev D (operational) risk requirements (8.1.1):
The organization shall plan, implement, and control a process for managing operational risks to the achievement of applicable requirements, which includes as appropriate to the organization and the products and services:
a. assignment of responsibilities for operational risk management;
b. definition of risk assessment criteria (e.g., likelihood, consequences, risk acceptance);
c. identification, assessment, and communication of risks throughout operations;
d. identification, implementation, and management of actions to mitigate risks that exceed the defined risk acceptance criteria;
e. acceptance of risks remaining after implementation of mitigating actions.

I don't see anything in there that specifically requires quantitative values. There's nothing in the definitions of risk in AS9100C or ISO 9000:2015 that indicates quantitative data either. I prefer it though, even though often the numbers end up being somewhat subjective.
 

Helmut Jilling

Auditor / Consultant
#5
> While educating myself on risk management in preparation to write a risk procedure (some years ago), I had come to the conclusion that the criteria, probability and severity, needed to be quantified. I remember determining this was a requirement rather than a "best practice" but can no longer find any reference.
>
> Am I off track on this or can someone please point me in the right direction?

There are many different types of situations that have risks and opportunities. There are many different ways to evaluate risks and opportunities. Let the situation define the methods. Some things should be quantified.... then do so. Some things are qualitative...if I order the key lime pie, what if it turns out to be commercial and not traditional style...? You don't quantify that, you just decide and go....
 
Dan Johnson

#6
Thank you, gentlemen. I read it the same. The procedure I wrote a few years ago has qualitative criteria but also states it's scalable to lower level programs within our organization. We have an AS certification at our corporate site but also independently certified programs at different locations. While reviewing a corrective action from a customer, the question came up and I didn't see any other reference in 9100/9110 to another standard like you see in configuration management. Hence the question.

While even criteria with quantitative metrics are somewhat subjectively determined, I feel they give a better picture to everyone across the organization of the level of risk.
 