Risk Analysis and Probability of Occurrence

#1
Hi Everyone,
First, thanks to so many people on this forum for the information and perspective you provide. Ronen, Bev, Marcello, Ajit, Don, Marc, and others, you have been more valuable than you know. Anyways, on to my question.

When conducting risk analysis according to 14971, and specifically when pulling together a hazard analysis, does it actually make sense to evaluate the risk prior to identification\implementation of risk control measures?

I have seen several times now where companies/individuals want to assign an “initial” probability of occurrence rating without taking into account any risk control measures. These are almost always 5’s or 10’s on the rating scale, indicating harm is nearly all but certain if this imaginary device were to be used. Then they have risk controls listed, and a “residual” probability rating, often very low on the scale, that is determined taking the risk controls into account.

In my mind, the first probability rating is non-value add. The reality is nobody would ever release a medical device without addressing these risks. And people reliably end up debating back and forth about what probability of occurrence ratings to assign to these somewhat imaginary, unaddressed risks.

I understand that having an “initial” risk score could help the company prioritize which risks to address first or with more rigor, but in the end, the expectation is that ALL risks must be reduced as far as possible. The order in which they are addressed doesn’t matter, and the level of “initial risk” doesn’t matter.

I also understand that it's convenient to be able to say to an assessor/inspector/auditor “our risk control measures reduced the risk from this early high rating to this new lower rating.” But again, does the amount of reduction from some starting point actually matter? In my perspective, what truly matters is that (1) risks are reduced as far as possible (without sacrificing performance or impacting benefit-risk ratio), and (2) residual risks remaining after implementation of risk controls are deemed acceptable or justified by a benefit-risk analysis.

What I would like to propose on my current project is that we delay assigning any probability of occurrence of harm ratings until the risk controls are identified and we have actual data to support the ratings.

The flow should be (and I'm simplifying here, as I don't think this is a singular linear process, but rather an iterative one):

1. Identify intended use and foreseeable misuse.
2. Identify hazards, hazardous situations, and the series of events that can result in the hazard situation occurring.
3. Identify the severity of the harms.
4. Identify risk control measures to address the aforementioned series of events.
5. Evaluate probability of occurrence of harm, once these controls are identified\implemented, and calculate/determine/classify the residual risk that remains.
6. Evaluate acceptability of residual risks.

Does this make sense? Am I missing something? Sorry for the wall of text, but this is obviously a loaded topic that doesn’t fit into single sentences. Thanks!
 

Tidge

Trusted Information Resource
#2
When conducting risk analysis according to 14971, and specifically when pulling together a hazard analysis, does it actually make sense to evaluate the risk prior to identification\implementation of risk control measures?
Yes. My blunt assessment: Any group that 'blindly' (or rather 'uninformedly') assesses pre-control risks as all being equally 'ultimate bad' probably can't be trusted (to do an appropriate, uniform job) when it comes to assessing risks post-controls for their actual design.

More subtly: One approach to an evaluation of risk reduction is to consider "how powerful" the verification of effectiveness "needs to be" to reduce risks to acceptable levels (previous era) or reduce risks as much as possible (to some arbitrary point of diminishing returns, current era). If you start with all risks as being the "ultimately bad" (in a quantitative approach), logically you won't be able to defend your post control ratings (across the board) as satisfying 'reduced as much as possible' because you didn't do a true assessment of the initial risk. (Not exactly the same thing: you need two defined points to draw a single line.)
 

Bev D

Heretical Statistician
Staff member
Super Moderator
#3
It never makes sense to assess 'probability of occurrence' without data. No data = wild a$$ guess.
It does make sense to assign severity as that can be logically derived. This prioritizes the failure modes or hazards you need to focus on for control plans and mitigations and design changes...
 

indubioush

Quite Involved in Discussions
#4
When conducting risk analysis according to 14971, and specifically when pulling together a hazard analysis, does it actually make sense to evaluate the risk prior to identification\implementation of risk control measures?
Yes it does, and this is why: You should be doing risk analysis activities from the very beginning of design and development. These activities provide design input, which, when implemented, are risk control measures. Risk assessment informs design. If you cannot estimate probability, don't worry; you don't have to. For items where the probability of occurrence cannot be estimated, you can assess based on the severity alone (as Bev states above). Just be sure to state this in your risk management plan.

Many companies start doing risk management activities too late. Maybe they had these risks in their heads when they were designing the device, but they did not document them. Now the device is fully designed and the company is documenting the pre-control risk levels as though they actually started doing risk assessment when they were supposed to. This just feels weird. If risk management is done the right way, the pre-control risk doesn't feel weird or wrong; it feels right and truthful.
 