# Risk Management selection Probability of Occurrence and Severity


#### eileenr

Hello everyone,
I am currently producing a risk management procedure following the ISO 14971 standard. I appreciate that the Risk Management Team who will complete the risk table will be trained and experienced, but I also believe that my procedure should be comprehensive enough that anyone ought to be able to pick it up and use it. Therefore I am wondering, I have my probability of occurrence table and the probability of severity table, however, is there some sort of formula that ought to be used to ensure that the probabilities selected are correct versus estimates? So my question is do other people put guidance at the end of their procedures or equations on how to actually determine the probability of hazard, hazardous situation, harm occurring etc?
Thank you in advance for any feedback
Eileen

#### Sam Lazzara

Trusted Information Resource
This is up to the manufacturer to define in their risk management process - no standardization I am aware of.
What I see most commonly are 5 levels of Probability (1 through 5) with corresponding numeric ranges, typically logarithmic.
That way, the persons doing the estimates have a reasonable basis for making those estimates instead of only having vague words like probable, remote, once every blue moon, etc. to think about.

For example, P=3 could correlate to 0.1% to 1.0%.
The P values should correspond to the probability of a particular cause leading to harm through a sequence of events.
You could choose to incorporate detectability into your P estimates although at least for Process FMEA type analyses most people seem to have Detectability as a third component of the Residual Risk Index calculation.

Side note - Most people do not speak about the probability of severity. The Severity (also typically a 5 point scale in my experience) is the severity of the worst imagined consequence/harm stemming from the imagined hazards/failures. While I suppose Severity is probabilistic, most tend to just assume the worst will happen (within reason).


#### eileenr

Good Morning Sam,
Thank you for your response. I was hoping that there might be some equation I could use, something very concrete. Having discussed this with the engineering team who will be completing the risk management they have decided not to use the detectability equation. It was just a question I asked when I was actually going through the risk management, I found that the numbers being selected were estimates versus being concrete fact, I imagine when the actual procedure is being used, there will be exact risks and hence there will be evidence to support the answers- I hope!!!!
Thank you again for your response.
E

Moderator
I find the informative Annex D to 14971 to be very helpful as it gives clear examples of both qualitative and semi-quantitative analyses, as well as examples of a 3x3 matrix and 5x5 matrix.

For what it's worth we now tend to use a 4x4 matrix, having previously used a 3S x 5P. We changed that because we could not separate two of the probability levels with anything other than guesswork.

The choice of matrix size does tend to be based on the expected overall risk and complexity of the manufacturer's device. Simple low risk devices tend to use a smaller matrix (that is, have fewer defined levels for severity and probability). And, with a more complex device you may have more "solid data" that can be used in calculations of probability, so moving more towards the "quantitative" approach.


#### eileenr

Thank you for that advice, I have been referencing ISO 14971 and have found it to be so useful. I think the key to it all is the amount of data that is available for the medical device that is undergoing the risk assessment. I have been working on a hypothetical risk assessment and it's too abstract. I am sure when I am actually doing the risk management assessment for real it will all fall into place. I will use the information provided in annex D.3. Thank you

#### sagai

##### Quite Involved in Discussions
Recently I tend to ignore the probability part of this story to be honest.
I think the only certainty we may have is solely our impression if the mitigation moves probability up, down or stays more or less the same, that's all.
And this is also coming through for me based on some of the recently mentioned deviations among the sevenish.
Regards

#### Bev D

##### Heretical Statistician
Super Moderator
> I was hoping that there might be some equation I could use, something very concrete... I found that the numbers being selected were estimates versus being concrete fact, I imagine when the actual procedure is being used, there will be exact risks and hence there will be evidence to support the answers- I hope!!!!

The only way to determine the probability of occurrence is to test for it, which is the purpose of verification and validation testing... Even then it will be an 'estimate' but you can calculate the precision of the estimate based on the value and the sample size.

Really the probability of occurrence (or frequency of occurrence) is really only of value in relationship to the severity of the effect. Very serious effects should be mitigated so that there is a very low probability/frequency of occurrence and trivial severities can have much larger occurrences...

Risk assessment is not intended to be a mathematically precise exercise. It requires thought, logic and good science.
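
An added example, not part of any post in this thread: it combines the logarithmic probability bands described by Sam Lazzara with the sample-size precision point above, by computing a one-sided exact (Clopper-Pearson) upper confidence bound on the occurrence probability from test results and mapping it to a P level. Only the P=3 band (0.1% to 1.0%) comes from the thread; the other decade boundaries, the 95% confidence level and all function names are assumptions made for illustration.

```python
import math

# Assumed 5-level logarithmic scale: (level, upper limit of the band).
# Only P=3 = 0.1%..1.0% is taken from the thread; the rest is constructed.
P_LEVEL_UPPER = [(1, 1e-4), (2, 1e-3), (3, 1e-2), (4, 1e-1), (5, 1.0)]


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_bound(failures, n, confidence=0.95):
    """One-sided exact (Clopper-Pearson) upper bound on the true occurrence rate."""
    if failures >= n:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(100):  # bisection on p: the CDF falls as p rises
        mid = (lo + hi) / 2
        if binom_cdf(failures, n, mid) > alpha:
            lo = mid  # this p is still plausible, the bound lies higher
        else:
            hi = mid
    return hi


def p_level(probability):
    """Map a probability to the first band whose upper limit contains it."""
    for level, upper in P_LEVEL_UPPER:
        if probability <= upper:
            return level
    return 5


def assess(failures, n, confidence=0.95):
    """Compare the level implied by the point estimate with the defensible one."""
    point = failures / n
    bound = upper_bound(failures, n, confidence)
    return {"point": point, "upper": bound,
            "level_point": p_level(point), "level_upper": p_level(bound)}


if __name__ == "__main__":
    # Constructed test results: (failures observed, units tested)
    for failures, n in [(0, 30), (0, 300), (2, 500)]:
        print(failures, n, assess(failures, n))
```

With these constructed inputs, zero failures in 30 units supports no better than P=4 at 95% confidence, while zero failures in 300 units supports P=3.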


#### eileenr

Good Morning Sagai & Bev D
Thank ye both for your replies. I am only learning about all this risk management at the moment, I suppose having a scientific background, I really wanted an equation, but it seems that one does not apply. That answers my question, thank you for your replies, I do appreciate all the feedback.
Thanks
E

#### sagai

##### Quite Involved in Discussions
E,
We can take a huge advantage on this forum to save a massive number of years for the journey that takes us to the more or less same conclusion.

#### somashekar

> Good Morning Sagai & Bev D
> Thank ye both for your replies. I am only learning about all this risk management at the moment, I suppose having a scientific background, I really wanted an equation, but it seems that one does not apply. That answers my question, thank you for your replies, I do appreciate all the feedback.
> Thanks
> E

A serious approach to this can be going out of the organization into the medical field, hospitals, doctors and other medical professionals and assess from their experience. It is worth having such professionals on your panel for any sort of discussions that throw more light on risk management.
