# Risk Management selection Probability of Occurrence and Severity

#### eileenr

Hello everyone,
I am currently producing a risk management procedure following the ISO 14971 standard. I appreciate that the Risk Management Team who will complete the risk table will be trained and experienced, but I also believe that my procedure should be comprehensive enough that anyone ought to be able to pick it up and use it. Therefore I am wondering, I have my probability of occurrence table and the probability of severity table, however, is there some sort of formula that ought to be used to ensure that the probabilities selected are correct versus estimates? So my question is do other people put guidance at the end of their procedures or equations on how to actually determine the probability of hazard, hazardous situation, harm occurring etc?
Thank you in advance for any feedback
Eileen

#### Sam Lazzara

This is up to the manufacturer to define in their risk management process - no standardization I am aware of.
What I see most commonly are 5 levels of Probability (1 through 5) with corresponding numeric ranges, typically logarithmic.
That way, the persons doing the estimates have a reasonable basis for making those estimates instead of only having vague words like probable, remote, once every blue moon, etc. to think about.

For example, P=3 could correlate to 0.1% to 1.0%.
The P values should correspond to the probability of a particular cause leading to harm through a sequence of events.
You could choose to incorporate detectability into your P estimates although at least for Process FMEA type analyses most people seem to have Detectability as a third component of the Residual Risk Index calculation.

Side note - Most people do not speak about the probability of severity. The Severity (also typically a 5 point scale in my experience) is the severity of the worst imagined consequence/harm stemming from the imagined hazards/failures. While I suppose Severity is probabilistic, most tend to just assume the worst will happen (within reason).

#### eileenr

Good Morning Sam,
Thank you for your response. I was hoping that there might be some equation I could use, something very concrete. Having discussed this with the engineering team who will be completing the risk management they have decided not to use the detectability equation. It was just a question I asked when I was actually going through the risk management, I found that the numbers being selected were estimates versus being concrete fact, I imagine when the actual procedure is being used, there will be exact risks and hence there will be evidence to support the answers- I hope!!!!
Thank you again for your response.

I find the informative Annex D to 14971 to be very helpful as it gives clear examples of both qualitative and semi-quantitative analyses, as well as examples of a 3x3 matrix and 5x5 matrix.

For what it's worth we now tend to use a 4x4 matrix, having previously used a 3S x 5P. We changed that because we could not separate two of the probability levels with anything other than guesswork.

The choice of matrix size does tend to be based on the expected overall risk and complexity of the manufacturer's device. Simple low risk devices tend to use a smaller matrix (that is, have fewer defined levels for severity and probability). And, with a more complex device you may have more "solid data" that can be used in calculations of probability, so moving more towards the "quantitative" approach.

#### eileenr

Thank you for that advice, I have been referencing ISO 14971 and have found it to be so useful. I think the key to it all is the amount of data that is available for the medical device that is undergoing the risk assessment. I have been working on a hypothetical risk assessment and it's too abstract. I am sure when I am actually doing the risk management assessment for real it will all fall into place. I will use the information provided in annex D.3. Thank you

#### sagai

Recently I tend to ignore the probability part of this story to be honest.
I think the only certainty we may have is solely our impression if the mitigation moves probability up, down or stays more or less the same, that's all.
And this is also coming through for me based on some of the recently mentioned deviations among the sevenish.
Regards

#### Bev D

> I was hoping that there might be some equation I could use, something very concrete... I found that the numbers being selected were estimates versus being concrete fact, I imagine when the actual procedure is being used, there will be exact risks and hence there will be evidence to support the answers- I hope!!!!

The only way to determine the probability of occurrence is to test for it, which is the purpose of verification and validation testing... Even then it will be an 'estimate' but you can calculate the precision of the estimate based on the value and the sample size.

Really the probability of occurrence (or frequency of occurrence) is really only of value in relationship to the severity of the effect. Very serious effects should be mitigated so that there is a very low probability/frequency of occurrence and trivial severities can have much larger occurrences...

Risk assessment is not intended to be a mathematically precise exercise. It requires thought, logic and good science.
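
An added illustration, not part of the original thread and not any poster's own method, combining the logarithmic probability levels Sam Lazzara describes with the sample-size-dependent precision Bev D mentions. Only the P=3 range (0.1% to 1.0%) comes from the thread; the other level boundaries, the choice of the Wilson score interval as the precision measure, and all function names are assumptions.

```python
import math

# Assumed decade-wide scale. Only P=3 (0.1% to 1.0%) is taken from the thread;
# the other boundaries are illustrative and must be defined by the manufacturer.
P_LEVEL_UPPER_BOUNDS = [(1, 1e-4), (2, 1e-3), (3, 1e-2), (4, 1e-1), (5, 1.0)]


def wilson_interval(failures, n, z=1.96):
    """Wilson score interval for a binomial proportion (about 95% for z=1.96)."""
    if n <= 0 or not 0 <= failures <= n:
        raise ValueError("need n > 0 and 0 <= failures <= n")
    p = failures / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def p_level(prob):
    """Map a probability (0..1) to the assumed 1-5 logarithmic P scale."""
    for level, upper in P_LEVEL_UPPER_BOUNDS:
        if prob <= upper:
            return level
    return 5


def assess(failures, n):
    """Point estimate, interval, and the P level each one would justify."""
    low, high = wilson_interval(failures, n)
    point = failures / n
    return {
        "point": point,
        "low": low,
        "high": high,
        "level_point": p_level(point),   # level suggested by the raw rate
        "level_upper": p_level(high),    # level the data cannot rule out
    }


if __name__ == "__main__":
    # Constructed test outcomes: (failures observed, units tested)
    for failures, n in [(0, 30), (0, 3000), (2, 1000)]:
        r = assess(failures, n)
        print(f"{failures}/{n}: point={r['point']:.4%} "
              f"95% interval=[{r['low']:.4%}, {r['high']:.4%}] "
              f"P(point)={r['level_point']} P(upper)={r['level_upper']}")
```

With zero failures in 30 units the point estimate suggests the lowest level, yet the upper bound still falls in the highest, which is why the sample size has to be stated alongside any P value taken from test data.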

#### eileenr

Good Morning Sagai & Bev D
Thank ye both for your replies. I am only learning about all this risk management at the moment, I suppose having a scientific background, I really wanted an equation, but it seems that one does not apply. That answers my question, thank you for your replies, I do appreciate all the feedback.
Thanks

#### sagai

E,
We can take a huge advantage on this forum to save a massive number of years for the journey that takes us to the more or less same conclusion.

#### somashekar

A serious approach to this can be going out of the organization into the medical field, hospitals, doctors and other medical professionals and assess from their experience. It is worth having such professionals on your panel for any sort of discussions that throw more light on risk management.

