# Risk Probability - Is there a Better System?

#### Mark Meer

##### Trusted Information Resource
We've got a 14971 compliant risk management procedure in place that's been working pretty well for us.

...that being said, there's always been one element that has bothered me: Probability. It seems to me that a single number (e.g. 1-5) is lacking... perhaps there is a better way?

Take a simplified example: A window.

• (E) Event: Window is impacted.
• (HS) Hazardous Situation: Window shatters into sharp shards.
• (H) Harm: Cuts
• (S) Worst-Case Severity: An artery is cut.

It seems like a more refined probability structure would be prudent if we wanted to effectively evaluate this risk. Namely:
• What is the probability of the event?
• What is the probability that, given the event, it results in a hazardous situation?
• What is the probability that, given the hazardous situation, it results in harm?
• What is the probability that, given harm, it is the worst-case harm?

This would certainly complicate the risk-management process, but it'd provide a better understanding of probability break-down...

Thoughts? I'd be curious how others would assign a probability value in this example...

#### Marcelo

##### Inactive Registered Visitor
> (E) Event: Window is impacted.
> (HS) Hazardous Situation: Window shatters into sharp shards.
> (H) Harm: Cuts
> (S) Worst-Case Severity: An artery is cut.

There's a little error here: "Window shatters into sharp shards" is not the hazardous situation. The hazardous situation would be when someone puts their hand or steps into the shard (it's an exposure to the cutting or severing hazard).

So your sequence of events would be something like this:

(Hazard) Cutting or severing hazard
(Sequence of events)
(E1) Window is impacted
(E2) Window shatters into sharp shards on the floor
(E3) Shoeless person walks onto the floor
(HS) Person steps on the shard
(H) Harm: Cuts
(S) Worst-Case Severity: An artery is cut

E1, E2 and E3 would have their own probability. Those together would form P1 (exposure probability). Most of the time, to reduce the probability you would need to act on one of those separate probabilities.

> What is the probability of the event?

I understand that the event you mentioned here is the "failure/fault" or the initiating sequence of events, right?

> What is the probability that, given the event, it results in a hazardous situation?

This is P1 as I mentioned.

> What is the probability that, given the hazardous situation, it results in harm?

This is P2. In my example, this will be 100% because I detailed the sequence of events with enough detail to say that the person is shoeless.

> What is the probability that, given harm, it is the worst-case harm?

Now, this usually depends on an evaluation of the problem from a clinical perspective.

> This would certainly complicate the risk-management process, but it'd provide a better understanding of probability break-down...

ISO 14971 already requires this, so I don't see the "complicate" stuff really (on the other hand, generally people do a very high level, usually non-compliant risk management, so in this case I would agree that it would complicate).


#### Mark Meer

##### Trusted Information Resource
Thanks for clarifying the sequence Marcelo.

> ISO 14971 already requires this, so I don't see the "complicate" stuff really (on the other hand, generally people do a very high level, usually non-compliant risk management, so in this case I would agree that it would complicate).

Annex D does allude to such a breakdown, but I don't see it as a requirement in the main text.

In practice, I think, the standard encourages people to aim for some sort of matrix (like figure D3), which involves only one probability value.

So, if we continue with the example, we might have:

P(1) = Exposure Probability = P(E1) * P(E2) * P(E3)
P(2) = Harm Probability (given exposure has occurred)
P(3) = Worst-case harm probability (given harm has occurred)

So, if we want a value for our matrix, what would it be? P(1) * P(2) * P(3)?

It seems like this approach would lead to under-valued RPNs, as all probabilities factor in probability of the worst-case outcome (which, in most cases, is far less than the typical outcome).

#### rickpaul01

##### Involved in HankyPanky
> Thanks for clarifying the sequence Marcelo.
>
> It seems like this approach would lead to under-valued RPNs,

You would have a low value of the worst case. But you already know the probability of "any" harm. Right?

#### Marcelo

##### Inactive Registered Visitor
> So, if we continue with the example, we might have:
>
> P(1) = Exposure Probability = P(E1) * P(E2) * P(E3)
> P(2) = Harm Probability (given exposure has occurred)
> P(3) = Worst-case harm probability (given harm has occurred)
>
> So, if we want a value for our matrix, what would it be? P(1) * P(2) * P(3)?
>
> It seems like this approach would lead to under-valued RPNs, as all probabilities factor in probability of the worst-case outcome (which, in most cases, is far less than the typical outcome).

No, the worst-case needs to be part of P2.

If you have more than one outcome, you may need to separate assessments, unless the worst case can be reasonably expected to cover all cases.

#### Mark Meer

##### Trusted Information Resource
> You would have a low value of the worst case. But you already know the probability of "any" harm. Right?

Yes, but these should really be treated separately: the worst-case, and the "typical" case.
Otherwise, you'd be either over-representing the actual risk (by using probability of any harm (P(2)) with worst-case severity ranking), or under-representing the actual risk (by using probability of worst-case harm only).

#### rickpaul01

##### Involved in HankyPanky
Correct, but I don't think you can have one answer to two questions.

#### Mark Meer

##### Trusted Information Resource
> No, the worst-case needs to be part of P2.
> If you have more than one outcome, you may need to separate assessments, unless the worst case can be reasonably expected to cover all cases.

You almost always have more than one outcome, no?

Again, continuing with the example, possible outcomes might be:
1. Minor cut
2. Major cut (say, those requiring stitches)
3. (worst-case) Cut artery

Suppose, just for argument's sake, that outcome 1 is probable, outcome 2 is rare, and outcome 3 is extremely rare.

If we use the probability of outcome 1 (highly probable) with the worst-case severity (very severe), our risk-priority would be about as high as it gets!
...this, in my opinion, would not be an accurate representation of this risk.

#### Marcelo

##### Inactive Registered Visitor
> You almost always have more than one outcome, no?
>
> Again, continuing with the example, possible outcomes might be:
> 1. Minor cut
> 2. Major cut (say, those requiring stitches)
> 3. (worst-case) Cut artery
>
> Suppose, just for argument's sake, that outcome 1 is probable, outcome 2 is rare, and outcome 3 is extremely rare.
>
> If we use the probability of outcome 1 (highly probable) with the worst-case severity (very severe), our risk-priority would be about as high as it gets!
> ...this, in my opinion, would not be an accurate representation of this risk.

Hum, I think we are mixing things here.

Let me try to get more visual so we can level the discussion.

The probability of the hazardous situation is the sum of the separate sequence of events probabilities, so:

PHS = PE1 + PE2 + PE3 + PE4

For each harm, we would have a specific probability.

So, the RISK, which is the combination of the probability of occurrence of harm and the severity of that harm, is:

Risk 1: Minor cut severity: probability is PHZ x PH1
Risk 2: Major cut severity: probability is PHZ x PH2
Risk 3: Artery cut severity: probability is PHZ x PH1

With this, you can then evaluate your risk (using a matrix, for example).
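
The per-outcome breakdown discussed in this thread, as an added example that is not part of any post: it uses the product form P(1) = P(E1) * P(E2) * P(E3) from the earlier post and compares one matrix cell per harm against the two single-number shortcuts. Every probability, severity score and level threshold below is a constructed assumption.

```python
from math import prod

# Constructed, illustrative numbers: none of these values come from the thread.
P_EVENTS = {"E1 window impacted": 0.05,
            "E2 window shatters on the floor": 0.4,
            "E3 shoeless person walks on the floor": 0.1}
# harm -> (P(this harm | hazardous situation), severity 1-5); sums to 1 here
OUTCOMES = {"minor cut": (0.90, 2),
            "major cut": (0.09, 3),
            "artery cut": (0.01, 5)}
# Assumed probability scale: (lower bound, matrix level), highest first.
LEVELS = [(1e-2, 5), (1e-3, 4), (1e-4, 3), (1e-5, 2), (0.0, 1)]


def level(p):
    """Map a probability to a 1-5 matrix level using the assumed bounds."""
    return next(lvl for floor, lvl in LEVELS if p >= floor)


def exposure(events=P_EVENTS):
    """P(1): every event in the sequence occurs, each given the previous one."""
    return prod(events.values())


def per_outcome(events=P_EVENTS, outcomes=OUTCOMES):
    """One (probability level, severity) matrix cell per harm."""
    p1 = exposure(events)
    return {harm: (level(p1 * p2), sev) for harm, (p2, sev) in outcomes.items()}


def single_cell(events=P_EVENTS, outcomes=OUTCOMES):
    """The two single-number shortcuts debated in the thread."""
    p1 = exposure(events)
    worst = max(sev for _, sev in outcomes.values())
    p_any = p1 * sum(p2 for p2, _ in outcomes.values())
    p_worst = p1 * sum(p2 for p2, sev in outcomes.values() if sev == worst)
    return {"any harm, worst severity": (level(p_any), worst),
            "worst-case harm only": (level(p_worst), worst)}


if __name__ == "__main__":
    for harm, cell in per_outcome().items():
        print(f"{harm:12s} level/severity = {cell}")
    for name, cell in single_cell().items():
        print(f"{name:26s} level/severity = {cell}")
```

With these constructed numbers the any-harm shortcut lands in cell (4, 5) and the worst-case-only shortcut in (2, 5), while the per-outcome cells are (4, 2), (3, 3) and (2, 5).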
