Risk Probability - Is there a Better System?

Mark Meer

Trusted Information Resource
#1
We've got a 14971 compliant risk management procedure in place that's been working pretty well for us.

...that being said, there's always been one element that has bothered me: Probability. It seems to me that a single number (e.g. 1-5) is lacking... perhaps there is a better way?

Take a simplified example: A window.

  • (E) Event: Window is impacted.
  • (HS) Hazardous Situation: Window shatters into sharp shards.
  • (H) Harm: Cuts
  • (S) Worst-Case Severity: An artery is cut.

It seems like a more refined probability structure would be prudent if we wanted to effectively evaluate this risk. Namely:
  • What is the probability of the event?
  • What is the probability that, given the event, it results in a hazardous situation?
  • What is the probability that, given the hazardous situation, it results in harm?
  • What is the probability that, given harm, it is the worst-case harm?

This would certainly complicate the risk-management process, but it'd provide a better understanding of probability break-down...

Thoughts? I'd be curious how others would assign a probability value in this example...
 

Marcelo

Inactive Registered Visitor
#3
(E) Event: Window is impacted.
(HS) Hazardous Situation: Window shatters into sharp shards.
(H) Harm: Cuts
(S) Worst-Case Severity: An artery is cut.
There's a little error here: "Window shatters into sharp shards" is not the hazardous situation; the hazardous situation would be when someone puts his hand on or steps on the shard (it's an exposure to the cutting or severing hazard).

So your sequence of events would be something like this:

(Hazard) Cutting or severing hazard
(Sequence of events)
(E1) Window is impacted
(E2) Window shatters into sharp shards on the floor
(E3) Shoeless person walks on the floor
(HS) Person steps on the shard
(H) Harm: Cuts
(S) Worst-Case Severity: An artery is cut


E1, E2 and E3 would have their own probability. Those together would form P1 (exposure probability). Most of the time, to reduce the probability you would need to act on one of those separate probabilities.

What is the probability of the event?
I understand that the event you mentioned here is the "failure/fault" or the initiating sequence of events, right?

What is the probability that, given the event, it results in a hazardous situation?
This is P1 as I mentioned.

What is the probability that, given the hazardous situation, it results in harm?
This is P2. In my example, this will be 100% because I described the sequence of events in enough detail to say that the person is shoeless.

What is the probability that, given harm, it is the worst-case harm?
Now, this usually depends on an evaluation of the problem from a clinical perspective.

This would certainly complicate the risk-management process, but it'd provide a better understanding of probability break-down...
ISO 14971 already requires this, so I don't see the "complicate" stuff really (on the other hand, generally people do a very high level, usually non-compliant risk management, so in this case I would agree that it would complicate :p)
 

Mark Meer

Trusted Information Resource
#4
Thanks for clarifying the sequence Marcelo.

ISO 14971 already requires this, so I don't see the "complicate" stuff really (on the other hand, generally people do a very high level, usually non-compliant risk management, so in this case I would agree that it would complicate :p)
Annex D does allude to such a breakdown, but I don't see it as a requirement in the main text.

In practice, I think, the standard encourages people to aim for some sort of matrix (like figure D3), which involves only one probability value.

So, if we continue with the example, we might have:

P(1) = Exposure Probability = P(E1) * P(E2) * P(E3)
P(2) = Harm Probability (given exposure has occurred)
P(3) = Worst-case harm probability (given harm has occurred)

So, if we want a value for our matrix, what would it be? P(1) * P(2) * P(3)?

It seems like this approach would lead to under-valued RPNs, as all probabilities factor in probability of the worst-case outcome (which, in most cases, is far less than the typical outcome).
 

Marcelo

Inactive Registered Visitor
#6
So, if we continue with the example, we might have:

P(1) = Exposure Probability = P(E1) * P(E2) * P(E3)
P(2) = Harm Probability (given exposure has occurred)
P(3) = Worst-case harm probability (given harm has occurred)

So, if we want a value for our matrix, what would it be? P(1) * P(2) * P(3)?

It seems like this approach would lead to under-valued RPNs, as all probabilities factor in probability of the worst-case outcome (which, in most cases, is far less than the typical outcome).
No, the worst-case needs to be part of P2.

If you have more than one outcome, you may need to separate assessments, unless the worst case can be reasonably expected to cover all cases.
 

Mark Meer

Trusted Information Resource
#7
You would have a low value of the worst case. But you already know the probability of "any" harm. Right?
Yes, but these should really be treated separately: the worst-case, and the "typical" case.
Otherwise, you'd be either over-representing the actual risk (by using probability of any harm (P(2)) with worst-case severity ranking), or under-representing the actual risk (by using probability of worst-case harm only).
 

Mark Meer

Trusted Information Resource
#9
No, the worst-case needs to be part of P2.
If you have more than one outcome, you may need to separate assessments, unless the worst case can be reasonably expected to cover all cases.
You almost always have more than one outcome, no?

Again, continuing with the example, possible outcomes might be:
1. Minor cut
2. Major cut (say, those requiring stitches)
3. (worst-case) Cut artery

Suppose, just for argument's sake, that outcome 1 is probable, outcome 2 is rare, and outcome 3 is extremely rare.

If we use the probability of outcome 1 (highly probable) with the worst-case severity (very severe), our risk-priority would be about as high as it gets!
...this, in my opinion, would not be an accurate representation of this risk.
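
The per-outcome split discussed in posts #4 to #9, worked through as an added example that is not part of any poster's message: it uses the P(1) = P(E1) * P(E2) * P(E3) form from post #4 and compares one matrix cell per harm against the two single-number shortcuts. All probabilities, severity ranks and the level thresholds are constructed assumptions, and the events are assumed independent.

```python
from math import prod

# Constructed inputs for the thread's window example; every number is an assumption.
EVENTS = {  # sequence of events leading to exposure (E1..E3 from post #3)
    "E1 window is impacted": 0.05,
    "E2 window shatters into shards": 0.5,
    "E3 shoeless person walks on the floor": 0.2,
}
OUTCOMES = {  # harm -> (P2: probability given the hazardous situation, severity rank 1-5)
    "minor cut": (0.90, 2),
    "major cut": (0.09, 3),
    "artery cut": (0.01, 5),
}
# Hypothetical matrix scale: (lower bound, probability level), highest first.
LEVELS = [(1e-2, 5), (1e-3, 4), (1e-4, 3), (1e-5, 2)]

def level(p):
    """Map a probability to a 1-5 matrix level using the assumed LEVELS scale."""
    return next((lvl for bound, lvl in LEVELS if p >= bound), 1)

def exposure_probability(events):
    """P1 = P(E1) * P(E2) * P(E3), valid only if the events are independent."""
    return prod(events.values())

def per_outcome_risks(events, outcomes):
    """One (probability level, severity) pair per harm, using P1 * P2 for that harm."""
    p1 = exposure_probability(events)
    return {harm: (level(p1 * p2), sev) for harm, (p2, sev) in outcomes.items()}

def single_number_shortcuts(events, outcomes):
    """The two single-row shortcuts post #7 warns about, both at worst-case severity."""
    p1 = exposure_probability(events)
    worst_p2, worst_sev = max(outcomes.values(), key=lambda o: o[1])
    p_any = p1 * sum(p2 for p2, _ in outcomes.values())
    return {
        "any-harm probability x worst severity": (level(p_any), worst_sev),
        "worst-case probability only": (level(p1 * worst_p2), worst_sev),
    }

if __name__ == "__main__":
    for harm, cell in per_outcome_risks(EVENTS, OUTCOMES).items():
        print(f"{harm:12s} -> level {cell[0]}, severity {cell[1]}")
    for name, cell in single_number_shortcuts(EVENTS, OUTCOMES).items():
        print(f"{name} -> level {cell[0]}, severity {cell[1]}")
```

With these constructed numbers the any-harm shortcut lands two probability levels above the artery-cut row, while the worst-case-only shortcut drops the more probable minor and major cut rows from view.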
 

Marcelo

Inactive Registered Visitor
#10
You almost always have more than one outcome, no?

Again, continuing with the example, possible outcomes might be:
1. Minor cut
2. Major cut (say, those requiring stitches)
3. (worst-case) Cut artery

Suppose, just for argument's sake, that outcome 1 is probable, outcome 2 is rare, and outcome 3 is extremely rare.

If we use the probability of outcome 1 (highly probable) with the worst-case severity (very severe), our risk-priority would be about as high as it gets!
...this, in my opinion, would not be an accurate representation of this risk.
Hum, I think we are mixing things here.

Let me try to get more visual so we can level the discussion.



The probability of the hazardous situation is the sum of the separate sequence of events probabilities, so:

PHS = PE1 + PE2 + PE3 + PE4

For each harm, we would have a specific probability.

So, the RISK, which is the combination of the probability of occurrence of harm and the severity of that harm, is:

Risk 1: Minor cut severity : probability is PHZ x PH1
Risk 2: Major cut severity : probability is PHZ x PH2
Risk 3 : Artery cut severity : probability PHZ x PH1

With this, you can then evaluate your risk (using a matrix, for example).
 
