# Risk Probability - Is there a Better System?

#### Mark Meer

Trusted Information Resource
We've got a 14971 compliant risk management procedure in place that's been working pretty well for us.

...that being said, there's always been one element that has bothered me: Probability. It seems to me that a single number (e.g. 1-5) is lacking... perhaps there is a better way?

Take a simplified example: A window.

• (E) Event: Window is impacted.
• (HS) Hazardous Situation: Window shatters into sharp shards.
• (H) Harm: Cuts
• (S) Worst-Case Severity: An artery is cut.

It seems like a more refined probability structure would be prudent if we wanted to effectively evaluate this risk. Namely:
• What is the probability of the event?
• What is the probability that, given the event, it results in a hazardous situation?
• What is the probability that, given the hazardous situation, it results in harm?
• What is the probability that, given harm, it is the worst-case harm?

This would certainly complicate the risk-management process, but it'd provide a better understanding of probability break-down...

Thoughts? I'd be curious how others would assign a probability value in this example...

#### Marcelo

##### Inactive Registered Visitor
(E) Event: Window is impacted.
(HS) Hazardous Situation: Window shatters into sharp shards.
(H) Harm: Cuts
(S) Worst-Case Severity: An artery is cut.
There?s a little error here, Windows shatter into sharp shards is not the hazardous situation, the hazardous situation would be when someone put this hand or step into the shard (it?s an exposure to the cutting or severing hazard).

So you sequence of events would be something like this:

(Hazard) Cutting or severing hazard
(Sequence of events)
(E1)Window is impacted
(E2)Window shatters into sharp shards in the floor
(E3)Shoeless person walks into the floor
(HS) Person steps into the shard
(H) Harm: Cuts
(S) Worst-Case Severity: An artery is cut

E1, E2 and E3 would have their own probability. Those together would form P1 (exposure probability). Most of the time, to reduce the probability you would need to act on one of those separate probabilities.

What is the probability of the event?
I understand that the event you mentioned here is the "failure/fault" or the initiating sequence of events, right?

What is the probability that, given the event, it results in a hazardous situation?
This is P1 as I mentioned.

What is the probability that, given the hazardous situation, it results in harm?
This is P2. IN my example, this will be 100% because I detailed the sequence of events with details enough to say that the person is shoeless.

What is the probability that, given harm, it is the worst-case harm?
Now, this usually depends on a evaluation of the problem from a clinical perspective.

This would certainly complicate the risk-management process, but it'd provide a better understanding of probability break-down...
ISO 14971 already requires this, so I don?t see the "complicate" stuff really (on the other hand, generally people do a very high level, usually non-compliant risk management, so in this case I would agree that it would complicate )

Last edited:

#### Mark Meer

Trusted Information Resource
Thanks for clarifying the sequence Marcelo.

ISO 14971 already requires this, so I don´t see the "complicate" stuff really (on the other hand, generally people do a very high level, usually non-compliant risk management, so in this case I would agree that it would complicate )
Annex D does allude to such a breakdown, but I don't see it as a requirement in the main text.

In practice, I think, the standard encourages people to aim for a some sort of matrix (like figure D3), which involves only one probability value.

So, if we continue with the example, we might have:

P(1) = Exposure Probability = P(E1) * P(E2) * P(E3)
P(2) = Harm Probability (given exposure has occured)
P(3) = Worst-case harm probability (given harm has occurred)

So, if we want a value for our matrix, what would it be? P(1) * P(2) * P(3)?

It seems like this approach would lead to under-valued RPNs, as all probabilities factor in probability of the worst-case outcome (which, in most cases, is far less than the typical outcome).

#### rickpaul01

##### Involved in HankyPanky
Thanks for clarifying the sequence Marcelo.

It seems like this approach would lead to under-valued RPNs,
You would have a low value of the worst case. But you already know the probability of "any" harm. Right? #### Marcelo

##### Inactive Registered Visitor
So, if we continue with the example, we might have:

P(1) = Exposure Probability = P(E1) * P(E2) * P(E3)
P(2) = Harm Probability (given exposure has occured)
P(3) = Worst-case harm probability (given harm has occurred)

So, if we want a value for our matrix, what would it be? P(1) * P(2) * P(3)?

It seems like this approach would lead to under-valued RPNs, as all probabilities factor in probability of the worst-case outcome (which, in most cases, is far less than the typical outcome).
No, the worst-case needs to be part of P2.

If you have more than one outcome, you may need to separate assessments, unless the worst case can be reasonable expected to cover all cases.

#### Mark Meer

Trusted Information Resource
You would have a low value of the worst case. But you already know the probability of "any" harm. Right?
Yes, but these should really be treated separately: the worst-case, and the "typical" case.
Otherwise, you'd be either over-representing the actual risk (by using probability of any harm (P(2)) with worst-case severity ranking), or under-representing the actual risk (by using probability of worst-case harm only).

#### rickpaul01

##### Involved in HankyPanky
Correct, but I don't think you can have one answer to two questions.

#### Mark Meer

Trusted Information Resource
No, the worst-case needs to be part of P2.
If you have more than one outcome, you may need to separate assessments, unless the worst case can be reasonable expected to cover all cases.
You almost always have more than one outcome, no?

Again, continuing with the example, possible outcomes might be:
1. Minor cut
2. Major cut (say, those requiring stitches)
3. (worst-case) Cut artery

Suppose, just for argument's sake, that outcome 1 is probable, outcome 2 is rare, and outcome 3 is extremely rare.

If we use the probability of outcome 1 (highly probably) with the worst-case severity (very severe), our risk-priority would be about as high as it gets!
...this, in my opinion, would not be an accurate representation of this risk.

#### Marcelo

##### Inactive Registered Visitor
You almost always have more than one outcome, no?

Again, continuing with the example, possible outcomes might be:
1. Minor cut
2. Major cut (say, those requiring stitches)
3. (worst-case) Cut artery

Suppose, just for argument's sake, that outcome 1 is probable, outcome 2 is rare, and outcome 3 is extremely rare.

If we use the probability of outcome 1 (highly probably) with the worst-case severity (very severe), our risk-priority would be about as high as it gets!
...this, in my opinion, would not be an accurate representation of this risk.
Hum, I think we are mixing things here.

Let me try to get more visual so we can level the discussion. The probability of the hazardous situation is the sum of the separate sequence of events provabilities, so:

PHS = PE1 + PE2 + PE3 + PE4

For each harm, we would have a specific probability.

So, the RISK, which is combination of the probability of occurrence of harm and the severity of that harm, is:

Risk 1: Minor cut severity : probability is PHZ x PH1
Risk 2: Major cut severity : probability is PHZ x PH2
Risk 3 : Artery cut severity : probability PHZ x PH1

With this, you can then evaluate your risk (using a matrix, for example).

Last edited: