Risk Analysis: Beyond Probability and Severity

Although a combination of probability and severity is commonly used for estimating risk, it can be useful to consider other factors that may also affect whether a risk is deemed acceptable.


Risk management is commonly defined as the systematic application of management practices, policies, and procedures for identifying, analyzing, controlling and monitoring risk.1 Application of risk management to medical devices is expected by medical device regulatory bodies. For instance, risk management is considered as an essential requirement for compliance to the European Union Medical Device Directive 93/42/EEC.2 FDA also expects risk management to be integrated with device design control activities and other compliance activities, as made clear in the quality system regulation preamble.3,4 Standards-developing agencies have also highlighted the importance of applying risk management to medical devices in view of ensuring patient safety, notably ISO 14971.5 At the facility level, IEC 80001, “Application of Risk Management for IT Networks Incorporating Medical Devices—Part 1: Roles, Responsibilities, and Activities,” has been released in draft form and widely commented on.6,7

Risk management involves a three-step procedure: hazard identification, risk assessment, and risk mitigation in case of unacceptable risk levels. In fact, the hazard identification process should account not only for hazards directly related to the medical device itself, i.e., design and manufacturing, but also hazards related to the device use in the clinical world, i.e., user operation, device interaction with its environment of use, etc.8 After identifying the hazards, a qualitative or quantitative evaluation of risk should follow to assess the acceptability of the risks involved. Based on this assessment, effective design or process changes can then be developed and implemented to mitigate unacceptable risks, thereby making them acceptable according to the action levels defined by the analyst. 

The risk evaluation process is a key step in risk management, and we have addressed certain aspects of this process previously.9 This article addresses another aspect of risk evaluation: the consideration of factors other than the probability of harm occurrence and the severity of that harm if it were to occur. While the combination of probability and severity is helpful in reflecting the level of risk importance, reliance on only these two factors fails to capture other significant elements that should influence the decision-making process. For example, detectability is often considered in manufacturing risk management. Other factors that may be integrated into the risk equation are hazard correctability and product utility. 

A Two-Dimensional Definition

Figure 1. Two-dimensional risk space with three-zone delimitation.

ISO 14971 defines risk as the combination of the probability of harm occurring and the severity of the harm once it occurs. The combination of these two variables is generally depicted by a two-dimensional matrix, sometimes called the risk space (see Figure 1).

The risk space is divided into regions describing the level of risk significance. One common procedure consists of dividing the risk chart into three zones: a generally acceptable (GA) region for which probability and severity are low, a generally unacceptable (GU) region for which probability and severity are high, and the so-called as low as reasonably practicable (ALARP) region in between. Note that risks corresponding to low probability and high severity can be controversial because the clinical significance to the affected patient may be high even though the general probability is low. After reasonable mitigation, the acceptability of such risks should be partially based on a risk-benefit analysis, whereby they may be tolerated if benefits outweigh risk. Note also that dividing it into three regions is quite arbitrary—more regions can be used based on a more detailed decision-making process.

A common practice in the risk space is to break down the probability and severity axes into discrete scales that may also have descriptions, as shown in Table I, yielding a segmented yet still qualitative assessment of risk. Linguistic scales may also be converted into ordinal numbers in an attempt to quantify the notion of risk by applying some mathematical combination of the probability and severity values. Figure 2 shows an example of a quantitative risk matrix using a multiplicative combination for the scaled estimations. Multiplying probability and severity ratings is common; however, other mathematical operations can also be employed. Although the obtained quantitative score is intended to reflect the degree of importance of the risk, this number should not be seen as representative of some real and measurable quantity.9

Other Dimensions of Risk

The risk space is meant to give the user an insight into whether a considered risk should be further mitigated or whether it could be tolerated without unduly compromising patient safety. However, relying on a two-dimensional definition of risk overlooks other important decision factors. Such factors include the ability to detect the hazard before harm occurrence, the economical and technical practicability of correction procedures, and the device's value or medical significance.

Figure 2. Example of a quantitative risk matrix. Note that some risk scores are redundant.

Detection, when applied to hazards rather than harms, is a significant measure to consider in the sense that it alters the probability of the harm actually occurring, assuming the detected condition is effectively acted on. High detectability yields a reduction in the likelihood that harm would occur, and thus it should influence the risk score. Consideration of the ease of mitigation in the risk equation is appropriate given the general philosophy that risks should be lowered to the lowest practicable level.5 Therefore, all easily correctable risks should be prioritized and dealt with.

Product benefit is another factor that can be added to the risk score. In fact, a risk that remains unacceptable after performing all practicable mitigation measures may be tolerable if the device's clinical benefit or medical significance outweighs its residual risks.

Hazard Detectability

Hazard detection accounts for the likelihood of discovering and correcting a hazard or failure mode prior to harm occurrence. For example, in the manufacture of a catheter, there might be a gluing or welding step to attach a connector to tubing. This in turn can introduce the hazard of leakage. A leakage test can then be added to eliminate (with some degree of assurance) the further processing of badly glued or welded units. Hazard detection suggests the existence of an inverse relationship between the level of detectability and the degree of risk seriousness. If severity and probability were weighted such that a higher rating corresponds to a more frequent hazard occurrence and more critical harm consequences, detectability should then be scaled such that increasing scores denote a decreasing likelihood of hazard detection.

Note that the introduction of detectability into the risk equation actually induces a modification in the definition of probability. Instead of denoting the probability of harm, i.e., the end result, it now refers to the probability of hazardous condition prior to detection. In this context, the hazard detectability factor can be thought of as a correction factor for the probability of failure prior to detection. Their combination would result once again in the probability of harm occurring. Although detection seems to be an integral part of probability, keeping it distinct from the harm probability measure helps to recognize two ways of mitigating the associated risk: either by reducing the probability of failure or by improving detectability.

An example of a detection scaling is shown in Table II. If a multiplicative combination is applied to evaluate risk in the case of a five-level ordinal scaling of probability, severity, and detectability, risk indices from as low as 1 to as high as 125 can be obtained. Note that adding a third variable increases the opportunity of obtaining the same risk score for distinct combinations. In fact, a total of 125 combinations can be made with only 30 unique numbers generated. Notice that even though they both yield a risk score of 25 for the same detectability value of 5, a risk combination of a high severity of 5 and low probability of 1 should in general not be treated equally to a risk combination of a low severity of 1 and high probability of 5. This difference may be made more explicit with the use of a three-dimensional risk chart (see Figure 3).

Another option is considering detectability as a correction factor for the probability measure by introducing a scaling centered on unity (see Table III). In this case, unity would denote a moderate detectability that does not affect the risk score. Values above and below unity refer to poor and good hazard detectability, respectively. The advantage of such scaling is that it preserves the same numerical acceptability criterion that might be used for only probability and severity.
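The counts quoted above and the unity-centred correction can be checked directly. The following Python sketch is an added example, not part of the original article: it enumerates the five-level multiplicative index and then applies detectability as a correction factor. The factor values and the two acceptability limits are assumptions chosen for illustration (Table III is not reproduced on this page), and all function names are hypothetical.

```python
from collections import defaultdict
from itertools import product

LEVELS = range(1, 6)  # five-level ordinal scale, as in the article

def index_table(dimensions):
    """Map every multiplicative risk index to the rating tuples that yield it."""
    table = defaultdict(list)
    for ratings in product(LEVELS, repeat=dimensions):
        score = 1
        for r in ratings:
            score *= r
        table[score].append(ratings)
    return dict(table)

def collisions(table, score):
    """Rating tuples (probability, severity, detectability) sharing one index."""
    return sorted(table.get(score, []))

# Assumed values: unity-centred detectability factors, keyed by rating
# (1 = hazard almost always detected, 5 = hazard almost never detected).
DETECT_FACTOR = {1: 0.5, 2: 0.75, 3: 1.0, 4: 1.5, 5: 2.0}

# Assumed acceptability limits for the two-dimensional P x S score.
GA_MAX = 6    # at or below: generally acceptable
GU_MIN = 15   # at or above: generally unacceptable

def zone(score):
    if score <= GA_MAX:
        return "GA"
    if score >= GU_MIN:
        return "GU"
    return "ALARP"

def corrected_zone(probability, severity, detectability):
    """Zone after correcting the pre-detection probability for detectability."""
    return zone(probability * severity * DETECT_FACTOR[detectability])

def unity_preserves_2d_zones():
    """Moderate detectability (factor 1.0) must leave every P x S zone unchanged."""
    return all(corrected_zone(p, s, 3) == zone(p * s)
               for p, s in product(LEVELS, repeat=2))

if __name__ == "__main__":
    table = index_table(3)
    print(len(table), "unique indices from", sum(map(len, table.values())), "combinations")
    print("index 25:", collisions(table, 25))
    print("P=3,S=3 by detectability:", [corrected_zone(3, 3, d) for d in LEVELS])
```

Because the factor for moderate detectability is exactly 1.0, the limits defined for the two-dimensional matrix carry over unchanged, while the collision list for index 25 shows why the raw product alone cannot separate a rare severe harm from a frequent minor one.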

Although commonly used in manufacturing risk analysis, detectability is generally associated with specific inspection processes. However, detection can also be defined at various levels of the product life cycle, from the design and development phase to the use and operation phase.10 Whether considered at the design stage or at the operation phase, assessing detectability can be more challenging because inspection procedures are typically less well defined. However, the risk assessment can indicate the need for detection, and thus drive the development of an appropriate process.

Figure 3. Three-dimensional risk chart with high-risk zone in red and low-risk zone in blue.

Detection during the device conception and production phases can be defined as the ability of the design controls to identify possible weaknesses and failures before releasing the product on the market. In fact, the evaluation of this type of hazard detectability requires an assessment of the likelihood of detecting causation during such activities as design reviews, reliability modeling, verification and validation, etc. In short, detectability at this stage is closely related to the quality practices implemented by the design and production entities responsible for developing the final product. Adequate detectability assessment may be more difficult to achieve in outsourcing, whether it involves a partial or complete subcontracting of the design or the manufacturing of device components.

Hazard detection can also be defined as the likelihood of detecting possible failures or complications in the operation environment and purportedly preventing their culmination in a harmful occurrence. Important considerations in the process of assessing detectability within the clinical environment include resource availability, response timeliness, and personnel practical expertise.

For instance, a high patient-to-nurse ratio can negatively affect the likelihood of a nurse detecting possible hazards within the clinical environment. Response timeliness is yet another major element to be considered in the assessment of detectability. In this context, several questions may be raised. How much time is really available between detection and harm? If the hazard failed to be announced by a clinical alarm, how likely is it to be otherwise detected or communicated by other alarm notification systems? Knowing the noise background in the clinical world and the tendency to ignore alarms, how likely are nurses to respond to a sounding alarm and in how timely a manner?

Another important factor is the user’s practical expertise and knowledge. Assuming the hazard was detected prior to the occurrence of harm, does the caregiver have the required skills to perform the preventive procedure under real-world situational stress in a safe, effective, and timely manner?11 The temptation by manufacturers to assume a high level of detection by clinical users, and to therefore not adequately eliminate hazards at the source, must be avoided. In general, reliance on the end-user to avoid hazards that should otherwise be mitigated is undesirable and unacceptable because, in the parlance of this article, the probability of such detection is low, giving it a high numerical score (see Tables II and III).

Hazard Correctability

The hazard correctability factor rates the relative ease of mitigating a certain risk. It accounts for the associated feasibility and effort required in reducing a particular risk to the lowest practicable level. In this context, ease and practicability address the ability to mitigate the risk taking into account both technical and economic feasibility. Practicability has two components, as mentioned in Appendix E of ISO 14971: a technical practicability denoting the ability to mitigate the risk regardless of cost, and an economic practicability denoting the ability to reduce a risk without making the medical device an unsound economic proposition.5 In other words, in assessing the level of hazard correctability, both the availability of technical solutions and their economic feasibility and budget constraints should be considered.

The inclusion of this factor into the risk equation is meant to prioritize risks for which mitigation can be performed fairly easily, regardless of their degree of importance otherwise. More precisely, this suggests that there is no justification for a device to bear risks that can be easily eliminated or reduced while considering the technical and economic feasibility of the mitigation procedures. As a result, the easier the mitigation, the higher the correctability and the recalculated risk score (see Table IV). However, the opposite is not true. If the mitigation is hard to accomplish due to technical or economic limitations, the risk score should not be decreased. Decreasing it would imply that the corresponding risk is more acceptable as a result of low correctability, but ISO 14971 asserts that economic impracticability should not be used as a rationale for the acceptance of unnecessary risks.5

Furthermore, an unacceptable risk should not be considered tolerable if corrective measures were judged impracticable. Alternatively, a risk-benefit analysis must be performed whenever mitigation procedures are hard to achieve in view of assessing the acceptability of such risks while considering the medical significance of the device.

Product Utility

The product utility factor is meant to integrate clinical benefit into the risk score. Consideration of the benefits that arise from the use of a medical device needs to be carried out whenever corrective measures are deemed impracticable or whenever a risk mitigated to the lowest practicable level is still judged unacceptable or otherwise unwarranted. In fact, if the risk is outweighed by the benefits, it may be thought of as acceptable based on the device’s medical significance. As a result, the product utility may be factored into the risk score obtained by multiplication such that the score would be increased in the case of a low utility (i.e., risk is unjustified by clinical benefits) and decreased by a high utility (i.e., benefits outweigh the risk). See Table V for an example of a utility scaling.

Estimating the benefits of a medical device can be made through considering its performance during clinical use and the clinical outcomes expected from that performance compared with those of similar devices on the market.5 Such estimation can be challenging because certain clinical outcomes are difficult to compare. For example, which is more acceptable: severe pain or loss of mobility?

Determination of whether the estimated benefits outweigh the risk can then be addressed through performing clinical studies involving patients, users, and medical practitioners in view of assessing the risk acceptability to both society and individuals. This is also a challenging task because the notion of utility is subjective. For instance, there is an ongoing debate as to whether one should be more tolerant to a high-risk life-saving device as opposed to a high-risk cosmetic implant. While a high-risk cosmetic implant may be thought of as unacceptable since it is not an essential device, one may also argue that a high-risk life-support device is unacceptable because it is an essential piece of equipment designed for the very purpose of saving a life.

As with detection, the analyst must avoid overstating value in an effort to make risks acceptable that would otherwise be unacceptable. Besides outright cheating to get the risk scores one desires, self-delusion itself is a risk that must be mitigated.


Although a combination of probability and severity is commonly used for estimating risk, it can be useful to consider other factors that may also affect whether a risk is deemed acceptable. Examples of such factors are hazard detectability, mitigation practicability or hazard correctability, and product utility.

For increasing numerical values for higher probability and severity, a high detectability and a high utility should be scaled in view of decreasing the risk index, thereby indicating a more acceptable risk. A high mitigation practicability should increase the risk score, giving the impression of a higher risk and therefore highlighting the need for implementing mitigation procedures.
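The direction rules in this summary can be enforced in code before any score is computed. The Python sketch below is an added example, not from the article: it checks a set of multiplier tables against those rules, including the asymmetry that hard-to-mitigate risks must never be scored lower, and then ranks sample hazards. The multiplier values, hazard ratings, and all names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed multipliers centred on 1.0 (the article's tables are not shown here).
DETECT = {1: 0.5, 2: 0.75, 3: 1.0, 4: 1.5, 5: 2.0}    # rating 5 = hazard rarely detected
CORRECT = {1: 1.0, 2: 1.0, 3: 1.0, 4: 1.5, 5: 2.0}    # rating 5 = mitigation is easy
UTILITY = {1: 2.0, 2: 1.5, 3: 1.0, 4: 0.75, 5: 0.5}   # rating 5 = high clinical benefit

def _ordered(table, rising):
    values = [table[k] for k in sorted(table)]
    pairs = list(zip(values, values[1:]))
    return all(a <= b for a, b in pairs) if rising else all(a >= b for a, b in pairs)

def scale_violations(detect, correct, utility):
    """List every way the multiplier tables contradict the stated direction rules."""
    problems = []
    if not _ordered(detect, rising=True):
        problems.append("poorer detection must not lower the index")
    if not _ordered(correct, rising=True):
        problems.append("easier mitigation must not lower the index")
    if any(f < 1.0 for f in correct.values()):
        problems.append("hard mitigation must never reduce a score")
    if not _ordered(utility, rising=False):
        problems.append("higher utility must not raise the index")
    return problems

@dataclass(frozen=True)
class Hazard:
    name: str
    probability: int     # of the hazardous condition, before detection
    severity: int
    detection: int
    correctability: int
    utility: int

def risk_index(h):
    return (h.probability * h.severity * DETECT[h.detection]
            * CORRECT[h.correctability] * UTILITY[h.utility])

def prioritise(hazards):
    """Highest index first: these need mitigation or a risk-benefit case soonest."""
    return sorted(hazards, key=risk_index, reverse=True)

# Constructed sample hazards, loosely following the catheter leak example.
SAMPLE = [
    Hazard("leak, no leak test", 3, 4, 5, 5, 3),
    Hazard("leak, leak test added", 3, 4, 1, 5, 3),
    Hazard("hard to fix, high benefit", 3, 4, 3, 1, 5),
    Hazard("hard to fix, low benefit", 3, 4, 3, 1, 1),
]

if __name__ == "__main__":
    print(scale_violations(DETECT, CORRECT, UTILITY) or "scales are consistent")
    for h in prioritise(SAMPLE):
        print(f"{risk_index(h):6.1f}  {h.name}")
```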


1.    PL Knepell, “Integrating Risk Management with Design Control,” Medical Device + Diagnostic Industry 20, no. 10 (1998): 83–91.
2.    Medical Device Directives, Annex 1—Essential Requirements, European Commission; available from Internet: http://ec.europa.eu/enterprise/sectors/medical-devices/regulatory-framework/index_en.htm.
3.    FDA, Medical Devices: Current Good Manufacturing Practices (CGMP) Final Rule; Quality Systems Regulation, Preamble, Federal Register, 61(195), 52602–52662, October 7, 1996.
4.    21 CFR 820.30 (g).
5.    ISO 14971:2007, “Medical Devices—Application of Risk Management to Medical Devices” (Geneva: International Organization for Standardization, 2007).
6.    IEC 80001, “Application of Risk Management for IT Networks Incorporating Medical Devices—Part 1: Roles, Responsibilities, and Activities” [under development] (Geneva: International Organization for Standardization); available from Internet: www.iso.org/iso/catalogue_detail.htm?csnumber=44863.
7.    “IEC 80001 to Impact Providers,” Medical Connectivity, June 2008; available from Internet: http://medicalconnectivity.com/2008/06/16/iec-80001-to-impact-providers/.
8.    BS Dhillon, “Medical Device Risk Assessment and Control,” in Medical Device Reliability and Associated Areas (Boca Raton: CRC, 2000), 112–115.
9.    N Youssef and WA Hyman, “Analysis of Risk: Are Current Methods Theoretically Sound?,” Medical Device + Diagnostic Industry 31, no. 10 (2009): 38–46.
10.    S Kmenta and K Ishii, “Scenario-Based Failure Modes and Effects Analysis Using Expected Cost,” Journal of Mechanical Design 126 (2004): 1027–1035.
11.    WA Hyman, “Why Don’t Healthcare Professionals Do What They ‘Know’ They Should?” Journal of Clinical Engineering, October/December 2005: 214–218.

About the Author(s)

William A. Hyman

William A. Hyman is a professor emeritus in the department of biomedical engineering at Texas A&M University and adjunct professor of biomedical engineering at the Cooper Union.
