Medical: A Risk Management Data Model

By laurencesampson

In previous blogs ([blog 1] and [blog 2]) I described the regulatory requirements related to product risk and the elements required to build a database for use in the risk management system. The following is a discussion of the risk management data model and how the evaluation of risk can be accomplished using the design control previously discussed.

ISO 14971 Annex E characterizes the relationship between elements in the analysis of risk with the following flow chart:

Risk Evaluation Work Items

To implement the flow diagram systematically, several work items and their associated variables must be defined so that the analysis is logically organized. The following is a flow diagram describing a system compliant with the risk management flow chart mentioned above:

The system is organized with three Work Items:

  • Harm

  • Hazardous Situation

  • Risk Record

The overall system analysis will be in the form of a traditional FMEA.

This is a convenient grouping due to several factors:

  • The work for each item is completed and reviewed by different departments, each with its own workflow. The hazardous situation is largely an engineering exercise, while risk analysis tends to be done by risk management professionals and clinical staff.

  • The conversion/probability variables cannot be defined without the components described by the work item. For example, the probability of a hazardous situation occurring cannot be defined without knowing the hazard, the foreseeable sequence of events, and the resulting hazardous situation. In risk analysis, the probability that a hazardous situation will lead to patient harm cannot be known without an accumulation of the occurrence of the hazardous situation and a characterization of the harm.

  • The “hazardous situation” term, for example, is discussed in regulatory documents (ISO 14971) and it’s convenient to match the work item with the regulatory term for audit clarification.

Work Item Examples

Harm Work Item
The risk assessment work item includes a harm description and a harm severity.
To continue the examples outlined above, the progression could be:

Electrical Shock > Patient death/severity 5
Anaphylactic shock > Patient hospitalization/severity 4

Hazardous Situation Work Item
The fully characterized hazardous situation includes the source from which the failure mode originated (hazard), the failure mode description (foreseeable sequence of events), and the local effect (hazardous situation). Variable input includes the pre- and post-mitigation probability of HS occurrence (P1), and pre- and post-mitigation detection.

An example of this is:
Electromagnetic Radiation > 1) cut insulation, 2) conductor touches case > Energization of the cabinet chassis.
Biocompatibility, Allergenicity > 1) Syringe tip hole out of specification, large, 2) excessive dosage applied > Patient overdosed

Risk Record Work Item

The risk record work item combines a single Hazardous Situation with a Harm for analysis as a pair. Several operations are completed in this stage to complete the risk assessment.

The P2 factor is defined as a relationship between the Hazardous Situation and the Harm (the probability of the hazardous situation leading to harm). In our example the hazardous situation is energization of the chassis. The harm is electrical shock to the user. The obvious question is then: how often will shocking the user lead to user death? Thankfully, one does not always follow the other. This P2 conversion factor is the method we use to reduce the occurrence to the level a user would actually experience.

The P1 and P2 factors are then combined to determine the occurrence of the harm.
The final P factor is then used along with the harm severity to determine the harm / hazardous situation risk index.
The Risk Priority Level, or Risk Index, is calculated to determine the effect of the risk on the product and company systems.
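The three work items and the P1/P2/severity calculation described above can be sketched as follows. This is an added example, not code from the original article: the class and field names, the 1-5 ranks and both pick tables are constructed for illustration, and detection is left out because the article does not say how it enters the calculation.

```python
from dataclasses import dataclass

# Constructed 1-5 pick tables, for illustration only; real scales come from
# the organization's risk management plan.
OCCURRENCE = [  # rows: P1 rank, columns: P2 rank -> probability-of-harm rank
    [1, 1, 1, 1, 1], [1, 1, 2, 2, 2], [1, 2, 2, 3, 3],
    [1, 2, 3, 3, 4], [1, 2, 3, 4, 5],
]
RPL = [  # rows: harm severity, columns: harm occurrence -> risk priority level
    ["Low", "Low", "Low", "Low", "Medium"],
    ["Low", "Low", "Low", "Medium", "Medium"],
    ["Low", "Low", "Medium", "Medium", "High"],
    ["Low", "Medium", "Medium", "High", "High"],
    ["Medium", "Medium", "High", "High", "High"],
]

@dataclass(frozen=True)
class Harm:
    description: str
    severity: int

@dataclass(frozen=True)
class HazardousSituation:
    hazard: str
    sequence_of_events: tuple
    situation: str
    p1_pre: int   # occurrence rank before mitigation
    p1_post: int  # occurrence rank after mitigation

@dataclass(frozen=True)
class RiskRecord:
    situation: HazardousSituation
    harm: Harm
    p2: int  # rank for "hazardous situation leads to this harm"

    def assess(self, mitigated=False):
        """Return (harm occurrence rank, RPL) for the pre- or post-mitigation P1."""
        p1 = self.situation.p1_post if mitigated else self.situation.p1_pre
        for name, rank in (("P1", p1), ("P2", self.p2), ("severity", self.harm.severity)):
            if rank not in range(1, 6):
                raise ValueError(f"{name} rank {rank} is outside the 1-5 scale")
        occurrence = OCCURRENCE[p1 - 1][self.p2 - 1]
        return occurrence, RPL[self.harm.severity - 1][occurrence - 1]

# The article's electrical example; the P1 and P2 ranks are constructed.
chassis = HazardousSituation("Electromagnetic Radiation",
    ("cut insulation", "conductor touches case"),
    "Energization of the cabinet chassis", p1_pre=4, p1_post=1)
shock = RiskRecord(chassis, Harm("Electrical shock: patient death", 5), p2=3)
print(shock.assess(), shock.assess(mitigated=True))
```

Keeping P1 on the hazardous situation and P2 on the risk record mirrors the split described above: one hazardous situation can be paired with several harms, each with its own P2.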

Grading Scales
Whenever a risk management system is defined, it is also necessary to develop the grading scales. The following is a discussion of each scale and its meaning. These scales are only one example of how this can be done. I have seen a great variety of different methods used.


In the system described below the Harm is defined as one of five options:

Hazardous Situation Occurrence (P1)
The HS occurrence is ranked on the basis of probability. The following table is one example of such a ranking system.

Probability that Hazardous Situation will lead to Harm (P2)
The likelihood that the hazardous situation will lead to a harm is also ranked by probability. The following table is an example.

Probability of Harm occurrence
The following table characterizes one method by which the harm occurrence can be determined by factoring the P1 and P2 occurrence values defined above.

Risk Priority Level (RPL)
The RPL can then be calculated from the severity and occurrence levels established in the previous tables. It can be derived either from a pick table or a variety of calculation methods. The following is the pick table definition used in this example.

Report Example

Once the characterization is completed for each hazard / harm combination, a risk management report is generated and a partial screenshot example is shown below:


This article first appeared on the Siemens Digital Industries Software blog at