Morris Medical Monthly: RiskPack Basics (Part 1 of 2)

By morrisd

Welcome back to Morris Medical Monthly: a monthly series for medical device development companies (and companies who are related to such companies), providing some useful information about Polarion solutions and Polarion extensions.

Today we will start on the subject of Polarion’s RiskPack extension, and have a look into RiskPack’s Basics.

The RiskPack approach to risk management

Screenshot image - Polarion RiskPack ExtensionThe RiskPack is build upon the requirements of the international standard for risk management for medical devices,
ISO 14971. It supports all elements commonly used in risk management:

  • defining categories for the severities of harm and the probability of their occurrence

  • defining acceptance levels for all risk/probability-combinations

  • defining harms, hazards, hazardous situations and sequences of events

  • estimating and evaluating risks

  • defining risk control measures and track their implementation and verification

  • displaying all relevant information in a table view

  • displaying risks before and after mitigation in a matrix view

  • creating an overall risk-benefit analysis

  • creating a risk management report

How RiskPack deals with information

In traditional risk management approaches, all relevant information is stored in a table-like structure, applications like
Microsoft’s Excel are often used for this. The problem with this approach is that when the table gets bigger, it’s
getting more and more inconvenient to maintain. In addition to this, often information (like hazards or harm) have to
be repeated and copy-and-pasted within the table. So, as the table grows, people are getting more and more
anxious to make any changes to the table and rather keep things like they are – which is exactly the opposite of what
risk management should be.
The RiskPack has a different approach – it stores its data as pieces of information. Those pieces can be entered in
any order and can be combined to rather complex statements by creating links between them. The RiskPack uses
Polarion’s work items to store these information and adds powerful visualization capabilities to create table views
just like in the “old Excel approach”. The resulting table view can be customized to only show the information that
are relevant for the device under consideration. Of course, only these information must then be provided by work
This approach makes the RiskPack flexible to support an efficient risk management process that lets you
concentrate on the facts independent on their representation.

Which information can be stored

In general, RiskPack can store any kind of information. For a proper risk management, harms must be identified and
both their severity and the probability of their occurrence must be recorded. With this information, risk analysis
compliant to ISO 14971 is possible. RiskPack provides a data type “harm” with an attribute “severity” and a data
type “risk” with the attribute “probability”. So identification of possible harms and their severity can be done
independently of considering the probability of their occurrence. A “risk” then estimates the probability that a harm
can occur. The harm that is considered by that risk is simply linked to the risk.
Unfortunately, things are rarely that easy and the sequence of events that finally leads to a harm can be quite
complex. RiskPack provides a data type “sequence of events” for exactly that purpose. A sequence of events
describes something that is going on, it has a start and an end and “something in between”. For example, a
sequence of events might start with a system component, taking hazards and hazardous situations into account and
finally ending with a harm to a patient. All this can be documented using distinct work item types for system components, hazards, hazardous situations and – as described above – harms. The sequence of events that glues all this together is also a work item type and provides link possibilities for all the other types mentioned above. A
“risk” would now consider the probability of occurrence of a whole sequence of events instead of a single harm. But
as a harm is part of the sequence of events, the severity of it can be identified and the risk can be estimated for both
severity (which is an attribute of the harm) and probability of occurrence (which is an attribute of the risk).
To sum it up, information storage within the RiskPack can be quite detailed or quite simple – it only depends on the
level of detail needed for the device risk management is done for. The major point is to decide where the risk
analysis starts and which information is considered along the way to the harm. In any case, compliance to ISO
14971 can be achieved.

For more information about Polarion’s RiskPack visit our Extension Portal using following link: I hope you liked this article and you will visit our Blog again when there is another Morris Medical Monthly article.

Free eGuide: How to Make Risk a First-class Citizen in Your Development

Leave a Reply

This article first appeared on the Siemens Digital Industries Software blog at