Skip to main content

Prerequisites

Residual Risk in the ISO 14971 Workflow

Residual risk evaluation is the critical step that determines whether your risk controls are effective enough — or whether additional measures, including benefit-risk analysis, are required. diagram

Step 1: Switch to the Residual Evaluation View

  1. Open your HARA document in risksheet mode
  2. Select the Residual Evaluation view — this shows 12 columns including post-mitigation probabilities and benefit-risk fields
  3. Confirm you see both the pre-mitigation and post-mitigation column groups for comparison

Step 2: Assign Post-Mitigation P1 (Hazard Probability)

For each risk record with assigned controls, update the post-mitigation P1 value:
  1. Click the P1 Post (postHazardProbability) cell
  2. Select the probability level reflecting conditions after risk controls are in place:
P1 ValueLabelFrequency
1Very unlikely<= 1/100,000
2Unlikely<= 1/10,000
3Possible<= 1/1,000
4Likely<= 1/100
5Very likely<= 1/1
Effective risk controls should reduce P1 post-mitigation. If P1 does not decrease, assess whether the control adequately addresses the hazardous situation probability, or whether a different control strategy is needed.

Step 3: Assign Post-Mitigation P2 (Harm Probability)

Update the post-mitigation P2 value:
  1. Click the P2 Post (postHarmProbability) cell
  2. Select the probability level for harm occurrence given the hazardous situation, after controls:
P2 ValueLabelPercentage
1Rare<= 5%
2Occasional6-25%
3Probable26-75%
4Frequent76-95%
5Almost certain>= 96%

Step 4: Review the Post-Mitigation Combined Probability

The risksheet automatically calculates the post-mitigation combined probability using the same P1 x P2 bucketing algorithm:
P1 x P2 ProductCombined P
1-31 (Remote)
4-82 (Low)
9-133 (Moderate)
14-184 (High)
19-255 (Very high)
The postControlProbability column updates automatically.

Step 5: Review the Residual Risk Level

The Post-Risk Level (postRisk) column shows the residual risk classification:
Post-Risk LevelColorRequired Action
AcceptableGreenRisk is tolerable. Proceed to final risk determination.
InvestigationAmberFurther analysis needed. Consider additional controls or benefit-risk analysis.
UnacceptableRedResidual risk is still too high. Apply additional risk controls or redesign.
If residual risk remains Unacceptable, you must apply additional risk controls before proceeding. Return to Assign Risk Controls to Hazards and consider higher-priority control types (inherent safety by design before protective measures).

Step 6: Compare Pre and Post Risk

Use the Residual Evaluation view to compare initial and residual risk side by side:
  • Verify that post-mitigation probability is equal to or lower than pre-mitigation
  • Confirm that at least one factor (P1 or P2) has been reduced by the applied controls
  • Severity does not change — it is an inherent property of the linked harm
Harm severity is read from the linked Harm work item and cannot be changed by risk controls. Risk reduction works exclusively through probability reduction (P1 and/or P2).

What Happens Next

Based on the residual risk level:
  • Acceptable — Proceed to document final risk. The finalRisk field will be set to Acceptable automatically.
  • Investigation — Determine whether additional controls are possible. If not, perform a Benefit-Risk Analysis per ISO 14971 Clause 7.4.
  • Unacceptable — Return to Assign Risk Controls and apply additional measures.
The overall final risk determination follows this decision tree:
  1. If postRisk = Acceptable —> finalRisk = Acceptable
  2. If additionalControlsPossible is not “No” —> finalRisk = Unacceptable (must exhaust controls first)
  3. If riskBenefitResult = “Benefit > Risk” —> finalRisk = Benefit-Risk Acceptable
  4. Otherwise —> finalRisk = Unacceptable

HARA risksheet configuration (HARATemplate/risksheet.json), risk record custom fields (riskRecord-custom-fields.xml), HARA top panel formulas (risksheetTopPanel.vm), P1 probability scale (pOccurrence-enum.xml), P2 probability scale (p2Occurrence-enum.xml), final risk enumeration (finalRisk-enum.xml).