Why Overly Conservative Risk Assessments Help No One
- Elizabeth Zybczynski

- Jun 3
- 5 min read
Engineers, scientists, and clinicians who support long‑marketed medical devices and pharmaceuticals understand the patterns of a mature product. The therapy works, the safety record is strong, and years of post‑market experience reinforce confidence that the benefit–risk profile is well characterized. Your role in safeguarding patients is grounded in disciplined assessment, sound engineering judgment, and a commitment to public health.
Which is why the shock is so jarring when you open the product’s risk file and find a list of rare but real failure modes — each assigned a “results in death” severity and paired with frequencies wildly misaligned with field performance. On paper, the product suddenly appears orders of magnitude more dangerous than anything your surveillance data or clinical experience would suggest.
So where is the disconnect? Is the product unsafe, or is the analysis itself distorting the signal?
In many organizations, the problem lies not in the product but in the structure of the Risk Management SOPs. Depending on how severity, harm, and probability are defined and combined, certain distortions are not only possible — they are inevitable. A risk file predicting harm rates three, four, or five orders of magnitude above observed field data is not “conservative”; it is evidence of a methodology flaw.
The Worst‑Case Abyss
Worst‑case estimation usually begins with good intentions. The logic is simple: choose the most conservative assumptions to protect patients, especially when the therapy is life‑saving or life‑sustaining.
But a risk file is a model — and a model is only useful when its estimates are representative. Worst‑case assumptions are not representative by design. They compound extremes: the most severe manifestation of a failure, the most vulnerable patient, the most unfavorable comorbidities, and the least forgiving use conditions. Layered together, these assumptions create scenarios so detached from real‑world performance that they cease to inform meaningful decisions.
Instead of protecting patients, they distort the reality, skew expectations, and undermine the credibility of the entire analysis.
When Worst‑Case Thinking Meets Qualitative Tables
Most SOPs rely on categorical severity tables. The structure is familiar:
| Severity Level | Severity Score | Severity Definition |
|---|---|---|
| Catastrophic | 5 | Life-threatening (death has or could occur) |
| Critical | 4 | Results in permanent impairment of body function or permanent damage to a body structure. |
| Serious | 3 | Necessitates medical or surgical intervention. |
| Moderate | 2 | Temporary or reversible (without medical intervention). |
| Minor | 1 | Limited (transient, minor impairment or complaints). |
The problem emerges when teams are forced to pick a single severity box for each failure mode. The reasoning often goes like this:
Can infusion of air kill someone? Yes → Severity 5
Can infusion of particulates kill someone? Yes → Severity 5
Can a kinked port prevent delivery of a life‑saving medication and kill someone? Yes → Severity 5
Everyone congratulates themselves for being “conservative” in the name of safety.
But when everything is rated as catastrophic, the model loses its ability to differentiate. The analysis becomes a blunt instrument with limited engineering use and a minefield of compliance traps.
The Inevitable Failure of This Approach
It Robs Risk Management of Its Value in Design
When every failure mode is assigned the worst severity, the process can no longer distinguish which issues warrant deeper engineering attention. Controls get “peanut‑buttered” across the entire product, driving unnecessary complexity and obscuring where the greatest risk reduction can actually be achieved.

This shotgun approach is nearly impossible to unwind later. Remediation becomes a matter of picking every piece of buckshot out of the design, often with limited success. When the underlying control strategy is flawed in this way, the product is as likely to face removal from the market as it is to find a viable remediation path.
It Creates Post‑Market Chaos
Post‑market systems are designed to detect unexpected performance. But if the risk file is unrealistically conservative, field data will never match predictions. This leaves only three unappealing options:
Take overly conservative actions (excessive recalls, notifications).
Revise the analysis after launch (appearing to “paper over” issues).
Evaluate field events independently of the risk file (creating inconsistency).
It Sends the Wrong Message to Regulators
Regulators cannot know the nuances of internal SOPs or the details of the product control strategy. They see only the mismatch between predicted and actual performance.
Depending on how companies handle the mismatch, the regulators may conclude that:
The product was poorly designed and the company is avoiding fixing it
The company is retroactively fixing only the documentation, or
Post‑market teams are rationalizing away real issues.
None of these interpretations inspire confidence.
A More Elegant Approach: Precision Over Panic
The Scalpel, Not the Chainsaw
The solution is to create procedural space for real engineering and clinical analysis — not to force hazards and failure modes into a single categorical box.

Start by examining inherent hazards (e.g., infusion of air) and identifying the different magnitudes or extents of hazardous situations that can arise from different failure modes.
For example, “infusion of air” does not occur in a single form. The table below shows an example of different magnitudes of hazardous situations potentially occurring from different failure modes. Each has a different clinical impact and probability.
| Failure Modes | Hazardous Situation |
|---|---|
| Failure to Prime or Set Disconnection combined with Complete Failure to Alarm | Infusion of Air: > 70 ml (Bolus) |
| Failure of Alarm at End of Infusion | Infusion of Air: 10 ml – 70 ml (Bolus) |
| Leak | Infusion of Air: 1 ml – 10 ml (Bolus) |
| Microbubble Generation | Infusion of Air: 0.04 ml (Limit of measurement) – 1 ml (Bolus) |
| Non-Bolus Air Infusion Over Time due to Alarm Sensitivity | Infusion of Air: X ml per Y min |
Once hazardous situations have been quantized (infusion of 10 ml – 70 ml of air rather than generic infusion of air), clinicians can estimate the severity and probability of harm for each one. In the terminology of ISO 14971, the probability that a failure mode produces the hazardous situation (P1) is an engineering estimate, while the probability that the hazardous situation goes on to cause harm of a given severity (P2) is a clinical one; keeping the two apart is what creates the procedural space for a robust analysis and moves the team away from the limiting question “in the worst case, could this hazardous situation result in death?”, to which the answer is almost always “yes”. The table below shows an example of this analysis. Each cell is the estimated probability that the hazardous situation leads to harm of that severity; estimating across the range of severities yields far more useful information, which can guide sound, data-based decisions during both design and post-market monitoring.
| Hazardous Situation | Minor | Serious | Critical |
|---|---|---|---|
| Infusion of Air: > 70 ml (Bolus) | Implausible | Unlikely | Probable |
| Infusion of Air: 10 ml – 70 ml (Bolus) | Likely | Probable | Possible |
| Infusion of Air: 1 ml – 10 ml (Bolus) | Probable | Possible | Unlikely |
| Infusion of Air: 0.04 ml (Limit of measurement) – 1 ml (Bolus) | Probable | Unlikely | Improbable |
| Infusion of Air: X ml per Y min | Probable | Improbable | Improbable |
These scenarios all stem from the same hazard — infusion of air — yet their clinical implications differ dramatically.
There are no perfect answers here. The goal is to be accurate enough to drive sound decision making. Directional accuracy (this hazardous situation is more likely to cause serious harm than that one) is far more important than absolute accuracy, which is both unachievable and unmeasurable.
Remember George Box’s observation: all models are wrong, but some models are useful.
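To make the difference between the two approaches concrete, here is a small added model (example code written for this edit, not from the original post or any company’s SOP). It takes the quantized air-infusion bands from the tables above, gives each a constructed occurrence rate (P1) and a constructed probability of harm at each severity (P2), and compares the harm rates that fall out of that model against the “can it kill someone? yes, Severity 5” model from earlier in the article and against a constructed set of field-observed rates. Every number, the one-decade mismatch tolerance included, is invented for illustration; only the severity names and the volume bands come from the page.

```python
"""Added example (not from the original post): a worst-case-collapsed risk model
beside a quantized one, both scored against constructed field data.

Every number below (occurrence rates, harm probabilities, "observed" field rates,
the one-decade tolerance) is made up for illustration; only the severity names
and the air-infusion bands come from the page's tables.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

SEVERITY_LEVELS = ("Minor", "Moderate", "Serious", "Critical", "Catastrophic")


@dataclass(frozen=True)
class HazardousSituation:
    """One quantized hazardous situation, e.g. an air bolus in a given volume band."""
    name: str
    occurrence_per_device_year: float       # P1: how often the situation arises
    harm_given_situation: dict[str, float]  # P2 per severity; the remainder is "no harm"

    def __post_init__(self) -> None:
        unknown = set(self.harm_given_situation) - set(SEVERITY_LEVELS)
        if unknown:
            raise ValueError(f"{self.name}: unknown severity levels {sorted(unknown)}")
        if sum(self.harm_given_situation.values()) > 1.0:
            raise ValueError(f"{self.name}: P2 values sum to more than 1")


def quantized_harm_rates(situations: list[HazardousSituation]) -> dict[str, float]:
    """Expected harm rate per severity level: the sum over situations of P1 * P2."""
    rates = {level: 0.0 for level in SEVERITY_LEVELS}
    for s in situations:
        for level, p2 in s.harm_given_situation.items():
            rates[level] += s.occurrence_per_device_year * p2
    return rates


def worst_case_harm_rates(situations: list[HazardousSituation]) -> dict[str, float]:
    """The "could this kill someone? yes -> Catastrophic" model: every occurrence of
    every situation is booked as a catastrophic harm (P2 = 1) and nothing else is scored."""
    rates = {level: 0.0 for level in SEVERITY_LEVELS}
    rates["Catastrophic"] = sum(s.occurrence_per_device_year for s in situations)
    return rates


def top_contributors(situations: list[HazardousSituation], level: str) -> list[tuple[str, float]]:
    """Situations ranked by how much harm of one severity they contribute: the
    'directional accuracy' that tells engineering where a control actually pays off."""
    contrib = [(s.name, s.occurrence_per_device_year * s.harm_given_situation.get(level, 0.0))
               for s in situations]
    return sorted(contrib, key=lambda pair: pair[1], reverse=True)


def decades_off(predicted: float, observed: float) -> float:
    """log10(predicted / observed); -inf when the model says the harm cannot occur at all."""
    if predicted <= 0.0:
        return -math.inf
    return math.log10(predicted / observed)


def field_mismatch(predicted: dict[str, float], observed: dict[str, float],
                   tolerance_decades: float = 1.0) -> dict[str, float]:
    """Severity levels whose predicted rate differs from field data by more than
    `tolerance_decades` orders of magnitude in either direction (assumed threshold)."""
    flagged = {}
    for level, obs in observed.items():
        d = decades_off(predicted.get(level, 0.0), obs)
        if abs(d) > tolerance_decades:
            flagged[level] = d
    return flagged


# Constructed data for the "infusion of air" hazard (illustrative, not real device data).
AIR_SITUATIONS = [
    HazardousSituation("Infusion of Air: > 70 ml (Bolus)", 1e-6,
                       {"Serious": 0.1, "Critical": 0.3, "Catastrophic": 0.5}),
    HazardousSituation("Infusion of Air: 10 ml - 70 ml (Bolus)", 1e-5,
                       {"Minor": 0.3, "Moderate": 0.2, "Serious": 0.3, "Critical": 0.1, "Catastrophic": 0.08}),
    HazardousSituation("Infusion of Air: 1 ml - 10 ml (Bolus)", 1e-4,
                       {"Minor": 0.2, "Moderate": 0.1, "Serious": 0.05, "Critical": 0.01, "Catastrophic": 0.001}),
    HazardousSituation("Infusion of Air: 0.04 ml - 1 ml (Bolus)", 1e-3,
                       {"Minor": 0.1, "Moderate": 0.01, "Serious": 0.01, "Critical": 0.001}),
    HazardousSituation("Infusion of Air: X ml per Y min (non-bolus)", 1e-2,
                       {"Minor": 0.05, "Moderate": 0.005, "Serious": 0.001}),
]
# Constructed "field" harm rates per device-year, the surveillance numbers a
# post-market team would be comparing the risk file against.
OBSERVED_FIELD_RATES = {"Minor": 5e-4, "Moderate": 6e-5, "Serious": 3e-5,
                        "Critical": 2e-6, "Catastrophic": 1e-6}

if __name__ == "__main__":
    for label, model in (("quantized", quantized_harm_rates), ("worst-case", worst_case_harm_rates)):
        predicted = model(AIR_SITUATIONS)
        print(f"{label} model, harms per device-year:")
        for level in SEVERITY_LEVELS:
            print(f"  {level:<13}{predicted[level]:.2e}")
        print("  flagged against field data:", field_mismatch(predicted, OBSERVED_FIELD_RATES))
    print("largest catastrophic contributor:", top_contributors(AIR_SITUATIONS, "Catastrophic")[0])
    print("largest minor-harm contributor:  ", top_contributors(AIR_SITUATIONS, "Minor")[0])
```

Run as written, the quantized model lands within a factor of about two of every constructed field rate, so nothing is flagged, while the worst-case model over-predicts catastrophic harm by roughly four orders of magnitude and predicts zero harm at every other severity, which is exactly the “field data will never match predictions” situation described earlier. The ranking also changes with severity: the 10 ml – 70 ml bolus drives catastrophic harm, while the slow non-bolus infusion drives minor complaints, so a single “Severity 5” label for infusion of air would point design controls at the wrong place.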
The Payoff: Upfront Investment, Long‑Term Clarity
Building this analysis early in the lifecycle yields enormous value:
Hazardous situation analysis becomes reusable. While failure modes are product‑specific or at least product-family specific, hazardous situations often apply across an entire therapy area. This saves time, limits resource demands, and prevents conflicting data.
Design decisions become faster and clearer. When teams enter decision phases with a clear understanding of what needs to be mitigated, and to what extent, ambiguity drops and rework shrinks.
Post‑market monitoring becomes cleaner and more actionable. Much of the clinical reasoning is already done, enabling rapid, consistent responses and reducing noise.
This is how risk management becomes what it was always meant to be: a tool for protecting patients and enabling good engineering — not a bureaucratic exercise in worst‑case storytelling.
Looking for support in this area? A‑Z Continuous Compliance, LLC provides Risk Management process development, training, and creation of Risk Files. We can also develop culture change strategies that engage the organization cross-functionally through Risk Management value propositions.

