Formula sheet
Medical Device Verification, Validation, and Risk Management Formula Sheet
Medical device V&V formulas for traceability, risk controls, uncertainty guard bands, usability validation, timing, reliability, sampling, and release gates.
This formula sheet collects engineering calculations used to review medical device verification, validation, risk-control evidence, traceability closure, uncertainty margins, usability evidence, software timing, reliability exposure, process validation evidence, acceptance sampling, and release readiness.
The equations are screening and documentation tools. They do not replace the applicable quality system, risk management procedure, standards, professional review, regulatory submission requirements, clinical evaluation, usability process, software lifecycle controls, cybersecurity review, biological evaluation, sterilization validation, or market-specific approval process.
Basis and Boundaries
State these items before calculating:
- device, accessory, software version, configuration, intended use, user group, and use environment;
- claim, requirement, hazard, hazardous situation, risk control, protocol, acceptance criterion, and evidence record;
- measured quantity, reference method, uncertainty, sample, population, and operating condition;
- whether the calculation supports design verification, validation, risk-control verification, process validation, change impact, or release review;
- the decision rule that converts the result into pass, fail, repeat test, deviation, risk review, or release block.
A high numerical score is not a substitute for objective evidence. A release package can fail because one high-severity risk control lacks evidence, even if most low-risk rows are complete.
Symbols
| Symbol | Meaning | Typical unit |
|---|---|---|
| N | count of claims, requirements, controls, tasks, samples, or records | count |
| N_c | count satisfying a criterion | count |
| C | closure, coverage, or completion fraction | dimensionless |
| S,O,D | severity, occurrence, and detection scores | score |
| RPN | risk priority number | score |
| u_c | combined standard uncertainty | same as measurand |
| U | expanded uncertainty | same as measurand |
| k | coverage factor | dimensionless |
| L | limit or acceptance threshold | stated basis |
| M | engineering margin | stated basis |
| t | time, latency, duration, or mission interval | s, min, h |
| λ | failure rate | failures/time |
| R(t) | reliability over interval t | dimensionless |
| p | probability or success proportion | dimensionless |
| x | count of successes, defects, failures, or observations | count |
Keep each variable tied to the evidence record. A claim count, sample count, exposure time, or risk score has little value if it cannot be traced to configuration, protocol, data, reviewer, and acceptance criterion.
Traceability Closure
Full traceability closure:
Open claim count:
Evidence gap fraction:
Risk-link gap fraction:
Labeling-control gap fraction:
Traceability closure is not a popularity vote across rows. Missing evidence on a high-severity safety claim is more serious than several incomplete low-risk documentation rows.
Risk-Control Evidence Coverage
Risk-control verification coverage:
Validation coverage for user, workflow, or environment claims:
Configuration coverage:
Evidence strength gate:
The minimum gate is conservative. It prevents strong protocol completion from hiding weak configuration control, incomplete review, or missing validation context.
Risk Priority Number and Residual-Risk Screening
Risk priority number:
RPN reduction after a control:
Relative RPN reduction:
Residual-risk index for screening:
Weighted open-risk load:
where w_i may represent clinical criticality, detectability concern, exposure, or release priority. The weighting basis must be defined before the review.
RPN is useful for prioritization, not proof of safety. High severity can justify action even when occurrence or detection scores make the RPN appear moderate.
Measurement Error and Guard Bands
Measurement error:
Absolute error:
Relative error:
Independent combined standard uncertainty:
Expanded uncertainty:
Guarded pass margin for an absolute error limit:
Pass under this conservative rule requires:
If M < 0, the result is too close to the limit or outside it under the selected decision rule. The response may be repeat measurement, improved calibration, tighter fixture control, risk review, deviation disposition, or design change.
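The guarded decision rule, worked through as an added example that is not part of the original sheet. It assumes the usual forms u_c = sqrt(sum of u_i^2), U = k * u_c and M = L - (|e| + U) with pass at M >= 0; the budget components, limit, and error values are constructed.

```python
import math

# Constructed uncertainty budget (standard uncertainties, same unit as the measurand).
BUDGET = {"reference": 0.05, "fixture": 0.04, "resolution": 0.03}

def combined_uncertainty(budget):
    """Root-sum-square of independent standard uncertainty components."""
    return math.sqrt(sum(u * u for u in budget.values()))

def variance_shares(budget):
    """Fraction of combined variance per component: shows what to improve first."""
    total = sum(u * u for u in budget.values())
    return {name: u * u / total for name, u in budget.items()}

def guarded_margin(error, limit, budget, k=2.0):
    """Assumed rule: M = L - (|e| + U), with U = k * u_c."""
    expanded = k * combined_uncertainty(budget)
    return limit - (abs(error) + expanded)

def disposition(error, limit, budget, k=2.0):
    """Map the margin to a decision instead of a bare check of |e| <= L."""
    if abs(error) > limit:
        return "fail: outside limit"
    if guarded_margin(error, limit, budget, k) < 0:
        return "hold: inside limit but inside guard band"
    return "pass"

if __name__ == "__main__":
    limit = 0.50  # constructed acceptance limit on absolute error
    for error in (0.31, 0.42, -0.55):
        m = guarded_margin(error, limit, BUDGET)
        print(f"e={error:+.2f}  M={m:+.3f}  {disposition(error, limit, BUDGET)}")
    print(variance_shares(BUDGET))
```

The middle case is the one a plain limit check misses: the measured error is inside the limit, but the expanded uncertainty consumes the remaining margin.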
Signal Quality and Sensor Evidence
Voltage-ratio decibel form for equal impedance:
SNR margin:
Artifact exceedance fraction:
Use signal metrics only inside the stated bandwidth, electrode or sensor setup, accessory lot, algorithm version, and operating condition. A bench SNR result may not cover motion, skin interface, fluid ingress, cable routing, wireless coexistence, or user setup.
Electrical Safety Screening Margins
Ohm's law leakage-current estimate:
Insulation-resistance margin:
Leakage-current margin with uncertainty:
Pass under this guarded rule requires:
These equations are not a substitute for the required safety test method. They are useful for reviewing bench evidence, calibration, guard bands, and whether a design change is moving toward or away from the safety boundary.
Usability Validation Proportions
Observed task success proportion:
Observed use-error proportion:
Approximate one-sided lower confidence bound for success:
Approximate one-sided upper confidence bound for use error:
Usability evidence should distinguish total tasks from critical tasks. A high average success rate can still fail validation if one critical task creates unacceptable residual risk.
Software Timing, Alarm Latency, and Jitter
End-to-end alarm or response latency:
Timing margin:
Observed missed-deadline fraction:
Fault-recovery success fraction:
Timing evidence should state clock source, synchronization method, firmware build, scheduler load, network condition, packet loss, alarm state, and fault-injection coverage.
Reliability Exposure
Observed failure rate:
Exponential reliability screening:
Zero-failure one-sided lower MTBF screening bound:
Reliability calculations must state exposure basis: operating hours, clinical hours, cycles, starts, sterilization cycles, transport cycles, charging cycles, software transactions, or patient-use records. Mixing exposure bases can make a reliability claim meaningless.
Sterilization, Cleaning, and Process Evidence
Log reduction:
Process-parameter margin:
For a maximum allowed residual, temperature, dose, or contaminant:
Process-validation coverage:
A log-reduction calculation is not a sterilization validation by itself. Evidence also depends on process selection, load geometry, packaging, product materials, biological indicators or other method-specific evidence, residuals, storage, transport, revalidation triggers, and change control.
Acceptance Sampling and Process Capability
Sample defect fraction:
Acceptance rule:
Process capability:
One-sided capability:
Sampling and capability evidence should be connected to risk. A small sample may be acceptable for a low-risk dimensional screen and unacceptable for a high-severity safety feature. Capability estimates also depend on stable process behavior, measurement-system adequacy, and representative lots.
Change-Impact Coverage
Affected evidence coverage:
Retest coverage:
Justification closure:
Change release gate:
A supplier, material, sterilization, software, packaging, algorithm, tooling, or labeling change can invalidate old evidence. The calculation is only useful if affected items are identified from requirements, hazards, design outputs, process controls, and complaints, not just from document titles.
Release Gate
Critical release gate:
Open blocker count:
Conditional release margin:
A release recommendation should not reduce the decision to one number. It should identify blockers, accepted residual risks, assumptions, limitations, monitoring triggers, owners, and the exact configuration covered by the evidence.
Worked Check 1: Traceability and Release Gate
A design review has:
| State | Count |
|---|---|
| fully linked claim, requirement, risk control, and approved evidence | 44 |
| missing hazard or risk-control link | 6 |
| missing approved evidence | 4 |
| label claim outside controlled requirements | 2 |
Total claims:
Full closure:
Open claims:
Evidence gap:
Labeling-control gap:
Engineering interpretation: at this closure percentage the package is not release-ready. The four missing-evidence rows are blockers until tested or formally justified, and the two label claims outside controlled requirements are blockers because the device would make claims outside the controlled design evidence.
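An added example, not part of the original sheet, that computes the closure fractions from the table counts above and contrasts an averaged gate score with the minimum gate described under Risk-Control Evidence Coverage and Release Gate. The gate names, the non-traceability gate values, the 0.90 threshold, and the release rule itself are assumptions made for illustration.

```python
# Row states and counts from the Worked Check 1 table.
STATE_COUNTS = {
    "fully_linked": 44,
    "missing_risk_link": 6,
    "missing_evidence": 4,
    "label_outside_requirements": 2,
}
# States the interpretation above names as release blockers.
BLOCKING_STATES = ("missing_evidence", "label_outside_requirements")

def closure_report(counts):
    """Closure and gap fractions over all claims in the review."""
    total = sum(counts.values())
    return {
        "total": total,
        "closure": counts["fully_linked"] / total,
        "open": total - counts["fully_linked"],
        "evidence_gap": counts["missing_evidence"] / total,
        "risk_link_gap": counts["missing_risk_link"] / total,
        "labeling_gap": counts["label_outside_requirements"] / total,
        "blockers": sum(counts[s] for s in BLOCKING_STATES),
    }

def release_gate(gates, blockers, threshold):
    """Assumed rule: release only if the weakest gate passes and no blocker is open."""
    weakest = min(gates, key=gates.get)
    mean = sum(gates.values()) / len(gates)
    return {
        "mean_score": mean,
        "mean_would_pass": mean >= threshold,  # the averaging failure mode
        "weakest_gate": weakest,
        "min_score": gates[weakest],
        "release": gates[weakest] >= threshold and blockers == 0,
    }

def review(threshold=0.90):
    report = closure_report(STATE_COUNTS)
    # Gate values other than traceability closure are constructed.
    gates = {"protocol_completion": 1.00, "configuration_coverage": 0.98,
             "review_approval": 0.95, "traceability_closure": report["closure"]}
    return report, release_gate(gates, report["blockers"], threshold)

if __name__ == "__main__":
    report, gate = review()
    print(report)
    print(gate)
```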
Worked Check 2: Measurement Uncertainty Guard Band
A sensor accuracy requirement allows:
The measured device-reference error is:
The uncertainty budget gives:
Expanded uncertainty:
Engineering interpretation: the result passes this conservative decision rule with only 0.03 unit of margin. The release package should preserve the calibration record, fixture setup, reference uncertainty, environmental condition, software version, and raw data because a small configuration or drift change could consume the margin.
Worked Check 3: Usability Critical-Task Evidence
A simulated-use validation observes:
Observed success proportion:
Use a one-sided approximate screening value:
Standard error:
Lower bound:
Engineering interpretation: the observed success rate is high, but the approximate lower bound is only 92.9%. If the project criterion requires high confidence that critical-task success exceeds 95%, this evidence is not strong enough by itself. The team may need more participants, clearer task segmentation, stronger mitigation, or a risk-based justification tied to observed use errors.
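An added example, not part of the original sheet, that computes the approximate one-sided lower bound and, going beyond the approximation used here, the exact binomial (Clopper-Pearson) bound for comparison. The counts 58 of 60 are constructed so that the approximate bound lands near the 92.9% quoted above; they, the z value of 1.645, and alpha = 0.05 are assumptions.

```python
import math

def approx_lower_bound(x, n, z=1.645):
    """Normal-approximation one-sided lower bound: p - z * sqrt(p(1-p)/n)."""
    p = x / n
    return p - z * math.sqrt(p * (1 - p) / n)

def upper_tail(x, n, p):
    """P(X >= x) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(x, n + 1))

def exact_lower_bound(x, n, alpha=0.05):
    """Clopper-Pearson one-sided lower bound: the p at which P(X >= x) equals alpha."""
    if x == 0:
        return 0.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the tail probability increases with p
        mid = (lo + hi) / 2
        if upper_tail(x, n, mid) < alpha:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def screen(x, n, criterion):
    """Compare both bounds to the criterion; the more conservative one decides."""
    approx = approx_lower_bound(x, n)
    exact = exact_lower_bound(x, n)
    return {"observed": x / n, "approx_lower": approx, "exact_lower": exact,
            "meets_criterion": min(approx, exact) >= criterion}

if __name__ == "__main__":
    # Constructed study sizes: 58/60 successes, then a perfect 60/60 run.
    for x, n in ((58, 60), (60, 60)):
        print(x, n, screen(x, n, criterion=0.95))
```

With all 60 tasks successful the normal approximation collapses to a bound of 1.0 because its standard error is zero, while the exact bound stays finite, so the approximation should be treated as a screening value only when the success proportion is near 1.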
Worked Check 4: Timing and Reliability Evidence
An alarm response test reports:
Timing margin:
The same pilot accumulates:
For a one-sided 90% screening bound:
Engineering interpretation: the timing result has positive margin under the selected decision rule, but the zero-failure reliability exposure is only a preliminary bound for the tested configuration and environment. It does not prove field reliability across all users, accessories, cleaning cycles, battery states, networks, software states, or service actions.
Common Failure Modes
Common calculation failures include:
- counting a claim as closed when the evidence does not match the released configuration;
- averaging release gates so that one failed safety gate disappears inside a high score;
- treating RPN reduction as proof that residual risk is acceptable;
- using uncertainty without stating the decision rule;
- reporting task success while ignoring a critical use error;
- using bench signal quality to support untested motion, cable, accessory, or workflow conditions;
- treating zero observed failures as proof of reliability without exposure boundaries;
- applying a log-reduction equation as a substitute for process validation;
- accepting a change because documentation changed, while affected risk controls and retests remain open.
Review Checklist
Before using a calculation in a release package, verify that it states:
- the exact device, accessory, software, labeling, user, and environment configuration;
- the requirement, hazard, risk control, protocol, raw data, acceptance criterion, and reviewer;
- measurement uncertainty, sample basis, exposure basis, and decision rule;
- whether the evidence supports verification, validation, risk-control verification, process validation, change impact, or release;
- blockers, deviations, accepted residual risks, monitoring triggers, and limitations.
The engineering value of these formulas is traceability. They make weak assumptions visible, help reviewers compare evidence consistently, and prevent release decisions from being supported by disconnected measurements.