
Medical Device Verification, Validation, and Risk Management Formula Sheet

Medical device V&V formulas for traceability, risk controls, uncertainty guard bands, usability validation, timing, reliability, sampling, and release gates.

This formula sheet collects engineering calculations used to review medical device verification, validation, risk-control evidence, traceability closure, uncertainty margins, usability evidence, software timing, reliability exposure, process validation evidence, acceptance sampling, and release readiness.

The equations are screening and documentation tools. They do not replace the applicable quality system, risk management procedure, standards, professional review, regulatory submission requirements, clinical evaluation, usability process, software lifecycle controls, cybersecurity review, biological evaluation, sterilization validation, or market-specific approval process.

Basis and Boundaries

State these items before calculating:

  1. device, accessory, software version, configuration, intended use, user group, and use environment;
  2. claim, requirement, hazard, hazardous situation, risk control, protocol, acceptance criterion, and evidence record;
  3. measured quantity, reference method, uncertainty, sample, population, and operating condition;
  4. whether the calculation supports design verification, validation, risk-control verification, process validation, change impact, or release review;
  5. the decision rule that converts the result into pass, fail, repeat test, deviation, risk review, or release block.

A high numerical score is not a substitute for objective evidence. A release package can fail because one high-severity risk control lacks evidence, even if most low-risk rows are complete.

Symbols

Symbol | Meaning | Typical unit
N | count of claims, requirements, controls, tasks, samples, or records | count
N_c | count satisfying a criterion | count
C | closure, coverage, or completion fraction | dimensionless
S, O, D | severity, occurrence, and detection scores | score
RPN | risk priority number | score
u_c | combined standard uncertainty | same as measurand
U | expanded uncertainty | same as measurand
k | coverage factor | dimensionless
L | limit or acceptance threshold | stated basis
M | engineering margin | stated basis
t | time, latency, duration, or mission interval | s, min, h
\lambda | failure rate | failures/time
R(t) | reliability over interval t | dimensionless
p | probability or success proportion | dimensionless
x | count of successes, defects, failures, or observations | count

Keep each variable tied to the evidence record. A claim count, sample count, exposure time, or risk score has little value if it cannot be traced to configuration, protocol, data, reviewer, and acceptance criterion.

Traceability Closure

Full traceability closure:

\displaystyle C_{full}=\frac{N_{claim\rightarrow req\rightarrow risk\rightarrow control\rightarrow evidence}}{N_{claims}}

Open claim count:

N_{open}=N_{claims}-N_{closed}

Evidence gap fraction:

\displaystyle G_{evidence}=\frac{N_{missing\ approved\ evidence}}{N_{claims}}

Risk-link gap fraction:

\displaystyle G_{risk}=\frac{N_{missing\ hazard\ or\ control\ link}}{N_{claims}}

Labeling-control gap fraction:

\displaystyle G_{label}=\frac{N_{label\ claims\ outside\ controlled\ requirements}}{N_{claims}}

Traceability closure is not a popularity vote across rows. Missing evidence on a high-severity safety claim is more serious than several incomplete low-risk documentation rows.

Risk-Control Evidence Coverage

Risk-control verification coverage:

\displaystyle C_{control}=\frac{N_{risk\ controls\ with\ accepted\ evidence}}{N_{risk\ controls\ required}}

Validation coverage for user, workflow, or environment claims:

\displaystyle C_{validation}=\frac{N_{claims\ validated\ in\ representative\ use}}{N_{claims\ requiring\ validation}}

Configuration coverage:

\displaystyle C_{config}=\frac{N_{evidence\ records\ matching\ released\ configuration}}{N_{evidence\ records}}

Evidence strength gate:

G_{strength}=\min(C_{control},C_{validation},C_{config},C_{review})

where C_{review} is the fraction of evidence records with a completed and approved review.

The minimum gate is conservative. It prevents strong protocol completion from hiding weak configuration control, incomplete review, or missing validation context.

Risk Priority Number and Residual-Risk Screening

Risk priority number:

RPN=S\cdot O\cdot D

RPN reduction after a control:

\Delta RPN=RPN_0-RPN_1

Relative RPN reduction:

\displaystyle r_{RPN}=\frac{RPN_0-RPN_1}{RPN_0}

Residual-risk index for screening:

I_{res}=S_{res}\cdot O_{res}

Weighted open-risk load:

L_{risk}=\sum_i w_i I_{res,i}

where w_i may represent clinical criticality, detectability concern, exposure, or release priority. The weighting basis must be defined before the review.

RPN is useful for prioritization, not proof of safety. High severity can justify action even when occurrence or detection scores make the RPN appear moderate.
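The ranking point above is easiest to see with numbers. The following is an added example, not part of the formula sheet: the hazard rows, the 1 to 10 score scales, and the severity floor of 8 are constructed assumptions chosen so that pure RPN ordering and severity-first ordering disagree.

```python
from dataclasses import dataclass

# Constructed example rows; scores use an assumed 1..10 scale for S, O and D.
@dataclass(frozen=True)
class RiskRow:
    hazard: str
    S: int   # severity
    O: int   # occurrence
    D: int   # detection (higher = harder to detect)

    @property
    def rpn(self) -> int:
        return self.S * self.O * self.D

ROWS = [
    RiskRow("display lag hides alarm", S=9, O=2, D=2),    # RPN 36
    RiskRow("cosmetic label smudge", S=2, O=8, D=7),      # RPN 112
    RiskRow("battery gauge drift", S=5, O=5, D=5),        # RPN 125
    RiskRow("wrong dose entry accepted", S=10, O=3, D=4), # RPN 120
]

def rank_by_rpn(rows):
    """Pure RPN ordering: the two high-severity rows land 2nd and last."""
    return [r.hazard for r in sorted(rows, key=lambda r: r.rpn, reverse=True)]

def rank_severity_first(rows, severity_floor=8):
    """Severity gate first (assumed floor), then RPN inside each group.
    Rows at or above the floor need action regardless of O and D."""
    high = sorted((r for r in rows if r.S >= severity_floor),
                  key=lambda r: (r.S, r.rpn), reverse=True)
    rest = sorted((r for r in rows if r.S < severity_floor),
                  key=lambda r: r.rpn, reverse=True)
    return [r.hazard for r in high + rest]

def rpn_reduction(before: RiskRow, after: RiskRow):
    """Delta RPN and relative reduction r_RPN after a control is applied."""
    delta = before.rpn - after.rpn
    return delta, delta / before.rpn

def weighted_open_risk_load(rows, weights):
    """L_risk = sum_i w_i * I_res,i with I_res = S * O; weights are fixed
    before the review and looked up by hazard name."""
    return sum(weights[r.hazard] * r.S * r.O for r in rows)
```

A control that lowers occurrence and detection on the dose-entry row from (3, 4) to (1, 2) cuts its RPN from 120 to 20, a relative reduction of 0.83, yet the row stays at the top of the severity-first list because S is unchanged.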

Measurement Error and Guard Bands

Measurement error:

e=x_{device}-x_{reference}

Absolute error:

|e|=|x_{device}-x_{reference}|

Relative error:

\displaystyle e_r=\frac{x_{device}-x_{reference}}{x_{reference}}

Independent combined standard uncertainty:

u_c=\sqrt{\sum_i (c_i u_i)^2}

where c_i is the sensitivity coefficient of input i and u_i its standard uncertainty. This quadrature form assumes uncorrelated inputs; correlated inputs need covariance terms.

Expanded uncertainty:

U=k u_c

Guarded pass margin for an absolute error limit:

M=L-(|e|+U)

Pass under this conservative rule requires:

M\geq 0

If M<0, the result is too close to the limit or outside it under the selected decision rule. The response may be repeat measurement, improved calibration, tighter fixture control, risk review, deviation disposition, or design change.

Signal Quality and Sensor Evidence

Signal-to-noise ratio:

\displaystyle SNR=\frac{P_{signal}}{P_{noise}}

Voltage-ratio decibel form for equal impedance:

\displaystyle SNR_{dB}=20\log_{10}\left(\frac{V_{signal}}{V_{noise}}\right)

SNR margin:

M_{SNR}=SNR_{measured,dB}-SNR_{limit,dB}

Artifact exceedance fraction:

\displaystyle F_{artifact}=\frac{N_{records\ exceeding\ artifact\ limit}}{N_{records}}

Use signal metrics only inside the stated bandwidth, electrode or sensor setup, accessory lot, algorithm version, and operating condition. A bench SNR result may not cover motion, skin interface, fluid ingress, cable routing, wireless coexistence, or user setup.

Electrical Safety Screening Margins

Ohm's law leakage-current estimate:

\displaystyle I=\frac{V}{R}

Insulation-resistance margin:

M_R=R_{measured}-R_{limit}

Leakage-current margin with uncertainty:

M_I=I_{limit}-(I_{measured}+U_I)

Pass under this guarded rule requires:

M_R\geq 0\quad \text{and}\quad M_I\geq 0

These equations are not a substitute for the required safety test method. They are useful for reviewing bench evidence, calibration, guard bands, and whether a design change is moving toward or away from the safety boundary.

Usability Validation Proportions

Observed task success proportion:

\displaystyle \hat{p}=\frac{x}{n}

Observed use-error proportion:

\displaystyle \hat{q}=\frac{N_{use\ errors}}{N_{task\ opportunities}}

Approximate one-sided lower confidence bound for success (normal approximation):

\displaystyle p_L\approx \hat{p}-z_{\alpha}\sqrt{\frac{\hat{p}(1-\hat{p})}{n}}

Approximate one-sided upper confidence bound for use error (normal approximation):

\displaystyle q_U\approx \hat{q}+z_{\alpha}\sqrt{\frac{\hat{q}(1-\hat{q})}{n}}

These approximations are screening values only. When \hat{p} is close to 1, or n(1-\hat{p}) is below about 5, the normal approximation overstates the lower bound; an exact binomial (Clopper-Pearson) bound is lower and should be used for the acceptance decision.

Usability evidence should distinguish total tasks from critical tasks. A high average success rate can still fail validation if one critical task creates unacceptable residual risk.

Software Timing, Alarm Latency, and Jitter

End-to-end alarm or response latency:

t_{E2E}=t_{sense}+t_{filter}+t_{compute}+t_{queue}+t_{communicate}+t_{display}+t_{alarm}

Timing margin:

M_t=t_{limit}-(t_{measured}+U_t)

Jitter:

J=t_{max}-t_{min}

Observed missed-deadline fraction:

\displaystyle F_{miss}=\frac{N_{deadline\ misses}}{N_{trials}}

Fault-recovery success fraction:

\displaystyle C_{recovery}=\frac{N_{faults\ recovered\ within\ limit}}{N_{faults\ injected}}

Timing evidence should state clock source, synchronization method, firmware build, scheduler load, network condition, packet loss, alarm state, and fault-injection coverage.

Reliability Exposure

Observed failure rate:

\displaystyle \hat{\lambda}=\frac{N_f}{T_{exposure}}

Mean time between failures:

\displaystyle MTBF=\frac{T_{exposure}}{N_f}

Exponential reliability screening:

R(t)=e^{-\lambda t}=e^{-t/MTBF}

Zero-failure one-sided lower MTBF screening bound:

\displaystyle MTBF_{CL}\geq \frac{T_{exposure}}{-\ln(1-CL)}

Reliability calculations must state exposure basis: operating hours, clinical hours, cycles, starts, sterilization cycles, transport cycles, charging cycles, software transactions, or patient-use records. Mixing exposure bases can make a reliability claim meaningless.

Sterilization, Cleaning, and Process Evidence

Log reduction:

\displaystyle LR=\log_{10}\left(\frac{N_0}{N_f}\right)

Process-parameter margin:

M_{process}=P_{measured}-P_{minimum}

For a maximum allowed residual, temperature, dose, or contaminant:

M_{limit}=L_{max}-(x_{measured}+U_x)

Process-validation coverage:

\displaystyle C_{process}=\frac{N_{validated\ process\ states}}{N_{required\ process\ states}}

A log-reduction calculation is not a sterilization validation by itself. Evidence also depends on process selection, load geometry, packaging, product materials, biological indicators or other method-specific evidence, residuals, storage, transport, revalidation triggers, and change control.

Acceptance Sampling and Process Capability

Sample defect fraction:

\displaystyle \hat{d}=\frac{x_{defective}}{n}

Acceptance rule:

\text{accept if }x_{defective}\leq c

Process capability:

\displaystyle C_p=\frac{USL-LSL}{6\sigma}

Centering-adjusted capability (the smaller of the two one-sided indices):

\displaystyle C_{pk}=\min\left(\frac{USL-\mu}{3\sigma},\frac{\mu-LSL}{3\sigma}\right)

Sampling and capability evidence should be connected to risk. A small sample may be acceptable for a low-risk dimensional screen and unacceptable for a high-severity safety feature. Capability estimates also depend on stable process behavior, measurement-system adequacy, and representative lots.
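The risk argument above can be quantified with the operating characteristic of the sampling plan and with a capability calculation from sample data. The following is an added example, not part of the formula sheet: the plan sizes, the lot tolerance percent defective (LTPD), the consumer risk of 0.10, the specification limits and the ten measurements are constructed values.

```python
import math
import statistics

def binom_cdf(c: int, n: int, p: float) -> float:
    """P(X <= c) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, k) * p**k * (1 - p)**(n - k) for k in range(c + 1))

def accept_probability(n: int, c: int, lot_defect_fraction: float) -> float:
    """Operating-characteristic value of the single sampling plan (n, c):
    the probability that a lot with the given true defect fraction passes
    the rule 'accept if x_defective <= c'."""
    return binom_cdf(c, n, lot_defect_fraction)

def min_sample_zero_acceptance(ltpd: float, beta: float = 0.10) -> int:
    """Smallest n for a c = 0 plan such that a lot at LTPD is accepted with
    probability at most beta: (1 - ltpd)^n <= beta."""
    return math.ceil(math.log(beta) / math.log(1 - ltpd))

def capability(values, lsl: float, usl: float):
    """C_p and C_pk from sample data. Uses the sample standard deviation and
    assumes a stable process and an adequate measurement system."""
    mu = statistics.mean(values)
    sigma = statistics.stdev(values)
    cp = (usl - lsl) / (6 * sigma)
    cpk = min((usl - mu) / (3 * sigma), (mu - lsl) / (3 * sigma))
    return {"mean": mu, "sigma": sigma, "Cp": cp, "Cpk": cpk}

# Constructed measurements of a dimension with limits 9.90 .. 10.10 (unit
# arbitrary); the process is deliberately off-centre toward the upper limit.
SAMPLE = [10.02, 10.05, 9.98, 10.07, 10.04, 10.01, 10.06, 10.03, 10.00, 10.05]
LSL, USL = 9.90, 10.10

def screening_plan_weakness(n: int = 20, c: int = 0, ltpd: float = 0.05) -> float:
    """How often a 20-piece, zero-defect screen accepts a 5 % defective lot."""
    return accept_probability(n, c, ltpd)
```

A 20-piece, accept-on-zero screen still passes a 5 % defective lot about 36 % of the time; holding that acceptance probability to 0.10 needs 45 pieces at 5 % LTPD and 230 pieces at 1 % LTPD, which is why a sample size must be justified against the severity of the feature rather than copied from a low-risk screen. The constructed sample gives C_p above 1 but C_pk near 0.8, so the spread fits the tolerance while the centering does not.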

Change-Impact Coverage

Affected evidence coverage:

\displaystyle C_{change}=\frac{N_{affected\ items\ assessed}}{N_{affected\ items}}

Retest coverage:

\displaystyle C_{retest}=\frac{N_{required\ retests\ completed}}{N_{required\ retests}}

Justification closure:

\displaystyle C_{justify}=\frac{N_{no\ retest\ justifications\ approved}}{N_{no\ retest\ justifications}}

Change release gate:

G_{change}=\min(C_{change},C_{retest},C_{justify},C_{config})

A supplier, material, sterilization, software, packaging, algorithm, tooling, or labeling change can invalidate old evidence. The calculation is only useful if affected items are identified from requirements, hazards, design outputs, process controls, and complaints, not just from document titles.

Release Gate

Critical release gate:

G_{release}=\min(C_{full},C_{control},C_{validation},C_{uncertainty},C_{deviation},C_{config},C_{change})

where C_{uncertainty} is the fraction of quantitative results reported with a stated decision rule and guard band, and C_{deviation} is the fraction of deviations with an approved disposition.

Open blocker count:

N_{block}=N_{failed\ critical\ tests}+N_{unclosed\ high\ risks}+N_{unjustified\ deviations}+N_{configuration\ gaps}

Conditional release margin:

M_{release}=N_{allowed\ conditions}-N_{open\ conditions}

A release recommendation should not reduce the decision to one number. It should identify blockers, accepted residual risks, assumptions, limitations, monitoring triggers, owners, and the exact configuration covered by the evidence.

Worked Check 1: Traceability and Release Gate

A design review has:

State | Count
fully linked claim, requirement, risk control, and approved evidence | 44
missing hazard or risk-control link | 6
missing approved evidence | 4
label claim outside controlled requirements | 2

Total claims:

N_{claims}=44+6+4+2=56

Full closure:

\displaystyle C_{full}=\frac{44}{56}=0.786=78.6\%

Open claims:

N_{open}=56-44=12

Evidence gap:

\displaystyle G_{evidence}=\frac{4}{56}=7.1\%

Labeling-control gap:

\displaystyle G_{label}=\frac{2}{56}=3.6\%

Engineering interpretation: the closure percentage is not release-ready. The four missing evidence rows are blockers until tested or formally justified, and the two label claims outside controlled requirements are blockers because the device would make claims outside the controlled design evidence.
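The same review expressed as code, covering the traceability fractions, the per-claim configuration check, the minimum-not-average gate, and the blocker rule stated in this worked check. This is an added example, not part of the formula sheet: the claim records are constructed to reproduce the counts above, the three-level severity scale is assumed, and the blocker rule in the comments is one project's decision rule, not a standard requirement.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Claim:
    ident: str
    severity: str            # "high", "medium" or "low" (assumed scale)
    controlled_req: bool     # claim traced to a controlled requirement
    risk_linked: bool        # hazard / risk-control link present
    evidence_approved: bool  # approved evidence record exists
    config_match: bool       # evidence matches the released configuration

    @property
    def closed(self) -> bool:
        """Full closure: claim -> requirement -> risk -> control -> evidence."""
        return (self.controlled_req and self.risk_linked
                and self.evidence_approved and self.config_match)

def make(n, prefix, severity, **flags):
    """Build n constructed claims that are fully closed except for `flags`."""
    base = dict(controlled_req=True, risk_linked=True,
                evidence_approved=True, config_match=True)
    base.update(flags)
    return [Claim(f"{prefix}{i}", severity, **base) for i in range(n)]

# Constructed to match Worked Check 1: 44 closed, 6 missing risk link
# (one of them high severity), 4 missing evidence, 2 uncontrolled label claims.
CLAIMS = (make(44, "ok", "low")
          + make(1, "risk-hi", "high", risk_linked=False)
          + make(5, "risk-lo", "low", risk_linked=False)
          + make(4, "ev", "medium", evidence_approved=False)
          + make(2, "lbl", "low", controlled_req=False))

def traceability_metrics(claims):
    n = len(claims)
    closed = sum(c.closed for c in claims)
    return {
        "N_claims": n,
        "C_full": closed / n,
        "N_open": n - closed,
        "G_evidence": sum(not c.evidence_approved for c in claims) / n,
        "G_risk": sum(not c.risk_linked for c in claims) / n,
        "G_label": sum(not c.controlled_req for c in claims) / n,
        "C_config": sum(c.config_match for c in claims) / n,  # per-claim form
    }

def blockers(claims):
    """Assumed decision rule: missing approved evidence, an uncontrolled label
    claim, or a configuration mismatch blocks release at any severity; a
    missing hazard/control link blocks only at high severity and otherwise
    goes to risk review."""
    return [c.ident for c in claims
            if not c.evidence_approved or not c.controlled_req
            or not c.config_match
            or (c.severity == "high" and not c.risk_linked)]

def gate(fractions):
    """A release gate is the minimum of its coverage fractions."""
    return min(fractions)

def averaged_gate(fractions):
    """The wrong aggregation, kept only to show how a failed gate vanishes."""
    return mean(fractions)
```

With the constructed records the functions return C_full = 44/56, N_open = 12 and seven blockers: the four missing-evidence rows, the two uncontrolled label claims, and the one high-severity row without a risk link. The averaged gate over (1.0, 0.95, 0.0) reports 0.65 where the minimum gate correctly reports 0.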

Worked Check 2: Measurement Uncertainty Guard Band

A sensor accuracy requirement allows:

L=0.50\ \text{unit}

The measured device-reference error is:

e=0.38\ \text{unit}

The uncertainty budget gives:

u_c=0.045\ \text{unit},\quad k=2

Expanded uncertainty:

U=ku_c=2(0.045)=0.090\ \text{unit}

Guarded margin:

M=L-(|e|+U)=0.50-(0.38+0.09)=0.03\ \text{unit}

Engineering interpretation: the result passes this conservative decision rule with only 0.03 unit of margin. The release package should preserve the calibration record, fixture setup, reference uncertainty, environmental condition, software version, and raw data because a small configuration or drift change could consume the margin.
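The guard-band rule is the same whether the limit is an accuracy error, a leakage current, an alarm latency, or a maximum residual, so one function serves the margin equations in the measurement, electrical safety, timing, and process sections. The following is an added example, not part of the formula sheet: the four-line uncertainty budget is constructed so that it reproduces u_c = 0.045 unit from this worked check, and its component values and the temperature sensitivity coefficient are assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    u: float          # standard uncertainty of the input quantity
    c: float = 1.0    # sensitivity coefficient, measurand units per input unit

def combined_uncertainty(components) -> float:
    """u_c = sqrt(sum (c_i u_i)^2); valid only for uncorrelated inputs."""
    return math.sqrt(sum((comp.c * comp.u) ** 2 for comp in components))

def expanded_uncertainty(u_c: float, k: float = 2.0) -> float:
    """U = k u_c; k = 2 is roughly 95 % coverage for a normal distribution."""
    return k * u_c

def guarded_margin(limit: float, observed: float, U: float) -> float:
    """M = L - (|x| + U): the observed value plus its expanded uncertainty
    must fit inside the limit. Serves |e| against an accuracy limit,
    I_measured against I_limit, t_measured against t_limit, and
    x_measured against L_max."""
    return limit - (abs(observed) + U)

def decide(margin: float) -> str:
    """Decision rule: pass only when the guarded margin is non-negative."""
    return "pass" if margin >= 0 else "fail or review"

# Constructed budget; the temperature row shows a non-unity sensitivity
# coefficient: 2.0 degC standard uncertainty at 0.005 unit per degC.
BUDGET = [
    Component("reference standard (certificate)", u=0.030),
    Component("repeatability (type A, std of mean)", u=0.025),
    Component("fixture alignment", u=0.020),
    Component("temperature, 2.0 degC at 0.005 unit/degC", u=2.0, c=0.005),
]

def worked_check_2(limit: float = 0.50, error: float = 0.38, k: float = 2.0):
    """Returns (u_c, U, M, decision) for the sensor accuracy example."""
    u_c = combined_uncertainty(BUDGET)
    U = expanded_uncertainty(u_c, k)
    M = guarded_margin(limit, error, U)
    return u_c, U, M, decide(M)

def worked_check_4_timing(limit: float = 2.00, t_measured: float = 1.72,
                          U_t: float = 0.08):
    """Same rule applied to the alarm latency example."""
    M = guarded_margin(limit, t_measured, U_t)
    return M, decide(M)
```

Running the budget gives u_c = 0.045, U = 0.090 and M = 0.03 unit, matching the check above; the timing variant returns 0.20 s. Negative errors are handled by the absolute value, so a device reading 0.38 unit low is treated exactly like one reading 0.38 unit high.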

Worked Check 3: Usability Critical-Task Evidence

A simulated-use validation observes:

x=58\ \text{successful critical tasks},\quad n=60

Observed success proportion:

\displaystyle \hat{p}=\frac{58}{60}=0.9667

Use a one-sided approximate screening value:

z_{\alpha}=1.645

Standard error:

\displaystyle SE=\sqrt{\frac{0.9667(1-0.9667)}{60}}=0.0232

Lower bound:

p_L\approx 0.9667-1.645(0.0232)=0.9285

Engineering interpretation: the observed success rate is high, but the approximate lower bound is only 92.9\%. If the project criterion requires high confidence that critical-task success exceeds 95\%, this evidence is not strong enough by itself. The team may need more participants, clearer task segmentation, stronger mitigation, or a risk-based justification tied to observed use errors.
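The lower bound in this worked check comes from the normal approximation, which is doubtful when only two of sixty critical tasks failed. The following is an added example, not part of the formula sheet: it reproduces the approximate bound and then computes the exact one-sided Clopper-Pearson bound with the standard library only, assuming the one-sided 95 % level (z = 1.645) and the 95 % critical-task criterion used above.

```python
import math

Z_ALPHA_05 = 1.645   # one-sided z for alpha = 0.05, as in Worked Check 3

def wald_lower(x: int, n: int, z: float = Z_ALPHA_05) -> float:
    """p_L ~ p_hat - z sqrt(p_hat (1 - p_hat) / n): the sheet's screening
    formula. It overstates the bound when n (1 - p_hat) is small."""
    p = x / n
    return p - z * math.sqrt(p * (1 - p) / n)

def binom_tail_ge(x: int, n: int, p: float) -> float:
    """P(X >= x) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, k) * p**k * (1 - p)**(n - k)
               for k in range(x, n + 1))

def exact_lower(x: int, n: int, conf: float = 0.95, tol: float = 1e-9) -> float:
    """One-sided Clopper-Pearson lower bound: the p_L at which observing
    at least x successes has probability alpha = 1 - conf. The tail is
    monotone in p, so bisection is enough."""
    if x == 0:
        return 0.0
    alpha = 1.0 - conf
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binom_tail_ge(x, n, mid) < alpha:
            lo = mid      # tail still too small, p_L lies above mid
        else:
            hi = mid
    return lo

def exact_upper(x: int, n: int, conf: float = 0.95) -> float:
    """One-sided upper bound for a use-error proportion, via the mirror
    count: X ~ Bin(n, q) implies n - X ~ Bin(n, 1 - q)."""
    return 1.0 - exact_lower(n - x, n, conf)

def critical_task_check(x: int, n: int, required: float = 0.95):
    """Both bounds and the acceptance decision against the exact bound."""
    wald = wald_lower(x, n)
    exact = exact_lower(x, n)
    return {"p_hat": x / n, "wald_lower": wald, "exact_lower": exact,
            "meets_requirement": exact >= required}
```

For 58 of 60 the approximate bound is 0.9285 while the exact bound is just under 0.90, so the evidence is about three points weaker than the screening value suggests; the mirrored upper bound on the use-error proportion (2 of 60) is correspondingly just above 0.10.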

Worked Check 4: Timing and Reliability Evidence

An alarm response test reports:

t_{measured}=1.72\ \text{s},\quad U_t=0.08\ \text{s},\quad t_{limit}=2.00\ \text{s}

Timing margin:

M_t=2.00-(1.72+0.08)=0.20\ \text{s}

The same pilot accumulates:

T_{exposure}=2400\ \text{h},\quad N_f=0

For a one-sided 90\% screening bound:

\displaystyle MTBF_{90}\geq \frac{2400}{-\ln(1-0.90)}=\frac{2400}{2.303}=1042\ \text{h}

Engineering interpretation: the timing result has positive margin under the selected decision rule, but the zero-failure reliability exposure is only a preliminary bound for the tested configuration and environment. It does not prove field reliability across all users, accessories, cleaning cycles, battery states, networks, software states, or service actions.
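The zero-failure bound is one point on a family: a time-truncated test with r observed failures gives a lower MTBF bound from the Poisson count model, and the zero-failure formula is the r = 0 member. The following is an added example, not part of the formula sheet: it reproduces the 2400 h zero-failure bound, extends it to r failures without a chi-square table, and refuses to pool exposure recorded on different bases. The exposure records and basis labels are constructed.

```python
import math

def failure_rate(n_f: int, t_exposure: float) -> float:
    """lambda_hat = N_f / T_exposure."""
    return n_f / t_exposure

def reliability(t: float, mtbf: float) -> float:
    """Exponential screening model R(t) = exp(-t / MTBF); constant hazard."""
    return math.exp(-t / mtbf)

def zero_failure_mtbf_bound(t_exposure: float, cl: float) -> float:
    """The sheet's zero-failure bound: T / (-ln(1 - CL))."""
    return t_exposure / -math.log(1.0 - cl)

def poisson_cdf(r: int, mu: float) -> float:
    """P(X <= r) for X ~ Poisson(mu)."""
    return sum(math.exp(-mu) * mu**k / math.factorial(k) for k in range(r + 1))

def mtbf_lower_bound(t_exposure: float, n_f: int, cl: float,
                     tol: float = 1e-10) -> float:
    """One-sided lower MTBF bound after n_f failures in t_exposure.
    Finds the expected count mu = lambda_U T at which P(X <= n_f | mu)
    equals 1 - CL, then returns T / mu. This equals 2T / chi2(CL, 2 n_f + 2)
    and reduces to the zero-failure formula when n_f = 0."""
    target = 1.0 - cl
    lo, hi = 0.0, float(n_f + 1)
    while poisson_cdf(n_f, hi) > target:   # widen until the CDF falls below target
        hi *= 2
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if poisson_cdf(n_f, mid) > target:
            lo = mid
        else:
            hi = mid
    return t_exposure / hi

def pooled_exposure(records):
    """records: (amount, basis) pairs. Exposure may be summed only within one
    stated basis; mixing operating hours with cycles makes the bound meaningless."""
    bases = {basis for _, basis in records}
    if len(bases) != 1:
        raise ValueError(f"mixed exposure bases: {sorted(bases)}")
    return sum(amount for amount, _ in records)

# Constructed pilot records, both on the same operating-hour basis.
PILOT = [(1000.0, "operating hours"), (1400.0, "operating hours")]

def worked_check_4_reliability(cl: float = 0.90):
    """Zero-failure bound for the constructed pilot and R(100 h) at that MTBF."""
    T = pooled_exposure(PILOT)
    mtbf = mtbf_lower_bound(T, 0, cl)
    return T, mtbf, reliability(100.0, mtbf)
```

With 2400 h and no failures the general routine returns 1042 h at 90 %, agreeing with the closed form; a single observed failure in the same exposure drops the bound to about 617 h, which is the kind of sensitivity a reviewer should expect from a short pilot.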

Common Failure Modes

Common calculation failures include:

  • counting a claim as closed when the evidence does not match the released configuration;
  • averaging release gates so that one failed safety gate disappears inside a high score;
  • treating RPN reduction as proof that residual risk is acceptable;
  • using uncertainty without stating the decision rule;
  • reporting task success while ignoring a critical use error;
  • using bench signal quality to support untested motion, cable, accessory, or workflow conditions;
  • treating zero observed failures as proof of reliability without exposure boundaries;
  • applying a log-reduction equation as a substitute for process validation;
  • accepting a change because documentation changed, while affected risk controls and retests remain open.

Review Checklist

Before using a calculation in a release package, verify that it states:

  1. the exact device, accessory, software, labeling, user, and environment configuration;
  2. the requirement, hazard, risk control, protocol, raw data, acceptance criterion, and reviewer;
  3. measurement uncertainty, sample basis, exposure basis, and decision rule;
  4. whether the evidence supports verification, validation, risk-control verification, process validation, change impact, or release;
  5. blockers, deviations, accepted residual risks, monitoring triggers, and limitations.

The engineering value of these formulas is traceability. They make weak assumptions visible, help reviewers compare evidence consistently, and prevent release decisions from being supported by disconnected measurements.
