# PRISM — Product Safety Risk Assessment Methodology (severity × probability matrix)

Canonical, citable source document for the IACE severity/probability risk-matrix anchors. PRISM gives a complete, openly-licensed severity-of-harm × probability risk-rating method that maps directly onto the IACE S (severity) and W (frequency/probability) tiers and the four-level risk output.

## Source

- **Source:** UK Office for Product Safety & Standards (OPSS), Dept. for Business & Trade
- **Doc:** Product Safety Risk Assessment Methodology (PRISM), *A Guide for GB Market Surveillance Authorities*, Version 2.0, October 2024 (52 pp.)
- **License:** Open Government Licence v3.0 (OGL v3) — reuse permitted with attribution
- **Attribution:** `Source: OPSS, PRISM v2.0 (Oct 2024), © Crown copyright, licensed under the Open Government Licence v3.0`
- **Retrieved:** 2026-06
- **URL (guidance):** https://www.gov.uk/guidance/product-safety-risk-assessment-methodology-prism
- **URL (PDF):** https://assets.publishing.service.gov.uk/media/66fd385ae84ae1fd8592ec93/prism-guidance-v02.pdf

**Safety Gate / RAPEX alignment:** PRISM is the GB revision of the EU Safety Gate (RAPEX) risk-assessment guidance (Commission Implementing Decision (EU) 2019/417). It retains the same severity × probability structure and the same four resulting risk levels (Serious / High / Medium / Low), so the matrix below is broadly interoperable with the EU Safety Gate methodology.

## Risk-assessment model

Risk = f(severity of harm, probability of harm). The assessor builds one or more **harm scenarios** (3–5 steps: hazard exists → exposure occurs → exposure causes harm), then determines (v) severity and (vi) probability and reads off the risk level. The four output risk levels are **Serious, High, Medium, Low**.

### Severity-of-harm levels (PRISM Table 2)

Four levels, by reversibility and treatment required. (Descriptions distilled; the standard's full clinical example lists are not reproduced.)

| Level | Description (severity of harm) |
|---|---|
| 1 | Minor: after basic first aid does not substantially hamper functioning or cause excessive pain; consequences usually fully reversible. |
| 2 | Moderate: A&E visit may be needed, hospitalisation generally not; functioning affected for a limited period (≤ ~6 months), recovery more or less complete. |
| 3 | Serious: normally requires hospitalisation; affects functioning for > 6 months or causes permanent loss of function. |
| 4 | Critical/fatal: is or could be fatal (incl. brain death); reproductive harm; severe loss of limbs/function (> ~10% disability). |

Each level also carries a "potential for multiple casualties?" (Yes/No) flag.

### Probability-of-harm bands (PRISM Table 3, row axis)

Probability that the harm scenario materialises over the product lifetime, in eight bands. Per-step probabilities are multiplied to give the overall figure.

| Band | Probability over product lifetime |
|---|---|
| 1 | > 50 % |
| 2 | > 1 in 10 |
| 3 | > 1 in 100 |
| 4 | > 1 in 1,000 |
| 5 | > 1 in 10,000 |
| 6 | > 1 in 100,000 |
| 7 | > 1 in 1,000,000 |
| 8 | < 1 in 1,000,000 |

### Risk matrix — single item (PRISM Table 3)

Severity (column) × probability (row) → risk level.

| Probability ↓ \ Severity → | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| > 50 % | High | Serious | Serious | Serious |
| > 1 in 10 | Medium | Serious | Serious | Serious |
| > 1 in 100 | Medium | Serious | Serious | Serious |
| > 1 in 1,000 | Low | High | Serious | Serious |
| > 1 in 10,000 | Low | Medium | High | Serious |
| > 1 in 100,000 | Low | Low | Medium | High |
| > 1 in 1,000,000 | Low | Low | Low | Medium |
| < 1 in 1,000,000 | Low | Low | Low | Low |

### Population escalation — all items in use (PRISM Table 4)

Single-item risk can escalate by the number of items in the field (population risk).

| Items in use ↓ \ single-item risk → | Low | Medium | High | Serious |
|---|---|---|---|---|
| > 1m | High | Serious | Serious | Serious |
| > 500k | Medium | High | Serious | Serious |
| > 100k | Medium | High | High | Serious |
| ≤ 100k | Low | Medium | High | Serious |

(For ≤ 100k the mapping is constant: Low→Low, Medium→Medium, High→High, Serious→Serious.)

After rating, the assessor records an **uncertainty level** (low/medium/high) and may run a sensitivity analysis by varying severity, probability or item count.

## How these are used in IACE

1. **Tier definition (S × W):** the four severity levels map to the IACE **S** (severity) tiers and the eight probability bands map to the IACE **W** (frequency/probability) tiers, giving a defensible, openly-licensed scale.
2. **Risk lookup:** Table 3 anchors the severity × probability → risk-level lookup in `risk_estimation.go`; the four outputs (Serious/High/Medium/Low) align the IACE risk categories with the EU Safety Gate scale.
3. **Population escalation:** Table 4 provides the pattern for scaling single-instance risk by exposure/population where IACE has fleet/installed-base counts.
4. **Uncertainty:** PRISM's low/medium/high uncertainty + sensitivity-analysis step backs the IACE confidence flag on each estimate.

No DIN/EN/ISO/IEC risk-graph, decision tree or SIL/PL table is reproduced; the matrix above is the OGL-v3 PRISM/Safety-Gate matrix only.
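
The risk lookup and population escalation described above, chained into one rating pass, as an added example that is not the contents of `risk_estimation.go` or any other IACE code. The names `Band` and `Assess` are hypothetical, and the sketch assumes each step probability lies in [0, 1] and that a product exactly on a band boundary falls into the less probable band.

```go
package main

import "fmt"

// Risk levels in ascending order (PRISM Tables 3 and 4).
var levels = [4]string{"Low", "Medium", "High", "Serious"}
// Lower bounds of probability bands 1-7; anything not above 1e-6 is band 8.
var bandFloor = [7]float64{0.5, 1e-1, 1e-2, 1e-3, 1e-4, 1e-5, 1e-6}
// table3[band-1][severity-1] is an index into levels (PRISM Table 3).
var table3 = [8][4]int{
	{2, 3, 3, 3}, {1, 3, 3, 3}, {1, 3, 3, 3}, {0, 2, 3, 3},
	{0, 1, 2, 3}, {0, 0, 1, 2}, {0, 0, 0, 1}, {0, 0, 0, 0},
}
// table4[row][single-item risk]; rows: >1m, >500k, >100k, <=100k items in use.
var table4 = [4][4]int{{2, 3, 3, 3}, {1, 2, 3, 3}, {1, 2, 2, 3}, {0, 1, 2, 3}}

// Band multiplies one scenario's per-step probabilities and returns band 1-8.
// Assumption: a product exactly on a boundary goes to the less probable band.
func Band(steps []float64) int {
	p := 1.0
	for _, s := range steps {
		p *= s
	}
	for i, floor := range bandFloor {
		if p > floor {
			return i + 1
		}
	}
	return 8
}

// Assess returns the single-item risk (Table 3) and population risk (Table 4).
func Assess(severity int, steps []float64, items int) (string, string, error) {
	if severity < 1 || severity > 4 || len(steps) == 0 {
		return "", "", fmt.Errorf("need severity 1-4 and at least one step")
	}
	risk := table3[Band(steps)-1][severity-1]
	row := 3 // <=100k items: single-item risk carries over unchanged
	for _, limit := range [3]int{100_000, 500_000, 1_000_000} {
		if items > limit {
			row--
		}
	}
	return levels[risk], levels[table4[row][risk]], nil
}

func main() {
	// Constructed scenario: hazard 1 in 10, exposure 1 in 100, harm 1 in 2.
	fmt.Println(Assess(3, []float64{0.1, 0.01, 0.5}, 600_000))
}
```

Re-running `Assess` with one input varied at a time (severity, a step probability, or the item count) gives the sensitivity analysis the methodology calls for after rating.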