# Informational: Risk Register - Same hazardous situation, different severity of harms

#### MrTetris

##### Involved In Discussions
Hello,

I tried to read the FAQ and first two pages, but I could not find an answer to a probably basic question about the Risk Register.

My company is a manufacturer of imaging SaMD, used to prepare surgical plans.
One of the hazards considered in our Risk Register is the possibility for the clinician to overestimate the precision of our computer guided treatment system, thinking that if the plan is safe he cannot damage the patient. Hazardous situation: the clinician touches with his instruments a nerve of the patient (hazardous situation). The problem here is that two different harms are possible (or the same harm, with different severity): paralyzed muscle (severity: 4) or muscle temporary weakness/tingling (severity: 3).

Case 1:
p1 (probability of occurrence of hazardous situation) = 2
p2 (probability of hazardous situation leading to harm - paralyzed muscle) = 2
SE (severity of harm - paralyzed muscle) = 4

Case 2:
p1 (probability of occurrence of hazardous situation) = 2 (the same as case 1)
p2 (probability of hazardous situation leading to harm - muscle temporary weakness/tingling) = 3
SE (severity of harm - muscle temporary weakness/tingling) = 3

Same hazardous situation, but different probability for consequent possible harms.
Should we include both cases in the Risk Register, or only the second one with the highest severity harm?
I am also thinking about even more extreme cases (for instance, a hospital gas patient-delivery equipment, where the probability p2 decreases with the severity of the caused harm - headache p2=4, loss of balance p2=3, coma p2=2, death p2=1)... how to deal with this kind of situation?

#### Kevin Shyu

##### Kevin
Generally, it's good to list all the hazards that are associated with the device in some document or across multiple documents. This helps in a few things:
1. Demonstrates to the reader/reviewer that the team has methodically evaluated all the risks associated with the device.
2. Provides a more complete view of the need to apply stricter risk controls/mitigation.
3. Assists in the evaluation of the risk acceptability of the entire product, considering all hazards (not just the most harmful ones).
4. Enables a more complete assessment of post market surveillance data after product launch.
Structure of documentation is generally up to the manufacturer, but should follow SOPs and/or risk management plan.

#### Marcelo

##### Inactive Registered Visitor
Please note that ISO 14971 does not require that you record all the sequences or combinations of events (although I disagree with that, because I think they should be recorded).

Anyway, yes, you should include different risks for the same hazards and hazardous situations. For example, the risk control measure for them could be different.

#### MrTetris

##### Involved In Discussions
Thank you Marcelo, that is what I suspected, although I have never seen this implemented in my (limited) experience.
What if the risk control measure is unique for all risks? Where is the value of listing all the risks/hazardous situations in this case?

#### Marcelo

##### Inactive Registered Visitor
People tend to try and "reduce" the burden by saying that they will focus only on some part, usually the highest severity ones, but this does not make sense.

For starters, risk (unless a special case) is not severity only, which means that a better justification (which still does not make sense) would be to focus on higher risks (probability/severity).

Second, most expectations (including regulatory) are that all risks are identified and evaluated. In the case, for example, of a hazardous situation with different harms, we have different risks. So all of them should be included.

Third, as I mentioned, for different risks (even from the same hazardous situation), different risk controls might be required, so it's important to have them all and analyze them all.

#### MrTetris

##### Involved In Discussions
Thank you Marcelo, very valuable answer as usual...

#### Ed Panek

##### QA RA Small Med Dev Company
Trusted Information Resource
I agree. When we do risk reviews we include all possible ideas. Even if they seem nearly impossible, it's important to document that you don't use groupthink to limit ideas. Groupthink - Wikipedia

#### Peter Selvey

Staff member
Moderator
I'd throw a bit of a wet blanket on the idea of documenting "all" possible types of harm for a particular sequence. It's a nice ideal, but not possible in practice. Just about every hazardous situation has a complex spectrum of severity, it is not just a single "risk" - consider for example electric shock:

- death from cardiac arrest, no resuscitation
- death from cardiac arrest with resuscitation, but with brain damage
- death from cardiac arrest with resuscitation, but with full recovery
- death from pulmonary arrest, with same range of outcomes as above
- involuntary action, which could lead to a wide range of outcomes with different severity of harm
- burns, with varying degrees of harm
- tissue necrosis
- short and long nerve damage
- ... and the list could go on, there are reports of broken bones, paralysis, damage to the spine ...

We could do this for all the lines in a risk management file and turn it into a 24 set encyclopedia for just one device.

So in practice it will require a degree of common sense in deciding what to document. To a large extent, it may come down to the type and effectiveness of the risk controls, with special attention to the case where reasonable risk controls were available but were not used. There may be very good reasons not to use the risk controls, but in my opinion they are the most important cases to sit down and write up a couple of pages to explore what the options were and why they were not implemented. In that case there is also scope to explore all the different types of harm and severity from a particular sequence.

Obviously though you can't do that for every line in the risk management table.

To look at the original post, the subject is the accuracy of the guidance system, which is really a core, critical risk for the product. So, it makes sense to really explore that well, not in a table form but in a special report. And within that report, it makes sense to identify the different types of harm, not only nerve damage but other types of injury as well. When the report looks at the risk controls, it might review how effective they are against each type of injury/harm.

Also note that ISO 14971 does not require this, the normative section has a "one size fits all" approach, with relatively simple records. My guess is that in the future, they will eventually figure out a way to a variable approach.

Ironically, it is the thinking which has been mentioned in this post (e.g. documenting "all possible ideas") which stops ISO 14971 from being improved. If for example, the standard selected three levels of documentation A, B and C, many auditors and experts would push for Level A to be used most of the time because it seems the safest way. But the best way is to use Level A (i.e. special reports) sparingly so that it can be done properly and effectively.
