Informational Risk Register - Same hazardous situation, different severity of harms

MrTetris

Involved In Discussions
#1
Hello,

I tried to read the faq and first two pages, but I could not find an answer to a probably basic question about the Risk Register.

My company is a manufacturer of imaging SaMD, used to prepare surgical plans.
One of the hazards considered in our Risk Register is the possibility for the clinician to overestimate the precision of our computer guided treatment system, thinking that if the plan is safe he cannot damage the patient. Hazardous situation: the clinician touches with his instruments a nerve of the patient (hazardous situation). The problem here is that two different harms are possible (or the same harm, with different severity): paralyzed muscle (severity: 4) or muscle temporary weakness/tingling (severity: 3).

Case 1:
p1 (probability of occurrence of hazardous situation) = 2
p2 (probability of hazardous situation leading to harm - paralyzed muscle) = 2
SE (severity of harm - paralyzed muscle) = 4

Case 2:
p1 (probability of occurrence of hazardous situation) = 2 (the same as case 1)
p2 (probability of hazardous situation leading to harm - muscle temporary weakness/tingling) = 3
SE (severity of harm - muscle temporary weakness/tingling) = 3

Same hazardous situation, but different probability for consequent possible harms.
Should we include both cases in the Risk Register, or only the second one with the highest severity harm?
I am also thinking about even more extreme cases (for instance, a hospital gas patient-delivery equipment, where the probability p2 decreases with the severity of the caused harm - headache p2=4, loss of balance p2=3, coma p2=2, death p2=1)... how to deal with this kind of situation?
 
Elsmar Forum Sponsor
#2
Generally, it's good to list all the hazards that are associated with the device in some document or across multiple documents. This helps in a few things:
  1. Demonstrates to the reader/reviewer that the team has methodically evaluated all the risks associated with the device.
  2. Provides a more complete view of the need to apply stricter risk controls/mitigation.
  3. Assists in the evaluation of the risk acceptability of the entire product, considering all hazards (not just the most harmful ones).
  4. Enables a more complete assessment of post market surveillance data after product launch.
Structure of documentation is generally up to the manufacturer, but should follow SOPs and/or risk management plan.
 

Marcelo

Inactive Registered Visitor
#3
Please note that ISO 14971 does not require that you record all the sequence or combination of event (although I disagree with that, because I think they should be recorded).

Anyway, yes, you should include different risks for the same hazards and hazardous situations. For example, the risk control measure for them could be different.
 

MrTetris

Involved In Discussions
#4
Please note that ISO 14971 does not require that you record all the sequence or combination of event (although I disagree with that, because I think they should be recorded).

Anyway, yes, you should include different risks for the same hazards and hazardous situations. For example, the risk control measure for them could be different.
Thank you Marcelo, that is what I suspected, although I have never seen this implemented in my (limited) experience.
What if the risk control measure is unique for all risks? Where is the value of listing all the risks/hazardous situations in this case?
 

Marcelo

Inactive Registered Visitor
#5
People tend to try and "reduce" the burden by saying that they will focus only in some part, usually the highest severity ones, but this does not make sense.

For a starter, risk (unless a special case) is not severity only, which means that a better justification (which still does not make sense) would be to focus in higher risks (probability/severity).

Second, most expectations (including regulatory) are that all risk are identified and evaluated. in the case for example of a hazardous situation with different harms, we have different risks. So all of them should be included.

Third, as I mentioned, for different risks (even from the same hazardous situation), different risk controls might be required, so it's important to have them all and analyze them all.
 

MrTetris

Involved In Discussions
#6
People tend to try and "reduce" the burden by saying that they will focus only in some part, usually the highest severity ones, but this does not make sense.

For a starter, risk (unless a special case) is not severity only, which means that a better justification (which still does not make sense) would be to focus in higher risks (probability/severity).

Second, most expectations (including regulatory) are that all risk are identified and evaluated. in the case for example of a hazardous situation with different harms, we have different risks. So all of them should be included.

Third, as I mentioned, for different risks (even from the same hazardous situation), different risk controls might be required, so it's important to have them all and analyze them all.
Thank you Marcelo, very valuable answer as usual...
 

Peter Selvey

Leader
Super Moderator
#8
I'd throw a bit of a wet blanket on the idea of documenting "all" possible types of harm for a particular sequence. It's a nice ideal, but not possible in practice. Just about every hazardous situation has a complex spectrum of severity, it is not just a single "risk"- consider for example electric shock:

- death from cardiac arrest, no resuscitation
- death from cardiac arrest with resuscitation, but with brain damage
- death from cardiac arrest with resuscitation, but with full recovery
- death from pulmonary arrest, with same range of outcomes as above
- involuntary action, which could lead to a wide range of outcomes with different severity of harm
- burns, with varying degrees of harm
- tissue necrosis
- short and long nerve damage
- ... and the list could go on, there are reports of broken bones, paralysis, damage to the spine ...

We could do this for all the lines in a risk management file and turn it into a 24 set encyclopedia for just one device.

So in practice it will require a degree of common sense in deciding what to document. To a large extent, it may come down to the type and effectiveness of the risk controls, with special attention to the case where reasonable risk controls were available but were not used. There may be very good reasons not to use the risk controls, but in my opinion they are the most important cases to sit down and write up a couple of pages to explore what the options were and why they were not implemented. In that case there is also scope to explore all the different types of harm and severity from a particular sequence.

Obviously though you can't do that for every line in the risk management table.

To look at the original post, the subject is the accuracy of the guidance system, which is really a core, critical risk for the product. So, it makes sense to really explore that well, not in a table form but in a special report. And within that report, it makes sense to identify the different types of harm, not only nerve damage but other types of injury as well. When the report looks at the risk controls, it might review how effective they are against each type of injury/harm.

Also note that ISO 14971 does not require this, the normative section has a "one size fits all" approach, with relatively simple records. My guess is that in the future, they will eventually figure out a way to a variable approach.

Ironically, it is the thinking which has been mentioned in this post (e.g. documenting "all possible ideas") which stops ISO 14971 from being improved. If for example, the standard selected three levels of documentation A, B and C, many auditors and experts would push for Level A to be used most of the the time because it seems the safest way. But the best way is to use Level A (i.e. special reports) sparingly so that it can be done properly and effectively.
 
Last edited:
Thread starter Similar threads Forum Replies Date
M Need Help With Information Security Asset Risk Register IEC 27001 - Information Security Management Systems (ISMS) 2
Tagin Is SARS-CoV-2/COVID-19 on your risk register? Misc. Quality Assurance and Business Systems Related Topics 11
D Risk Register - have we considered enough and is the format acceptable? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
Z Do we need a Risk Register for ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
A Risk Register template as per ISO 27001:2013 wanted IEC 27001 - Information Security Management Systems (ISMS) 9
V What is the importance of a Risk Register? FMEA and Control Plans 3
G Combining Aspect Impact and Hazard Risk Register Miscellaneous Environmental Standards and EMS Related Discussions 8
R Risk Register, Risk Analysis and Risk Response/Treatment IEC 27001 - Information Security Management Systems (ISMS) 5
P Pollution Risk Assessment vs. Register of Environmental Aspects Miscellaneous Environmental Standards and EMS Related Discussions 1
M What is the Risk of Using Obsolete Versions of C=0 & ANSI/ ASQ Z1.4 Sampling Plans? ISO 13485:2016 - Medical Device Quality Management Systems 8
D AS9100D 8.4.2 Note 2 Significant Operational Risk AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 1
A Calculating Risk Estimation ISO 14971 - Medical Device Risk Management 28
M Intended Use vs Actual Use and Scope of Risk Management EU Medical Device Regulations 8
S IDCB 0129/0160 Clinical Risk Management ISO 14971 - Medical Device Risk Management 2
H At what level (harm, hazardous situation, seq. of events, etc) is "risk" estimated? ISO 14971 - Medical Device Risk Management 12
A Risk Management Team IEC 60601 - Medical Electrical Equipment Safety Standards Series 11
S Risk Management File - Procedure Packs ISO 14971 - Medical Device Risk Management 3
B ISO 14001 Risk assesment ISO 14001:2015 Specific Discussions 4
J What risk to cover when NOT using ISO 17025 accredited/certified labs for calibration ISO 17025 related Discussions 3
G Risk Management for IEC 60601-1 and IEC 60601-1-2 IEC 60601 - Medical Electrical Equipment Safety Standards Series 15
S What is your favorite Usability Risk Analysis tool? IEC 62366 - Medical Device Usability Engineering 5
T Assessing risk where harm is indirect - Generic devices / accessories / intermediates ISO 14971 - Medical Device Risk Management 8
K Do you have separate clinical risk management group or experts in your manufactures? EU Medical Device Regulations 4
W IATF 9.2.2.1 Internal Audit how to determine risk IATF 16949 - Automotive Quality Systems Standard 12
S Risk control through Information for safety ISO 14971 - Medical Device Risk Management 8
A Derive Risk Acceptance Matrix from Risk Policy ISO 14971 - Medical Device Risk Management 8
B ERP software validation - risk assessment vs validation scope ISO 13485:2016 - Medical Device Quality Management Systems 11
I Estimation of overall residual risk. How to? EU Medical Device Regulations 11
Sidney Vianna ISO Practical Guide on ISO 31000:2018 - Risk Management Other ISO and International Standards and European Regulations 0
T IEC 62304 : Risk control for SaMD IEC 62304 - Medical Device Software Life Cycle Processes 8
T Risk Assessment and Management Misc. Quality Assurance and Business Systems Related Topics 0
P Scenario based risk assessment IEC 27001 - Information Security Management Systems (ISMS) 1
Q KPI risk assessment - Criteria for the given score IATF 16949 - Automotive Quality Systems Standard 3
S Foreign Risk Notification Canada Medical Device Regulations 2
J HELP NEEDED ! Risk Management Exercise ISO 14971 - Medical Device Risk Management 12
O Should a Covid vaccine and testing policy be included as part of ISO9001 or AS9100 risk management? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 6
M Does 4.5 - Alternative RISK CONTROL apply to the Particular Standards? IEC 60601 - Medical Electrical Equipment Safety Standards Series 3
Q Measurement Equipment Revocation - Looking for a Disposal Form with Risk Assessment IATF 16949 - Automotive Quality Systems Standard 10
B ISO13485 Risk managment implementation for suppliers ISO 14971 - Medical Device Risk Management 2
Moncia Chemical risk assessment / COSHH Manufacturing and Related Processes 5
Enghabashy Supply chain main policies ,scope, risk assessments & relavant KPI Supply Chain Security Management Systems 2
D Use Error Risk Controls and Control Verification ISO 14971 - Medical Device Risk Management 6
J Risk Assessment of Lithium Ion Batteries FMEA and Control Plans 3
Melissa Risk Management Process, How far do I need to go? ISO 14971 - Medical Device Risk Management 13
D Does Risk Management apply to re-labeler (MDR) EU Medical Device Regulations 1
H Risk Management Plan in agile process ISO 14971 - Medical Device Risk Management 14
H Risk Analysis and Probability of Occurrence ISO 14971 - Medical Device Risk Management 3
B Risk analysis for defective measuring or measuring equipment out of calibration General Measurement Device and Calibration Topics 2
P Benefit risk analysis on pFMEA ISO 14971 - Medical Device Risk Management 10
B AS9102 - 3D printing a special tool required for assembly (counterfeit risk?) AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 12

Similar threads

Top Bottom