# InformationalRisk Register - Same hazardous situation, different severity of harms

#### MrTetris

##### Involved In Discussions
Hello,

I tried to read the faq and first two pages, but I could not find an answer to a probably basic question about the Risk Register.

My company is a manufacturer of imaging SaMD, used to prepare surgical plans.
One of the hazards considered in our Risk Register is the possibility for the clinician to overestimate the precision of our computer guided treatment system, thinking that if the plan is safe he cannot damage the patient. Hazardous situation: the clinician touches with his instruments a nerve of the patient (hazardous situation). The problem here is that two different harms are possible (or the same harm, with different severity): paralyzed muscle (severity: 4) or muscle temporary weakness/tingling (severity: 3).

Case 1:
p1 (probability of occurrence of hazardous situation) = 2
p2 (probability of hazardous situation leading to harm - paralyzed muscle) = 2
SE (severity of harm - paralyzed muscle) = 4

Case 2:
p1 (probability of occurrence of hazardous situation) = 2 (the same as case 1)
p2 (probability of hazardous situation leading to harm - muscle temporary weakness/tingling) = 3
SE (severity of harm - muscle temporary weakness/tingling) = 3

Same hazardous situation, but different probability for consequent possible harms.
Should we include both cases in the Risk Register, or only the second one with the highest severity harm?
I am also thinking about even more extreme cases (for instance, a hospital gas patient-delivery equipment, where the probability p2 decreases with the severity of the caused harm - headache p2=4, loss of balance p2=3, coma p2=2, death p2=1)... how to deal with this kind of situation?

#### Kevin Shyu

##### Kevin
Generally, it's good to list all the hazards that are associated with the device in some document or across multiple documents. This helps in a few things:
1. Demonstrates to the reader/reviewer that the team has methodically evaluated all the risks associated with the device.
2. Provides a more complete view of the need to apply stricter risk controls/mitigation.
3. Assists in the evaluation of the risk acceptability of the entire product, considering all hazards (not just the most harmful ones).
4. Enables a more complete assessment of post market surveillance data after product launch.
Structure of documentation is generally up to the manufacturer, but should follow SOPs and/or risk management plan.

#### Marcelo

##### Inactive Registered Visitor
Please note that ISO 14971 does not require that you record all the sequence or combination of event (although I disagree with that, because I think they should be recorded).

Anyway, yes, you should include different risks for the same hazards and hazardous situations. For example, the risk control measure for them could be different.

#### MrTetris

##### Involved In Discussions
Please note that ISO 14971 does not require that you record all the sequence or combination of event (although I disagree with that, because I think they should be recorded).

Anyway, yes, you should include different risks for the same hazards and hazardous situations. For example, the risk control measure for them could be different.
Thank you Marcelo, that is what I suspected, although I have never seen this implemented in my (limited) experience.
What if the risk control measure is unique for all risks? Where is the value of listing all the risks/hazardous situations in this case?

#### Marcelo

##### Inactive Registered Visitor
People tend to try and "reduce" the burden by saying that they will focus only in some part, usually the highest severity ones, but this does not make sense.

For a starter, risk (unless a special case) is not severity only, which means that a better justification (which still does not make sense) would be to focus in higher risks (probability/severity).

Second, most expectations (including regulatory) are that all risk are identified and evaluated. in the case for example of a hazardous situation with different harms, we have different risks. So all of them should be included.

Third, as I mentioned, for different risks (even from the same hazardous situation), different risk controls might be required, so it's important to have them all and analyze them all.

#### MrTetris

##### Involved In Discussions
People tend to try and "reduce" the burden by saying that they will focus only in some part, usually the highest severity ones, but this does not make sense.

For a starter, risk (unless a special case) is not severity only, which means that a better justification (which still does not make sense) would be to focus in higher risks (probability/severity).

Second, most expectations (including regulatory) are that all risk are identified and evaluated. in the case for example of a hazardous situation with different harms, we have different risks. So all of them should be included.

Third, as I mentioned, for different risks (even from the same hazardous situation), different risk controls might be required, so it's important to have them all and analyze them all.
Thank you Marcelo, very valuable answer as usual...

#### Ed Panek

##### QA RA Small Med Dev Company
Super Moderator
I agree. When we do risk reviews we include all possible ideas. Even if they seem nearly impossible its important to document you dont use group think to limit ideas. Groupthink - Wikipedia

#### Peter Selvey

Super Moderator
I'd throw a bit of a wet blanket on the idea of documenting "all" possible types of harm for a particular sequence. It's a nice ideal, but not possible in practice. Just about every hazardous situation has a complex spectrum of severity, it is not just a single "risk"- consider for example electric shock:

- death from cardiac arrest, no resuscitation
- death from cardiac arrest with resuscitation, but with brain damage
- death from cardiac arrest with resuscitation, but with full recovery
- death from pulmonary arrest, with same range of outcomes as above
- involuntary action, which could lead to a wide range of outcomes with different severity of harm
- burns, with varying degrees of harm
- tissue necrosis
- short and long nerve damage
- ... and the list could go on, there are reports of broken bones, paralysis, damage to the spine ...

We could do this for all the lines in a risk management file and turn it into a 24 set encyclopedia for just one device.

So in practice it will require a degree of common sense in deciding what to document. To a large extent, it may come down to the type and effectiveness of the risk controls, with special attention to the case where reasonable risk controls were available but were not used. There may be very good reasons not to use the risk controls, but in my opinion they are the most important cases to sit down and write up a couple of pages to explore what the options were and why they were not implemented. In that case there is also scope to explore all the different types of harm and severity from a particular sequence.

Obviously though you can't do that for every line in the risk management table.

To look at the original post, the subject is the accuracy of the guidance system, which is really a core, critical risk for the product. So, it makes sense to really explore that well, not in a table form but in a special report. And within that report, it makes sense to identify the different types of harm, not only nerve damage but other types of injury as well. When the report looks at the risk controls, it might review how effective they are against each type of injury/harm.

Also note that ISO 14971 does not require this, the normative section has a "one size fits all" approach, with relatively simple records. My guess is that in the future, they will eventually figure out a way to a variable approach.

Ironically, it is the thinking which has been mentioned in this post (e.g. documenting "all possible ideas") which stops ISO 14971 from being improved. If for example, the standard selected three levels of documentation A, B and C, many auditors and experts would push for Level A to be used most of the the time because it seems the safest way. But the best way is to use Level A (i.e. special reports) sparingly so that it can be done properly and effectively.

Last edited:
Effective use of a Risk Register - Bumper sticker or Mission Control ? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 19
Need Help With Information Security Asset Risk Register IEC 27001 - Information Security Management Systems (ISMS) 2
Is SARS-CoV-2/COVID-19 on your risk register? Misc. Quality Assurance and Business Systems Related Topics 11
D Risk Register - have we considered enough and is the format acceptable? ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 8
Z Do we need a Risk Register for ISO 9001:2015 ISO 9000, ISO 9001, and ISO 9004 Quality Management Systems Standards 11
A Risk Register template as per ISO 27001:2013 wanted IEC 27001 - Information Security Management Systems (ISMS) 9
What is the importance of a Risk Register? FMEA and Control Plans 3
G Combining Aspect Impact and Hazard Risk Register Miscellaneous Environmental Standards and EMS Related Discussions 8
R Risk Register, Risk Analysis and Risk Response/Treatment IEC 27001 - Information Security Management Systems (ISMS) 5
P Pollution Risk Assessment vs. Register of Environmental Aspects Miscellaneous Environmental Standards and EMS Related Discussions 1
CE product Risk assement CE Marking (Conformité Européene) / CB Scheme 3
Q: In what circumstances can a clinical investigator submit an EFS/IDE for the Significant Risk Device? US Medical Device Regulations 1
Article 22 procedure pack risk analysis EU Medical Device Regulations 1
Risk analysis on patient monitor ISO 14971 - Medical Device Risk Management 5
NATURAL CAPITAL AT RISK Misc. Quality Assurance and Business Systems Related Topics 7
How deep should be risk control tracebility IEC 62304 - Medical Device Software Life Cycle Processes 3
Objective Measures for Risk Acceptability? ISO 14971 - Medical Device Risk Management 6
Risk Based Sample Size and Standards Compliance ISO 14971 - Medical Device Risk Management 2
Labeling Controls affecting Probability and Risk ISO 14971 - Medical Device Risk Management 7
Determination of software safety class (62304) prior to software risk analysis ISO 14971 - Medical Device Risk Management 3
Risk acceptance for missing DHR info and saving records ISO 13485:2016 - Medical Device Quality Management Systems 11
FDA requirements for risk analysis US Food and Drug Administration (FDA) 2
Corrective Action Risk Matrix AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 11
Fluorescent Video System risk class EU Medical Device Regulations 6
Risk Assessment for ISO 13485:2016 section 7?? ISO 13485:2016 - Medical Device Quality Management Systems 11
HA vs risk analysis ISO 14971 - Medical Device Risk Management 2
Risk Controls in PFMEA ISO 14971 - Medical Device Risk Management 12
What do you think of Chat GPTs answer to this Risk Acceptability question? ISO 14971 - Medical Device Risk Management 5
Two risk assessments for ISMS IEC 27001 - Information Security Management Systems (ISMS) 0
Risk-based approach to Test Method Validation for Design Verification? US Medical Device Regulations 5
Risk Management ISO 14971 - Probability of Occurrence ISO 14971 - Medical Device Risk Management 8
Risk Management SOP ISO 14971 ISO 14971 - Medical Device Risk Management 1
Risk Management Plan ISO 14971 - Medical Device Risk Management 13
Risk, contingency, and MOC. General Auditing Discussions 1
Help with ISO 14971: Benefit-Risk Analysis ISO 14971 - Medical Device Risk Management 3
AS9100D Risk-Based Internal Audit Schedule AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 10
Installation Related Issues and Risk Management ISO 14971 - Medical Device Risk Management 5
Reconciling FMEA RPN ratings with Risk Acceptability ISO 14971 - Medical Device Risk Management 22
How to address the content deviation of 'cannot apply criteria of risk acceptability prior to...' ISO 14971 - Medical Device Risk Management 1
Risk management file according MDR or ISO 14971:P2019 ? EU Medical Device Regulations 2
Risk based CA AS9100, IAQG, NADCAP and Aerospace related Standards and Requirements 5
IVD Risk - destruction of patient samples - Harm to property? ISO 14971 - Medical Device Risk Management 5
Do anyone have document of automotive production risk and control of risk? Lean in Manufacturing and Service Industries 1
Using RPN to Confirm Risk Reduced to an Acceptable Level Risk Management Principles and Generic Guidelines 12
IVD Device Software - Risk Classification IEC 62304 - Medical Device Software Life Cycle Processes 16
Help:Risk Management - Accessories US Food and Drug Administration (FDA) 1
Writing Risk Management procedure for small manufacturing and we don't know where to start. Manufacturing and Related Processes 9
How to risk assess tooling? For a medical device and is it needed??? Manufacturing and Related Processes 2
Clinical evaluation interface with the risk management process EU Medical Device Regulations 9
Risk analysis Manufacturing and Related Processes 4