What is the difference between a hazard and a hazardous situation?

A hazard is a potential source of harm — electrical energy, wrong dose data, a sharp edge. A hazardous situation is the circumstance in which people are actually exposed to that hazard — the clinician reading the wrong dose during prescribing. Harm is the resulting injury or damage to health. Risk lives in the situation, not the hazard: the same hazard can produce many situations with very different risks.

What are P1 and P2 in risk estimation?

A decomposition of probability the standard's guidance suggests: P1 is the probability that the hazardous situation occurs; P2 is the probability that the situation leads to harm. Their product is the probability of harm. The split matters because risk controls usually attack one factor or the other — an alarm reduces P2, a design change reduces P1 — and tracking them separately shows what each control changed.

Who sets the risk acceptability criteria?

The manufacturer — you. ISO 14971 deliberately doesn't prescribe acceptable risk levels; it requires you to define criteria in your risk management plan, under a policy established by top management, and apply them consistently. Reviewers don't challenge your criteria nearly as often as they challenge inconsistent application of them.

Can we accept a risk because reducing it is too expensive?

No. Under EN ISO 14971 as applied to the EU MDR, risks must be reduced as far as possible without adversely affecting the benefit-risk ratio — economic considerations are not legitimate grounds. A residual risk above your criteria can only be justified by a documented benefit-risk analysis on clinical or technical grounds.

The Risk File: Hazard → Hazardous Situation → Harm, With Examples

Q: Is FMEA enough for ISO 14971?

No. FMEA analyses component failures and their effects — but ISO 14971 also covers hazards present when the device works exactly as designed: use error, foreseeable misuse, environmental conditions, biocompatibility. Keep your FMEAs as an input; the risk file needs the full hazard → hazardous situation → harm analysis on top.

What the risk file is

One record, the whole lifecycle.

ISO 14971:2019 requires a risk management file: the single, traceable record of every hazard you identified, the situations that expose people to it, the harms that could result, the controls you applied, the residual risk you accepted and why — plus the plan and the criteria the whole thing runs on. It spans the device's life, from first architecture sketch to post-market data, and it's cited by your technical file (Annex II §5), your GSPR matrix, and — via ISO 13485 — the FDA QMSR.

What it is not: an FMEA spreadsheet with severities attached. FMEA analyses component failures; ISO 14971 also covers hazards present when the device works exactly as designed — use error, foreseeable misuse, environment, biocompatibility. FMEAs feed the file. They don't constitute it.

FMEA asks "what if it breaks?" ISO 14971 also asks "who gets hurt when it works?"

The chain, worked

Hazard → hazardous situation → harm.

Three terms, precisely defined, and the discipline of the whole file is keeping them apart. A hazard is a potential source of harm. A hazardous situation is the circumstance in which people are exposed to it — usually reached through a sequence of events. Harm is the injury or damage to health that can result. Risk is estimated on the situation, because the same hazard creates different risks in different situations.

Worked example · software device

Hazard

Incorrect dose information presented by the application.

Sequence of events

Unit-conversion defect activates for patients with weight entered in pounds → displayed dose is computed from the wrong mass.

Hazardous situation

Clinician prescribes based on the displayed (incorrect) dose during a time-pressured consultation.

Harm

Overdose; for the affected drug class: severe, potentially life-threatening.

Risk controls

Single canonical mass unit internally (RC-014 → SW-310); out-of-range dose alert with hard stop (RC-015 → SW-311); both verified by TC-208, TC-209.

Worked example · normal use, no failure

Hazard

Audible alarm (correct, by design).

Sequence of events

Ward with many devices → frequent low-priority alarms → staff habituate and silence reflexively.

Hazardous situation

High-priority alarm silenced without being read — alarm fatigue. Nothing malfunctioned.

Harm

Delayed intervention for a deteriorating patient.

Risk controls

Alarm prioritisation scheme; distinct high-priority pattern; usability validation of the alarm design (RC-031).

The second example is the one FMEA-only teams never write — and the kind reviewers look for first, because it shows the analysis went beyond the failure modes.

P1, P2 and estimation

Split the probability where the controls act.

Probability of harm is usefully decomposed — as the standard's guidance suggests — into P1, the probability that the hazardous situation occurs, and P2, the probability that the situation leads to harm. The split isn't pedantry; it's where control strategy lives. A design change that eliminates the unit-conversion path attacks P1. The out-of-range alert attacks P2. Estimating them separately, before and after each control, shows exactly what each control bought you — which is precisely the evidence "risk reduced as far as possible" needs behind it.

Severity and probability land on the scales defined in your risk management plan, against acceptability criteria you set under a top-management policy. Reviewers rarely challenge the criteria themselves; they challenge criteria applied inconsistently, or quietly relaxed when a risk wouldn't pass.

The control hierarchy

Design first. Warnings last. In that order, provably.

ISO 14971 prescribes the priority of risk controls, and the MDR's GSPRs repeat it:

1 · Inherent safety by design. Remove the hazard or the path to it — the canonical-units redesign. Always the first question, and the file should show it was asked.
2 · Protective measures. Guards, interlocks, alarms — in the device or its manufacture. The hard-stop dose alert lives here.
3 · Information for safety. Warnings, labeling, training. Legitimate, last, and weak — a residual-risk disclosure in the IFU is not a substitute for the first two levels, and files that lean on it read as exactly that.

Each control becomes a requirement in your requirement tree and is verified like any other — the hazard ↔ control ↔ requirement ↔ test loop is the first trace chain auditors pull. And under EN ISO 14971 as applied to the MDR, "as far as possible" means what it says: economic convenience is not a defence, and a residual risk above your criteria survives only on a documented benefit-risk analysis with clinical or technical grounds.

The file never closes

Clause 10: the loop back from the field.

Production and post-production information — complaints, service reports, PMS findings, literature — must be collected, reviewed for safety relevance, and fed back into the file. A complaint that reveals a new sequence of events reopens the affected risk; a frequency estimate contradicted by field data gets revised; a new control goes back through verification. The risk file you submit at conformity assessment and the one your post-market process maintains are the same document — and a file untouched since certification is, to a reviewer, a finding announcing itself.

FAQ

Common questions.

Hazard vs. hazardous situation — what's the actual difference?

A hazard is a potential source of harm; a hazardous situation is the circumstance where someone is exposed to it; harm is the resulting injury. Risk is estimated on the situation — the same hazard can create many situations with very different risks.

Is FMEA enough for ISO 14971?

No. FMEA covers failures; ISO 14971 also covers hazards present in normal use — use error, misuse, environment. Keep the FMEAs as input; the file needs the full chain on top.

What are P1 and P2?

P1: probability the hazardous situation occurs. P2: probability the situation leads to harm. Controls usually attack one or the other — tracking them separately shows what each control changed.

Who sets the acceptability criteria?

You do, in the risk management plan, under a policy from top management. What gets challenged isn't usually the criteria — it's applying them inconsistently.

Can cost justify accepting a risk?

No. Under EN ISO 14971 as applied to the MDR, risks are reduced as far as possible; economic considerations don't count. Above-criteria residual risk survives only on a documented benefit-risk analysis with clinical or technical grounds.

Sources & further reading

ISO 14971:2019 (EN ISO 14971:2019/A11:2021 for EU presumption of conformity) and ISO/TR 24971:2020, the application guidance — both from ISO or your national standards body.

Regulation (EU) 2017/745 (MDR) — Annex I, Chapter I: the GSPRs that bind the risk process into EU conformity.

The risk file: hazard, situation, harm — with examples.