| ID | Risk | Category | Likelihood | Impact | Rating | Owner | Mitigation | Residual risk |
|---|---|---|---|---|---|---|---|---|
| R-01 | CDS engine unavailable — medication orders proceed without allergy or drug-interaction checks | Patient Safety | Medium | Critical | High | Clinical Safety Officer | CDS degraded mode blocks medication activation (not just warns); CDS_DEGRADED audit log; ADMIN override with mandatory reason; OrdersCdsCheckTimeout alert | Low after mitigation |
| R-02 | Duplicate order created via network retry — patient receives duplicate medication administration or lab draw | Patient Safety | Low | High | Medium | Tech Lead | Idempotency-Key at controller level (24 h cache); client_mutation_id DB unique constraint; CDS duplicate order warning within 24 h window | Low after mitigation |
| R-03 | Allergy cache stale — new allergy recorded after last cache refresh; CDS misses during TTL window | Patient Safety | Low | Critical | High | Clinical Informatics | Cache TTL ≤ 15 min; cache miss always falls back to live registration-service query; NATS durable consumer ensures allergy events delivered; ALLERGY_CACHE_UPDATED metrics | Low after mitigation |
| R-04 | Tenant RLS misconfiguration exposes cross-tenant order data | Compliance / Security | Very Low | Critical | High | SRE + Tech Lead | tenant-isolation.spec.ts mandatory CI gate; session variable set in middleware before every DB call; quarterly RLS audit | Very Low after mitigation |
| R-05 | Order set partial instantiation — clinician does not notice that some orders in a set failed to create | Clinical Workflow | Medium | High | High | UX + Tech Lead | Response body includes failedTemplates[] array; UI must display explicit warning when failedTemplates.length > 0 and prompt clinician to retry; server-side audit event ORDER_SET_PARTIAL_FAILURE | Low after UI implementation |
| R-06 | CDS hard-stop override used inappropriately — clinician bypasses valid patient safety alert without genuine clinical reason | Patient Safety / Governance | Low | High | Medium | Clinical Safety Officer | Override requires free-text reason (mandatory field, min 10 chars); ADMIN escalation required for hard-stops; dual-sign for controlled substances; monthly CDS override audit report to medical director | Low with monitoring |
| R-07 | Referral routing event dropped — referral order created but referral.created event never reaches scheduling-service; appointment never made | Clinical Workflow | Low | High | Medium | Tech Lead | NATS JetStream durable consumer with replay; OrdersReferralOverdue alert after 72 h; UI pending_scheduling indicator with age badge; manual follow-up SOP | Low after monitoring |
| R-08 | Legacy CPOE data migration count discrepancy — some historical orders not migrated; clinical history gaps | Migration | Medium | High | High | Migration Engineer + Clinical Informatics | Upsert-idempotent migration scripts; count validation script with 0-tolerance threshold; 10% sample clinical review before go-live; 90-day legacy read-only retention | Low after validation |
| R-09 | CDS rule update causes unexpected hard-stop surge — terminology-service deploys new rules that fire on many existing patient-medication combinations | Operations | Medium | Medium | Medium | terminology-service team | CDS rule deployment requires staging canary with CDS metrics review; OrdersCdsHardStopSpike alert fires > 3× baseline; CDS rule rollback procedure in terminology-service runbook | Low with process |
| R-10 | Performance degradation under load — order creation with full CDS check exceeds 800 ms p95 SLO at peak usage | Performance | Medium | Medium | Medium | SRE + Tech Lead | HPA scales orders-service pods on CPU/latency; CDS engine has its own HPA; k6 baseline + soak tests before each release; orders.create.latency SLO alert | Low after load tests |
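The two-layer mitigation in R-02 (controller-level Idempotency-Key cache with a 24 h TTL, backed by a unique constraint on client_mutation_id) is easier to reason about in code. The example below is added here and is not the orders-service's own code; OrderRepo, IdempotencyCache and createOrderHandler are assumed names, the database is an in-memory stand-in for a table with UNIQUE (tenant_id, client_mutation_id), and requiring the Idempotency-Key header (rejecting requests without it) is an assumed policy.

```typescript
// Added example (not the orders-service's own code): the two R-02 layers for
// duplicate-safe order creation. OrderRepo, IdempotencyCache and
// createOrderHandler are assumed names; the DB is an in-memory stand-in.

type OrderRequest = { clientMutationId: string; patientId: string; medication: string };
type OrderResponse = { status: number; orderId?: string; duplicate?: boolean; error?: string };

const IDEMPOTENCY_TTL_MS = 24 * 60 * 60 * 1000; // 24 h controller-level cache (R-02)

class UniqueViolationError extends Error {}

// Stand-in for the orders table with UNIQUE (tenant_id, client_mutation_id).
class OrderRepo {
  private rows = new Map<string, string>(); // "tenant:clientMutationId" -> orderId
  private seq = 0;

  insert(tenantId: string, req: OrderRequest): string {
    const key = `${tenantId}:${req.clientMutationId}`;
    if (this.rows.has(key)) throw new UniqueViolationError(key);
    const orderId = `ord-${++this.seq}`;
    this.rows.set(key, orderId);
    return orderId;
  }

  findByMutationId(tenantId: string, clientMutationId: string): string | undefined {
    return this.rows.get(`${tenantId}:${clientMutationId}`);
  }

  count(): number {
    return this.rows.size;
  }
}

// Controller-level cache keyed by tenant + Idempotency-Key header; entries expire after 24 h.
class IdempotencyCache {
  private entries = new Map<string, { expiresAt: number; response: OrderResponse }>();
  constructor(private now: () => number = Date.now) {}

  get(key: string): OrderResponse | undefined {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (e.expiresAt <= this.now()) {
      this.entries.delete(key);
      return undefined;
    }
    return e.response;
  }

  set(key: string, response: OrderResponse): void {
    this.entries.set(key, { expiresAt: this.now() + IDEMPOTENCY_TTL_MS, response });
  }
}

function createOrderHandler(
  tenantId: string,
  idempotencyKey: string | undefined,
  req: OrderRequest,
  cache: IdempotencyCache,
  repo: OrderRepo,
): OrderResponse {
  // Requiring the header is an assumed policy: a client that omits it loses retry safety.
  if (!idempotencyKey) return { status: 400, error: "Idempotency-Key header required" };
  const cacheKey = `${tenantId}:${idempotencyKey}`;

  // Layer 1: a retry within 24 h replays the stored response; nothing is re-executed.
  const cached = cache.get(cacheKey);
  if (cached) return cached;

  // Layer 2: the unique constraint catches a retry the cache no longer remembers
  // (expired entry, or a retry that landed on a pod with a cold cache).
  let response: OrderResponse;
  try {
    response = { status: 201, orderId: repo.insert(tenantId, req) };
  } catch (err) {
    if (!(err instanceof UniqueViolationError)) throw err;
    const existing = repo.findByMutationId(tenantId, req.clientMutationId);
    response = { status: 200, orderId: existing, duplicate: true };
  }
  cache.set(cacheKey, response);
  return response;
}

// Walk-through with a controllable clock so the 24 h expiry can be exercised.
function demoRetries(): { first: OrderResponse; retry: OrderResponse; lateRetry: OrderResponse; persisted: number } {
  let clock = 1_700_000_000_000;
  const cache = new IdempotencyCache(() => clock);
  const repo = new OrderRepo();
  // Constructed sample request
  const req: OrderRequest = { clientMutationId: "cm-1", patientId: "pt-42", medication: "amoxicillin 500 mg" };

  const first = createOrderHandler("tenant-a", "idem-1", req, cache, repo);
  const retry = createOrderHandler("tenant-a", "idem-1", req, cache, repo); // network retry: cache hit
  clock += IDEMPOTENCY_TTL_MS + 1; // cache entry has expired
  const lateRetry = createOrderHandler("tenant-a", "idem-1", req, cache, repo); // constraint catches it
  return { first, retry, lateRetry, persisted: repo.count() };
}
```

The cache key includes the tenant so that two tenants reusing the same Idempotency-Key value cannot collide, and the constraint lookup returns the original orderId rather than an error, so a retrying client converges on one order either way.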
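R-03 (allergy cache with a TTL of at most 15 min, live fallback on miss, and event-driven refresh) and R-01 (degraded CDS blocks activation instead of warning) combine into one lookup path. The following is an added example, not the project's code; RegistrationClient, AllergyCache and checkMedicationAllergy are assumed names, the registration-service is a stub, and the medication-to-allergy mapping is constructed for illustration.

```typescript
// Added example (not the orders-service's own code): the R-03 allergy cache
// with R-01 fail-closed behaviour. RegistrationClient, AllergyCache and
// checkMedicationAllergy are assumed names; the registration-service is a stub.

const ALLERGY_CACHE_TTL_MS = 15 * 60 * 1000; // TTL <= 15 min per R-03

type AllergyLookup = { allergies: string[]; source: "cache" | "live" };
type CdsDecision = { decision: "ALLOW" | "HARD_STOP" | "BLOCK_DEGRADED"; reason: string };

// Live registration-service query; returns null when the service is unreachable.
interface RegistrationClient {
  fetchAllergies(patientId: string): string[] | null;
}

class AllergyCache {
  private entries = new Map<string, { expiresAt: number; allergies: string[] }>();
  constructor(private live: RegistrationClient, private now: () => number = Date.now) {}

  // Hit within TTL -> cached value; otherwise always query the live service (R-03).
  lookup(patientId: string): AllergyLookup | null {
    const e = this.entries.get(patientId);
    if (e && e.expiresAt > this.now()) return { allergies: e.allergies, source: "cache" };
    const fresh = this.live.fetchAllergies(patientId);
    if (fresh === null) return null; // no data at all: caller must fail closed (R-01)
    this.entries.set(patientId, { expiresAt: this.now() + ALLERGY_CACHE_TTL_MS, allergies: fresh });
    return { allergies: fresh, source: "live" };
  }

  // Handler for the durable allergy-event consumer: merge the new allergy into a
  // cached entry immediately instead of waiting out the TTL window.
  onAllergyRecorded(patientId: string, allergy: string): void {
    const e = this.entries.get(patientId);
    if (!e) return; // nothing cached, so the next lookup already goes live
    const merged = Array.from(new Set([...e.allergies, allergy]));
    this.entries.set(patientId, { expiresAt: this.now() + ALLERGY_CACHE_TTL_MS, allergies: merged });
  }
}

// Constructed mapping of medication -> allergy class it would trigger (illustration only).
const TRIGGERS: Record<string, string> = { amoxicillin: "penicillin", ibuprofen: "nsaid" };

function checkMedicationAllergy(cache: AllergyCache, patientId: string, medication: string): CdsDecision {
  const lookup = cache.lookup(patientId);
  if (lookup === null) {
    // R-01: degraded CDS blocks activation rather than silently allowing the order.
    return { decision: "BLOCK_DEGRADED", reason: "allergy data unavailable; CDS_DEGRADED" };
  }
  const trigger = TRIGGERS[medication];
  if (trigger && lookup.allergies.includes(trigger)) {
    return { decision: "HARD_STOP", reason: `documented ${trigger} allergy (${lookup.source})` };
  }
  return { decision: "ALLOW", reason: `no matching allergy (${lookup.source})` };
}

// Walk-through of the R-03 window: allergy recorded after the cache was filled.
function demoAllergyFlow(): Record<string, CdsDecision> {
  let clock = 0;
  const store = new Map<string, string[]>([["pt-42", []]]); // constructed registration data
  const live: RegistrationClient = { fetchAllergies: (id: string) => store.get(id) ?? null };
  const cache = new AllergyCache(live, () => clock);

  const before = checkMedicationAllergy(cache, "pt-42", "amoxicillin"); // ALLOW, fetched live
  store.set("pt-42", ["penicillin"]); // new allergy recorded in registration-service
  const staleHit = checkMedicationAllergy(cache, "pt-42", "amoxicillin"); // ALLOW from cache: the R-03 gap
  cache.onAllergyRecorded("pt-42", "penicillin"); // durable consumer delivers the event
  const afterEvent = checkMedicationAllergy(cache, "pt-42", "amoxicillin"); // HARD_STOP from cache
  clock += ALLERGY_CACHE_TTL_MS + 1; // entry expired
  const expired = checkMedicationAllergy(cache, "pt-42", "amoxicillin"); // HARD_STOP, fetched live
  const outage = checkMedicationAllergy(cache, "pt-99", "ibuprofen"); // unknown patient, no data: fail closed
  return { before, staleHit, afterEvent, expired, outage };
}
```

The staleHit step is the window R-03 describes: the cache is correct as of its fill time, and only the event delivery (or TTL expiry) closes it, which is why the durable consumer and the TTL bound are both listed as mitigations.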