Template: Risk Management Plan and Risk Acceptance Matrix

The Risk Management Plan outlines the risk policy and sets the criteria for risk acceptability. It also references relevant processes and activities integral to product-specific risk management within the integrated software development workflow (as detailed in SOP Integrated Software Development).

Mapping of ISO 14971:2019 Requirements to Document Sections

| ISO 14971:2019 Section | Document Section |
|---|---|
| 4.1 | 1 |
| 4.2 | 1.2, 3 |
| 4.3 | (Records of competence maintained as part of QMS) |
| 4.4 | (all) |
| 4.5 | (all) |
| 5.1 | 1.1 |
| 7.2 | 1.3 |
| 10.1 | 1.4 |

1. Key Processes

1.1 Risk Management Process and Activities

Risk management activities are embedded within the software development lifecycle as detailed in SOP Integrated Software Development.

1.2 Risk Policy and Criteria for Risk Acceptability

This policy outlines the criteria for determining risk acceptability in alignment with ISO 14971:2019 and ISO/TR 24971:2020. It applies to all personnel and activities involved in the design, development, and distribution phases of the medical device to ensure maximum safety in line with stakeholder expectations.

The manufacturer sets the framework for risk acceptability based on estimated usage, potential severity of harm, and occurrence probability (sections 1.2.1 – 1.2.3). These criteria are initially established during early development stages and are revisited at each post-market surveillance cycle.

Estimates for usage, severity categories, and risk matrix acceptance are determined according to applicable regulatory standards, relevant international norms, and the recognized state of the art, including scientific findings, authoritative publications, and industry best practices.

Individual risk acceptability is assessed considering both severity and probability, following the risk matrix in section 1.2.4.

All identified risks must be minimized as much as possible without compromising the benefit-risk ratio. Risk control measures should be chosen in the following hierarchy:

  1. Inherent safety through design
  2. Protective measures
  3. Safety information

Overall residual risk acceptability is assessed during clinical evaluations, comparing the benefits of intended use against residual risk. Benefits can be described in terms of magnitude, likelihood within the target patient group, duration, and frequency. For instance, comparisons can be made with similar devices on the market, considering differences in intended use. The benefit-risk ratio should reflect current knowledge of the medical indication, the state of the art, and alternative treatment options.

1.2.1 Usage Estimates

Provide an estimate for the expected market usage of your device.

| Usage | Values |
|---|---|
| Product life span | Enter the expected market lifespan (from initial design to decommissioning) |
| Users | Estimated number of users |
| Usages per user | Estimated usage frequency per user |
| Total usages | Calculate the total usage (e.g., 100 uses/day * 365.25 days/year * 4 years) |

Refer to the Software Development and Maintenance Plan for justification regarding the projected device lifespan.

1.2.2 Severity of Harm

Outline the potential harms associated with your product. Customize the examples as needed to accurately represent your product’s risks.

| Severity | Definition and Examples |
|---|---|
| S1: Negligible | Minor, reversible damage (e.g., superficial skin irritation, non-critical treatment delay) |
| S2: Marginal | Minor damage requiring medical intervention (e.g., skin laceration needing stitches) |
| S3: Critical | Major, irreversible harm requiring medical intervention (e.g., progression of disease) |
| S4: Catastrophic | Death |

1.2.3 Probability of Occurrence

Specify the probability definitions. The probability rows should differ by a factor of 10^2 from adjacent ones.

Adjust the “Estimated Maximum Event Count” to reflect the anticipated total usage throughout the product’s lifecycle.

| Probability | Upper Limit | Lower Limit | Estimated Maximum Event Count |
|---|---|---|---|
| P5: Certain | 1 | 10^-2 | 1000000 (adjust as needed) |
| P4: Likely | 10^-2 | 10^-4 | 10000 |
| P3: Unlikely | 10^-4 | 10^-6 | 100 |
| P2: Rare | 10^-6 | 10^-8 | 1 |
| P1: Unthinkable | 10^-8 | 0 | 0 |

1.2.4 Risk Acceptance Matrix

This crucial section evaluates the acceptability of each severity-probability combination. Acceptance criteria are influenced by company policy and the product’s benefits, as highlighted in clinical evaluations.

| Probability | S1: Negligible | S2: Marginal | S3: Critical | S4: Catastrophic | Estimated Maximum Event Count |
|---|---|---|---|---|---|
| P5: Certain | acceptable | unacceptable | unacceptable | unacceptable | 1000000 |
| P4: Likely | acceptable | unacceptable | unacceptable | unacceptable | 10000 |
| P3: Unlikely | acceptable | acceptable | unacceptable | unacceptable | 100 |
| P2: Rare | acceptable | acceptable | acceptable | unacceptable | 1 |
| P1: Unthinkable | acceptable | acceptable | acceptable | acceptable | 0 |

1.3 Verification of Risk Control Measures

Verification of risk control measures is performed as part of the software development lifecycle, detailed in SOP Integrated Software Development.

1.4 Assessment of Overall Residual Risk

After risk control measures are established, any potential risks from the combined effect of individual risks and control measures are assessed. The probability and severity of potential residual risk are evaluated using the risk matrix.

1.5 Collection and Review of Post-Production Information

The process for collecting and reviewing post-production information is outlined in SOP Post-Market Surveillance.

2. Associated Documents

  • SOP Integrated Software Development
  • Risk Acceptance Matrix
  • Risk Table
  • Risk Management Report

3. Responsibilities

| Title | Name(s) |
|---|---|
| Risk Manager | |
| Context / Subject Matter Expert (e.g., physician) | |

This template is copyrighted by fdatoday.com and is used under their template license. Kindly retain this notice, even if you make modifications to the contents of the template. 

fdatoday.com templates are licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license.
