
Risk Management Plan

Use this Risk Management Plan template to systematically document your medical device’s risk policy, acceptance criteria, and risk management activities in alignment with ISO 14971 and FDA requirements. Complete this document at the beginning of product development and update it throughout the lifecycle to ensure all risks are identified, evaluated, controlled, and monitored, supporting regulatory compliance and patient safety. This template is essential for demonstrating a structured, compliant approach to risk management and is required for regulatory submissions and audits.

Risk Management Plan

ID: Lorem ipsum dolor sit amet

1. Purpose and Scope

The Risk Management Plan contains the risk policy and defines the criteria for risk acceptance. It also references relevant processes and activities which will be conducted for product-specific risk management as part of the product development process according to SOP Design Controls and SOP Software Development, if applicable.

Risk management activities are described in SOP Risk Management. This risk management plan is applicable for Consectetur adipiscing elit.

2. Policy for Risk and Acceptability

The risk policy establishes criteria for risk acceptability following ISO 14971:2019 and ISO/TR 24971:2020. It applies to all people and activities involved in the design, development and distribution process of the medical device and all persons involved in establishing, reviewing, updating, and approving risk management processes for Consectetur adipiscing elit. The risk policy intends to ensure the highest levels of medical device safety consistent with stakeholder expectations and regulatory requirements of the region in which the product will be marketed.

The manufacturer defines framework criteria for risk acceptability in the form of severity of harm and probability of occurrence. The criteria are initially defined as part of the early software development process and reviewed during every post-market surveillance cycle.

The risk matrix acceptance criteria are defined based on applicable regulatory requirements, relevant international norms and standards, as well as the generally acknowledged state of the art, including but not limited to accepted results of scientific research, reports published by authorities, and established industry best practices.

Acceptability of individual risks must always be established based on both the estimated severity and the estimated probability of a risk, as defined in the risk acceptance matrix (Section 3.3).

All identified risks must be reduced as far as possible (AFAP) without adversely affecting the benefit-risk-ratio. Risk control measures implemented to reduce the risks must be chosen in the following order:

  1. Inherent safety by design
  2. Protective measures
  3. Information for safety

Acceptability of the overall residual risk is established as part of the clinical evaluation process by weighing benefits from intended use against the overall residual risk. Benefits may be described by their magnitude or extent, the probability of experience within the intended patient population, and the duration and frequency of the benefit. This can be performed by comparing the device to similar medical devices available on the market, wherein residual risks can be compared individually to corresponding risks of the similar device(s), considering differences in intended use. The overall evaluation of the benefit-risk-ratio should take into account knowledge of the intended medical indication, the generally acknowledged state of the art in technology and medicine, and the availability of alternative medical devices or treatments.

3. Risk Acceptability Matrix

3.1 Severity of Harm

The table below provides criteria for severity of harm to be considered in the risk acceptability matrix.

3.2 Probability of Occurrence

To estimate the correct probability of occurrence for Consectetur adipiscing elit, an estimate of the total usage of the device was considered. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. The table below provides the probability of occurrence criteria to be used in the risk acceptance matrix.

3.3 Risk Matrix

Risk acceptability is based on the risk policy as well as the intended purpose of Consectetur adipiscing elit and acceptable risks that can be passed on to the intended user and patient population.

Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

4. Risk Management Activities

The deliverables for the risk management process include (i) the Risk Management Plan, (ii) the Risk Assessment, and (iii) the Risk Management Report. The risk management process is outlined in the SOP Risk Management.

4.1 Risk Analysis Process

The risk assessment takes into account the following:

  • the intended use of Consectetur adipiscing elit and the reasonably foreseeable misuse
  • identification of characteristics of the device related to safety
  • identification of hazards and hazardous situations associated with the device
  • estimation of associated risk(s) for hazardous situations identified

The risk analysis is captured within the Risk Assessment and is performed according to this Risk Management Plan. Risk control measures are determined in order to reduce risks to an acceptable level.

4.2 Risk Control Measures

Risk control measures are determined in order to reduce risks to an acceptable level. As described in the risk policy, risk control options include inherently safe design and manufacture, protective measures in the medical device itself or in the manufacturing/development process, and/or information for safety and, where appropriate, training to users.

Verification of risk control measures is described in SOP Risk Management as part of the software development life cycle.

4.3 Residual Risk

After risk control measures have been determined and implemented for the identified risks, the residual risk must be identified and evaluated. Residual risk is the remaining risk presented by a combination of the individual risk and mitigating risk control measures implemented.

For this purpose, the probability and severity of the possible residual risk are estimated and evaluated using the risk matrix (Section 3.3). Overall residual risk is acceptable if it is determined that there are no unacceptable risks and that the benefits outweigh the risks for the device.

If a residual risk is not judged acceptable and further risk control is not practicable, data and literature related to the device and state of the art can be gathered and reviewed to determine if the benefits of the intended use outweigh this residual risk. This final benefit-risk-ratio for unacceptable residual risk will be performed as part of the clinical evaluation.

After all risk control measures have been implemented and verified, the overall residual risk posed by the Consectetur adipiscing elit will be evaluated taking into account the contributions of all residual risks. If there are no unacceptable risks, then the overall residual risks are considered acceptable. If there are unacceptable risks, the overall residual risk shall be taken into consideration in relation to the benefits of the intended use through a comparison to the state of the art. This will be performed as part of the clinical evaluation wherein if it is determined the benefit-risk-ratio is positive then the overall residual risks are acceptable.

4.4 Post-Production Information

Post-production information will be monitored, collected, and evaluated as part of the post-market surveillance system for Consectetur adipiscing elit. The procedures for post-production information are described in SOP Post-Market Surveillance.

5. Software Safety Classification IEC 62304 (Software only)

The safety classification of the software according to IEC 62304:2006 will be included in the Risk Assessment (Class A, Class B, or Class C) for products incorporating software. The software risk classification according to IMDRF/SaMD WG/N12FINAL:2014 "Software as a Medical Device: Possible Framework for Risk Categorization and Corresponding Considerations" may also be included as needed.

  • Class A: The Software Module/System cannot contribute to a hazardous situation; or the Software System can contribute to a hazardous situation which does not result in unacceptable risk after consideration of risk control measures external to the Software System.
  • Class B: The Software Module/System can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the Software System and the resulting possible harm is non-serious injury.
  • Class C: The Software Module/System can contribute to a hazardous situation which results in unacceptable risk after consideration of risk control measures external to the software system and the resulting possible harm is death or serious injury.

6. FDA Documentation level (Software only)

In consideration of FDA requirements according to 21 CFR, the following questions should be considered in determining the documentation level for medical products incorporating software:

  • Does the failure or flaw of any device software function(s) present a hazardous situation with a probable risk of death or serious injury (i.e. S3 and above severity) either to a patient, user of the device, or others in the environment of use, prior to the implementation of risk control measures?
  • Is the Device a Class II device per FDA classification?

Should the answer to either question be "Yes", then ENHANCED documentation level is required. The organization can provide justification and rationale for BASIC documentation level, as needed.

7. Related Documents

  • SOP Design Controls
  • SOP Risk Management
  • SOP Post-Market Surveillance
  • Risk Assessment
  • Risk Management Report
  • Clinical evaluation plan and report