
SOP Risk Management

Use this SOP Risk Management template to guide your systematic approach for identifying, assessing, controlling, and monitoring risks throughout the entire lifecycle of your medical device, in alignment with ISO 14971:2019 and relevant regulatory requirements. Complete this document during all key phases—from design and development to post-market production—to ensure comprehensive risk management, support product safety, and maintain regulatory compliance. This template is essential for documenting risk management files, plans, assessments, mitigation actions, and ongoing post-market risk evaluations.

SOP Risk Management

ID: Lorem ipsum dolor sit amet

1. Purpose

The purpose of this SOP is to establish a structured process for identifying, assessing, controlling, and monitoring risks associated with the development, deployment, and use of medical devices. This SOP ensures that all risk management activities comply with ISO 14971:2019 requirements, thereby supporting the safety and effectiveness of the product.

2. Scope

This SOP applies to all phases of the lifecycle of the medical device, including design, development, testing, deployment, maintenance, and decommissioning. It encompasses risk management activities required to identify potential hazards, evaluate associated risks, and implement appropriate controls to mitigate those risks.

3. Responsibilities

  • Top Management: Responsible for ensuring the provision of adequate resources, assisting in defining the risk management policy, and reviewing the effectiveness of the risk management process through management review.
  • Product and Software team: Responsible for assisting in the creation of the risk assessment, control, and monitoring.
  • Quality team: Ensures that the risk management process is compliant with ISO 14971 and that all records are complete and accurate.

4. Definitions

Hazard: Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Harm: Fusce nec velit nec urna cursus dictum ac eu massa.

Risk: Nulla facilisi. Etiam eget massa a erat pretium pharetra.

Benefit: Pellentesque habitant morbi tristique senectus et netus et malesuada fames.

Risk control: In hac habitasse platea dictumst. Mauris sed erat ut magna dictum.

Residual risk: Morbi sed ipsum ac sapien dictum posuere.

5. Procedures

5.1 Risk Management File

For the particular medical device being considered, the manufacturer shall establish and maintain a risk management file. It shall include documentation of all risk management activities, decisions, and changes related to risk. In addition to the requirements of other clauses of this document, the risk management file shall provide traceability for each identified hazard to:

  • preliminary hazard analysis;
  • the risk analysis;
  • the risk evaluation;
  • the implementation and verification of the risk control measures; and
  • the results of the evaluation of the residual risks.

5.2 Risk Management Plan

Risk management activities shall be performed according to the risk management plan. The risk management plan takes input from information created during the product design, development, testing, verification and validation processes.

For the particular medical device being considered, the manufacturer shall establish and document a risk management plan in accordance with the risk management process. The risk management plan shall be part of the risk management file.

This plan shall include at least the following:

a) the scope of the planned risk management activities, identifying and describing the medical device and the life cycle phases for which each element of the plan is applicable;

b) assignment of responsibilities and authorities;

c) requirements for review of risk management activities;

d) criteria for risk acceptability, based on the policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated;

e) a method to evaluate the overall residual risk, and criteria for acceptability of the overall residual risk based on the benefit-risk analysis and acceptable risk;

f) activities for verification of the implementation and effectiveness of risk control measures; and

g) activities related to collection and review of relevant production and post-production information.

If the plan changes during the life cycle of the medical device, a record of the changes shall be maintained in the risk management file.

5.2.1 Risk Acceptance Matrix

The risk acceptability is defined according to the risk acceptability matrix. It provides the acceptance criteria for the risks and residual risks identified in the risk assessment. It is used to determine if a risk is acceptable or not.

The risk acceptance matrix is organized according to severity and occurrence and can range from a 3x3 matrix to a 5x5 matrix. Each cell within the matrix is assigned the term "Acceptable", "Reduce Risk AFAP", or "Unacceptable". This means the following:

  • Acceptable: The risk is deemed acceptable and no further action is required.
  • Reduce Risk AFAP: The risk is deemed acceptable but should be reduced. Risk mitigation should be performed to reduce the risk to an acceptable level.
  • Unacceptable: The risk is deemed unacceptable and additional risk mitigation procedures are required to reduce the risk to an acceptable level.

The following should be considered when creating a risk acceptability matrix:

  • What severity of risks are considered acceptable given the intended use of the device, the patient population and the potential consequences of harm
  • What is the probability of the risk occurring according to its use environment, intended use, and intended user
  • What is the frequency of use of the device
  • Other factors that are relevant to the device and its use

5.3 Risk Assessment

During the risk assessment, a preliminary hazard analysis is conducted and an initial risk table is drafted. This occurs during Stage 2 of the development process according to SOP Design Controls and SOP Software Development, if applicable.

5.3.1 Preliminary Hazard Analysis

  1. Identify device components and functionalities:
    • Have defined all hardware (electrical, mechanical, firmware) and software components of the medical device system.
    • Have defined the intended use, patient population, intended user, intended use environment, and foreseeable misuse and misuse scenarios for the device.
  2. Identify Potential Hazards
    This can include but is not limited to:
    • Software malfunctions
    • User interface issues
    • Interoperability failures
    • Cybersecurity incidents
    • Physical hazards (e.g., electrical shock, mechanical failure)
    • Environmental factors (e.g.)
  3. Link Hazards to Hazardous Situations and Harms:
    • Link each identified hazard to one or more hazardous situations.
    • Link those hazardous situations to potential harms that could befall the user or patient.
  4. Estimate Probability of Occurrence:
    • Estimate the probability of each hazard leading to a hazardous situation.
    • Estimate the probability of each hazardous situation resulting in harm.
  5. Estimate Severity of Harm:
    • Estimate the severity of each potential harm.
  6. Determine Risk Acceptability:
    • Use the risk acceptance criteria to determine if the combination of occurrence and severity results in an Acceptable risk, Reduce Risk AFAP, or Unacceptable risk.
  7. Implement Risk Mitigation:
    • Implement risk mitigation measures for unacceptable and Reduce Risk AFAP risks.
    • Prioritize risk control measures in the following order:
      1. Inherently safe design
      2. Protective measures in the device or development process
      3. Information for safety and/or training of users
  8. Reassess Risks Post-Mitigation:
    • Identify any new risks introduced by the mitigation measures.
    • Reevaluate the probability of occurrence and severity of harm for existing and new risks.
    • Update the risk assessment to reflect the new risk levels.
  9. Determine Residual Risk Acceptability:
    • Assess the residual risks after mitigation measures have been implemented.
    • Determine if the residual risks are acceptable based on the predefined risk acceptance criteria.
  10. Perform Benefit-Risk Analysis:
    • Conduct a benefit-risk analysis to ensure that the benefits of the device outweigh the residual risks.
    • Document the benefit-risk analysis and include it in the risk management file.

5.4 Risk Mitigation

The severity and probability of risk should be reduced as far as possible (AFAP) without affecting the benefit-risk ratio of the device. If a risk is deemed unacceptable, it may be mitigated through risk control measures in the priority order listed below.

  1. Inherently safe design
  2. Protective measures in the device or development process
  3. Information for safety and/or training of users

Risk control measures should be implemented as product requirements and those risk control measures that require informing the user should be added to the Instructions for Use.

5.5 Risk Management Report

Prior to release for commercial distribution of the medical device, the manufacturer shall review the execution of the risk management plan. This review shall at least ensure that:

  • the risk management plan has been appropriately implemented;
  • the overall residual risk is acceptable; and
  • appropriate methods are in place to collect and review information in the production and post-production phases.

The results of this review shall be recorded and maintained as the risk management report and shall be included in the risk management file. The responsibility for review shall be assigned in the risk management plan to persons having the appropriate authority.

6. Production and Post-Production Risk Management

Production and post-production risk management are ongoing processes that extend the principles of risk management beyond the design and development phases of the medical device. These processes ensure that risks continue to be monitored and controlled throughout the lifecycle of the product, including during its production, deployment, use, and eventual decommissioning.

During the production phase, the manufacturer must establish and maintain a system for actively collecting information relevant to the safety of the product. This includes data generated during the production process, such as quality control metrics, defect reports, and any incidents that occur during testing. The system should also gather feedback from users, including reports of product issues, user errors, or incidents that could indicate a safety concern. Additionally, information from the supply chain, such as component failures or variations in production quality, should be monitored.

Once the product is deployed, post-production risk management involves continuously reviewing the collected information to identify any new or previously unrecognized hazards. The manufacturer must assess whether the risks associated with these hazards are acceptable based on the predefined criteria. If a new hazard is identified, or if the severity or likelihood of a known risk increases, the manufacturer must reassess the risk and determine whether additional risk control measures are necessary.

Post-production risk management receives input from complaints, feedback and clinical/performance data generated by processes included in the SOP Feedback and Complaint Management.