ID: Lorem ipsum dolor sit amet
The purpose of this SOP is to establish a structured process for identifying, assessing, controlling, and monitoring risks associated with the development, deployment, and use of medical devices. This SOP ensures that all risk management activities comply with ISO 14971:2019 requirements, thereby supporting the safety and effectiveness of the product.
This SOP applies to all phases of the lifecycle of the medical device, including design, development, testing, deployment, maintenance, and decommissioning. It encompasses risk management activities required to identify potential hazards, evaluate associated risks, and implement appropriate controls to mitigate those risks.
Hazard: Lorem ipsum dolor sit amet, consectetur adipiscing elit.
Harm: Fusce nec velit nec urna cursus dictum ac eu massa.
Risk: Nulla facilisi. Etiam eget massa a erat pretium pharetra.
Benefit: Pellentesque habitant morbi tristique senectus et netus et malesuada fames.
Risk control: In hac habitasse platea dictumst. Mauris sed erat ut magna dictum.
Residual risk: Morbi sed ipsum ac sapien dictum posuere.
For the particular medical device being considered, the manufacturer shall establish and maintain a risk management file. It shall include documentation of all risk management activities, decisions, and changes related to risk. In addition to the requirements of other clauses of this document, the risk management file shall provide traceability for each identified hazard to:
Risk management activities shall be performed according to the risk management plan. The risk management plan takes in put from information created during the product design, development, testing, verification and validation processes.
For the particular medical device being considered, the manufacturer shall establish and document a risk management plan in accordance with the risk management process. The risk management plan shall be part of the risk management file.
This plan shall include at least the following:
a) the scope of the planned risk management activities, identifying and describing the medical device and the life cycle phases for which each element of the plan is applicable;
b) assignment of responsibilities and authorities;
c) requirements for review of risk management activities;
d) criteria for risk acceptability, based on the policy for determining acceptable risk, including criteria for accepting risks when the probability of occurrence of harm cannot be estimated;
e) a method to evaluate the overall residual risk, and criteria for acceptability of the overall residual risk based on the benefit-risk analysis and acceptable risk;
f) activities for verification of the implementation and effectiveness of risk control measures; and
g) activities related to collection and review of relevant production and post-production information.
If the plan changes during the life cycle of the medical device, a record of the changes shall be maintained in the risk management file.
The risk acceptability is defined according to the risk acceptability matrix. It provides the acceptance criteria for the risks and residual risks identified in the risk assessment. It is used to determine if a risk is acceptable or not.
The risk acceptance matrix is organized according to severity and occurrence and can range from a 3x3 matrix to a 5x5 matrix. Each cell within the matrix is assigned with the term "Acceptable", "Reduce Risk AFAP", or "Unacceptable". This means the following:
The following should be considered when creating a risk acceptability matrix:
During the risk assessment, a preliminary hazard analysis is conducted and an initial risk table is drafted. This occurs during Stage 2 of the development process according to SOP Design Controls and SOP Software Development, if applicable.
This can include but is not limited to:
The severity and probability of risk should be reduced as far as possible (AFAP) without affecting the benefit risk ratio of the device. If a risk is deemed unacceptable, it may be mitigated through risk control measures in the priority as listed below.
Risk control measures should be implemented as product requirements and those risk control measures that require informing the user should be added to the Instructions for Use.
Prior to release for commercial distribution of the medical device, the manufacturer shall review the execution of the risk management plan. This review shall at least ensure that:
The results of this review shall be recorded and maintained as the risk management report and shall be included in the risk management file. The responsibility for review shall be assigned in the risk management plan to persons having the appropriate authority.
Production and post-production risk management are ongoing processes that extend the principles of risk management beyond the design and development phases of the medical device. These processes ensure that risks continue to be monitored and controlled throughout the lifecycle of the product, including during its production, deployment, use, and eventual decommissioning.
During the production phase, the manufacturer must establish and maintain a system for actively collecting information relevant to the safety of the product. This includes data generated during the production process, such as quality control metrics, defect reports, and any incidents that occur during testing. The system should also gather feedback from users, including reports of product issues, user errors, or incidents that could indicate a safety concern. Additionally, information from the supply chain, such as component failures or variations in production quality, should be monitored.
Once the product is deployed, post-production risk management involves continuously reviewing the collected information to identify any new or previously unrecognized hazards. The manufacturer must assess whether the risks associated with these hazards are acceptable based on the predefined criteria. If a new hazard is identified, or if the severity or likelihood of a known risk increases, the manufacturer must reassess the risk and determine whether additional risk control measures are necessary.
Post-production risk management receives input from complaints, feedback and clinical/performance data generated by processes included in the SOP Feedback and Complaint Management.