Risk

Risk Management

The hazard nobody thought of.

Risk files that surface contradictions with field data. AI-drafted hazard analysis from predicate files. Unified with QMS and MES.

The hazard nobody thought of.

Surgical device launches after three years of development. Risk analysis covered electrical safety, biocompatibility, mechanical failure, use errors. 510(k) cleared. Eight months later, first adverse event: infection at the surgical site. The device's surface texture. Chosen for grip. Creates micro-crevices that harbor bacteria during reprocessing. The sterilization cycle validated for smooth surfaces doesn't reliably sterilize this texture.

This hazard wasn't in the risk file. Nobody asked: "What happens to this surface during reprocessing?" The intersection of two design decisions. Surface texture and sterilization method. Created a hazard that neither team considered because it lived at the boundary between their domains.

Risk management · a living system, not a checkbox
The static risk file
Created during development. Never updated.
Post-market complaints? In a different system.
Risk-benefit at audit? Scramble to reconstruct.
The Seal approach
Risk file linked to complaints, CAPAs, design changes.
New safety signal? Risk automatically re-scored.
Real-time risk-benefit ratio. Always audit-ready.
Identify
FMEA / hazard analysis
Assess
Severity × probability · risk priority
Control
Design controls · process controls
Verify
Control effective? · residual risk
Monitor
Post-market signals · continuous update
Continuous inputs update the risk file
Complaints feed in
CAPAs update assessments
Design changes re-score risks
New safety signals re-trigger verify
Fig. 1 — Risk Management Framework
§1

Your risk file is a snapshot. Reality keeps moving.

The risk analysis you filed with your submission reflects what you knew at the time. It was thorough. Your team spent months on it. The problem is that it's frozen. A document that captured your assumptions on the day you signed it.

Since then, complaints have arrived about issues that weren't in the file. Post-market surveillance has revealed hazards at frequencies different from your estimates. Your design has been modified through multiple change orders. But the risk file sits in a document management system, disconnected from all of it.

Most organizations update the risk file periodically. Maybe annually, maybe during design changes. In between updates, the file and reality diverge. A complaint about an unanticipated hazard gets investigated by the post-market team. The risk management team doesn't see it unless someone remembers to forward it. By the time the annual review happens, the connection between the complaint and the risk analysis has gone cold.

Seal connects the risk file to the systems that generate post-market data. When a complaint maps to an existing hazard, the occurrence data updates automatically. When a complaint describes a hazard that isn't in the file, the system flags the gap. When occurrence rates exceed your pre-market estimates, you see it in real time. Not during a review meeting six months later.

The risk file stops being a document you update and becomes a living model that evolves with your product.

§2

The spreadsheet produces whatever answer the analyst wants

Criteria constrain the answer · not the analyst's voice
P3 · "Possible" — defined
Expected rate: 1-in-10,000 to 1-in-1,000 procedures
Basis required: clinical data · complaints · literature · engineering
Remote
Unlikely
Possible
Probable
Frequent
Catastrophic
Critical
Serious
Minor
Negligible
Rationale · documented · visible to reviewers
Probability P3: complaint rate 1.4 per 10,000 uses over 18 months (PMS-2024-207 through 2026-03-22). Severity S4: potential for serious injury absent the redundant shutoff.
Fig. 2 — Risk Matrix

"What's the probability of this hazard occurring?" Three engineers in a room give three different answers. Without defined criteria. What exactly does "remote" mean for this device, with this patient population, in this use environment? the risk matrix is an opinion laundering machine. You get a number that feels rigorous but reflects whoever argued loudest.

This is the core problem with spreadsheet-based risk management. The tool doesn't enforce consistency. Two teams evaluating the same hazard can reach different conclusions because their probability definitions are vague. Severity scales that say "serious injury" without defining the threshold invite interpretation. The matrix produces a green cell, everyone moves on, and nobody questions the assumptions.

Seal defines probability and severity criteria per product type. When an analyst selects P3, they see the specific definition and must cite the basis. Clinical data, complaint history, literature, or engineering analysis. The same hazard evaluated by different teams reaches the same conclusion because the criteria constrain the answer, not the analyst's judgment.

This matters during audits and submissions. When a notified body or FDA reviewer asks "how did you determine this probability?", the answer is a documented rationale tied to defined criteria. Not "the team discussed it and agreed."

§3

Design out the hazard. Don't label around it.

Risk Control Hierarchy
Fig. 3 — Risk Control Hierarchy

The device overheats during extended use. Engineering's proposed control: a warning label. "Do not use for more than 30 minutes continuously." Users will ignore it. They'll use it for 45 minutes because they're almost done. The label absolves the company on paper while the patient gets burned.

ISO 14971 is explicit about control hierarchy: inherent safety first, then protective measures, then information for safety. If you can design out the overheating. Automatic shutoff at a safe threshold. A warning label isn't an acceptable primary control. It's what you add after you've exhausted design and protective options.

Seal enforces this hierarchy structurally. When an analyst proposes a warning label as a control, the system asks: was a design control considered? If yes, why was it rejected? The rationale is documented. If no design control was considered, the analyst must explain why. And that explanation is visible to reviewers.

This doesn't prevent teams from using warning labels when appropriate. It prevents them from defaulting to the easiest control without considering alternatives. The risk file shows not just what controls you chose, but what you considered and rejected. When a regulator asks "why didn't you design this out?", the answer is already documented.

§4

When the risk file connects to everything else

Risk management in isolation is an academic exercise. It becomes powerful when it connects to the systems that generate evidence about whether your risk estimates were right.

In Seal, the risk file connects to complaints, CAPAs, design controls, and post-market surveillance. Because they're all on the same platform. A complaint about a new hazard triggers a risk file update. A CAPA that modifies a risk control triggers re-evaluation of the affected risk. A design change triggers impact assessment against the risk analysis.

These connections aren't manual forwarding between departments. They're structural links in the platform. The design engineer who changes a component sees the hazards associated with it. The quality engineer reviewing a complaint sees the pre-market risk estimate for that hazard. The regulatory team preparing a periodic safety update has current occurrence data, not data they assembled from five different sources.

This is what a living risk file actually means. Not a document that someone updates periodically, but a model that reflects current knowledge because it's connected to the systems generating that knowledge.

Capabilities

01Hazard Identification
Systematic identification using energy analysis, use analysis, failure analysis, and standards review. Comprehensive coverage.
02Risk Estimation
Configurable severity and probability scales. Risk matrix with clear acceptability thresholds. FMEA support with detectability.
03Control Traceability
Link controls to the hazards they address. Track verification evidence. Identify residual risk after controls.
04Benefit-Risk Analysis
Structured evaluation for devices with significant residual risk. Document benefits vs. risks for regulatory submissions.
05Living Risk File
Pre-market analysis, production controls, and post-market data in one connected file. Updates flow through automatically.
06Design Integration
Risk mitigation requirements flow to design inputs. Design verification confirms controls work. Full lifecycle connection.
07FMEA Management
Structured failure mode analysis with architecture-driven coverage. Track severity, occurrence, detection, and RPN with verification evidence.
08Post-Market Connection
Complaints and adverse events link to pre-market hazards. Real-world data validates or challenges risk estimates automatically.
01 / 08
Hazard Identification
Hazard Identification

Entities

Entity
Description
Kind
Hazard
The hazard nobody thought of. Surface texture + reprocessing = infection. Intersections matter.
type
Energy Hazard
Electrical, mechanical, thermal, radiation. Physical energy transfer that can cause harm.
template
Biological Hazard
Biocompatibility, infection, contamination. The device meets the body.
template
HAZ-2024-017
Surface texture harbors bacteria during reprocessing. Nobody asked the question until the infection reports.
instance
Use Error
Misuse, abnormal use, use environment. The surgeon's hand strength can't generate 2N.
template
Risk
Severity × probability. But three engineers give three answers without defined criteria.
type
Risk Control
Design first, protective second, warnings last. A warning label is the weakest control. Patients will still get burned.
type
Design Control
Inherent safety. Better thermal management, automatic shutoff. Can't overheat if physics prevents it.
template
CTRL-2024-001
Automatic shutoff at 29 minutes. Can't overheat because it stops. No warning label needed.
instance
Protective Measure
Guards, alarms, interlocks. Device shuts off before harm. Second line of defense.
template
Information Control
'Do not use for more than 30 minutes.' Users will use it for 45. Warning labels are for residual risk, not engineering laziness.
template
Residual Risk
What remains after controls. Some devices can't eliminate risk. Implants, diagnostics. Benefit must outweigh.
type
Post-Market Data
The file that lives. Complaints link to hazards. When reality diverges from prediction, the system flags it.
type
FMEA
Systematic, not brainstorming. Start with architecture. For each component: how can this fail? You can't skip what you forgot.
type

FAQ

Software risk management integrates ISO 14971 with IEC 62304 software lifecycle requirements. Software items link to hazards they contribute to. Software changes trigger risk impact assessment. Traceability connects software requirements to risk controls.
The same FMEA framework applies to manufacturing processes. Identify failure modes in process steps, estimate severity/occurrence/detection, implement controls for high-RPN items. Process FMEAs link to product hazards they contribute to.
Complaints, adverse events, and field data link to pre-market hazards. When post-market data suggests a risk was underestimated, the system flags it for review. Trend analysis surfaces emerging risks across your device population.
Yes. Define severity and probability scales appropriate to your device. Set acceptability thresholds per your risk management plan. The system applies your criteria consistently across all risk evaluations.
The risk management file is structured for regulatory submission. Export summaries for 510(k), PMA, or CE Technical Documentation. The system maintains the evidence that supports your risk conclusions.
Add the new hazard to the risk file, assess it using the same framework, and implement controls if needed. The system tracks the date of discovery and connects to any corrective actions or field safety actions taken.
Start with the device architecture. Components, interfaces, functions. The system prompts failure mode analysis for each element. You can't sign off on the FMEA without addressing every component. Coverage is structural, not based on memory.
Yes. Hazards common to a product family link across individual devices. When a risk control is improved for one device, the system shows other devices in the family that might benefit from the same improvement.

Go live in 48 hours.

Talk to an Expert