
Risk Management

Identify. Assess. Mitigate.

The hazard nobody thought of. Surface texture harbored bacteria—nobody asked the question. Risk analysis that connects complaints to assumptions.

The hazard nobody thought of.

Surgical device launches after three years of development. Risk analysis covered electrical safety, biocompatibility, mechanical failure, use errors. 510(k) cleared.

Eight months later, first adverse event. Patient developed infection at the surgical site. The device's surface texture, chosen for grip, creates micro-crevices that harbor bacteria during reprocessing. The sterilization process validated for smooth surfaces doesn't reliably sterilize this texture.

This hazard wasn't in the risk file. Nobody asked: "What happens to this surface texture during reprocessing?"

Risk Management Framework

The spreadsheet that lies

Most risk management happens in Excel. The spreadsheet lies by omission—it shows hazards someone thought to include. It doesn't show what's missing.

When a complaint arrives about an issue not in the risk file, the connection is manual. The post-market team investigates. The risk management team doesn't see it unless someone copies them. The file stays static while reality evolves.

Probability without criteria

Risk Matrix

"What's the probability of this hazard causing harm?" Three engineers give three answers. Without defined criteria—what does "remote" mean for this device?—the matrix produces whatever answer the analyst wants.

In Seal, probability criteria are defined per product type. When an analyst selects P3, they must cite the basis. The same hazard evaluated by different teams reaches the same conclusion.

The warning label fallacy

Risk Control Hierarchy

The device overheats during extended use. Engineering's control: a warning label. "Do not use for more than 30 minutes continuously."

Users will ignore it. They'll use it for 45 minutes because they're almost done. The label absolves the company on paper while patients get burned.

ISO 14971 requires controls in priority order: design first, then protective measures, then warnings. If you can design out the overheating—automatic shutoff—a warning label isn't acceptable.

The file that lives

Risk management doesn't end at submission. Seal connects post-market data to pre-market analysis. Complaints link to hazards. When a hazard appears more frequently than predicted, the system flags it for re-evaluation.
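As an added illustration of the two points above, probability criteria with a required cited basis and post-market data checked against the predicted band, here is a small Python model written for this page (not Seal's code); the levels, thresholds and sample figures are assumptions.

```python
# Added example (not Seal's code): a risk-file entry with defined probability
# criteria, an acceptability matrix, and a post-market check that flags the
# hazard when field data exceeds the predicted probability band. All levels,
# thresholds and sample figures below are assumptions.
from dataclasses import dataclass

# Hypothetical per-product criteria: ceiling on probability of harm per device use.
PROB_CRITERIA = {
    "P1": ("improbable", 1e-6),
    "P2": ("remote", 1e-5),
    "P3": ("occasional", 1e-4),
    "P4": ("probable", 1e-3),
    "P5": ("frequent", 1.0),
}
SEVERITY_RANK = {"S1": 1, "S2": 2, "S3": 3, "S4": 4, "S5": 5}
ACCEPTABLE_MAX, ALARP_MAX = 6, 12   # assumed matrix thresholds (severity x probability)


@dataclass
class Hazard:
    hazard_id: str
    description: str
    severity: str        # S1..S5
    probability: str     # P1..P5, chosen against PROB_CRITERIA
    basis: str           # cited justification for the probability level
    complaints: int = 0  # post-market events linked to this hazard
    uses: int = 0        # device uses in the same period

    def __post_init__(self):
        if self.severity not in SEVERITY_RANK or self.probability not in PROB_CRITERIA:
            raise ValueError(f"{self.hazard_id}: undefined severity or probability level")
        if not self.basis.strip():
            raise ValueError(f"{self.hazard_id}: probability level requires a cited basis")

    def risk_index(self) -> int:
        return SEVERITY_RANK[self.severity] * int(self.probability[1])

    def acceptability(self) -> str:
        idx = self.risk_index()
        if idx <= ACCEPTABLE_MAX:
            return "acceptable"
        return "ALARP" if idx <= ALARP_MAX else "unacceptable"

    def observed_rate(self) -> float:
        return self.complaints / self.uses if self.uses else 0.0

    def needs_reevaluation(self) -> bool:
        # Real-world rate above the ceiling of the predicted level: flag for re-estimation.
        return self.uses > 0 and self.observed_rate() > PROB_CRITERIA[self.probability][1]
```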

Capabilities

01 Hazard Identification
Systematic identification using energy analysis, use analysis, failure analysis, and standards review. Comprehensive coverage.

02 Risk Estimation
Configurable severity and probability scales. Risk matrix with clear acceptability thresholds. FMEA support with detectability.

03 Control Traceability
Link controls to the hazards they address. Track verification evidence. Identify residual risk after controls.

04 Benefit-Risk Analysis
Structured evaluation for devices with significant residual risk. Document benefits vs. risks for regulatory submissions.

05 Living Risk File
Pre-market analysis, production controls, and post-market data in one connected file. Updates flow through automatically.

06 Design Integration
Risk mitigation requirements flow to design inputs. Design verification confirms controls work. Full lifecycle connection.

07 FMEA Management
Structured failure mode analysis with architecture-driven coverage. Track severity, occurrence, detection, and RPN with verification evidence.

08 Post-Market Connection
Complaints and adverse events link to pre-market hazards. Real-world data validates or challenges risk estimates automatically.

Entities

Entity (kind): Description

Hazard (type): The hazard nobody thought of. Surface texture + reprocessing = infection. Intersections matter.
Energy Hazard (template): Electrical, mechanical, thermal, radiation. Physical energy transfer that can cause harm.
Biological Hazard (template): Biocompatibility, infection, contamination. The device meets the body.
HAZ-2024-017 (instance): Surface texture harbors bacteria during reprocessing. Nobody asked the question until the infection reports.
Use Error (template): Misuse, abnormal use, use environment. The surgeon's hand strength can't generate 2N.
Risk (type): Severity × probability. But three engineers give three answers without defined criteria.
Risk Control (type): Design first, protective second, warnings last. A warning label is the weakest control; patients will still get burned.
Design Control (template): Inherent safety. Better thermal management, automatic shutoff. Can't overheat if physics prevents it.
CTRL-2024-001 (instance): Automatic shutoff at 29 minutes. Can't overheat because it stops. No warning label needed.
Protective Measure (template): Guards, alarms, interlocks. Device shuts off before harm. Second line of defense.
Information Control (template): 'Do not use for more than 30 minutes.' Users will use it for 45. Warning labels are for residual risk, not engineering laziness.
Residual Risk (type): What remains after controls. Some devices can't eliminate risk: implants, diagnostics. Benefit must outweigh.
Post-Market Data (type): The file that lives. Complaints link to hazards. When reality diverges from prediction, the system flags it.
FMEA (type): Systematic, not brainstorming. Start with architecture. For each component: how can this fail? You can't skip what you forgot.

FAQ

Software risk management integrates ISO 14971 with IEC 62304 software lifecycle requirements. Software items link to hazards they contribute to. Software changes trigger risk impact assessment. Traceability connects software requirements to risk controls.