⚠️

Risk Management Specialist (ISO 14971)

Implement ISO 14971 risk management for medical devices — FMEA, fault tree analysis, benefit-risk assessments, and risk management file maintenance.

by @alirezarezvani · MIT New

Built for: Founders

What this skill does

Navigate medical device compliance by generating structured risk analysis reports and management plans aligned with industry regulations. You will produce clear risk assessments and documentation ready for regulatory review without needing deep expertise in safety protocols. Reach for this resource whenever you need to identify product risks, justify safety decisions, or maintain your compliance file from prototype to market.

@alirezarezvani · Compliance

view on github ↗

name: “risk-management-specialist” description: Medical device risk management specialist implementing ISO 14971 throughout product lifecycle. Provides risk analysis, risk evaluation, risk control, and post-production information analysis. Use when user mentions risk management, ISO 14971, risk analysis, FMEA, fault tree analysis, hazard identification, risk control, risk matrix, benefit-risk analysis, residual risk, risk acceptability, or post-market risk.

Risk Management Specialist

ISO 14971:2019 risk management implementation throughout the medical device lifecycle.

Risk Management Planning Workflow
Risk Analysis Workflow
Risk Evaluation Workflow
Risk Control Workflow
Post-Production Risk Management
Risk Assessment Templates
Decision Frameworks
Tools and References

Risk Management Planning Workflow

Establish risk management process per ISO 14971.

Workflow: Create Risk Management Plan

Define scope of risk management activities:
- Medical device identification
- Lifecycle stages covered
- Applicable standards and regulations
Establish risk acceptability criteria:
- Define probability categories (P1-P5)
- Define severity categories (S1-S5)
- Create risk matrix with acceptance thresholds
Assign responsibilities:
- Risk management lead
- Subject matter experts
- Approval authorities
Define verification activities:
- Methods for control verification
- Acceptance criteria
Plan production and post-production activities:
- Information sources
- Review triggers
- Update procedures
Obtain plan approval
Establish risk management file
Validation: Plan approved; acceptability criteria defined; responsibilities assigned; file established

Risk Management Plan Content

Section	Content	Evidence
Scope	Device and lifecycle coverage	Scope statement
Criteria	Risk acceptability matrix	Risk matrix document
Responsibilities	Roles and authorities	RACI chart
Verification	Methods and acceptance	Verification plan
Production/Post-Production	Monitoring activities	Surveillance plan

Risk Acceptability Matrix (5x5)

Probability \ Severity	Negligible	Minor	Serious	Critical	Catastrophic
Frequent (P5)	Medium	High	High	Unacceptable	Unacceptable
Probable (P4)	Medium	Medium	High	High	Unacceptable
Occasional (P3)	Low	Medium	Medium	High	High
Remote (P2)	Low	Low	Medium	Medium	High
Improbable (P1)	Low	Low	Low	Medium	Medium

Risk Level Actions

Level	Acceptable	Action Required
Low	Yes	Document and accept
Medium	ALARP	Reduce if practicable; document rationale
High	ALARP	Reduction required; demonstrate ALARP
Unacceptable	No	Design change mandatory

Risk Analysis Workflow

Identify hazards and estimate risks systematically.

Workflow: Conduct Risk Analysis

Define intended use and reasonably foreseeable misuse:
- Medical indication
- Patient population
- User population
- Use environment
Select analysis method(s):
- FMEA for component/function analysis
- FTA for system-level analysis
- HAZOP for process deviations
- Use Error Analysis for user interaction
Identify hazards by category:
- Energy hazards (electrical, mechanical, thermal)
- Biological hazards (bioburden, biocompatibility)
- Chemical hazards (residues, leachables)
- Operational hazards (software, use errors)
Determine hazardous situations:
- Sequence of events
- Foreseeable misuse scenarios
- Single fault conditions
Estimate probability of harm (P1-P5)
Estimate severity of harm (S1-S5)
Document in hazard analysis worksheet
Validation: All hazard categories addressed; all hazards documented; probability and severity assigned

Hazard Categories Checklist

Category	Examples	Analyzed
Electrical	Shock, burns, interference	☐
Mechanical	Crushing, cutting, entrapment	☐
Thermal	Burns, tissue damage	☐
Radiation	Ionizing, non-ionizing	☐
Biological	Infection, biocompatibility	☐
Chemical	Toxicity, irritation	☐
Software	Incorrect output, timing	☐
Use Error	Misuse, perception, cognition	☐
Environment	EMC, mechanical stress	☐

Analysis Method Selection

Situation	Recommended Method
Component failures	FMEA
System-level failure	FTA
Process deviations	HAZOP
User interaction	Use Error Analysis
Software behavior	Software FMEA
Early design phase	PHA

Probability Criteria

Level	Name	Description	Frequency
P5	Frequent	Expected to occur	>10⁻³
P4	Probable	Likely to occur	10⁻³ to 10⁻⁴
P3	Occasional	May occur	10⁻⁴ to 10⁻⁵
P2	Remote	Unlikely	10⁻⁵ to 10⁻⁶
P1	Improbable	Very unlikely	<10⁻⁶

Severity Criteria

Level	Name	Description	Harm
S5	Catastrophic	Death	Death
S4	Critical	Permanent impairment	Irreversible injury
S3	Serious	Injury requiring intervention	Reversible injury
S2	Minor	Temporary discomfort	No treatment needed
S1	Negligible	Inconvenience	No injury

See: references/risk-analysis-methods.md

Risk Evaluation Workflow

Evaluate risks against acceptability criteria.

Workflow: Evaluate Identified Risks

Calculate initial risk level from probability × severity
Compare to risk acceptability criteria
For each risk, determine:
- Acceptable: Document and accept
- ALARP: Proceed to risk control
- Unacceptable: Mandatory risk control
Document evaluation rationale
Identify risks requiring benefit-risk analysis
Complete benefit-risk analysis if applicable
Compile risk evaluation summary
Validation: All risks evaluated; acceptability determined; rationale documented

Risk Evaluation Decision Tree

Risk Estimated
      │
      ▼
Apply Acceptability Criteria
      │
      ├── Low Risk ──────────► Accept and document
      │
      ├── Medium Risk ───────► Consider risk reduction
      │   │                    Document ALARP if not reduced
      │   ▼
      │   Practicable to reduce?
      │   │
      │   Yes──► Implement control
      │   No───► Document ALARP rationale
      │
      ├── High Risk ─────────► Risk reduction required
      │   │                    Must demonstrate ALARP
      │   ▼
      │   Implement control
      │   Verify residual risk
      │
      └── Unacceptable ──────► Design change mandatory
                               Cannot proceed without control

ALARP Demonstration Requirements

Criterion	Evidence Required
Technical feasibility	Analysis of alternative controls
Proportionality	Cost-benefit of further reduction
State of the art	Comparison to similar devices
Stakeholder input	Clinical/user perspectives

Benefit-Risk Analysis Triggers

Situation	Benefit-Risk Required
Residual risk remains high	Yes
No feasible risk reduction	Yes
Novel device	Yes
Unacceptable risk with clinical benefit	Yes
All risks low	No

Risk Control Workflow

Implement and verify risk control measures.

Workflow: Implement Risk Controls

Identify risk control options:
- Inherent safety by design (Priority 1)
- Protective measures in device (Priority 2)
- Information for safety (Priority 3)
Select optimal control following hierarchy
Analyze control for new hazards introduced
Document control in design requirements
Implement control in design
Develop verification protocol
Execute verification and document results
Evaluate residual risk with control in place
Validation: Control implemented; verification passed; residual risk acceptable; no unaddressed new hazards

Risk Control Hierarchy

Priority	Control Type	Examples	Effectiveness
1	Inherent Safety	Eliminate hazard, fail-safe design	Highest
2	Protective Measures	Guards, alarms, automatic shutdown	High
3	Information	Warnings, training, IFU	Lower

Risk Control Option Analysis Template

RISK CONTROL OPTION ANALYSIS

Hazard ID: H-[XXX]
Hazard: [Description]
Initial Risk: P[X] × S[X] = [Level]

OPTIONS CONSIDERED:
| Option | Control Type | New Hazards | Feasibility | Selected |
|--------|--------------|-------------|-------------|----------|
| 1 | [Type] | [Yes/No] | [H/M/L] | [Yes/No] |
| 2 | [Type] | [Yes/No] | [H/M/L] | [Yes/No] |

SELECTED CONTROL: Option [X]
Rationale: [Justification for selection]

IMPLEMENTATION:
- Requirement: [REQ-XXX]
- Design Document: [Reference]

VERIFICATION:
- Method: [Test/Analysis/Review]
- Protocol: [Reference]
- Acceptance Criteria: [Criteria]

Risk Control Verification Methods

Method	When to Use	Evidence
Test	Quantifiable performance	Test report
Inspection	Physical presence	Inspection record
Analysis	Design calculation	Analysis report
Review	Documentation check	Review record

Residual Risk Evaluation

After Control	Action
Acceptable	Document, proceed
ALARP achieved	Document rationale, proceed
Still unacceptable	Additional control or design change
New hazard introduced	Analyze and control new hazard

Post-Production Risk Management

Monitor and update risk management throughout product lifecycle.

Workflow: Post-Production Risk Monitoring

Identify information sources:
- Customer complaints
- Service reports
- Vigilance/adverse events
- Literature monitoring
- Clinical studies
Establish collection procedures
Define review triggers:
- New hazard identified
- Increased frequency of known hazard
- Serious incident
- Regulatory feedback
Analyze incoming information for risk relevance
Update risk management file as needed
Communicate significant findings
Conduct periodic risk management review
Validation: Information sources monitored; file current; reviews completed per schedule

Information Sources

Source	Information Type	Review Frequency
Complaints	Use issues, failures	Continuous
Service	Field failures, repairs	Monthly
Vigilance	Serious incidents	Immediate
Literature	Similar device issues	Quarterly
Regulatory	Authority feedback	As received
Clinical	PMCF data	Per plan

Risk Management File Update Triggers

Trigger	Response Time	Action
Serious incident	Immediate	Full risk review
New hazard identified	30 days	Risk analysis update
Trend increase	60 days	Trend analysis
Design change	Before implementation	Impact assessment
Standards update	Per transition period	Gap analysis

Periodic Review Requirements

Review Element	Frequency
Risk management file completeness	Annual
Risk control effectiveness	Annual
Post-market information analysis	Quarterly
Risk-benefit conclusions	Annual or on new data

Risk Assessment Templates

→ See references/risk-assessment-templates.md for details

Decision Frameworks

Risk Control Selection

What is the risk level?
        │
        ├── Unacceptable ──► Can hazard be eliminated?
        │                    │
        │                Yes─┴─No
        │                 │     │
        │                 ▼     ▼
        │            Eliminate  Can protective
        │            hazard     measure reduce?
        │                           │
        │                       Yes─┴─No
        │                        │     │
        │                        ▼     ▼
        │                   Add       Add warning
        │                   protection + training
        │
        └── High/Medium ──► Apply hierarchy
                            starting at Level 1

New Hazard Analysis

Question	If Yes	If No
Does control introduce new hazard?	Analyze new hazard	Proceed
Is new risk higher than original?	Reject control option	Acceptable trade-off
Can new hazard be controlled?	Add control	Reject control option

Risk Acceptability Decision

Condition	Decision
All risks Low	Acceptable
Medium risks with ALARP	Acceptable
High risks with ALARP documented	Acceptable if benefits outweigh
Any Unacceptable residual	Not acceptable - redesign

Tools and References

Scripts

Tool	Purpose	Usage
risk_matrix_calculator.py	Calculate risk levels and FMEA RPN	`python risk_matrix_calculator.py --help`

Risk Matrix Calculator Features:

ISO 14971 5x5 risk matrix calculation
FMEA RPN (Risk Priority Number) calculation
Interactive mode for guided assessment
Display risk criteria definitions
JSON output for integration

References

Document	Content
iso14971-implementation-guide.md	Complete ISO 14971:2019 implementation with templates
risk-analysis-methods.md	FMEA, FTA, HAZOP, Use Error Analysis methods

Quick Reference: ISO 14971 Process

Stage	Key Activities	Output
Planning	Define scope, criteria, responsibilities	Risk Management Plan
Analysis	Identify hazards, estimate risk	Hazard Analysis
Evaluation	Compare to criteria, ALARP assessment	Risk Evaluation
Control	Implement hierarchy, verify	Risk Control Records
Residual	Overall assessment, benefit-risk	Risk Management Report
Production	Monitor, review, update	Updated RM File

Skill	Integration Point
quality-manager-qms-iso13485	QMS integration
capa-officer	Risk-based CAPA
regulatory-affairs-head	Regulatory submissions
quality-documentation-manager	Risk file management

ISO 14971:2019 Implementation Guide

Complete implementation framework for medical device risk management per ISO 14971:2019.

Risk Management Planning
Risk Analysis
Risk Evaluation
Risk Control
Overall Residual Risk Evaluation
Risk Management Report
Production and Post-Production Activities

Risk Management Planning

Risk Management Plan Content

Element	Requirement	Documentation
Scope	Medical device and lifecycle stages covered	Scope statement
Responsibilities	Personnel and authority assignments	Organization chart, RACI
Review Requirements	Timing and triggers for reviews	Review schedule
Acceptability Criteria	Risk acceptance matrix and policy	Risk acceptability criteria
Verification Activities	Methods for control verification	Verification plan
Production/Post-Production	Activities for ongoing risk management	Surveillance plan

Risk Management Plan Template

RISK MANAGEMENT PLAN

Document Number: RMP-[Product]-[Rev]
Product: [Device Name]
Revision: [X.X]
Effective Date: [Date]

1. SCOPE AND PURPOSE
   1.1 Medical Device Description: [Description]
   1.2 Intended Use: [Statement]
   1.3 Lifecycle Stages Covered: [Design/Production/Post-Market]
   1.4 Plan Objectives: [Objectives]

2. RESPONSIBILITIES AND AUTHORITIES
   | Role | Responsibility | Authority |
   |------|----------------|-----------|
   | Risk Management Lead | Overall RM process | RM decisions |
   | Design Engineer | Risk identification | Design changes |
   | QA Manager | RM file review | File approval |
   | Clinical | Clinical input | Clinical risk assessment |

3. RISK ACCEPTABILITY CRITERIA
   3.1 Risk Matrix: [Reference to matrix]
   3.2 Acceptability Policy: [Acceptable/ALARP/Unacceptable definitions]
   3.3 Benefit-Risk Considerations: [When applicable]

4. VERIFICATION ACTIVITIES
   4.1 Risk Control Verification Methods: [Test, Analysis, Review]
   4.2 Verification Timing: [Design phase, V&V]
   4.3 Acceptance Criteria: [Pass/fail criteria]

5. PRODUCTION AND POST-PRODUCTION
   5.1 Information Collection: [Sources]
   5.2 Review Triggers: [Events requiring review]
   5.3 Update Process: [RM file update procedure]

6. REVIEW AND APPROVAL
   Prepared By: _________________ Date: _______
   Reviewed By: _________________ Date: _______
   Approved By: _________________ Date: _______

Risk Acceptability Criteria Definition

Risk Level	Definition	Action Required
Broadly Acceptable	Risk so low that no action needed	Document and monitor
ALARP (Tolerable)	Risk reduced as low as reasonably practicable	Verify ALARP, consider benefit
Unacceptable	Risk exceeds acceptable threshold	Risk control mandatory

Risk Matrix Example (5x5)

Probability \ Severity	Negligible	Minor	Serious	Critical	Catastrophic
Frequent	Medium	High	High	Unacceptable	Unacceptable
Probable	Low	Medium	High	High	Unacceptable
Occasional	Low	Medium	Medium	High	High
Remote	Low	Low	Medium	Medium	High
Improbable	Low	Low	Low	Medium	Medium

Risk Level Actions:

Low (Acceptable): Document, no action required
Medium (ALARP): Consider risk reduction, document rationale
High (ALARP): Risk reduction required unless ALARP demonstrated
Unacceptable: Risk reduction mandatory before proceeding

Risk Analysis

Hazard Identification Methods

Method	Application	Standard Reference
FMEA	Component/subsystem failures	IEC 60812
FTA	System-level failure analysis	IEC 61025
HAZOP	Process hazard identification	IEC 61882
PHA	Preliminary hazard assessment	-
Use FMEA	Use-related hazards	IEC 62366-1

Intended Use Analysis Checklist

Category	Questions to Address
Medical Purpose	What condition is treated/diagnosed?
Patient Population	Age, health status, contraindications?
User Population	Healthcare professional, patient, caregiver?
Use Environment	Hospital, home, ambulatory?
Duration	Single use, repeated, continuous?
Body Contact	External, internal, implanted?

Hazard Categories (Informative Annex C)

Category	Examples
Energy	Electrical, thermal, mechanical, radiation
Biological	Bioburden, pyrogens, biocompatibility
Chemical	Residues, degradation products, leachables
Operational	Incorrect output, delayed function, unexpected operation
Information	Incomplete instructions, inadequate warnings
Use Environment	Electromagnetic, mechanical stress

Hazardous Situation Documentation

HAZARD ANALYSIS WORKSHEET

Product: [Device Name]
Analyst: [Name]
Date: [Date]

| ID | Hazard | Hazardous Situation | Sequence of Events | Harm | P1 | P2 | Initial Risk |
|----|--------|--------------------|--------------------|------|----|----|--------------|
| H-001 | [Hazard] | [Situation] | [Sequence] | [Harm] | [Prob] | [Sev] | [Level] |

P1 = Probability of hazardous situation occurring
P2 = Probability of harm given hazardous situation
Initial Risk = Risk before controls

Risk Estimation

Probability Categories:

Level	Term	Definition	Frequency
5	Frequent	Expected to occur	>10⁻³
4	Probable	Likely to occur	10⁻³ to 10⁻⁴
3	Occasional	May occur	10⁻⁴ to 10⁻⁵
2	Remote	Unlikely to occur	10⁻⁵ to 10⁻⁶
1	Improbable	Very unlikely	<10⁻⁶

Severity Categories:

Level	Term	Definition	Patient Impact
5	Catastrophic	Results in death	Death
4	Critical	Results in permanent impairment	Permanent impairment
3	Serious	Results in injury requiring intervention	Injury requiring treatment
2	Minor	Results in temporary injury	Temporary discomfort
1	Negligible	Inconvenience or temporary discomfort	No injury

Risk Evaluation

Evaluation Workflow

Apply risk acceptability criteria to estimated risk
Determine if risk is acceptable, ALARP, or unacceptable
For ALARP risks, document ALARP demonstration
For unacceptable risks, proceed to risk control
Document evaluation rationale
Validation: All risks evaluated against criteria; rationale documented

Risk Acceptability Decision

Initial Risk	Benefit Available	Decision
Acceptable	N/A	Accept, document
ALARP	No	Verify ALARP
ALARP	Yes	Include in benefit-risk
Unacceptable	No	Design change required
Unacceptable	Yes	Benefit-risk analysis

ALARP Demonstration

Criterion	Evidence Required
Technical feasibility	Analysis of alternatives
Economic proportionality	Cost-benefit assessment
State of the art	Review of similar devices
User acceptance	Stakeholder input

Risk Control

Risk Control Hierarchy

Priority	Control Type	Examples
1	Inherent safety by design	Remove hazard, substitute material
2	Protective measures in device	Guards, alarms, software limits
3	Information for safety	Warnings, training, IFU

Risk Control Option Analysis

RISK CONTROL OPTION ANALYSIS

Hazard ID: [H-XXX]
Risk Level: [Unacceptable/High]

| Option | Control Type | Effectiveness | Feasibility | New Risks | Selected |
|--------|--------------|---------------|-------------|-----------|----------|
| Option 1 | [Type] | [H/M/L] | [H/M/L] | [Yes/No] | [Yes/No] |
| Option 2 | [Type] | [H/M/L] | [H/M/L] | [Yes/No] | [Yes/No] |

Selected Option: [Option X]
Rationale: [Justification]

Risk Control Implementation Record

RISK CONTROL IMPLEMENTATION

Control ID: RC-[XXX]
Related Hazard: H-[XXX]

Control Description: [Description]
Control Type: [ ] Inherent Safety [ ] Protective Measure [ ] Information

Implementation:
- Specification/Requirement: [Reference]
- Design Document: [Reference]
- Verification Method: [Test/Analysis/Review]
- Verification Criteria: [Pass criteria]

Verification:
- Protocol Reference: [Document]
- Execution Date: [Date]
- Result: [ ] Pass [ ] Fail
- Evidence Reference: [Document]

New Risks Introduced: [ ] Yes [ ] No
If Yes: [New Hazard ID references]

Residual Risk:
- P1: [Probability]
- P2: [Severity]
- Residual Risk Level: [Level]

Approved By: _________________ Date: _______

Risk Control Verification Methods

Method	Application	Evidence
Test	Quantifiable control effectiveness	Test report
Inspection	Physical control presence	Inspection record
Analysis	Design analysis confirmation	Analysis report
Review	Document/drawing review	Review record

Overall Residual Risk Evaluation

Evaluation Process

Compile all individual residual risks
Consider cumulative effects of residual risks
Assess overall residual risk acceptability
Conduct benefit-risk analysis if required
Document overall evaluation conclusion
Validation: All residual risks compiled; overall evaluation complete

Benefit-Risk Analysis

Factor	Assessment
Clinical Benefit	Documented therapeutic benefit
State of the Art	Comparison to alternative treatments
Patient Expectation	Benefit patient would accept
Medical Opinion	Clinical expert input
Risk Quantification	Residual risk characterization

Benefit-Risk Documentation

BENEFIT-RISK ANALYSIS

Product: [Device Name]
Date: [Date]

BENEFITS:
1. Primary Clinical Benefit: [Description]
   - Evidence: [Reference]
   - Magnitude: [Quantification]

2. Secondary Benefits: [List]

RISKS:
1. Residual Risks Summary:
   | Risk Category | Count | Highest Level |
   |---------------|-------|---------------|
   | Acceptable | [N] | Low |
   | ALARP | [N] | Medium/High |

2. Cumulative Considerations: [Assessment]

COMPARISON:
- State of the Art: [How device compares]
- Alternative Treatments: [Risk comparison]
- Patient Acceptance: [Expected acceptance]

CONCLUSION:
[ ] Benefits outweigh risks - Acceptable
[ ] Benefits do not outweigh risks - Not Acceptable

Rationale: [Justification]

Approved By: _________________ Date: _______

Risk Management Report

Report Content Requirements

Section	Content
Results of Risk Analysis	Summary of hazards and risks identified
Risk Control Decisions	Controls selected and implemented
Overall Residual Risk	Evaluation and acceptability conclusion
Benefit-Risk Conclusion	If applicable
Review and Approval	Formal sign-off

Risk Management Report Template

RISK MANAGEMENT REPORT

Document Number: RMR-[Product]-[Rev]
Product: [Device Name]
Date: [Date]

1. EXECUTIVE SUMMARY
   - Total hazards identified: [N]
   - Risk controls implemented: [N]
   - Residual risks: [N] acceptable, [N] ALARP
   - Overall conclusion: [Acceptable/Not Acceptable]

2. RISK ANALYSIS SUMMARY
   - Methods used: [FMEA, FTA, etc.]
   - Scope coverage: [Lifecycle stages]
   - Hazard categories addressed: [List]

3. RISK EVALUATION SUMMARY
   | Risk Level | Before Control | After Control |
   |------------|----------------|---------------|
   | Unacceptable | [N] | [N] |
   | High | [N] | [N] |
   | Medium | [N] | [N] |
   | Low | [N] | [N] |

4. RISK CONTROL SUMMARY
   - Inherent safety controls: [N]
   - Protective measures: [N]
   - Information for safety: [N]
   - All controls verified: [Yes/No]

5. OVERALL RESIDUAL RISK
   - Individual residual risks: [Summary]
   - Cumulative assessment: [Conclusion]
   - Acceptability: [Acceptable/ALARP demonstrated]

6. BENEFIT-RISK ANALYSIS (if applicable)
   - Conclusion: [Statement]

7. PRODUCTION AND POST-PRODUCTION
   - Monitoring plan: [Reference]
   - Review triggers: [List]

8. CONCLUSION
   [Statement of overall risk acceptability]

9. APPROVAL
   Risk Management Lead: _________________ Date: _______
   Quality Assurance: _________________ Date: _______
   Management Representative: _________________ Date: _______

Production and Post-Production Activities

Information Sources

Source	Information Type	Review Frequency
Complaints	Use-related issues, failures	Continuous
Service Reports	Field failures, repairs	Monthly
Vigilance Reports	Serious incidents	Immediate
Literature	Similar device issues	Quarterly
Regulatory Feedback	Authority communications	As received
Clinical Data	Post-market clinical follow-up	Per PMCF plan

Risk Management File Update Triggers

Trigger	Action Required
New hazard identified	Risk analysis update
Control failure	Risk control reassessment
Serious incident	Immediate risk review
Design change	Impact assessment
Standards update	Compliance review
Regulatory feedback	Risk evaluation update

Risk Management Review Record

RISK MANAGEMENT REVIEW RECORD

Review Date: [Date]
Review Type: [ ] Periodic [ ] Triggered
Trigger (if applicable): [Description]

INFORMATION REVIEWED:
| Source | Period | Findings |
|--------|--------|----------|
| Complaints | [Period] | [Summary] |
| Vigilance | [Period] | [Summary] |
| Literature | [Period] | [Summary] |

RISK MANAGEMENT FILE STATUS:
- Current and complete: [ ] Yes [ ] No
- Updates required: [ ] Yes [ ] No

ACTIONS:
| Action | Owner | Due Date |
|--------|-------|----------|
| [Action 1] | [Name] | [Date] |

CONCLUSION:
[ ] No changes to risk profile
[ ] Risk profile updated - see [Document Reference]
[ ] Further investigation required

Reviewed By: _________________ Date: _______

Risk Analysis Methods

Systematic techniques for hazard identification and risk analysis in medical device development.

Method Selection Guide
FMEA - Failure Mode and Effects Analysis
FTA - Fault Tree Analysis
HAZOP - Hazard and Operability Study
Use Error Analysis
Software Hazard Analysis

Method Selection Guide

Method Application Matrix

Method	Best For	Standard	Complexity
FMEA	Component/process failures	IEC 60812	Medium
FTA	System-level failure analysis	IEC 61025	High
HAZOP	Process deviations	IEC 61882	Medium
PHA	Early hazard screening	-	Low
Use FMEA	Use-related hazards	IEC 62366-1	Medium
STPA	Software/system interactions	-	High

Selection Decision Tree

What is the analysis focus?
        │
        ├── Component failures → FMEA
        │
        ├── System-level failure → FTA
        │
        ├── Process deviations → HAZOP
        │
        ├── User interaction → Use Error Analysis
        │
        └── Software behavior → Software FMEA/STPA

When to Use Each Method

Project Phase	Recommended Methods
Concept	PHA, initial FTA
Design	FMEA, detailed FTA
Development	Use Error Analysis, Software HA
Verification	FMEA review, FTA validation
Production	Process FMEA
Post-Market	Trend analysis, FMEA updates

FMEA - Failure Mode and Effects Analysis

FMEA Overview

Aspect	Description
Purpose	Identify potential failure modes and their effects
Approach	Bottom-up analysis from component to system
Output	Failure mode list with severity, occurrence, detection ratings
Standard	IEC 60812

FMEA Process Workflow

Define scope and system boundaries
Develop functional block diagram
Identify failure modes for each component/function
Determine effects of each failure mode (local, next level, end)
Assign severity rating
Identify potential causes
Assign occurrence rating
Identify current controls (detection)
Assign detection rating
Calculate Risk Priority Number (RPN) or use risk matrix
Determine actions for high-priority items
Validation: All components analyzed; RPNs calculated; actions assigned for high risks

FMEA Worksheet Template

FMEA WORKSHEET

Product: [Device Name]
Subsystem: [Subsystem]
FMEA Lead: [Name]
Date: [Date]

| ID | Item/Function | Failure Mode | Effect (Local) | Effect (End) | S | Cause | O | Controls | D | RPN | Action |
|----|---------------|--------------|----------------|--------------|---|-------|---|----------|---|-----|--------|
| FM-001 | [Item] | [Mode] | [Local Effect] | [End Effect] | [1-10] | [Cause] | [1-10] | [Detection] | [1-10] | [S×O×D] | [Action] |

S = Severity (1=None, 10=Catastrophic)
O = Occurrence (1=Remote, 10=Frequent)
D = Detection (1=Certain, 10=Cannot Detect)
RPN = Risk Priority Number

Severity Rating Scale

Rating	Severity	Criteria
10	Hazardous	Death or regulatory non-compliance
9	Serious	Serious injury, major function loss
8	Major	Significant injury, major inconvenience
7	High	Minor injury, significant inconvenience
6	Moderate	Discomfort, partial function loss
5	Low	Some performance loss
4	Very Low	Minor performance degradation
3	Minor	Noticeable effect, no function loss
2	Very Minor	Negligible effect
1	None	No effect

Occurrence Rating Scale

Rating	Occurrence	Probability
10	Almost Certain	>1 in 2
9	Very High	1 in 3
8	High	1 in 8
7	Moderately High	1 in 20
6	Moderate	1 in 80
5	Low	1 in 400
4	Very Low	1 in 2,000
3	Remote	1 in 15,000
2	Very Remote	1 in 150,000
1	Nearly Impossible	<1 in 1,500,000

Detection Rating Scale

Rating	Detection	Likelihood of Detection
10	Absolute Uncertainty	Cannot detect
9	Very Remote	Very remote chance
8	Remote	Remote chance
7	Very Low	Very low chance
6	Low	Low chance
5	Moderate	Moderate chance
4	Moderately High	Moderately high chance
3	High	High chance
2	Very High	Very high chance
1	Almost Certain	Will detect

RPN Action Thresholds

RPN Range	Priority	Action
>200	Critical	Immediate action required
100-200	High	Action plan required
50-100	Medium	Consider action
<50	Low	Monitor

FTA - Fault Tree Analysis

FTA Overview

Aspect	Description
Purpose	Determine combinations of events leading to top event
Approach	Top-down deductive analysis
Output	Fault tree diagram with cut sets
Standard	IEC 61025

FTA Process Workflow

Define top event (undesired system state)
Identify immediate causes using logic gates
Continue decomposition to basic events
Draw fault tree diagram
Identify cut sets (combinations causing top event)
Calculate probability if quantitative analysis required
Identify single points of failure
Validation: All branches complete; cut sets identified; single points documented

Fault Tree Symbols

Symbol	Name	Meaning
Rectangle	Intermediate Event	Event resulting from other events
Circle	Basic Event	Primary event, no further development
Diamond	Undeveloped Event	Not analyzed further
House	House Event	Event expected to occur (condition)
AND Gate	AND	All inputs required for output
OR Gate	OR	Any input causes output

FTA Worksheet Template

FAULT TREE ANALYSIS

Top Event: [Description of undesired state]
System: [System name]
Analyst: [Name]
Date: [Date]

BASIC EVENTS:
| ID | Event | Description | Probability | Control |
|----|-------|-------------|-------------|---------|
| BE-001 | [Event] | [Description] | [P] | [Control] |

CUT SETS:
| Cut Set | Events | Order | Probability |
|---------|--------|-------|-------------|
| CS-001 | BE-001 | 1 | [P] |
| CS-002 | BE-001, BE-002 | 2 | [P] |

SINGLE POINTS OF FAILURE:
| Event | Risk | Mitigation |
|-------|------|------------|
| [Event] | [Risk assessment] | [Mitigation strategy] |

Cut Set Analysis

Cut Set Order	Meaning	Criticality
First Order	Single event causes top event	Highest - single point of failure
Second Order	Two events required	High
Third Order	Three events required	Moderate
Higher Order	Four+ events required	Lower

HAZOP - Hazard and Operability Study

HAZOP Overview

Aspect	Description
Purpose	Identify deviations from intended operation
Approach	Systematic examination using guide words
Output	Deviation analysis with consequences and safeguards
Standard	IEC 61882

HAZOP Guide Words

Guide Word	Meaning	Example Application
NO/NOT	Complete negation	No flow, no signal
MORE	Quantitative increase	More pressure, more current
LESS	Quantitative decrease	Less flow, less voltage
AS WELL AS	Qualitative increase	Extra component, contamination
PART OF	Qualitative decrease	Missing component
REVERSE	Logical opposite	Reverse flow, reverse polarity
OTHER THAN	Complete substitution	Wrong material, wrong signal
EARLY	Time-related	Early activation
LATE	Time-related	Delayed response

HAZOP Process Workflow

Select study node (process section or component)
Describe design intent for the node
Apply guide words to identify deviations
Determine causes of each deviation
Assess consequences
Identify existing safeguards
Recommend actions if needed
Validation: All nodes analyzed; all guide words applied; actions assigned

HAZOP Worksheet Template

HAZOP WORKSHEET

System: [System Name]
Node: [Node Description]
Design Intent: [What the node is supposed to do]
Team Lead: [Name]
Date: [Date]

| Guide Word | Deviation | Causes | Consequences | Safeguards | Actions |
|------------|-----------|--------|--------------|------------|---------|
| NO | [No + parameter] | [Causes] | [Consequences] | [Existing] | [Recommendations] |
| MORE | [More + parameter] | [Causes] | [Consequences] | [Existing] | [Recommendations] |
| LESS | [Less + parameter] | [Causes] | [Consequences] | [Existing] | [Recommendations] |

Use Error Analysis

Use Error Analysis Overview

Aspect	Description
Purpose	Identify use-related hazards and mitigations
Approach	Task analysis combined with error prediction
Output	Use error list with risk controls
Standard	IEC 62366-1

Use Error Categories

Category	Description	Examples
Perception Error	Failure to perceive information	Missing alarm, unclear display
Cognition Error	Failure to understand	Misinterpretation, wrong decision
Action Error	Incorrect physical action	Wrong button, slip, lapse
Memory Error	Failure to recall	Forgotten step, omission

Use Error Analysis Process

Identify user tasks and subtasks
Identify potential use errors for each task
Determine consequences of each use error
Estimate probability of use error
Identify design features contributing to error
Define risk control measures
Verify control effectiveness
Validation: All critical tasks analyzed; errors identified; controls defined

Use Error Worksheet Template

USE ERROR ANALYSIS

Device: [Device Name]
Task: [Task Description]
User: [User Profile]
Analyst: [Name]
Date: [Date]

| Step | User Action | Potential Use Error | Error Type | Cause | Consequence | S | P | Risk | Control |
|------|-------------|--------------------| -----------|-------|-------------|---|---|------|---------|
| 1 | [Action] | [Error] | [Type] | [Cause] | [Harm] | [S] | [P] | [Level] | [Control] |

Error Types: Perception (P), Cognition (C), Action (A), Memory (M)

Human Factors Risk Controls

Control Type	Examples
Design	Forcing functions, constraints, affordances
Feedback	Visual, auditory, tactile confirmation
Labeling	Clear instructions, warnings, symbols
Training	User education, competency verification
Environment	Adequate lighting, noise reduction

Software Hazard Analysis

Software Hazard Analysis Overview

Aspect	Description
Purpose	Identify software contribution to hazards
Approach	Analysis of software failure modes and behaviors
Output	Software hazard list with safety requirements
Standard	IEC 62304

Software Safety Classification

Class	Contribution to Hazard	Rigor Required
A	No contribution possible	Basic
B	Non-serious injury possible	Moderate
C	Death or serious injury possible	High

Software Hazard Categories

Category	Description	Examples
Omission	Required function not performed	Missing safety check
Commission	Incorrect function performed	Wrong calculation
Timing	Function at wrong time	Delayed alarm
Value	Function with wrong value	Incorrect dose
Sequence	Functions in wrong order	Steps reversed

Software FMEA Worksheet

SOFTWARE FMEA

Software Item: [Module/Function Name]
Safety Class: [A/B/C]
Analyst: [Name]
Date: [Date]

| ID | Function | Failure Mode | Cause | Effect on System | Effect on Patient | S | P | Risk | Mitigation |
|----|----------|--------------|-------|------------------|-------------------|---|---|------|------------|
| SW-001 | [Function] | [Mode] | [Cause] | [System effect] | [Patient effect] | [S] | [P] | [Level] | [Control] |

Failure Mode Types: Omission, Commission, Timing, Value, Sequence

Software Risk Controls

Control Type	Implementation
Defensive Programming	Input validation, range checking
Error Handling	Exception handling, graceful degradation
Redundancy	Dual channels, voting logic
Watchdog	Timeout monitoring, heartbeat
Self-Test	Power-on diagnostics, runtime checks
Separation	Independence of safety functions

Traceability Requirements

From	To	Purpose
Software Hazard	Software Requirement	Hazard addressed
Software Requirement	Architecture	Requirement implemented
Architecture	Code	Design realized
Code	Test	Verification coverage
Test	Hazard	Control verified

risk-management-specialist reference

Risk Assessment Templates

Hazard Analysis Worksheet

HAZARD ANALYSIS WORKSHEET

Product: [Device Name]
Document: HA-[Product]-[Rev]
Analyst: [Name]
Date: [Date]

| ID | Hazard | Hazardous Situation | Harm | P | S | Initial Risk | Control | Residual P | Residual S | Final Risk |
|----|--------|---------------------|------|---|---|--------------|---------|------------|------------|------------|
| H-001 | [Hazard] | [Situation] | [Harm] | [1-5] | [1-5] | [Level] | [Control ref] | [1-5] | [1-5] | [Level] |

FMEA Worksheet

FMEA WORKSHEET

Product: [Device Name]
Subsystem: [Subsystem]
Analyst: [Name]
Date: [Date]

| ID | Item | Function | Failure Mode | Effect | S | Cause | O | Control | D | RPN | Action |
|----|------|----------|--------------|--------|---|-------|---|---------|---|-----|--------|
| FM-001 | [Item] | [Function] | [Mode] | [Effect] | [1-10] | [Cause] | [1-10] | [Detection] | [1-10] | [S×O×D] | [Action] |

RPN Action Thresholds:
>200: Critical - Immediate action
100-200: High - Action plan required
50-100: Medium - Consider action
<50: Low - Monitor

Risk Management Report Summary

RISK MANAGEMENT REPORT

Product: [Device Name]
Date: [Date]
Revision: [X.X]

SUMMARY:
- Total hazards identified: [N]
- Risk controls implemented: [N]
- Residual risks: [N] Low, [N] Medium, [N] High
- Overall conclusion: [Acceptable / Not Acceptable]

RISK DISTRIBUTION:
| Risk Level | Before Control | After Control |
|------------|----------------|---------------|
| Unacceptable | [N] | 0 |
| High | [N] | [N] |
| Medium | [N] | [N] |
| Low | [N] | [N] |

CONTROLS IMPLEMENTED:
- Inherent safety: [N]
- Protective measures: [N]
- Information for safety: [N]

OVERALL RESIDUAL RISK: [Acceptable / ALARP Demonstrated]
BENEFIT-RISK CONCLUSION: [If applicable]

APPROVAL:
Risk Management Lead: _____________ Date: _______
Quality Assurance: _____________ Date: _______

#!/usr/bin/env python3
"""
FMEA Analyzer - Failure Mode and Effects Analysis for medical device risk management.

Supports Design FMEA (dFMEA) and Process FMEA (pFMEA) per ISO 14971 and IEC 60812.
Calculates Risk Priority Numbers (RPN), identifies critical items, and generates
risk reduction recommendations.

Usage:
    python fmea_analyzer.py --data fmea_input.json
    python fmea_analyzer.py --interactive
    python fmea_analyzer.py --data fmea_input.json --output json
"""

import argparse
import json
import sys
from dataclasses import dataclass, field, asdict
from typing import List, Dict, Optional, Tuple
from enum import Enum
from datetime import datetime


class FMEAType(Enum):
    DESIGN = "Design FMEA"
    PROCESS = "Process FMEA"


class Severity(Enum):
    INCONSEQUENTIAL = 1
    MINOR = 2
    MODERATE = 3
    SIGNIFICANT = 4
    SERIOUS = 5
    CRITICAL = 6
    SERIOUS_HAZARD = 7
    HAZARDOUS = 8
    HAZARDOUS_NO_WARNING = 9
    CATASTROPHIC = 10


class Occurrence(Enum):
    REMOTE = 1
    LOW = 2
    LOW_MODERATE = 3
    MODERATE = 4
    MODERATE_HIGH = 5
    HIGH = 6
    VERY_HIGH = 7
    EXTREMELY_HIGH = 8
    ALMOST_CERTAIN = 9
    INEVITABLE = 10


class Detection(Enum):
    ALMOST_CERTAIN = 1
    VERY_HIGH = 2
    HIGH = 3
    MODERATE_HIGH = 4
    MODERATE = 5
    LOW_MODERATE = 6
    LOW = 7
    VERY_LOW = 8
    REMOTE = 9
    ABSOLUTELY_UNCERTAIN = 10


@dataclass
class FMEAEntry:
    """Single FMEA line item."""
    item_process: str
    function: str
    failure_mode: str
    effect: str
    severity: int
    cause: str
    occurrence: int
    current_controls: str
    detection: int
    rpn: int = 0
    criticality: str = ""
    recommended_actions: List[str] = field(default_factory=list)
    responsibility: str = ""
    target_date: str = ""
    actions_taken: str = ""
    revised_severity: int = 0
    revised_occurrence: int = 0
    revised_detection: int = 0
    revised_rpn: int = 0

    def calculate_rpn(self):
        self.rpn = self.severity * self.occurrence * self.detection
        if self.severity >= 8:
            self.criticality = "CRITICAL"
        elif self.rpn >= 200:
            self.criticality = "HIGH"
        elif self.rpn >= 100:
            self.criticality = "MEDIUM"
        else:
            self.criticality = "LOW"

    def calculate_revised_rpn(self):
        if self.revised_severity and self.revised_occurrence and self.revised_detection:
            self.revised_rpn = self.revised_severity * self.revised_occurrence * self.revised_detection


@dataclass
class FMEAReport:
    """Complete FMEA analysis report."""
    fmea_type: str
    product_process: str
    team: List[str]
    date: str
    entries: List[FMEAEntry]
    summary: Dict
    risk_reduction_actions: List[Dict]


class FMEAAnalyzer:
    """Analyzes FMEA data and generates risk assessments."""

    # RPN thresholds
    RPN_CRITICAL = 200
    RPN_HIGH = 100
    RPN_MEDIUM = 50

    def __init__(self, fmea_type: FMEAType = FMEAType.DESIGN):
        self.fmea_type = fmea_type

    def analyze_entries(self, entries: List[FMEAEntry]) -> Dict:
        """Analyze all FMEA entries and generate summary."""
        for entry in entries:
            entry.calculate_rpn()
            entry.calculate_revised_rpn()

        rpns = [e.rpn for e in entries if e.rpn > 0]
        revised_rpns = [e.revised_rpn for e in entries if e.revised_rpn > 0]

        critical = [e for e in entries if e.criticality == "CRITICAL"]
        high = [e for e in entries if e.criticality == "HIGH"]
        medium = [e for e in entries if e.criticality == "MEDIUM"]

        # Severity distribution
        sev_dist = {}
        for e in entries:
            sev_range = "1-3 (Low)" if e.severity <= 3 else "4-6 (Medium)" if e.severity <= 6 else "7-10 (High)"
            sev_dist[sev_range] = sev_dist.get(sev_range, 0) + 1

        summary = {
            "total_entries": len(entries),
            "rpn_statistics": {
                "min": min(rpns) if rpns else 0,
                "max": max(rpns) if rpns else 0,
                "average": round(sum(rpns) / len(rpns), 1) if rpns else 0,
                "median": sorted(rpns)[len(rpns) // 2] if rpns else 0
            },
            "risk_distribution": {
                "critical_severity": len(critical),
                "high_rpn": len(high),
                "medium_rpn": len(medium),
                "low_rpn": len(entries) - len(critical) - len(high) - len(medium)
            },
            "severity_distribution": sev_dist,
            "top_risks": [
                {
                    "item": e.item_process,
                    "failure_mode": e.failure_mode,
                    "rpn": e.rpn,
                    "severity": e.severity
                }
                for e in sorted(entries, key=lambda x: x.rpn, reverse=True)[:5]
            ]
        }

        if revised_rpns:
            summary["revised_rpn_statistics"] = {
                "min": min(revised_rpns),
                "max": max(revised_rpns),
                "average": round(sum(revised_rpns) / len(revised_rpns), 1),
                "improvement": round((sum(rpns) - sum(revised_rpns)) / sum(rpns) * 100, 1) if rpns else 0
            }

        return summary

    def generate_risk_reduction_actions(self, entries: List[FMEAEntry]) -> List[Dict]:
        """Generate recommended risk reduction actions."""
        actions = []

        # Sort by RPN descending
        sorted_entries = sorted(entries, key=lambda e: e.rpn, reverse=True)

        for entry in sorted_entries[:10]:  # Top 10 risks
            if entry.rpn >= self.RPN_HIGH or entry.severity >= 8:
                strategies = []

                # Severity reduction strategies (highest priority for high severity)
                if entry.severity >= 7:
                    strategies.append({
                        "type": "Severity Reduction",
                        "action": f"Redesign {entry.item_process} to eliminate failure mode: {entry.failure_mode}",
                        "priority": "Highest",
                        "expected_impact": "May reduce severity by 2-4 points"
                    })

                # Occurrence reduction strategies
                if entry.occurrence >= 5:
                    strategies.append({
                        "type": "Occurrence Reduction",
                        "action": f"Implement preventive controls for cause: {entry.cause}",
                        "priority": "High",
                        "expected_impact": f"Target occurrence reduction from {entry.occurrence} to {max(1, entry.occurrence - 3)}"
                    })

                # Detection improvement strategies
                if entry.detection >= 5:
                    strategies.append({
                        "type": "Detection Improvement",
                        "action": f"Enhance detection methods: {entry.current_controls}",
                        "priority": "Medium",
                        "expected_impact": f"Target detection improvement from {entry.detection} to {max(1, entry.detection - 3)}"
                    })

                actions.append({
                    "item": entry.item_process,
                    "failure_mode": entry.failure_mode,
                    "current_rpn": entry.rpn,
                    "current_severity": entry.severity,
                    "strategies": strategies
                })

        return actions

    def create_entry_from_dict(self, data: Dict) -> FMEAEntry:
        """Create FMEA entry from dictionary."""
        entry = FMEAEntry(
            item_process=data.get("item_process", ""),
            function=data.get("function", ""),
            failure_mode=data.get("failure_mode", ""),
            effect=data.get("effect", ""),
            severity=data.get("severity", 1),
            cause=data.get("cause", ""),
            occurrence=data.get("occurrence", 1),
            current_controls=data.get("current_controls", ""),
            detection=data.get("detection", 1),
            recommended_actions=data.get("recommended_actions", []),
            responsibility=data.get("responsibility", ""),
            target_date=data.get("target_date", ""),
            actions_taken=data.get("actions_taken", ""),
            revised_severity=data.get("revised_severity", 0),
            revised_occurrence=data.get("revised_occurrence", 0),
            revised_detection=data.get("revised_detection", 0)
        )
        entry.calculate_rpn()
        entry.calculate_revised_rpn()
        return entry

    def generate_report(self, product_process: str, team: List[str], entries_data: List[Dict]) -> FMEAReport:
        """Generate complete FMEA report."""
        entries = [self.create_entry_from_dict(e) for e in entries_data]
        summary = self.analyze_entries(entries)
        actions = self.generate_risk_reduction_actions(entries)

        return FMEAReport(
            fmea_type=self.fmea_type.value,
            product_process=product_process,
            team=team,
            date=datetime.now().strftime("%Y-%m-%d"),
            entries=entries,
            summary=summary,
            risk_reduction_actions=actions
        )


def format_fmea_text(report: FMEAReport) -> str:
    """Format FMEA report as text."""
    lines = [
        "=" * 80,
        f"{report.fmea_type.upper()} REPORT",
        "=" * 80,
        f"Product/Process: {report.product_process}",
        f"Date: {report.date}",
        f"Team: {', '.join(report.team)}",
        "",
        "SUMMARY",
        "-" * 60,
        f"Total Failure Modes Analyzed: {report.summary['total_entries']}",
        f"Critical Severity (≥8): {report.summary['risk_distribution']['critical_severity']}",
        f"High RPN (≥100): {report.summary['risk_distribution']['high_rpn']}",
        f"Medium RPN (50-99): {report.summary['risk_distribution']['medium_rpn']}",
        "",
        "RPN Statistics:",
        f"  Min: {report.summary['rpn_statistics']['min']}",
        f"  Max: {report.summary['rpn_statistics']['max']}",
        f"  Average: {report.summary['rpn_statistics']['average']}",
        f"  Median: {report.summary['rpn_statistics']['median']}",
    ]

    if "revised_rpn_statistics" in report.summary:
        lines.extend([
            "",
            "Revised RPN Statistics:",
            f"  Average: {report.summary['revised_rpn_statistics']['average']}",
            f"  Improvement: {report.summary['revised_rpn_statistics']['improvement']}%",
        ])

    lines.extend([
        "",
        "TOP RISKS",
        "-" * 60,
        f"{'Item':<25} {'Failure Mode':<30} {'RPN':>5} {'Sev':>4}",
        "-" * 66,
    ])
    for risk in report.summary.get("top_risks", []):
        lines.append(f"{risk['item'][:24]:<25} {risk['failure_mode'][:29]:<30} {risk['rpn']:>5} {risk['severity']:>4}")

    lines.extend([
        "",
        "FMEA ENTRIES",
        "-" * 60,
    ])

    for i, entry in enumerate(report.entries, 1):
        marker = "⚠" if entry.criticality in ["CRITICAL", "HIGH"] else "•"
        lines.extend([
            f"",
            f"{marker} Entry {i}: {entry.item_process} - {entry.function}",
            f"  Failure Mode: {entry.failure_mode}",
            f"  Effect: {entry.effect}",
            f"  Cause: {entry.cause}",
            f"  S={entry.severity} × O={entry.occurrence} × D={entry.detection} = RPN {entry.rpn} [{entry.criticality}]",
            f"  Current Controls: {entry.current_controls}",
        ])
        if entry.recommended_actions:
            lines.append(f"  Recommended Actions:")
            for action in entry.recommended_actions:
                lines.append(f"    → {action}")
        if entry.revised_rpn > 0:
            lines.append(f"  Revised: S={entry.revised_severity} × O={entry.revised_occurrence} × D={entry.revised_detection} = RPN {entry.revised_rpn}")

    if report.risk_reduction_actions:
        lines.extend([
            "",
            "RISK REDUCTION RECOMMENDATIONS",
            "-" * 60,
        ])
        for action in report.risk_reduction_actions:
            lines.extend([
                f"",
                f"  {action['item']} - {action['failure_mode']}",
                f"  Current RPN: {action['current_rpn']} (Severity: {action['current_severity']})",
            ])
            for strategy in action["strategies"]:
                lines.append(f"    [{strategy['priority']}] {strategy['type']}: {strategy['action']}")
                lines.append(f"      Expected: {strategy['expected_impact']}")

    lines.append("=" * 80)
    return "\n".join(lines)


def main():
    parser = argparse.ArgumentParser(description="FMEA Analyzer for Medical Device Risk Management")
    parser.add_argument("--type", choices=["design", "process"], default="design", help="FMEA type")
    parser.add_argument("--data", type=str, help="JSON file with FMEA data")
    parser.add_argument("--output", choices=["text", "json"], default="text", help="Output format")
    parser.add_argument("--interactive", action="store_true", help="Interactive mode")

    args = parser.parse_args()

    fmea_type = FMEAType.DESIGN if args.type == "design" else FMEAType.PROCESS
    analyzer = FMEAAnalyzer(fmea_type)

    if args.data:
        with open(args.data) as f:
            data = json.load(f)
        report = analyzer.generate_report(
            product_process=data.get("product_process", ""),
            team=data.get("team", []),
            entries_data=data.get("entries", [])
        )
    else:
        # Demo data
        demo_entries = [
            {
                "item_process": "Battery Module",
                "function": "Provide power for 8 hours",
                "failure_mode": "Premature battery drain",
                "effect": "Device shuts down during procedure",
                "severity": 8,
                "cause": "Cell degradation due to temperature cycling",
                "occurrence": 4,
                "current_controls": "Incoming battery testing, temperature spec in IFU",
                "detection": 5,
                "recommended_actions": ["Add battery health monitoring algorithm", "Implement low-battery warning at 20%"]
            },
            {
                "item_process": "Software Controller",
                "function": "Control device operation",
                "failure_mode": "Firmware crash",
                "effect": "Device becomes unresponsive",
                "severity": 7,
                "cause": "Memory leak in logging module",
                "occurrence": 3,
                "current_controls": "Code review, unit testing, integration testing",
                "detection": 4,
                "recommended_actions": ["Add watchdog timer", "Implement memory usage monitoring"]
            },
            {
                "item_process": "Sterile Packaging",
                "function": "Maintain sterility until use",
                "failure_mode": "Seal breach",
                "effect": "Device contamination",
                "severity": 9,
                "cause": "Sealing jaw temperature variation",
                "occurrence": 2,
                "current_controls": "Seal integrity testing (dye penetration), SPC on sealing process",
                "detection": 3,
                "recommended_actions": ["Add real-time seal temperature monitoring", "Implement 100% seal integrity testing"]
            }
        ]
        report = analyzer.generate_report(
            product_process="Insulin Pump Model X200",
            team=["Quality Engineer", "R&D Lead", "Manufacturing Engineer", "Risk Manager"],
            entries_data=demo_entries
        )

    if args.output == "json":
        result = {
            "fmea_type": report.fmea_type,
            "product_process": report.product_process,
            "date": report.date,
            "team": report.team,
            "entries": [asdict(e) for e in report.entries],
            "summary": report.summary,
            "risk_reduction_actions": report.risk_reduction_actions
        }
        print(json.dumps(result, indent=2))
    else:
        print(format_fmea_text(report))


if __name__ == "__main__":
    main()

#!/usr/bin/env python3
"""
Risk Matrix Calculator

Calculate risk levels based on probability and severity ratings per ISO 14971.
Supports multiple risk matrix configurations and FMEA RPN calculations.

Usage:
    python risk_matrix_calculator.py --probability 3 --severity 4
    python risk_matrix_calculator.py --fmea --severity 8 --occurrence 5 --detection 6
    python risk_matrix_calculator.py --interactive
    python risk_matrix_calculator.py --list-criteria
"""

import argparse
import json
import sys
from typing import Tuple, Optional


# Standard 5x5 Risk Matrix per ISO 14971 common practice
PROBABILITY_LEVELS = {
    1: {"name": "Improbable", "description": "Very unlikely to occur", "frequency": "<10^-6"},
    2: {"name": "Remote", "description": "Unlikely to occur", "frequency": "10^-5 to 10^-6"},
    3: {"name": "Occasional", "description": "May occur", "frequency": "10^-4 to 10^-5"},
    4: {"name": "Probable", "description": "Likely to occur", "frequency": "10^-3 to 10^-4"},
    5: {"name": "Frequent", "description": "Expected to occur", "frequency": ">10^-3"}
}

SEVERITY_LEVELS = {
    1: {"name": "Negligible", "description": "Inconvenience or temporary discomfort", "harm": "No injury"},
    2: {"name": "Minor", "description": "Temporary injury not requiring intervention", "harm": "Temporary discomfort"},
    3: {"name": "Serious", "description": "Injury requiring professional intervention", "harm": "Reversible injury"},
    4: {"name": "Critical", "description": "Permanent impairment or life-threatening", "harm": "Permanent impairment"},
    5: {"name": "Catastrophic", "description": "Death", "harm": "Death"}
}

# Risk matrix: RISK_MATRIX[probability][severity] = risk_level
RISK_MATRIX = {
    1: {1: "Low", 2: "Low", 3: "Low", 4: "Medium", 5: "Medium"},
    2: {1: "Low", 2: "Low", 3: "Medium", 4: "Medium", 5: "High"},
    3: {1: "Low", 2: "Medium", 3: "Medium", 4: "High", 5: "High"},
    4: {1: "Medium", 2: "Medium", 3: "High", 4: "High", 5: "Unacceptable"},
    5: {1: "Medium", 2: "High", 3: "High", 4: "Unacceptable", 5: "Unacceptable"}
}

# Risk level definitions and required actions
RISK_ACTIONS = {
    "Low": {
        "acceptable": True,
        "action": "Document and accept. No further action required.",
        "color": "green"
    },
    "Medium": {
        "acceptable": "ALARP",
        "action": "Reduce risk if practicable. Document ALARP rationale if not reduced.",
        "color": "yellow"
    },
    "High": {
        "acceptable": "ALARP",
        "action": "Risk reduction required. Must demonstrate ALARP if residual risk remains high.",
        "color": "orange"
    },
    "Unacceptable": {
        "acceptable": False,
        "action": "Risk reduction mandatory. Design change required before proceeding.",
        "color": "red"
    }
}

# FMEA scales (1-10)
FMEA_SEVERITY = {
    1: "No effect",
    2: "Very minor effect",
    3: "Minor effect",
    4: "Very low effect",
    5: "Low effect",
    6: "Moderate effect",
    7: "High effect",
    8: "Very high effect",
    9: "Hazardous with warning",
    10: "Hazardous without warning"
}

FMEA_OCCURRENCE = {
    1: "Remote (<1 in 1,500,000)",
    2: "Very low (1 in 150,000)",
    3: "Low (1 in 15,000)",
    4: "Moderately low (1 in 2,000)",
    5: "Moderate (1 in 400)",
    6: "Moderately high (1 in 80)",
    7: "High (1 in 20)",
    8: "Very high (1 in 8)",
    9: "Extremely high (1 in 3)",
    10: "Almost certain (>1 in 2)"
}

FMEA_DETECTION = {
    1: "Almost certain detection",
    2: "Very high detection",
    3: "High detection",
    4: "Moderately high detection",
    5: "Moderate detection",
    6: "Low detection",
    7: "Very low detection",
    8: "Remote detection",
    9: "Very remote detection",
    10: "Cannot detect"
}


def calculate_risk_level(probability: int, severity: int) -> dict:
    """Calculate risk level from probability and severity ratings."""
    if probability < 1 or probability > 5:
        return {"error": f"Probability must be 1-5, got {probability}"}
    if severity < 1 or severity > 5:
        return {"error": f"Severity must be 1-5, got {severity}"}

    risk_level = RISK_MATRIX[probability][severity]
    risk_info = RISK_ACTIONS[risk_level]

    return {
        "probability": {
            "rating": probability,
            **PROBABILITY_LEVELS[probability]
        },
        "severity": {
            "rating": severity,
            **SEVERITY_LEVELS[severity]
        },
        "risk_level": risk_level,
        "acceptable": risk_info["acceptable"],
        "action_required": risk_info["action"],
        "risk_index": probability * severity
    }


def calculate_rpn(severity: int, occurrence: int, detection: int) -> dict:
    """Calculate FMEA Risk Priority Number."""
    if not all(1 <= x <= 10 for x in [severity, occurrence, detection]):
        return {"error": "All FMEA ratings must be 1-10"}

    rpn = severity * occurrence * detection

    # Determine priority level
    if rpn > 200:
        priority = "Critical"
        action = "Immediate action required"
    elif rpn > 100:
        priority = "High"
        action = "Action plan required"
    elif rpn > 50:
        priority = "Medium"
        action = "Consider risk reduction"
    else:
        priority = "Low"
        action = "Monitor"

    return {
        "severity": {
            "rating": severity,
            "description": FMEA_SEVERITY[severity]
        },
        "occurrence": {
            "rating": occurrence,
            "description": FMEA_OCCURRENCE[occurrence]
        },
        "detection": {
            "rating": detection,
            "description": FMEA_DETECTION[detection]
        },
        "rpn": rpn,
        "priority": priority,
        "action_required": action,
        "max_rpn": 1000,
        "rpn_percentage": round(rpn / 10, 1)
    }


def display_risk_matrix():
    """Display the full risk matrix."""
    print("\n" + "=" * 70)
    print("ISO 14971 RISK MATRIX (5x5)")
    print("=" * 70)

    # Header
    print("\n" + " " * 15, end="")
    for s in range(1, 6):
        print(f"S{s:^10}", end="")
    print()

    print(" " * 15, end="")
    for s in range(1, 6):
        print(f"{SEVERITY_LEVELS[s]['name'][:10]:^10}", end="")
    print()

    print("-" * 70)

    # Matrix rows
    for p in range(5, 0, -1):
        print(f"P{p} {PROBABILITY_LEVELS[p]['name'][:10]:>10} |", end="")
        for s in range(1, 6):
            level = RISK_MATRIX[p][s]
            print(f"{level:^10}", end="")
        print()

    print("\n" + "-" * 70)
    print("Risk Levels: Low (Acceptable) | Medium (ALARP) | High (ALARP) | Unacceptable")
    print("=" * 70)


def display_criteria():
    """Display probability and severity criteria."""
    print("\n" + "=" * 70)
    print("PROBABILITY CRITERIA")
    print("=" * 70)
    for level, info in PROBABILITY_LEVELS.items():
        print(f"\nP{level}: {info['name']}")
        print(f"   Description: {info['description']}")
        print(f"   Frequency: {info['frequency']}")

    print("\n" + "=" * 70)
    print("SEVERITY CRITERIA")
    print("=" * 70)
    for level, info in SEVERITY_LEVELS.items():
        print(f"\nS{level}: {info['name']}")
        print(f"   Description: {info['description']}")
        print(f"   Harm: {info['harm']}")

    print("\n" + "=" * 70)
    print("RISK LEVEL ACTIONS")
    print("=" * 70)
    for level, info in RISK_ACTIONS.items():
        acceptable = "Yes" if info['acceptable'] == True else ("ALARP" if info['acceptable'] == "ALARP" else "No")
        print(f"\n{level}:")
        print(f"   Acceptable: {acceptable}")
        print(f"   Action: {info['action']}")


def format_result_text(result: dict, analysis_type: str) -> str:
    """Format result for text output."""
    lines = []
    lines.append("\n" + "=" * 50)

    if analysis_type == "risk":
        lines.append("RISK ASSESSMENT RESULT")
        lines.append("=" * 50)
        lines.append(f"\nProbability: P{result['probability']['rating']} - {result['probability']['name']}")
        lines.append(f"  {result['probability']['description']}")
        lines.append(f"\nSeverity: S{result['severity']['rating']} - {result['severity']['name']}")
        lines.append(f"  {result['severity']['description']}")
        lines.append(f"\n{'-' * 50}")
        lines.append(f"RISK LEVEL: {result['risk_level']}")
        lines.append(f"Risk Index: {result['risk_index']} (P × S)")
        lines.append(f"Acceptable: {result['acceptable']}")
        lines.append(f"\nAction Required:")
        lines.append(f"  {result['action_required']}")

    elif analysis_type == "fmea":
        lines.append("FMEA RPN CALCULATION")
        lines.append("=" * 50)
        lines.append(f"\nSeverity: {result['severity']['rating']}/10")
        lines.append(f"  {result['severity']['description']}")
        lines.append(f"\nOccurrence: {result['occurrence']['rating']}/10")
        lines.append(f"  {result['occurrence']['description']}")
        lines.append(f"\nDetection: {result['detection']['rating']}/10")
        lines.append(f"  {result['detection']['description']}")
        lines.append(f"\n{'-' * 50}")
        lines.append(f"RPN: {result['rpn']} / {result['max_rpn']} ({result['rpn_percentage']}%)")
        lines.append(f"Priority: {result['priority']}")
        lines.append(f"\nAction Required:")
        lines.append(f"  {result['action_required']}")

    lines.append("=" * 50)
    return "\n".join(lines)


def interactive_mode():
    """Run interactive risk assessment."""
    print("\n" + "=" * 50)
    print("RISK MATRIX CALCULATOR - Interactive Mode")
    print("=" * 50)

    print("\nSelect analysis type:")
    print("1. Risk Matrix (ISO 14971 style)")
    print("2. FMEA RPN Calculation")
    print("3. Display Risk Matrix")
    print("4. Display Criteria")
    print("5. Exit")

    choice = input("\nEnter choice (1-5): ").strip()

    if choice == "1":
        display_criteria()
        print("\n" + "-" * 50)
        try:
            p = int(input("Enter Probability (1-5): "))
            s = int(input("Enter Severity (1-5): "))
            result = calculate_risk_level(p, s)
            if "error" in result:
                print(f"\nError: {result['error']}")
            else:
                print(format_result_text(result, "risk"))
        except ValueError:
            print("Invalid input. Please enter numbers.")

    elif choice == "2":
        print("\nFMEA Scales:")
        print("  Severity: 1 (No effect) to 10 (Hazardous without warning)")
        print("  Occurrence: 1 (Remote) to 10 (Almost certain)")
        print("  Detection: 1 (Almost certain) to 10 (Cannot detect)")
        print("-" * 50)
        try:
            s = int(input("Enter Severity (1-10): "))
            o = int(input("Enter Occurrence (1-10): "))
            d = int(input("Enter Detection (1-10): "))
            result = calculate_rpn(s, o, d)
            if "error" in result:
                print(f"\nError: {result['error']}")
            else:
                print(format_result_text(result, "fmea"))
        except ValueError:
            print("Invalid input. Please enter numbers.")

    elif choice == "3":
        display_risk_matrix()

    elif choice == "4":
        display_criteria()

    elif choice == "5":
        print("Exiting.")
        return

    else:
        print("Invalid choice.")


def main():
    parser = argparse.ArgumentParser(
        description="Calculate risk levels per ISO 14971 or FMEA RPN",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
  # ISO 14971 risk matrix calculation
  python risk_matrix_calculator.py --probability 3 --severity 4

  # FMEA RPN calculation
  python risk_matrix_calculator.py --fmea --severity 8 --occurrence 5 --detection 6

  # Interactive mode
  python risk_matrix_calculator.py --interactive

  # Display risk matrix
  python risk_matrix_calculator.py --show-matrix

  # Display criteria definitions
  python risk_matrix_calculator.py --list-criteria

  # JSON output
  python risk_matrix_calculator.py -p 4 -s 3 --output json
        """
    )

    parser.add_argument("-p", "--probability", type=int, help="Probability rating (1-5)")
    parser.add_argument("-s", "--severity", type=int, help="Severity rating (1-5 for risk, 1-10 for FMEA)")
    parser.add_argument("-o", "--occurrence", type=int, help="FMEA occurrence rating (1-10)")
    parser.add_argument("-d", "--detection", type=int, help="FMEA detection rating (1-10)")
    parser.add_argument("--fmea", action="store_true", help="Use FMEA RPN calculation")
    parser.add_argument("--output", choices=["text", "json"], default="text", help="Output format")
    parser.add_argument("--show-matrix", action="store_true", help="Display risk matrix")
    parser.add_argument("--list-criteria", action="store_true", help="Display probability and severity criteria")
    parser.add_argument("--interactive", action="store_true", help="Run in interactive mode")

    args = parser.parse_args()

    if args.interactive:
        interactive_mode()
        return

    if args.show_matrix:
        display_risk_matrix()
        return

    if args.list_criteria:
        display_criteria()
        return

    if args.fmea:
        if not all([args.severity, args.occurrence, args.detection]):
            parser.error("FMEA requires --severity, --occurrence, and --detection")

        result = calculate_rpn(args.severity, args.occurrence, args.detection)
        if "error" in result:
            print(f"Error: {result['error']}")
            sys.exit(1)

        if args.output == "json":
            print(json.dumps(result, indent=2))
        else:
            print(format_result_text(result, "fmea"))

    else:
        if not all([args.probability, args.severity]):
            parser.error("Risk calculation requires --probability and --severity")

        result = calculate_risk_level(args.probability, args.severity)
        if "error" in result:
            print(f"Error: {result['error']}")
            sys.exit(1)

        if args.output == "json":
            print(json.dumps(result, indent=2))
        else:
            print(format_result_text(result, "risk"))


if __name__ == "__main__":
    main()

Install this Skill

Skills give your AI agent a consistent, structured approach to this task — better output than a one-off prompt.

npx skills add alirezarezvani/claude-skills --skill ra-qm-team/risk-management-specialist

Download ZIP

Community skill by @alirezarezvani. Need a walkthrough? See the install guide →

Works with

Claude Code OpenAI Codex CLI Gemini CLI

Prefer no terminal? Download the ZIP and place it manually.

Details

Category: Compliance
License: MIT
Author: @alirezarezvani
Source: GitHub →
Source file: show path
ra-qm-team/risk-management-specialist/SKILL.md

ISO-14971 risk-management FMEA medical-device safety

People who install this also use

📋

QMS ISO 13485 Specialist

Implement and maintain ISO 13485 quality management systems for medical devices — gap analysis, process design, procedure writing, and certification readiness.

@alirezarezvani

🔧

CAPA Officer

Manage Corrective and Preventive Actions — root cause analysis, CAPA documentation, effectiveness verification, and closing the quality loop per ISO standards.

@alirezarezvani

🇪🇺

EU MDR 2017/745 Specialist

EU Medical Device Regulation compliance — device classification, UDI registration, EUDAMED submission, and technical file documentation under MDR 2017/745.

@alirezarezvani

Risk Management Specialist (ISO 14971)

Risk Management Specialist

Table of Contents

Risk Management Planning Workflow

Workflow: Create Risk Management Plan

Risk Management Plan Content

Risk Acceptability Matrix (5x5)

Risk Level Actions

Risk Analysis Workflow

Workflow: Conduct Risk Analysis

Hazard Categories Checklist

Analysis Method Selection

Probability Criteria

Severity Criteria

Risk Evaluation Workflow

Workflow: Evaluate Identified Risks

Risk Evaluation Decision Tree

ALARP Demonstration Requirements

Benefit-Risk Analysis Triggers

Risk Control Workflow

Workflow: Implement Risk Controls

Risk Control Hierarchy

Risk Control Option Analysis Template

Risk Control Verification Methods

Residual Risk Evaluation

Post-Production Risk Management

Workflow: Post-Production Risk Monitoring

Information Sources

Risk Management File Update Triggers

Periodic Review Requirements

Risk Assessment Templates

Decision Frameworks

Risk Control Selection

New Hazard Analysis

Risk Acceptability Decision

Tools and References

Scripts

References

Quick Reference: ISO 14971 Process

Related Skills

ISO 14971:2019 Implementation Guide

Table of Contents

Risk Management Planning

Risk Management Plan Content

Risk Management Plan Template

Risk Acceptability Criteria Definition

Risk Matrix Example (5x5)

Risk Analysis

Hazard Identification Methods

Intended Use Analysis Checklist

Hazard Categories (Informative Annex C)

Hazardous Situation Documentation

Risk Estimation

Risk Evaluation

Evaluation Workflow

Risk Acceptability Decision

ALARP Demonstration

Risk Control

Risk Control Hierarchy

Risk Control Option Analysis

Risk Control Implementation Record

Risk Control Verification Methods

Overall Residual Risk Evaluation

Evaluation Process

Benefit-Risk Analysis

Benefit-Risk Documentation

Risk Management Report

Report Content Requirements

Risk Management Report Template

Production and Post-Production Activities

Information Sources

Risk Management File Update Triggers

Risk Management Review Record

Risk Analysis Methods

Table of Contents

Method Selection Guide

Method Application Matrix

Selection Decision Tree

When to Use Each Method

FMEA - Failure Mode and Effects Analysis