Comprehensive Risk Management Specialist
Battle-tested skill for the senior risk management specialist. Includes structured workflows, validation checks, and reusable patterns for enterprise communication.
A specialized skill for medical device risk management per ISO 14971 — covering hazard identification, risk analysis and evaluation, risk control implementation, residual risk assessment, benefit-risk analysis, and post-production risk monitoring throughout the device lifecycle.
When to Use This Skill
Choose Comprehensive Risk Management Specialist when you need to:
- Create or update a risk management file per ISO 14971:2019
- Perform systematic hazard identification for medical devices
- Conduct risk analysis with severity and probability estimation
- Design risk control measures and verify their effectiveness
- Perform overall residual risk evaluation and benefit-risk analysis
Consider alternatives when:
- You need enterprise risk management (use a business risk skill)
- You need cybersecurity risk assessment (use a security skill)
- You need financial risk analysis (use a financial modeling skill)
Quick Start
```bash
# Create a risk analysis for a medical device
claude "Create an ISO 14971 risk analysis for a wireless blood pressure monitor, including hazard identification, risk estimation, and risk control measures."
```
```markdown
# Risk Management Report
## Device: Wireless Blood Pressure Monitor
## Standard: ISO 14971:2019

## Risk Acceptability Matrix

| Probability ↓ / Severity → | Negligible (S1) | Marginal (S2) | Serious (S3) | Critical (S4) | Catastrophic (S5) |
|---|---|---|---|---|---|
| Frequent (P5) | Medium | High | High | Unacceptable | Unacceptable |
| Probable (P4) | Low | Medium | High | Unacceptable | Unacceptable |
| Occasional (P3) | Low | Medium | Medium | High | Unacceptable |
| Remote (P2) | Negligible | Low | Medium | Medium | High |
| Improbable (P1) | Negligible | Negligible | Low | Low | Medium |

## Hazard Analysis (Selected Entries)

| ID | Hazard | Harm | S | P | Risk | Control | S (post) | P (post) | Residual |
|---|---|---|---|---|---|---|---|---|---|
| H-01 | Inaccurate reading | Misdiagnosis | S4 | P3 | High | Algorithm validation, cal spec | S4 | P1 | Low |
| H-02 | Battery failure | Missed measurement | S2 | P3 | Med | Low battery warning, auto-save | S2 | P1 | Negl |
| H-03 | Cuff over-pressure | Tissue injury | S3 | P2 | Med | Pressure relief valve, limit | S3 | P1 | Low |
| H-04 | Data transmission | Privacy breach | S3 | P3 | Med | AES-256 encryption, BLE secure | S3 | P1 | Low |
| H-05 | Allergic reaction | Skin irritation | S2 | P2 | Low | Biocompatible materials, IFU | S2 | P1 | Negl |
```
Core Concepts
ISO 14971 Risk Management Process
| Phase | Activities | Deliverable |
|---|---|---|
| Risk Management Plan | Define scope, criteria, activities | Risk management plan |
| Hazard Identification | Systematic hazard analysis | Hazard list |
| Risk Estimation | Estimate severity and probability | Risk estimation records |
| Risk Evaluation | Compare against acceptability criteria | Risk evaluation results |
| Risk Control | Implement and verify controls | Risk control records |
| Residual Risk | Evaluate remaining risk | Residual risk evaluation |
| Benefit-Risk | Overall benefit-risk determination | Benefit-risk analysis |
| Production Monitoring | Post-production risk monitoring | Updated risk file |
Hazard Identification Methods
```markdown
## Systematic Hazard Analysis Techniques

### Preliminary Hazard Analysis (PHA)
- Brainstorm-based identification
- Uses generic hazard checklists (ISO 14971 Annex C)
- Good for early design phase

### FMEA (Failure Mode and Effects Analysis)
- Component-level failure analysis
- Each component: What can fail? How? What happens?
- Structured severity × occurrence × detection scoring

### Fault Tree Analysis (FTA)
- Top-down: start with the top-level harm
- Work backward to identify contributing causes
- Boolean logic (AND/OR gates)
- Good for complex system failures

### Hazardous Situation Analysis
- From ISO 14971 Annex C categories:
  - Energy hazards (electrical, thermal, mechanical)
  - Biological/chemical hazards
  - Operational hazards (use error, maintenance)
  - Information hazards (labeling, IFU)
  - Software hazards (SaMD-specific)
```
Risk Control Hierarchy
```markdown
## Risk Control Options (ISO 14971 Priority Order)

### 1. Inherent Safety by Design
Eliminate the hazard entirely through design choices.
Example: Use a non-toxic material instead of adding warnings about a toxic one.

### 2. Protective Measures in Device or Manufacturing
Add safeguards that reduce risk automatically.
Example: Pressure relief valve prevents over-inflation.
Example: Software limit prevents excessive dosage.

### 3. Information for Safety
Provide warnings, precautions, and training.
Example: IFU states "Do not use on patients with pacemakers."
(Least effective — relies on user behavior)

## Risk Control Verification

For each control measure:
- [ ] Implementation verified (is it built/documented?)
- [ ] Effectiveness verified (does it reduce the risk?)
- [ ] New hazards introduced? (evaluate secondary risks)
- [ ] Risk-benefit of control measure assessed
```
Configuration
| Parameter | Description | Example |
|---|---|---|
| device_type | Type of medical device | "blood pressure monitor" |
| device_class | Regulatory classification | "Class II" |
| standard | Risk management standard version | "ISO 14971:2019" |
| risk_criteria | Risk acceptability criteria | "3x5 matrix" |
| include_fmea | Include FMEA analysis | true |
| output_format | Risk file format | "markdown" / "xlsx" |
Best Practices
- Define risk acceptability criteria before starting analysis — If you don't define what's acceptable before evaluating risks, there's a tendency to adjust criteria to match the results you want. Document your risk matrix, ALARP boundaries, and acceptance thresholds in the risk management plan.
- Use ISO 14971 Annex C as a starting checklist, not the complete list — Annex C provides generic hazard categories, but your device has specific hazards that generic lists miss. Supplement with hazard brainstorming sessions involving engineering, clinical, and manufacturing perspectives.
- Verify every risk control measure independently — Implementing a control is not the same as proving it works. A pressure relief valve must be tested to confirm it activates at the correct threshold. A software alarm must be validated with boundary condition testing. Document verification evidence for every control.
- Update the risk management file with post-production data — ISO 14971:2019 explicitly requires post-production risk monitoring. Complaint data, field safety events, and literature findings must feed back into the risk file. A risk analysis that hasn't been updated since initial design is incomplete.
- Perform benefit-risk analysis for all residual risks, not just individual hazards — After controlling all identified risks, evaluate the overall residual risk. Even if each individual residual risk is acceptable, the cumulative residual risk of the entire device must be evaluated against the clinical benefits.
Common Issues
Probability estimates are not evidence-based — Teams assign probability scores based on gut feeling rather than data. Use failure rate databases (GIDEP, FIDES), field data from similar devices, and testing results to support probability estimates. "We think it's unlikely" is not a valid justification for an auditor.
Risk controls introduce new hazards that aren't analyzed — A software alarm added to prevent over-dosing introduces a new hazard: alarm fatigue leading to ignored warnings. Every risk control must be evaluated for secondary hazards, and those secondary hazards must be added to the risk analysis.
Residual risk is always reported as "acceptable" regardless of evidence — Some organizations treat the risk analysis as a document to produce a desired conclusion rather than an honest assessment. If your risk analysis has never found an unacceptable risk, it's likely not being performed rigorously. Auditors notice when every risk conveniently falls in the green zone.
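The matrix in the Quick Start output, the risk control verification checklist and the three common issues above describe one mechanical check: classify each hazard from its S/P pair, recompute the residual class from the controlled S/P rather than asserting it, and flag entries with no probability evidence, unverified controls, information-only controls, or secondary hazards that never made it into the register. The following Python is an added example, not code from the skill or its author; the 5x5 matrix is copied from the Quick Start table, while the acceptance thresholds, the `design`/`protective`/`information` control kinds, the verification flags and the evidence strings in the sample register are assumptions constructed for illustration.

```python
# Added example: evaluates a hazard register against the 5x5 acceptability
# matrix shown in the Quick Start output. Acceptance thresholds, control
# categories and evidence strings are assumptions, not from the original skill.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SEVERITY_INDEX = {"S1": 0, "S2": 1, "S3": 2, "S4": 3, "S5": 4}

# Rows: probability P5 (Frequent) .. P1 (Improbable); columns: S1 .. S5.
MATRIX = {
    "P5": ["Medium", "High", "High", "Unacceptable", "Unacceptable"],
    "P4": ["Low", "Medium", "High", "Unacceptable", "Unacceptable"],
    "P3": ["Low", "Medium", "Medium", "High", "Unacceptable"],
    "P2": ["Negligible", "Low", "Medium", "Medium", "High"],
    "P1": ["Negligible", "Negligible", "Low", "Low", "Medium"],
}
# Assumed policy: Negligible/Low acceptable as-is, Medium/High need a documented
# benefit-risk justification, Unacceptable may never remain as residual risk.
NEEDS_JUSTIFICATION = {"Medium", "High"}


def risk_level(severity: str, probability: str) -> str:
    """Matrix lookup, e.g. risk_level("S4", "P3") -> "High"."""
    return MATRIX[probability][SEVERITY_INDEX[severity]]


@dataclass
class Control:
    description: str
    kind: str               # "design" | "protective" | "information" (hierarchy order)
    verified: bool = False  # implementation and effectiveness both verified
    introduces: List[str] = field(default_factory=list)  # secondary hazard ids


@dataclass
class Hazard:
    hid: str
    hazard: str
    harm: str
    severity: str
    probability: str
    evidence: str = ""      # data behind the probability estimate
    controls: List[Control] = field(default_factory=list)
    residual_severity: Optional[str] = None
    residual_probability: Optional[str] = None


def evaluate(register: List[Hazard]) -> Dict[str, dict]:
    """Classify initial/residual risk per hazard and collect findings that mirror
    the verification checklist and the common issues listed on the page."""
    known_ids = {h.hid for h in register}
    report = {}
    for h in register:
        findings = []
        initial = risk_level(h.severity, h.probability)
        # Residual risk is recomputed from the controlled S/P, never asserted.
        if h.residual_severity and h.residual_probability:
            residual = risk_level(h.residual_severity, h.residual_probability)
        else:
            residual = initial  # no effective control recorded
        if not h.evidence.strip():
            findings.append("probability estimate has no supporting evidence")
        if residual == "Unacceptable":
            findings.append("residual risk is Unacceptable")
        elif residual in NEEDS_JUSTIFICATION:
            findings.append("residual risk needs benefit-risk justification")
        if h.controls and all(c.kind == "information" for c in h.controls):
            findings.append("relies solely on information for safety")
        for c in h.controls:
            if not c.verified:
                findings.append(f"control not verified: {c.description}")
            for sec in c.introduces:
                if sec not in known_ids:
                    findings.append(f"secondary hazard {sec} missing from register")
        report[h.hid] = {"initial": initial, "residual": residual, "findings": findings}
    return report


def sample_register() -> List[Hazard]:
    """Constructed register mirroring the five Quick Start entries (assumed details)."""
    d, p, i = "design", "protective", "information"
    return [
        Hazard("H-01", "Inaccurate reading", "Misdiagnosis", "S4", "P3", "bench study",
               [Control("Algorithm validation", d, True), Control("Cal spec", d, True)],
               "S4", "P1"),
        Hazard("H-02", "Battery failure", "Missed measurement", "S2", "P3", "",
               [Control("Low battery warning", p, True, ["H-06"]),
                Control("Auto-save", p, True)], "S2", "P1"),
        Hazard("H-03", "Cuff over-pressure", "Tissue injury", "S3", "P2", "valve test data",
               [Control("Pressure relief valve", p, True),
                Control("Software pressure limit", p, False)], "S3", "P1"),
        Hazard("H-04", "Data transmission", "Privacy breach", "S3", "P3", "link threat review",
               [Control("AES-256 encryption", d, True), Control("BLE secure", d, True)],
               "S3", "P1"),
        Hazard("H-05", "Allergic reaction", "Skin irritation", "S2", "P2", "biocompat report",
               [Control("Biocompatible materials", d, True), Control("IFU warning", i, True)],
               "S2", "P1"),
    ]


if __name__ == "__main__":
    for hid, row in evaluate(sample_register()).items():
        print(hid, row["initial"], "->", row["residual"], row["findings"] or "OK")
```

Running it reproduces the Quick Start classes (H-01 High to Low, H-02 Medium to Negligible, and so on) and surfaces exactly the kinds of gaps the common issues describe: H-02 carries no probability evidence and its low battery warning points at a secondary hazard H-06 that is not in the register, and H-03's software limit has not been verified. A hazard with no recorded control keeps its initial class as residual, so an "acceptable" residual cannot appear without a controlled S/P pair behind it.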