Regulatory & Compliance RiskISO 14971Medical

Risk Management Specialist

Medical device risk management implementing ISO 14971.

$skillfish add ~skills/risk-management-specialist

Real Examples Get Started Models & Context

Real Conversations

See how the Risk Management Specialist skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

We're developing a SaMD for detecting cardiac arrhythmias. We need to set up our ISO 14971 risk management process from scratch. Where do we start?

Agent

For a SaMD like a cardiac arrhythmia detector, ISO 14971 requires you to build a risk management system — not just fill out a form. Here's how to stand it up from scratch.

The ISO 14971 Lifecycle

The standard defines a closed-loop process with seven stages:

Risk Management Plan — define scope, responsibilities, acceptability criteria, and verification methods before you do anything else
Hazard Identification — systematically identify hazards associated with the device and its intended use
Risk Estimation — assign severity and probability to each hazard situation
Risk Evaluation — compare estimated risk against your acceptability criteria
Risk Control — implement measures to reduce unacceptable risks
Residual Risk Evaluation — confirm that controlled risks are now acceptable
Benefit-Risk Analysis — demonstrate that overall residual risk is outweighed by clinical benefit

The process is iterative. Design changes trigger re-evaluation of affected hazards.

Required Documents

Document	Purpose
Risk Management Plan (RMP)	Defines criteria, scope, roles, and timeline
Risk Management File (RMF)	The container — references all risk records
Hazard Log	Master list of hazards, situations, and harms
FMEA Worksheet	Failure mode analysis by subsystem or function
Risk Management Report	Final summary required before commercial release

All of these are living documents. The Risk Management File is not a report you write at the end — it is the accumulation of all risk records throughout the development lifecycle.

Example Hazard Identification for Cardiac SaMD

Hazard: Algorithm produces false negative (misses true AFib)

Hazard Situation: Patient with active AFib is classified as normal rhythm

Harm: Delayed treatment, stroke, cardiac event, death

Severity: S5 (catastrophic — can lead to life-threatening harm)

Initial Probability: P3 (occasional — known limitation of ML classifiers on low-quality ECG input)

Initial Risk: Unacceptable — requires risk control

This is the format to use for every hazard in your log. For a cardiac arrhythmia SaMD, additional hazards to document include: false positive (unnecessary treatment), processing delay exceeding clinical utility window, incorrect patient record association, and display rendering failure on clinical workstation.

Severity / Probability Matrix

ISO 14971 does not prescribe specific S/P scales — you define them in your Risk Management Plan. A common approach for SaMD:

Severity (S1–S5):

S1: No injury or negligible
S2: Minor, reversible injury
S3: Moderate, reversible injury
S4: Severe, irreversible injury
S5: Death or life-threatening

Probability (P1–P5):

P1: Incredible (< 1 in 1,000,000 uses)
P2: Remote (1 in 100,000)
P3: Occasional (1 in 10,000)
P4: Probable (1 in 1,000)
P5: Frequent (> 1 in 100)

Your Risk Management Plan must define which S/P combinations are acceptable, broadly acceptable, and require ALARP (As Low As Reasonably Practicable) justification.

The SaMD-Specific Challenge: Algorithm as Failure Mode

For traditional hardware devices, failure modes are physical: component breaks, power fails, signal degrades. For SaMD, the algorithm itself is a failure mode.

This has two implications:

1. The algorithm's performance envelope is a hazard. Your training data distribution, class imbalance, and edge-case behavior (e.g., pediatric ECG, pacemaker artifact, atrial flutter near AFib threshold) must all be documented as potential hazard causes. The FMEA must include rows for algorithmic failure modes, not just software bugs.

2. Performance validation is a risk control. Clinical validation studies, held-out test sets, and post-market surveillance data are your evidence that the algorithm's failure probability is at the level you claimed in your risk estimation. Regulators and notified bodies will ask to see the link between your validation data and your probability ratings.

Where to Start This Week

Draft your Risk Management Plan first — get it reviewed and approved before writing a single FMEA row
Define your severity/probability matrix and acceptability criteria in the plan
Identify your top 10 hazards using a structured session (PHA — Preliminary Hazard Analysis) with your clinical, engineering, and regulatory leads
Stand up a tracking tool (even a shared spreadsheet is acceptable at this stage — the structure matters more than the tool)

Once your plan is approved, the rest of the documentation has a home to live in.

You

Help me build out the FMEA for our algorithm module. The main function is classifying ECG signals as normal, AFib, or other arrhythmia.

Agent

An FMEA for a classification algorithm follows the same structure as hardware FMEA, but the failure modes are functional rather than physical. Here's how to build it out for your ECG classification module.

FMEA Structure

Each row captures one failure mode using this column set:

Column	Description
Item / Function	The component or function being analyzed
Failure Mode	How it fails
Effect	Impact on patient or clinical workflow
Cause	Root cause or contributing factor
Current Controls	Design or process controls already in place
S	Severity (1–5)
O	Occurrence probability (1–5)
D	Detectability — how likely the failure is caught before causing harm (1=easily detected, 5=undetectable)
RPN	Risk Priority Number = S × O × D
Recommended Action	Additional controls if RPN is unacceptable

FMEA Table: ECG Classification Module

#	Item / Function	Failure Mode	Effect	Cause	Current Controls	S	O	D	RPN
1	AFib Classification	False negative — AFib classified as Normal	Patient with AFib discharged without treatment; stroke risk	Class imbalance in training data; low signal quality input; atypical AFib morphology	Validation on held-out clinical dataset; minimum signal quality gate	5	3	3	45
2	Normal Classification	False positive — Normal classified as AFib	Unnecessary cardiology referral; patient anxiety; healthcare resource waste	Training distribution artifacts; noise misclassified as irregularity	Confidence threshold filtering; clinical review workflow	3	3	2	18
3	Signal Processing	Processing delay > clinical utility window	Clinician receives result too late to affect acute decision	Threading bottleneck; memory pressure; network latency in cloud-based processing	Performance SLA in software requirements; timeout handling with user alert	4	2	2	16
4	Input Handling	Corrupted or partial ECG input accepted	Classification produced from incomplete data; unreliable result delivered to clinician	Missing input validation; partial packet accepted as complete	Input schema validation; lead-off detection; minimum signal duration check	4	2	2	16
5	Runtime Environment	Memory overflow causing process crash or silent incorrect output	Classification not delivered; or incorrect classification returned without error state	Memory leak in preprocessing pipeline; unbounded buffer on continuous monitoring stream	Memory profiling in CI; watchdog process; output integrity check	5	1	2	10

Interpreting the Ratings

Row 1 (False Negative AFib) — RPN 45 is your highest priority. The severity is maximal (S5 — potential stroke or death from missed AFib) and it is moderately detectable only if the clinician reviews the raw trace. This row will require additional controls: for example, a secondary review trigger when confidence score is below threshold, or a mandatory "signal quality insufficient" output state that prevents classification rather than guessing.

Row 5 (Memory Overflow) — RPN 10 has low RPN but S5 severity. Watch for this pattern — low RPN with high severity often means you have good detection controls in place, but the severity justifies documenting those controls explicitly as risk mitigations.

Setting Severity for Diagnostic Software

For SaMD, severity is driven by clinical decision impact:

S5: Output directly informs a high-stakes acute decision (e.g., shock/no-shock, emergency admission) with no secondary check
S4: Output influences treatment planning; a wrong result leads to delayed or inappropriate treatment
S3: Output is one input among several; clinical judgment provides a backstop
S2: Output is advisory; no direct treatment consequence
S1: Cosmetic or administrative impact only

Your cardiac arrhythmia classifier sits at S4–S5 for most failure modes because downstream clinical action is likely based on the output.

dFMEA vs. pFMEA

Design FMEA (dFMEA): What you are building here. Analyzes failure modes inherent to the product design — algorithm behavior, software architecture, input handling. This lives in your Risk Management File and is updated as the design evolves.

Process FMEA (pFMEA): Analyzes failures in your manufacturing or deployment process — incorrect build deployed, wrong model version installed, incorrect configuration pushed to production environment. For SaMD, pFMEA covers your CI/CD pipeline, release verification steps, and clinical site deployment process.

Both are required for a complete risk management system. Start with dFMEA for the algorithm module, then address pFMEA when you define your deployment and update process.

Next Steps

Once your FMEA rows are populated, link each high-RPN row to a specific risk control in your design (a requirement, a test, a constraint). The control is only a control if it's traceable — a general statement that "we validate the algorithm" does not close the loop.

You

We've implemented all our risk controls. Now I need to document the residual risk acceptance and complete the benefit-risk analysis. How does this work?

Agent

Residual risk documentation is one of the most scrutinized sections of a technical file in a Notified Body review. Here's how to do it correctly.

Residual Risk vs. Initial Risk

Initial risk is the estimated risk before any controls are applied — the raw S × P estimate you assigned in your hazard log when you first identified the hazard.

Residual risk is the risk that remains after all implemented controls have been applied. For each control, you re-estimate the probability (and sometimes severity, if the control can limit harm extent) and record the post-control risk level.

The key principle: residual risk must be documented for every hazard, not just the ones that started unacceptable. A hazard that was initially broadly acceptable still needs a residual risk statement confirming it remains acceptable after design evolution.

Documenting Residual Risk: Row by Row

For each hazard in your log, add these columns after your controls are recorded:

Column	Content
Controls Implemented	Specific design controls, with reference to requirements or test records
Post-Control Severity	Usually unchanged — controls rarely eliminate the harm itself
Post-Control Probability	Revised probability after controls reduce occurrence likelihood
Residual Risk Level	S × P post-control
Acceptability Decision	Acceptable / ALARP / Unacceptable (should have none by this stage)
Justification	Why this residual level is acceptable

For your false-negative AFib row: initial risk was S5/P3 (unacceptable). After implementing a confidence threshold gate, signal quality minimum, and clinician review workflow, you might re-rate probability to P1 (rare — the combination of good signal quality check and low model confidence detection catches most cases). Residual risk becomes S5/P1 — which most risk frameworks treat as broadly acceptable or ALARP for a device providing significant clinical benefit.

Benefit-Risk Analysis

ISO 14971 Clause 9 requires that when residual risk remains after all practicable controls, you justify acceptance by demonstrating that clinical benefit outweighs the risk.

A benefit-risk statement has three parts:

1. Clinical benefit characterization

What clinical problem does the device address?
What is the benefit to patients and clinicians?
What is the magnitude and likelihood of that benefit?

Example: "The device enables timely detection of paroxysmal AFib in outpatient settings where continuous ECG monitoring is not feasible. Early detection reduces stroke incidence by an estimated 30–40% through timely anticoagulation initiation (per published clinical literature)."

2. Residual risk summary

Quantified (or bounded) statement of residual risk for all significant hazards
Reference to your controlled risk levels

3. Comparative conclusion

The benefit must clearly and explicitly outweigh the residual risk
This is a judgment, but it must be justified with evidence

Do not make this vague. "The benefits outweigh the risks" is not acceptable without supporting data. Cite published clinical evidence, your clinical validation study results, or comparator device performance where available.

Risk Management Report Requirements

The Risk Management Report (RMR) is required by ISO 14971 Clause 10 before commercial release. It must address:

Confirmation that the Risk Management Plan was implemented (reference each plan requirement and its fulfillment)
Summary of all identified hazards and initial risk levels
Summary of all risk controls implemented
All residual risks and their acceptability status
Overall benefit-risk conclusion
Statement that the methods and criteria in the Risk Management Plan were met

The RMR is a summary document — it references your hazard log and FMEA rather than repeating them. It should be short enough that a reviewer can read it in 30 minutes and follow every claim back to evidence.

The Auditor Question: How Did You Determine Acceptability Criteria?

This is the first question a Notified Body technical reviewer will ask, because everything downstream depends on it.

Your answer must be in your Risk Management Plan, documented before you started risk analysis. Acceptable responses:

"We used a published industry standard as a reference — IEC 62304 annex, MDCG guidance on SaMD, or published risk acceptance matrices from comparable devices in literature"
"We consulted with clinical advisors to establish harm thresholds appropriate for the clinical context"
"Our criteria align with our intended use risk classification under IMDRF SaMD framework (Class III — high risk)"

What auditors do not accept: criteria that were set retroactively to make your residual risks pass, or criteria with no documented rationale.

Evidence Required for Notified Body Review

Evidence Item	Where It Lives
Risk Management Plan (approved)	Risk Management File
Hazard log with initial and residual risk ratings	Risk Management File
FMEA worksheets, traced to design requirements	Risk Management File
Risk control verification records (test results, validation study)	Design History File / Technical File
Clinical validation data (sensitivity/specificity on clinical population)	Clinical Evaluation Report
Benefit-risk analysis	Risk Management Report
Risk Management Report (signed, dated)	Technical File

The clinical validation data is what makes your probability ratings credible. If you claim P1 for false negative AFib, you need performance data showing your false negative rate on a representative clinical population. Without that link, your residual risk acceptance is unsupported.

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase. Web-based AI can use the knowledge and frameworks, but won't have tool access.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Best

Claude Opus 4 Claude Sonnet 4 GPT-4.1 Gemini 2.5 Pro Grok 3 Kimi K2

Good

Claude Haiku 4.5 GPT-4.1 mini Gemini 2.5 Flash Grok 3 mini

Larger models produce more detailed, production-ready outputs.

Context Window

This skill's SKILL.md is typically 3–10 KB — fits in any modern context window.

8K Skill only

32K+ Skill + conversation

100K+ Skill + references + codebase

All current frontier models (Claude, GPT, Gemini) support 100K+ context. Use the full window for complex multi-service work.

Pro tips for best results

1

Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2

Share constraints

Compliance needs, team size, and existing stack all improve the output.

3

Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4

Combine skills

Pair with companion skills below for end-to-end coverage.

Ready to try Risk Management Specialist?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.

$skillfish add ~skills/risk-management-specialist

← Browse all 169 skills

Risk Management Specialist

Real Conversations

The ISO 14971 Lifecycle

Required Documents

Example Hazard Identification for Cardiac SaMD

Severity / Probability Matrix

The SaMD-Specific Challenge: Algorithm as Failure Mode

Where to Start This Week

FMEA Structure

FMEA Table: ECG Classification Module

Interpreting the Ratings

Setting Severity for Diagnostic Software

dFMEA vs. pFMEA

Next Steps

Residual Risk vs. Initial Risk

Documenting Residual Risk: Row by Row

Benefit-Risk Analysis

Risk Management Report Requirements

The Auditor Question: How Did You Determine Acceptability Criteria?

Evidence Required for Notified Body Review

Get Started

Claude Code, OpenCode, or any CLI agent

Cursor, Windsurf, or IDE-based agents

Claude.ai, ChatGPT, Gemini, or any web AI

Models & Context

Recommended Models

Context Window

Pro tips for best results

Ready to try Risk Management Specialist?