The risk management process for medical devices can be overwhelming. It’s a lot of pressure to account for and mitigate risks so your medical device is both safe for users and meets the FDA’s exacting requirements.

Not to mention the risk management process itself is never-ending. It starts at the beginning of your development project and never ceases — unless your device is taken off of the market.

Even though the risk management process is continuous, you can break it down into steps to make it more manageable for you and your team. Let’s explore the steps that should happen after you’ve determined the hazards associated with your forthcoming product.

Hazards and Hazardous Situations: A Recap

Determining hazards and hazardous situations is an important initial step during your risk management journey. You can find much of the information you need to document hazards and hazardous situations in ISO 14971:2019 Medical Devices — Application of risk management to medical devices. You may also find this article about how to develop a medical device risk management plan helpful.

A hazard refers to a potential source of harm. And a hazardous situation is the scenario that exposes users or the environment to one or more hazards.

For clarity, consider a non-medical device example. A hazard could be a pothole in the road. A related hazardous situation could be a car driving over that pothole.

Your documented hazards and hazardous situations should be listed in a hazard analysis table — a spreadsheet that tracks all pertinent risk management details — before you move on in the process.


Understanding and Determining Harms

After documenting hazards and hazardous situations in your hazard analysis table, it’s time to discern the potential harms associated with those hazardous situations.

Harms describe damage to people, property, or the environment because of a hazardous situation. Let’s return to our pothole example. The harm in that case could be damage to the car — the property.

Figuring out the harms at play for your product can be laborious. For starters, you’ll need to research what other medical device manufacturers have noted as harms resulting from each hazardous situation. You may also need to conduct your own usability testing, which will allow you to see potential harms in action with real users. Additionally, a usability test will help you predict how likely those harms are to occur and how badly the person, property, or environment are affected (more on this to come).

Selecting your risk management panel and/or enlisting outside experts is crucial to success here. Not only is the risk management process arduous, as noted, but the FDA will review your risk assessment methods. If you’re guessing at the impact of harms and ignoring credible findings from others in the industry, you’ll likely have to go back and rework your hazard analysis table. And we don’t need to tell you how costly backtracking is during medical device development.

As you’re gathering as much information on harms as you can, be sure to document it alongside the hazards and hazardous situations in your hazard analysis table.

Hazard Analysis Worksheet

Use this table to document your hazards and hazardous situations. Doing so is crucial to the risk management process.

Defining and Calculating the Probabilities of Occurrence and Severity

Importantly, determining harms is what allows you to take the next step on your risk management journey: calculating the probabilities of occurrence and severity.

The probability of occurrence is exactly as it sounds. It refers to how likely it is that a specific harm will take place in real use cases. The probability of severity is also relatively straightforward. It refers to how seriously a harm would impact people, property, and/or environment if a harm were to occur.

There are preset scales associated with the probability of occurrence and the probability of severity. You should extract these scales from the appendix in ISO 14971:2019 so you can carry out your own calculations based on the standard’s recommendations.

For the probability of occurrence, the scale goes from one to five. One indicates the likelihood of occurrence is improbable and five indicates the likelihood of occurrence is certain.


The probability of severity has a similar scale. It goes from one to five with one being the severity is negligible and five being the severity is catastrophic. All of the terms — like “certain” and “catastrophic” — are also defined in the ISO standard.


Despite the fact that the ISO standard gives you a starting point for calculating occurrence and severity probabilities, it’s still up to your team to determine the risk level of your product.

Again, you have to do research and have the right team in place. What have others in the industry said about certain harms and their probabilities of occurrence and severity? What do your own usability studies reveal about risks when your product is in the hands of actual people? Compile all of the data you have to inform your occurrence and severity numbers. And, as always, document the results in your hazard analysis table.

Populating the Overall Probability-of-Risk Table

Once you have the probabilities of occurrence and severity filled in on your hazard analysis table, it’s time to populate the overall probability-of-risk table.

Much of the information for the overall probability of risk table is also in ISO 14971:2019. Basically, the calculation takes the probability of occurrence and multiples it by the probability of severity to give you the severity of harm in your overall probability-of-risk table.

Each harm in your hazard analysis table gets assigned an initial risk rating based on the completed overall probability-of-risk table. The initial risk rating represents the severity of harm as determined by the culmination of the probabilities of occurrence and severity.


Your Risk Management Journey Isn’t Quite Complete

In sum, the harms are used to figure out the probabilities of occurrence and severity, which are then used to determine the overall probability-of-risk and severity of harm. In the end, you’re left with initial risk ratings for each column in your hazard analysis table.

You’ve come a long way in your risk management journey if you’ve made it this far. But, as we initially mentioned, it’s never really over.

Next, you’ll need to complete arguably the most important aspect of risk management: mitigating the most problematic risks associated with your medical device before it goes to the FDA.