ISO 14971:2019 Risk Management Checklist
1. Risk Management Plan (Clause 4.1, 4.2)
- Define scope, intended use, and lifecycle stages.
- Identify responsibilities and authorities for risk management.
- Define criteria for risk acceptability and residual risk evaluation.
- Establish methods for verification and validation of risk controls.
- Define risk review frequency and conditions for periodic reviews.
- Include criteria for risk/benefit analysis.
2. Risk Analysis (Clause 5)
- Identify intended use, system boundaries, and operating environment.
- Identify known and foreseeable hazards (hardware, software, human factors).
- Define hazardous situations and potential harms.
- Perform Preliminary Hazard Analysis (PHA), FMEA, or FTA.
- Assign severity and probability to each identified hazard.
- Document risk estimation methodology.
3. Risk Evaluation (Clause 6)
- Establish risk acceptability criteria.
- Compare identified risks against predefined risk acceptability criteria.
- Determine whether risk reduction measures are required.
- Evaluate individual and aggregate risks to ensure overall residual risk is acceptable.
4. Risk Control Measures (Clause 7)
- Identify and apply appropriate risk control measures (inherent safety, protective measures, user information).
- Verify implementation and effectiveness of risk control measures.
- Perform verification and validation to ensure controls reduce risk as intended.
- Analyze new or residual risks introduced by control measures.
5. Evaluation of Residual Risk (Clause 8)
- Evaluate residual risks after applying control measures.
- Perform risk/benefit analysis where residual risks remain.
- Justify any residual risks as acceptable per defined criteria.
- Document rationale for accepting residual risks.
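A worked example, added here and not part of the checklist, of how items from sections 2 to 5 fit together in code: each hazard gets a severity and probability estimate, is placed in an acceptability region defined by the risk management plan, and residual risk is credited only where the control measure has been verified; ALARP-region residual risks without a documented risk/benefit justification are reported as open findings. The 5x5 scales, the thresholds and the `Hazard` fields are constructed assumptions; the real ones come from the organization's risk management plan.

```python
from dataclasses import dataclass, field

# Constructed 5x5 scales and thresholds; in practice the scales, thresholds and
# acceptability regions are defined in the organization's risk management plan.
SEVERITY = {"negligible": 1, "minor": 2, "serious": 3, "critical": 4, "catastrophic": 5}
PROBABILITY = {"improbable": 1, "remote": 2, "occasional": 3, "probable": 4, "frequent": 5}

def risk_region(severity, probability, unacceptable_at=15, acceptable_below=6):
    """Place a severity/probability pair in a plan-defined region:
    'acceptable', 'alarp' (reduce further or justify via risk/benefit) or
    'unacceptable'."""
    score = SEVERITY[severity] * PROBABILITY[probability]
    if score >= unacceptable_at:
        return "unacceptable"
    if score < acceptable_below:
        return "acceptable"
    return "alarp"

@dataclass
class Hazard:
    hazard_id: str
    situation: str
    severity: str
    probability: str
    controls: list = field(default_factory=list)  # applied control measures
    residual_severity: str = ""                   # estimate after controls ("" = unchanged)
    residual_probability: str = ""
    verified: bool = False                        # control effectiveness verified (Clause 7)
    benefit_justified: bool = False               # risk/benefit analysis on file (Clause 8)

def evaluate_residual_risk(hazards):
    """Return (overall_acceptable, findings). Residual risk is credited only
    for verified controls; ALARP-region risks need a documented justification."""
    findings = []
    for h in hazards:
        if h.controls and not h.verified:
            findings.append(f"{h.hazard_id}: controls not verified, reduction not credited")
            region = risk_region(h.severity, h.probability)
        else:
            region = risk_region(h.residual_severity or h.severity,
                                 h.residual_probability or h.probability)
        if region == "unacceptable":
            findings.append(f"{h.hazard_id}: residual risk unacceptable, further control needed")
        elif region == "alarp" and not h.benefit_justified:
            findings.append(f"{h.hazard_id}: ALARP residual risk lacks risk/benefit justification")
    return not findings, findings
```

The findings list is the material that goes into the risk management file: each entry names the hazard and the checklist item still open against it.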
6. Risk Management Review (Clause 9)
- Conduct periodic risk management reviews.
- Review effectiveness of risk controls and update risk analysis as necessary.
- Assess cumulative residual risks.
- Determine the need for post-market surveillance inputs.
7. Production and Post-Production Activities (Clause 10)
- Establish a Post-Market Surveillance (PMS) process.
- Monitor complaints, incidents, and trends from the field.
- Analyze post-market data for emerging risks.
- Implement corrective and preventive actions (CAPA) as required.
- Update risk management file based on post-production information.
8. Risk Management File (Clause 4.4)
- Maintain a Risk Management File with traceability.
- Include all risk analysis, evaluations, controls, and reviews.
- Document decisions, justifications, and risk/benefit analyses.
- Ensure records are accessible throughout the lifecycle.
9. Risk Communication and Documentation
- Communicate identified risks, control measures, and residual risks to stakeholders.
- Provide adequate information to users about safe use and foreseeable misuse.
- Update instructions for use (IFU) and user manuals with risk-related content.
10. Risk Management Report (Clause 9)
- Summarize all risk management activities.
- Include verification of risk control measures and evaluation of residual risks.
- Provide justification for the acceptability of residual risks.
- Ensure management’s approval of the final risk management report.
11. Risk Reassessment and Updates
- Update risk management activities during design changes or modifications.
- Periodically reassess risks throughout the lifecycle.
- Integrate feedback from clinical use, incidents, and adverse events.
12. Periodic Review and Continual Improvement
- Define intervals for risk management plan reviews.
- Incorporate lessons learned from incidents and CAPA.
- Ensure continuous improvement of risk management processes.
Additional Considerations
- Compliance with ISO 13485:2016 for QMS integration.
- Alignment with IEC 62304 for software safety classification and lifecycle management.
- Interface with post-market surveillance (PMS) as per EU MDR and FDA requirements.