R-TF-013-001 Risk Management Plan
Purpose and scope
This risk management plan defines the planned activities for risk management throughout the life cycle of Legit.Health Plus in accordance with ISO 14971:2019 section 4.4.
| Attribute | Value |
|---|---|
| Device name | Legit.Health Plus |
| Software version | 1.1.0.0 |
| Device classification | Class IIb according to MDR 2017/745, Rule 11 |
| Device type | Software as a Medical Device (SaMD) with AI/ML components |
| Intended purpose | AI-based dermatology clinical decision support system for HCPs |
Relationship with design and development process
Risk management activities are integrated into the software development life cycle as defined in GP-012 Design, Redesign and Development. The procedure GP-012 serves as the central process that coordinates all development activities, including the integration of risk management inputs from multiple specialized processes.
Risk management file structure
The risk management file for this device consists of three documents that work together:
| Document | Purpose | When it is created/updated |
|---|---|---|
| R-TF-013-001 | Risk Management Plan (this document) | At project start; updated if scope changes |
| R-TF-013-002 | Risk Management Record (risk matrix) | Continuously during development and post-market |
| R-TF-013-003 | Risk Management Report | Before market release; updated annually or as needed |
How these documents work together:
- This Plan defines what activities will be done, who does them, and how risks are evaluated
- The Record (matrix) is the working document where risks are identified, analyzed, and controlled
- The Report summarizes the conclusions and declares whether residual risk is acceptable
Assignment of responsibilities and authorities
In accordance with ISO 14971:2019 section 4.4 b), the following personnel are responsible for executing risk management activities.
Risk management team
| Name | Role | Specific responsibilities |
|---|---|---|
| Taig Mac Carthy | D&D Manager (JD-003) | Leads risk sessions; maintains R-TF-013-002; coordinates risk control implementation |
| Alfonso Medela | Technical Manager (JD-005) | Provides AI/ML expertise; estimates probability based on algorithm behavior |
| Gerardo Fernández | Technology Manager (JD-007) | Cybersecurity risk analysis; software architecture risk assessment |
| Jordi Barrachina | Clinical Coordinator (JD-018) | Estimates clinical severity; validates benefit-risk analysis |
| Saray Ugidos | Quality Manager (JD-004) | Reviews process compliance; approves risk management file |
| Andy Aguilar | General Manager (JD-001) | Final approval of overall residual risk acceptability |
Qualification of team members
Taig Mac Carthy
- Position: Design and Development Manager
- Education: With a specialization in Strategic Management and Innovation from Copenhagen Business School, he has a foundational understanding of business practices essential in product development. His knowledge of quality management systems is well established, having completed ISO 13485, ISO 9001:2015, and ISO 27001 Lead Auditor certifications from Bureau Veritas Group. These certifications underscore his ability to maintain high quality standards in device manufacturing. Additionally, his training in ICH Good Clinical Practice and as an Equal Opportunity Agent, alongside courses in Python, Data Science, and Graphic Design, provides a diverse skill set applicable to his current role. His academic journey also includes a degree from the University of the Basque Country.
- Experience: Solid background in both the medical and entrepreneurial fields. He has contributed to four scientific publications in computer vision applied to medicine, showcasing his expertise in areas directly relevant to medical device development. His involvement from the inception of the company, given his position as co-founder, has afforded him comprehensive knowledge of the device's development journey. His six years as a front-end software developer and the founding of three companies demonstrate his technical skills and entrepreneurial mindset. Additionally, his authorship of two business management books indicates his grasp of business operations, all of which collectively support his capacity to lead in design and development.
- Training: ISO 13485, ISO 27001
- Qualification: QUALIFIED (02/07/2023)
Alfonso Medela
- Position: Technical Manager & PRRC
- Education: Physics (University of the Basque Country), MSc Physics, MSc Big Data and Business Intelligence
- Experience: 5+ years in computer vision and ML for medical applications; 7 publications on ML/image recognition
- Training: ISO 13485, Medical Device regulatory
- Qualification: QUALIFIED (02/07/2023)
Gerardo Fernández
- Position: Technology Manager
- Education: Computer Science
- Experience: Software architecture, cybersecurity, backend development for medical devices
- Qualification: QUALIFIED (02/07/2023)
Jordi Barrachina
- Position: Clinical Research Coordinator
- Education: PhD
- Experience: 4+ years in clinical research and clinical validations for medical devices; literature review and medical writing per MDR requirements
- Qualification: QUALIFIED (02/07/2023)
Saray Ugidos
- Position: Quality Manager & PRRC
- Education: Economics (University of La Laguna), MSc Quality, Safety and Environment
- Experience: 12+ years in Quality and Regulatory Affairs; 7 years in Medical Devices (Class I, II, III); SaMD with AI experience
- Training: ISO 13485, ISO 14971, ISO 27001, MDR 2017/745
- Qualification: QUALIFIED (30/04/2025)
Andy Aguilar
- Position: General Manager
- Education: Business Administration, Tecnologico de Monterrey
- Experience: 3+ years with the device throughout its life cycle
- Qualification: QUALIFIED (02/07/2023)
Execution of risk management activities
This section describes how the risk management activities are executed in practice.
Risk analysis sessions
Risk analysis is conducted in structured sessions led by the D&D Manager with participation from relevant team members.
When sessions are held
| Trigger | Session type | Participants |
|---|---|---|
| New product development | Initial hazard identification | Full team |
| Design review milestones (DR1, DR2, SR) | Risk update review | D&D Manager + Technical Manager + Clinical Coord. |
| New feature or significant change | Change impact analysis | D&D Manager + relevant experts |
| Post-market safety signal | Risk re-evaluation | Quality Manager + D&D Manager + Clinical Coord. |
| Annual review | Complete file review | Full team |
Session process
- Preparation (D&D Manager):
  - Prepares the agenda identifying areas to analyze
  - Gathers inputs from specialized processes (usability, AI, cybersecurity)
  - Distributes relevant documentation to participants
- Execution (Full team):
  - Hazards are identified using systematic techniques (FMEA, fault tree, brainstorming)
  - For each hazard: sequence of events, hazardous situation, and potential harm are defined
  - Risk estimation is performed (severity and probability)
  - Risk control measures are proposed
- Documentation (D&D Manager):
  - All findings are recorded in R-TF-013-002 Risk Management Record
  - Session minutes are kept as objective evidence
How to complete the Risk Management Record (R-TF-013-002)
The Risk Management Record is a spreadsheet matrix where each row represents one identified risk. The following columns must be completed:
Step 1: Hazard identification
| Column | How to fill it |
|---|---|
| Risk ID | Unique identifier (format: R-XXX) |
| Hazard | The potential source of harm (e.g., "Incorrect AI classification") |
| Sequence of events | How the hazard leads to a hazardous situation |
| Hazardous situation | The circumstance where the user/patient is exposed to the hazard |
| Harm | The injury or damage that could result (e.g., "Delayed diagnosis of melanoma") |
Step 2: Risk estimation (before controls)
| Column | Scale | Criteria |
|---|---|---|
| Severity (S) | 1-5 | 1=Negligible, 2=Minor, 3=Serious, 4=Critical, 5=Catastrophic (death) |
| Probability (P) | 1-5 | 1=Improbable, 2=Remote, 3=Occasional, 4=Probable, 5=Frequent |
| Initial RPN | S×P | Calculated automatically |
Jordi Barrachina (Clinical Coordinator) is responsible for estimating severity based on clinical consequences. When uncertain, assume the worst credible case.
Alfonso Medela (Technical Manager) estimates probability for AI-related risks based on validation data. Gerardo Fernández estimates probability for software/cybersecurity risks. When probability cannot be estimated, use detectability as a surrogate.
Step 3: Risk evaluation
Based on the Initial RPN, classify the risk:
| Initial RPN | Classification | Action required |
|---|---|---|
| 1-6 | Acceptable | Document the risk; no further action required |
| 7-12 | AFAP | Implement controls if practicable; justify if not; benefit-risk required |
| 13-25 | Unacceptable | Risk control measures are mandatory; cannot proceed without them |
Step 4: Risk control
For each risk requiring control, document:
| Column | How to fill it |
|---|---|
| Control option | A (inherent safety), B (protective measure), or C (information for safety) |
| Risk control measure | Specific description of what is implemented |
| Verification method | How we verify the control is implemented (test, review, inspection) |
| Verification evidence | Reference to test report, review record, or document |
Step 5: Residual risk estimation (after controls)
| Column | How to fill it |
|---|---|
| Residual Severity | Usually unchanged unless harm is reduced |
| Residual Probability | Re-estimated considering the control measures |
| Residual RPN | Calculated automatically |
| Final classification | Re-classify based on residual RPN |
Step 6: Traceability
For each risk, complete the traceability columns to ensure full end-to-end traceability:
| Column | How to fill it |
|---|---|
| Labeling Requirement | For Option C controls, link to LR-xxx in R-TF-012-037 |
| Software Requirement | For Option A/B controls, link to SRS-xxx in R-TF-012-043 Traceability Matrix |
| New hazards introduced? | Yes/No - if yes, create new risk entry |
The full traceability of risk controls is achieved by combining two documents:
- R-TF-013-002 (Risk Management Record): Contains Risk ID → Control measure → LR-xxx or SRS-xxx
- R-TF-012-043 (Traceability Matrix): Contains SRS-xxx → Design specification → Test case → Verification evidence
Together, these documents provide:
- Risk → Requirement: Which requirement implements the risk control
- Requirement → Design: How the requirement is designed
- Design → Verification: How the implementation is verified
- Risk → IFU: For Option C, which section of the IFU addresses the risk (via LR-xxx)
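As an added illustration (not the project's own tooling), a small checker that applies the rules of Steps 2 to 6 to one row of R-TF-013-002: it computes the RPN, classifies it, confirms that each control option carries the right kind of traceability link, and flags residual AFAP risks that lack a benefit-risk justification. The `RiskRow` field names are assumptions, not the spreadsheet's real column headers.

```python
"""Consistency checks for one row of the Risk Management Record (R-TF-013-002).

Illustration added to this plan, not a Legit.Health tool: it encodes the rules
of Steps 2-6 (RPN = S x P, the classification bands, control option to
traceability link). RiskRow field names are assumed, not the real headers.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACCEPTABLE, AFAP, UNACCEPTABLE = "Acceptable", "AFAP", "Unacceptable"


def rpn(severity: int, probability: int) -> int:
    """Risk Priority Number as defined in Step 2: S x P, each on a 1-5 scale."""
    if not (1 <= severity <= 5 and 1 <= probability <= 5):
        raise ValueError("severity and probability must be on the 1-5 scale")
    return severity * probability


def classify(rpn_value: int) -> str:
    """Step 3 bands: 1-6 Acceptable, 7-12 AFAP, 13-25 Unacceptable."""
    if rpn_value <= 6:
        return ACCEPTABLE
    return AFAP if rpn_value <= 12 else UNACCEPTABLE


@dataclass
class RiskRow:
    risk_id: str
    severity: int
    probability: int
    control_option: Optional[str] = None      # "A", "B", "C" or None if no control
    traceability_link: Optional[str] = None   # e.g. "LR-012" or "SRS-045"
    residual_severity: Optional[int] = None
    residual_probability: Optional[int] = None
    benefit_risk_justified: bool = False      # documented in R-TF-013-003 section 5
    new_hazards_introduced: bool = False


def check_row(row: RiskRow) -> List[str]:
    """Return the rule violations for one row; an empty list means it is consistent."""
    findings = []
    if not re.fullmatch(r"R-\d{3}", row.risk_id):
        findings.append("Risk ID must use the R-XXX format")
    initial = classify(rpn(row.severity, row.probability))
    if row.control_option is None:
        # No control applied, so the initial classification is also the residual one.
        if initial == UNACCEPTABLE:
            findings.append("Unacceptable initial risk: control measures are mandatory")
        elif initial == AFAP and not row.benefit_risk_justified:
            findings.append("AFAP risk without controls needs justification and benefit-risk analysis")
        return findings
    link = row.traceability_link or ""
    if row.control_option == "C" and not link.startswith("LR-"):
        findings.append("Option C control must link to an LR-xxx in R-TF-012-037")
    if row.control_option in ("A", "B") and not link.startswith("SRS-"):
        findings.append("Option A/B control must link to an SRS-xxx in R-TF-012-043")
    if row.residual_severity is None or row.residual_probability is None:
        findings.append("residual severity and probability must be re-estimated after controls")
    else:
        residual = classify(rpn(row.residual_severity, row.residual_probability))
        if residual == UNACCEPTABLE:
            findings.append("residual risk is Unacceptable: further controls are mandatory")
        elif residual == AFAP and not row.benefit_risk_justified:
            findings.append("AFAP residual risk requires a benefit-risk analysis in R-TF-013-003")
    if row.new_hazards_introduced:
        findings.append("control introduces new hazards: create a new risk entry for each")
    return findings
```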
Risk control option categories
Risk controls are selected in the following priority order per ISO 14971:2019 section 7.1:
| Option | Description | Examples for this device |
|---|---|---|
| A | Eliminate or reduce the hazard through design | Input validation, algorithm design, authentication enforcement |
| B | Add protective measures in the device | Image quality scoring, entropy calculation, encryption, monitoring |
| C | Provide information through labeling | Warnings in IFU, precautions, contraindications, training |
When a risk is mitigated by Option C, a Labeling Requirement (LR-xxx) is created in R-TF-012-037. This ensures the required information appears in the IFU. The LR code is recorded in the risk matrix for traceability.
Inputs from specialized processes
The Risk Management Record receives inputs from four processes. Each process evaluates whether its identified risks could affect patient safety:
| Source process | What they analyze | Transfer to R-TF-013-002 when... |
|---|---|---|
| GP-013 | Product-inherent risks | Always (this is the main source) |
| GP-025 | Use errors, UI issues, misuse | Use error could lead to patient harm |
| GP-028 | AI bias, model drift, algorithm errors | AI issue could affect clinical decision-making |
| GP-030 | Data breaches, unauthorized access | Security incident could compromise patient safety or data |
The D&D Manager is responsible for collecting these inputs and consolidating them in the risk matrix.
Criteria for risk acceptability
In accordance with ISO 14971:2019 section 4.4 d), the following criteria are used to determine risk acceptability.
Severity scale
| Level | Category | Description |
|---|---|---|
| 1 | Negligible | Inconvenience or temporary discomfort |
| 2 | Minor | Temporary injury or impairment not requiring medical intervention |
| 3 | Serious | Injury requiring medical intervention |
| 4 | Critical | Permanent impairment or life-threatening injury |
| 5 | Catastrophic | Death |
Probability scale
| Level | Category | Description |
|---|---|---|
| 1 | Improbable | < 1 in 1,000,000 uses |
| 2 | Remote | 1 in 100,000 to 1 in 1,000,000 uses |
| 3 | Occasional | 1 in 10,000 to 1 in 100,000 uses |
| 4 | Probable | 1 in 1,000 to 1 in 10,000 uses |
| 5 | Frequent | > 1 in 1,000 uses |
Risk acceptability matrix
Rows give the probability of occurrence (1-5); columns give the severity of harm (1-5).
| Probability of occurrence | Severity 1 | Severity 2 | Severity 3 | Severity 4 | Severity 5 |
|---|---|---|---|---|---|
| 5 | Acceptable | As far as possible | Not acceptable | Not acceptable | Not acceptable |
| 4 | Acceptable | As far as possible | As far as possible | Not acceptable | Not acceptable |
| 3 | Acceptable | As far as possible | As far as possible | As far as possible | Not acceptable |
| 2 | Acceptable | Acceptable | As far as possible | As far as possible | As far as possible |
| 1 | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable |
Benefit-risk analysis for AFAP residual risks
For risks that remain classified as AFAP after applying all practicable risk controls, a benefit-risk analysis is required to justify their acceptability. The analysis considers:
- Clinical benefits: As documented in R-TF-015-003 Clinical Evaluation Report
- State of the art: As documented in R-TF-015-011 State of the Art
- Available alternatives: What would happen without the device?
- Patient population: Specific considerations for intended users
The benefit-risk analysis for AFAP residual risks is documented in R-TF-013-003 Risk Management Report, section 5 "Evaluation of overall residual risk". The Report concludes whether the clinical benefits outweigh the residual risks for each AFAP risk and for the device as a whole.
Verification of risk control measures
In accordance with ISO 14971:2019 section 4.4 e), each risk control measure must be verified for both implementation and effectiveness.
Verification of implementation
| Control type | Verification method | Responsible | Evidence |
|---|---|---|---|
| Option A | Design review, code review | D&D Manager | Design review record |
| Option B | Software testing, security testing | Technical Manager | Test report (R-TF-012-038) |
| Option C | IFU review, labeling inspection | Quality Manager | IFU review record |
Verification of effectiveness
After implementation, verify that:
- The control reduces the risk as intended
- No new hazards are introduced by the control
- The residual risk is acceptable
If new hazards are introduced, they are added to the risk matrix and analyzed.
Documentation
Verification results are recorded:
- In the "Verification evidence" column of R-TF-013-002
- In R-TF-012-043 Traceability Matrix for requirements traceability
How to complete the Risk Management Report (R-TF-013-003)
The Risk Management Report summarizes the risk management activities and concludes whether the device is safe. It is prepared before market release and updated annually or when significant changes occur.
Report structure
The report must contain:
| Section | Content |
|---|---|
| 1. Executive summary | Brief conclusion on overall residual risk acceptability |
| 2. Scope | Device identification, software version, life cycle phase |
| 3. Summary of risk analysis | Total risks identified, classification breakdown |
| 4. Summary of risk controls | Controls by option (A/B/C), verification status |
| 5. Evaluation of overall residual risk | Consideration of cumulative risks, benefit-risk conclusion |
| 6. Review of production/post-production information | Summary of PMS data reviewed |
| 7. Conclusion | Statement that overall residual risk is acceptable (or not) |
| 8. Approval | Signatures from Quality Manager and General Manager |
How to evaluate overall residual risk
The evaluation considers:
- Individual risks: All risks in R-TF-013-002 must be Acceptable or AFAP with favorable benefit-risk
- Cumulative effect: Consider if multiple risks together create unacceptable risk
- Completeness: Confirm all foreseeable hazards have been analyzed
- Benefit-risk ratio: Clinical benefits must outweigh overall residual risk
Approval workflow
Requirements for review of risk management activities
In accordance with ISO 14971:2019 section 4.4 c), the following review requirements are established.
Scheduled reviews
| Review | Frequency | Responsible | Scope |
|---|---|---|---|
| Design phase reviews | Per GP-012 | D&D Manager | Risk inputs at DR1, DR2, Software Review |
| Verification review | Per GP-012 | D&D Manager | Verification of risk control implementation |
| Validation review | Per GP-012 | Quality Manager | Overall residual risk, benefit-risk conclusion |
| Annual review | Yearly | Quality Manager | Complete risk management file |
| PSUR review | Per PSUR cycle | Quality Manager | Integration with post-market safety data |
Event-triggered reviews
A review is triggered when:
- A new hazard is identified from any source
- A risk control measure is found to be ineffective
- Significant changes are made to the device or intended use
- Post-market information indicates a change in risk profile
- A serious incident or near-miss occurs
Collection and review of post-production information
In accordance with ISO 14971:2019 section 4.4 f) and section 10, the following system collects and reviews post-production information.
Information sources
| Information type | Source | Procedure | Review frequency |
|---|---|---|---|
| User feedback | Customer support | GP-014 | Continuous |
| Complaints | Complaint system | GP-014 | Continuous |
| Adverse events | Vigilance reporting | GP-004 | Immediate |
| Clinical data | PMCF, literature | GP-015 | Per PMCF plan |
| Security incidents | Security monitoring | GP-030 | Continuous |
| AI performance | Model monitoring | GP-028 | Monthly |
Review process
- Screening: Quality Manager screens incoming information for safety relevance
- Evaluation: Relevant information is evaluated against R-TF-013-002
- Action: If risk estimates change, update the matrix and re-evaluate
- Documentation: All evaluations are documented; updates to R-TF-013-002 are versioned
Triggers for risk management updates
The following information requires updating the risk management file:
- New or previously unrecognized hazards
- Risk estimates are no longer accurate based on real-world data
- Risk control measures are ineffective or causing new hazards
- Changes in use conditions or user population
- Changes in state of the art
- New regulatory requirements or guidance
Related documents
Risk management file
| Document code | Document name |
|---|---|
| R-TF-013-001 | Risk Management Plan |
| R-TF-013-002 | Risk Management Record |
| R-TF-013-003 | Risk Management Report |
Related procedures
| Document code | Document name | Relationship |
|---|---|---|
| GP-013 | Risk Management | General procedure for risk management process |
| GP-012 | Design, Redesign and Development | Central process integrating risk management |
| GP-025 | Usability and Human Factors | Source of usability risks |
| GP-028 | AI Development | Source of AI-related risks |
| GP-030 | Cybersecurity Risk Management | Source of cybersecurity risks |
| GP-004 | Vigilance System | Post-market safety reporting |
| GP-007 | Post-Market Surveillance | PMS information collection |
| GP-014 | Feedback and Complaints | Customer feedback handling |
| GP-015 | Clinical Evaluation | Clinical data for benefit-risk analysis |
Related technical file documents
| Document code | Document name |
|---|---|
| R-TF-012-037 | Labeling and IFU Requirements |
| R-TF-012-038 | Verified Version Release |
| R-TF-012-043 | Traceability Matrix |
| R-TF-015-003 | Clinical Evaluation Report |
| R-TF-015-011 | State of the Art Legit.Health Plus |
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
- Approver: JD-001 General Manager