R-TF-013-003 Risk management report
Introduction
Purpose
This Risk Management Report summarizes the results of risk management activities performed for the medical device Legit.Health Plus in accordance with the requirements of ISO 14971:2019 - Medical devices — Application of risk management to medical devices and the guidance provided in ISO/TR 24971:2020.
The purpose of this document is to provide evidence that:
- The risk management plan has been appropriately implemented
- The overall residual risk is acceptable
- Appropriate methods are in place to collect and review relevant production and post-production information
Scope
This report covers all risk management activities performed throughout the product lifecycle of Legit.Health Plus, from initial concept through design, development, verification, validation, and post-market surveillance planning.
Risk management file structure
The complete risk management documentation for this medical device consists of the following documents:
| Document | Description |
|---|---|
GP-013 Risk management | General procedure defining the risk management process, risk acceptability criteria, risk control options, and responsibilities |
R-TF-013-001 Risk Management Plan | Defines the scope, responsibilities, risk acceptability criteria, verification activities, and review requirements for this specific device |
R-TF-013-002 Risk Management Record | Contains the complete risk analysis matrix with all identified hazards, hazardous situations, risk estimations, control measures, and residual risk evaluations |
R-TF-013-003 Risk Management Report | This document - summarizes the risk management activities and conclusions |
R-TF-012-037 Labeling and IFU Requirements | Defines labeling requirements (LR-XXX) for risk mitigation through information for safety |
Device description
Device identification
Device name: Legit.Health Plus
Device type: Software as a Medical Device (SaMD)
Classification: Class IIb (MDR 2017/745, Rule 11)
Intended purpose
The intended purpose of Legit.Health Plus is to support clinicians during the dermatosis diagnosis process through the medical information provided by the device as a result of skin structure image processing and analysis. This process contributes indirectly to:
- Faster, more efficient, and affordable diagnosis
- More continuous and objective monitoring of the severity of skin conditions
- Enhanced telemedicine capabilities
Intended users
The device is intended to be used by:
- Healthcare Professionals (HCP): Dermatologists and other qualified healthcare practitioners who interpret the device outputs for clinical decision-making
- IT Personnel (ITP): Technical staff responsible for integrating the device into healthcare organization systems
Technical characteristics
The device is a standalone software delivered as an API (Application Programming Interface) with the following key characteristics:
- REST Protocol: Ensures platform independence and system compatibility
- HL7 FHIR Standard: Follows healthcare interoperability standards for data exchange
- OpenAPI Specification: Provides comprehensive API documentation
- ICD Classification Support: Compatible with ICD-11 coding system
Risk management process implementation
Risk management plan execution
The risk management activities were executed according to R-TF-013-001 Risk Management Plan. The plan defined:
- The scope of risk management activities across all product lifecycle phases
- Assignment of responsibilities and authorities for each phase
- Risk acceptability criteria based on severity and probability matrices
- Verification requirements for risk control measures
- Methods for collecting production and post-production information
Risk management review throughout the product lifecycle
As defined in GP-013 Risk management and R-TF-013-001 Risk Management Plan, the risk management file is reviewed at critical stages of the product lifecycle to ensure that identified risks remain valid and that risk control measures continue to be effective:
| Lifecycle phase | Review activities | Related documentation |
|---|---|---|
| Design and development | Initial hazard identification, risk estimation, and control measure definition | R-TF-012-023 Software Development Plan, R-TF-012-028 Software Requirement Specification (SRS) |
| Verification and validation | Verification of risk control implementation through software testing and usability evaluation | R-TF-012-033 Software Test Plan, R-TF-012-034 Software Test Description, R-TF-025-007 Summative Evaluation Report |
| Clinical evaluation | Confirmation that assigned risk probabilities and identified risks are coherent with clinical evidence | R-TF-015-003 Clinical Evaluation Report |
| Transfer to production (commissioning) | Final review before market release to confirm all risks are controlled and the overall residual risk is acceptable | R-TF-012-038 Verified Version Release, R-TF-012-039 Validated Version Transfer |
| Post-market phase | Continuous monitoring and update based on PMS and PMCF data | R-TF-007-001 Post-Market Surveillance (PMS) Plan, R-TF-007-002 Post-Market Clinical Follow-up (PMCF) Plan |
This iterative approach ensures that risk management remains a living process throughout the device lifecycle, with updates triggered by new information from any phase.
Risk estimation and evaluation methodology
The following methodology, defined in GP-013 Risk Management, was applied for risk estimation and evaluation in this report.
Risk estimation formula
Risk is estimated as the combination of probability of occurrence of harm and severity of that harm. The Risk Priority Number (RPN) is calculated as:
Where:
- P₁ = Probability of occurrence of the hazardous situation
- P₂ = Probability of the hazardous situation leading to harm
- S = Severity of harm
For Legit.Health Plus, as a diagnostic support software that does not directly touch or interact with patients, P₂ is always equal to 1. The device cannot directly cause physical harm; any harm pathway is indirect through clinical decision-making. Therefore:
Severity (S) scale
| Score | Impact | Description | Effect |
|---|---|---|---|
| 5 | Critical | Damage capable of causing serious harm to health or breach of essential requirements | Loss or degradation of primary function or death; non-compliance with requirements |
| 4 | Serious | Harm capable of causing severe or significant harm; non-compliance endangering essential commitments | Permanent impairment or irreversible injury; minor non-conformities affecting requirements |
| 3 | Major | Damage capable of causing minor harm; non-compliance endangering non-essential requirements | Injury or impairment requiring medical or surgical intervention |
| 2 | Minor | Nuisance without danger; small QMS errors not jeopardizing compliance | Temporary injury or impairment not requiring intervention |
| 1 | Negligible | No discernible effect or detriment | Inconvenience or temporary discomfort |
Probability (P₁) scale
| Score | Probability | Frequency range | Meaning |
|---|---|---|---|
| 5 | Frequent | 1 - 1/10 | Very likely; expected in more than 10% of cases |
| 4 | Probable | 1/10 - 1/100 | Probable; expected in 1-10% of cases |
| 3 | Occasional | 1/100 - 1/1000 | May occur occasionally; expected in 0.1-1% of cases |
| 2 | Remote | 1/1000 - 1/10000 | Unlikely but possible; expected in 0.01-0.1% of cases |
| 1 | Improbable | 0 - 1/10000 | Highly improbable but not impossible; less than 0.01% of cases |
Detectability (D) scale
When probability of occurrence cannot be estimated, detectability is used:
| Score | Detectability | Meaning |
|---|---|---|
| 5 | Almost Certain | Detection probability >80%; hazard will almost certainly be detected |
| 4 | High | Detection probability 50-80%; high chance of detection |
| 3 | Moderate | Detection probability 25-50%; moderate chance of detection |
| 2 | Low | Detection probability 10-25%; low chance of detection |
| 1 | Remote | Detection probability <10%; very remote chance of detection |
Risk acceptability criteria
Based on the RPN value, risks are classified into three acceptability levels:
| RPN range | Acceptability level | Definition |
|---|---|---|
| 0 - 5 | Acceptable | Risk is acceptable without further risk reduction |
| 6 - 12 | AFAP | Risk is As Far As Possible; acceptable only with documented minimization actions |
| 13 - 25 | Unacceptable | Risk exceeds acceptable threshold; benefit-risk analysis required, risk control mandatory |
Risk matrix
The following matrix visualizes the risk acceptability regions:
PROBABILITY OF OCURRENCE | 5 | Acceptable | As far as possible | Not acceptable | Not acceptable | Not acceptable | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|
4 | Acceptable | As far as possible | As far as possible | Not acceptable | Not acceptable | ||||||
3 | Acceptable | As far as possible | As far as possible | As far as possible | Not acceptable | ||||||
2 | Acceptable | Acceptable | As far as possible | As far as possible | As far as possible | ||||||
1 | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable | ||||||
1 | 2 | 3 | 4 | 5 | |||||||
SEVERITY OF HARM | |||||||||||
Risk management team
The risk management activities were performed by a qualified team with appropriate knowledge and experience:
| Role | Responsibility |
|---|---|
| Design and Development Manager | Hazard identification, risk control implementation, verification |
| Technical Manager & PRRC | Technical risk assessment, control measure design, regulatory compliance |
| Quality Manager & PRRC | Risk management process oversight, documentation review, approval |
The qualification of the risk management team is documented in the respective personnel files and includes training in ISO 14971, ISO 13485, and relevant regulatory requirements.
Summary of risk analysis
Hazard identification methodology
Hazards were identified through systematic analysis using multiple approaches:
- Analysis of the intended use and reasonably foreseeable misuse
- Review of device characteristics that could affect safety (per ISO/TR 24971 Annex A.2)
- Analysis of hazards associated with software medical devices (per IEC 62304)
- Review of usability-related hazards (per IEC 62366-1)
- Cybersecurity threat modeling
- Analysis of AI/ML-specific risks
Risk categories identified
The comprehensive risk analysis identified hazards across the following categories:
| Category | Number of risks | Description |
|---|---|---|
| Product | 25 | Risks related to device functionality, software behavior, and technical performance |
| Usability | 14 | Risks related to user interaction, interpretation of outputs, and use errors |
| Regulatory | 18 | Risks related to compliance with regulatory requirements and labeling |
| Cybersecurity | 8 | Risks related to data security, unauthorized access, and system integrity |
| Artificial Intelligence | 5 | Risks specific to AI/ML algorithms, training data, and model behavior |
Summary of identified risks
A total of 62 risks were identified and documented in R-TF-013-002 Risk Management Record. The primary hazardous situations identified include:
Clinical output risks:
- Incorrect clinical information (R-75H)
- Incorrect diagnosis or follow-up (R-DAG)
- Incorrect results shown to patient (R-SKK)
- Misinterpretation of device outputs (R-HAX)
Data and connectivity risks:
- Data transmission failures (R-T8Q, R-3N5, R-YF4, R-LRP)
- Service interruption (R-MWD)
- Data breach or unauthorized access (R-3YJ)
Image quality risks:
- Image artifacts or poor resolution (R-AGQ)
- Inadequate lighting conditions (R-5L4)
- Inadequate camera usage (R-TA9)
Integration and usability risks:
- System incompatibility (R-U6M)
- Integration failure or errors (R-2S3)
- Incorrect interpretation of device outputs (R-HAX)
AI/ML-specific risks:
- Inaccurate training data (R-GY6)
- Biased or incomplete training data (R-7US)
- Sensitivity to image variability (R-RAJ)
Risk control measures
Risk control strategy
Risk control measures were selected and implemented following the priority order established in ISO 14971:
- Inherent safety by design (Option A): Design features that eliminate or reduce risks
- Protective measures in the medical device or manufacturing process (Option B): Technical safeguards and controls
- Information for safety (Option C): Warnings, instructions, and training
Summary of implemented controls
| Control type | Number of risks addressed | Examples |
|---|---|---|
| Design measures (A) | 52 | FHIR standard compliance, image quality algorithms, REST protocol, elastic server architecture |
| Protective measures (B) | 18 | Security measures (OAuth, JWT, SSL/TLS), data encryption, backup systems, error messaging |
| Information for safety (C) | 34 | Instructions for Use, labeling, user training, Swagger documentation |
Labeling and IFU requirements summary
As part of the Information for Safety (Option C) risk control measures, specific Labeling Requirements (LR) have been defined to ensure that all necessary safety information is communicated to users through the Instructions for Use (IFU) and device labeling. These requirements are documented in R-TF-012-037 Labeling and IFU Requirements.
The following table summarizes the labeling requirements by category:
| Category | Number of LRs | Description |
|---|---|---|
| General Safety | 2 | Read IFU instructions, general safety warnings |
| Intended Use | 2 | Device purpose, description, and mode of action |
| Intended User | 1 | User profile and qualification requirements (HCPs, ITPs) |
| Clinical Safety | 3 | Output interpretation, warnings and precautions, contraindications |
| Technical Specifications | 3 | Camera requirements, API integration, system compatibility |
| Image Capture | 2 | How to take pictures, image quality requirements |
| Cybersecurity | 3 | Security requirements, data protection, authentication guidance |
| Regulatory | 6 | Symbols, UDI, manufacturer information, CE marking, version identification, eIFU access |
| Other | 4 | Maintenance, lifetime, clinical benefits, training recommendations |
Traceability summary:
- Total Labeling Requirements: 26 (coded LR-XXX)
- Risks mitigated by LRs: 41 of 62 identified risks
- Location coverage: All LRs specify whether information must appear in IFU, Label, or both
The complete traceability between labeling requirements and the risks they mitigate is maintained in R-TF-012-037 Labeling and IFU Requirements and R-TF-013-002 Risk Management Record.
Verification of risk control implementation
All risk control measures have been verified through:
- Software test cases: Documented in
R-TF-012-034 Software Test Descriptionwith execution results recorded inR-TF-012-033 Software Test Plan. The traceability between risks, software requirements (SRS), and labeling requirements (LR) is maintained inR-TF-013-002 Risk Management Record, while the traceability between SRS and test cases is maintained inR-TF-012-043 Traceability Matrix. - Summative usability evaluation: Documented in
R-TF-025-007 Summative Evaluation Report, which validates that use-related risks have been adequately addressed through the user interface design and Instructions for Use. - Clinical evaluation: Documented in
R-TF-015-003 Clinical Evaluation Report, which confirms that clinical risks are controlled and that the assigned risk probabilities are consistent with clinical evidence. - Design verification and validation: Documented in
R-TF-012-035 Software Test Reportand commissioning records (R-TF-029-001,R-TF-029-002,R-TF-029-003). - Internal and external audits
For risk control measures implemented through Information for Safety (Option C), particularly those related to Labeling Requirements (LR-XXX), verification is performed through visual inspection of the IFU and labeling content. This verification confirms that the required information, warnings, instructions, and symbols have been correctly included in the published Instructions for Use and device labeling. The visual inspection is documented as part of the IFU validation process in R-TF-001-006 IFU and label validation.
The complete traceability from risks to requirements to verification activities is documented in the Design History File (DHF), ensuring full transparency and auditability of risk control implementation.
Verification of risk control effectiveness
The effectiveness of risk control measures was verified through:
- Clinical performance evaluation
- Usability testing with representative users
- Software verification and validation testing
- Security testing and vulnerability assessments
All verification activities confirmed that implemented controls effectively reduce risks to acceptable levels.
Assessment of risks from control measures
Each risk control measure was evaluated to determine whether it introduced new hazards. The analysis confirmed that no new unacceptable risks were introduced by the implemented control measures.
Residual risk evaluation
Individual residual risk assessment
After implementation of all risk control measures, each individual risk was re-evaluated. The residual risks are classified as:
| Classification | Number of risks | Description |
|---|---|---|
| Acceptable | 54 | Residual risk is acceptable; no further action required |
| AFAP (As Far As Possible) | 8 | Residual risk requires benefit-risk analysis |
Risks classified as AFAP
The following risks remain classified as AFAP after all practicable risk control measures have been implemented:
| Risk ID | Hazard | Hazardous situation | Residual severity | Residual probability |
|---|---|---|---|---|
| R-75H | Incorrect clinical information | Care provider receives erroneous data | 3 | 2 |
| R-DAG | Incorrect diagnosis or follow-up | Device outputs wrong result to HCP | 3 | 2 |
| R-AGQ | Image artifacts/resolution | Device receives insufficient quality input | 3 | 2 |
| R-T8Q | Data transmission failure from care provider | System cannot connect to device | 3 | 2 |
| R-3N5 | Data input failure | Device cannot receive data from providers | 3 | 2 |
| R-YF4 | Data accessibility failure | Care provider cannot receive device data | 3 | 2 |
| R-LRP | Data transmission failure | Device cannot send data to providers | 3 | 2 |
| R-5L4 | Inadequate lighting conditions | Device receives insufficient quality input | 3 | 2 |
These risks require individual benefit-risk analysis as detailed in Section 7.
Benefit-risk analysis for AFAP residual risks
Applicability
According to ISO 14971:2019 section 7.4, a benefit-risk analysis is required when the residual risk is not acceptable using the criteria established in the risk management plan. For this device, benefit-risk analysis is applicable only to the 8 risks classified as AFAP after implementing all practicable risk control measures.
These risks are inherent to the clinical decision support nature of the device and cannot be eliminated without removing the device's clinical functionality.
The clinical benefits, state of the art, and benefit-risk determination are fully documented in R-TF-015-003 Clinical Evaluation Report. This section summarizes the benefit-risk conclusions for each AFAP risk based on the evidence presented in the CER.
Individual benefit-risk analysis
For each AFAP risk, the residual risk was weighed against the clinical benefits documented in the CER:
R-75H & R-DAG: Incorrect clinical information / Incorrect diagnosis
| Factor | Assessment |
|---|---|
| Residual risk | RPN = 6 (Severity 3 × Probability 2) |
| Risk control measures implemented | Option A: Interpretative distribution output (not single diagnosis); Option B: Explainability features, metadata; Option C: IFU warnings on HCP supervision requirement (LR-8YN, LR-4RZ) |
| Why further reduction is not practicable | Eliminating this risk would require the device to provide no clinical output, negating its intended purpose |
| Benefit-risk conclusion | Benefits outweigh the residual risk - As documented in the CER, the device provides significant diagnostic support while the residual risk is mitigated by mandatory HCP supervision |
R-AGQ & R-5L4: Image quality-related risks
| Factor | Assessment |
|---|---|
| Residual risk | RPN = 6 (Severity 3 × Probability 2) |
| Risk control measures implemented | Option A: Image quality scoring algorithm; Option B: Quality feedback to users; Option C: IFU guidance on image capture (LR-3KN, LR-4RZ) |
| Why further reduction is not practicable | The device cannot control image quality at source; it can only detect and inform about quality issues |
| Benefit-risk conclusion | Benefits outweigh the residual risk - As documented in the CER, quality controls adequately manage this inherent limitation of image-based analysis |
R-T8Q, R-3N5, R-YF4, R-LRP: Data transmission/connectivity risks
| Factor | Assessment |
|---|---|
| Residual risk | RPN = 6 (Severity 3 × Probability 2) |
| Risk control measures implemented | Option A: Elastic server architecture, redundancy; Option B: Error handling, meaningful error messages; Option C: IFU guidance on connectivity requirements (LR-5TG) |
| Why further reduction is not practicable | Network connectivity depends on infrastructure outside the device's control |
| Benefit-risk conclusion | Benefits outweigh the residual risk - As documented in the CER, connectivity risks cause delays but not direct patient harm, and are inherent to any cloud-based medical device |
Global benefit-risk conclusion
Based on the benefit-risk analysis documented in R-TF-015-003 Clinical Evaluation Report:
The overall benefit-risk ratio is FAVORABLE.
| Conclusion element | Reference |
|---|---|
| Clinical benefits demonstrated | CER Section 9 - Clinical benefits |
| State of the art considered | CER Section 5 - State of the art; R-TF-015-011 |
| Specific populations addressed | CER Section 10 - Benefit-risk for specific populations |
| Undesirable side-effects minimized | CER Section 10.3 - Undesirable side-effects |
| AFAP risks justified | This section - Individual analysis above |
The CER concludes that the clinical benefits of Legit.Health Plus—diagnostic support, objective monitoring, workflow efficiency, and telemedicine enablement—outweigh the residual risks when the device is used according to its intended purpose under HCP supervision.
Overall residual risk evaluation
Evaluation methodology
The overall residual risk was evaluated by considering:
- The cumulative effect of all individual residual risks
- The interaction between different residual risks
- The clinical context of use
- The effectiveness of post-market surveillance in detecting emerging risks
Overall residual risk conclusion
The overall residual risk of Legit.Health Plus is ACCEPTABLE.
This conclusion is based on:
- All individual risks are controlled: Every identified risk has been addressed with appropriate control measures
- Residual risks are within acceptable limits: All residual risks are either Acceptable or AFAP with favorable benefit-risk ratios
- No uncontrolled hazards: No identified hazards remain without implemented controls
- Cumulative risk is manageable: The combination of residual risks does not create unacceptable cumulative risk
- Post-market surveillance is planned: Systems are in place to monitor for emerging risks
Production and post-production information
Information to be collected
According to the risk management plan and GP-013 Risk management, the following information will be collected during production and post-production phases. This information feeds back into the risk management process to validate initial risk estimates and identify emerging risks:
| Information type | Source | Purpose |
|---|---|---|
| User feedback | Customer support, surveys | Identify use errors and usability issues |
| Complaints | Complaint handling system | Detect safety issues and trends |
| Adverse events | Vigilance reporting | Monitor serious incidents |
| Performance data | System monitoring | Track device reliability and accuracy |
| Clinical outcomes | PMCF activities | Validate clinical benefits |
| Literature | Systematic literature review | Monitor state of the art |
Post-market surveillance plan
The Post-Market Surveillance plan (R-TF-007-001 Post-Market Surveillance (PMS) Plan) defines:
- Proactive and reactive data collection methods
- Analysis and trending requirements
- Criteria for risk management file updates
- Reporting requirements (PSUR, vigilance)
Post-market clinical follow-up
The Post-Market Clinical Follow-up plan (R-TF-007-002 Post-Market Clinical Follow-up (PMCF) Plan) defines activities to:
- Confirm clinical performance in real-world use
- Identify emerging risks or previously unknown side effects
- Verify that benefits continue to outweigh risks
- Detect off-label use or misuse patterns
- Validate that the risk probabilities assigned during the pre-market phase remain accurate
Risk management file updates
The risk management file will be updated when:
- New hazards are identified through PMS or PMCF activities
- Clinical evidence suggests that risk probabilities need to be revised
- Changes to the device design require re-evaluation of existing risks
- Regulatory requirements change
- Corrective and Preventive Actions (CAPA) are implemented (per
GP-009 CAPA management)
Any updates to the risk management file will trigger a review of the R-TF-015-003 Clinical Evaluation Report to ensure consistency across the technical documentation.
Risk management review
Review at transfer to production
Prior to market release, a comprehensive review of the risk management file was conducted during the transfer to production (commissioning) phase. This review, documented in R-TF-012-038 Verified Version Release and R-TF-012-039 Validated Version Transfer, confirmed that:
- All identified risks have been addressed with appropriate control measures
- No new risks have emerged during the verification and validation phases
- The clinical evaluation has validated the assigned risk probabilities
- The overall residual risk remains acceptable
Review confirmation
The risk management process has been reviewed in accordance with GP-013 Risk management procedure. This review confirms that:
| Requirement | Status | Evidence |
|---|---|---|
| Risk management plan has been appropriately implemented | ✓ Confirmed | All planned activities completed and documented |
| Risk analysis is complete | ✓ Confirmed | All foreseeable hazards identified and evaluated |
| Risk control measures are implemented | ✓ Confirmed | All controls verified and validated |
| Overall residual risk is acceptable | ✓ Confirmed | All risks acceptable or AFAP with favorable benefit-risk |
| Methods for production/post-production monitoring are in place | ✓ Confirmed | PMS and PMCF plans established |
| Risk probabilities validated by clinical evidence | ✓ Confirmed | R-TF-015-003 Clinical Evaluation Report |
| Risk management file reviewed at commissioning | ✓ Confirmed | R-TF-012-038 Verified Version Release |
Conclusion
Based on this comprehensive review of risk management activities, it is concluded that:
-
The risk management plan has been fully executed according to the requirements of ISO 14971:2019 and
GP-013 Risk management -
All foreseeable risks have been identified and appropriate risk control measures have been implemented
-
The overall residual risk is acceptable when compared to the clinical benefits provided by the device
-
Appropriate systems are in place to collect and review production and post-production information
-
The medical device Legit.Health Plus is safe for its intended use when used according to the Instructions for Use by qualified users
Record signature meaning
- Author: JD-004
- Reviewer: JD-003
- Approval: JD-005