SP-002-001 Process risk management

Purpose

To define the methodology for identifying, assessing, monitoring, and controlling risks related to Quality Management System (QMS) processes. This procedure ensures that process risks are systematically managed to maintain the effectiveness of the QMS and support continuous improvement.

Distinction from product risk management

This specific procedure addresses process risks — risks that could affect the effectiveness of QMS processes and quality management activities. Product risks related to medical device safety and performance are managed according to GP-013 Risk management, which follows ISO 14971 requirements.

Scope

All processes defined in the QMS Process Map (Annex-2 Process map), including but not limited to:

  • Management processes
  • Operational processes
  • Support processes

Definitions

  • Process risk: The possibility that a process may not achieve its intended objectives or may negatively impact other processes, product quality, or regulatory compliance.
  • Risk identification: The systematic process of finding, recognizing, and describing process risks.
  • Risk assessment: The overall process of risk analysis and risk evaluation for processes.
  • Risk control: Actions implemented to eliminate or reduce process risks to acceptable levels.
  • RPN (Risk Priority Number): A numerical value calculated as Severity × Probability × Detection, used to prioritize process risks.

Responsibilities

JD-001

To approve the process risk assessments and ensure adequate resources are allocated for risk control measures.

JD-004

To coordinate the process risk management activities, maintain the T-002-010 Process risk register, and monitor the effectiveness of risk control measures.

JD-003

To participate in the identification and assessment of process risks related to technical and design processes.

JD-005

To participate in the identification and assessment of process risks related to validation, clinical, and technical processes.

Process owners

To identify and report process risks within their areas of responsibility, implement risk control measures, and monitor their effectiveness.

Inputs

  • Process validation results (T-002-007 Process validation card)
  • Quality indicators data (T-002-003 Quality indicators)
  • Audit findings (GP-003 Audits)
  • Non-conformities and CAPAs (GP-006 Non-conformity. Corrective and preventive actions)
  • Customer feedback and complaints
  • Changes in regulatory requirements
  • Management review outputs

Outputs

  • T-002-010 Process risk register
  • Risk control measures and action plans
  • Updated process validation cards
  • Input for management review

Development

Process risk identification

Process risks shall be identified considering the following sources:

  1. Process validation: During the validation of each process, potential risks are identified and documented in the T-002-007 Process validation card.

  2. Quality indicators: Deviations from expected indicator values may indicate process risks that need to be addressed.

  3. Internal and external audits: Findings from audits may reveal process weaknesses or risks.

  4. Non-conformities: Recurring non-conformities may indicate underlying process risks.

  5. Changes: Any change to processes, equipment, personnel, or regulatory requirements shall trigger a risk review.

  6. SWOT analysis: The annual SWOT and CAME analysis performed during the Management Review (documented in T-002-004 Annual management review report) may identify strategic risks affecting processes.

Process risk categories

Process risks shall be categorized according to their nature:

| Category | Description | Examples |
|---|---|---|
| Operational | Risks related to day-to-day process execution | Equipment failure, human error, resource unavailability |
| Compliance | Risks related to regulatory or standard requirements | Non-compliance with ISO 13485, MDR requirements gaps |
| Strategic | Risks affecting long-term QMS objectives | Technology obsolescence, market changes |
| Resource | Risks related to human, financial, or infrastructure resources | Key personnel loss, budget constraints |
| External | Risks from external factors | Supplier failures, regulatory changes, force majeure |

Process risk assessment

Severity assessment

The severity of a process risk is assessed based on its potential impact:

| Score | Severity | Description |
|---|---|---|
| 1 | Negligible | Minor impact, easily corrected, no effect on QMS effectiveness |
| 2 | Minor | Limited impact, correctable with minor effort, minimal effect on QMS |
| 3 | Moderate | Noticeable impact, requires significant effort to correct, affects QMS effectiveness |
| 4 | Major | Significant impact on QMS, may affect product quality or compliance |
| 5 | Critical | Severe impact, regulatory non-compliance, potential product safety issues |

Probability assessment

The probability of occurrence is assessed as follows (bands are half-open, so a value on a boundary belongs to the higher score):

| Score | Probability | Description |
|---|---|---|
| 1 | Remote | Unlikely to occur (< 1% chance) |
| 2 | Low | Could occur occasionally (1% to < 10% chance) |
| 3 | Moderate | May occur sometimes (10% to < 30% chance) |
| 4 | High | Likely to occur (30% to < 60% chance) |
| 5 | Very high | Expected to occur (≥ 60% chance) |

Detection assessment

The ability to detect the risk before it causes impact. Note that this scale runs inverse to detectability: a higher score means the risk is less likely to be caught, so improving detection lowers the RPN.

| Score | Detection | Description |
|---|---|---|
| 1 | Almost certain | Risk will almost always be detected before impact |
| 2 | High | High probability of detection |
| 3 | Moderate | Moderate probability of detection |
| 4 | Low | Low probability of detection |
| 5 | Remote | Risk is unlikely to be detected |

Risk Priority Number (RPN) calculation

The RPN is calculated as:

$$RPN = Severity \times Probability \times Detection$$

Since each factor is scored from 1 to 5, the RPN ranges from 1 (1 × 1 × 1) to a maximum of 125 (5 × 5 × 5).

Risk acceptability criteria

| RPN range | Risk level | Required action |
|---|---|---|
| 1-15 | Low | Monitor, no immediate action required |
| 16-40 | Medium | Implement risk reduction measures within 6 months |
| 41-75 | High | Implement risk reduction measures within 3 months |
| 76-125 | Critical | Immediate action required, escalate to management |

Process risk control

When process risks exceed acceptable levels, risk control measures shall be implemented following this hierarchy:

  1. Elimination: Remove the risk source entirely (e.g., automate error-prone manual processes)
  2. Substitution: Replace the risky element with a safer alternative
  3. Engineering controls: Implement process changes or safeguards
  4. Administrative controls: Procedures, training, and work instructions
  5. Monitoring: Enhanced monitoring and detection measures

Each risk control measure shall be documented in the T-002-010 Process risk register including:

  • Description of the control measure
  • Responsible person
  • Implementation deadline
  • Verification method
  • Expected residual RPN
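The following Python script is an added worked example of the scoring scheme described in the assessment and control sections above; it is not code from this QMS, from the T-002-010 register template, or from Legit.Health. It validates the three 1..5 scores, computes the RPN, maps it to the acceptability band and its action deadline, and checks whether the expected residual RPN recorded for a control measure actually brings the risk down. Assumptions not stated in the procedure: the register field names, the sample risks (constructed, not real QMS data), reading "within N months" as calendar months from the assessment date, and treating the Low band (RPN ≤ 15) as the target for residual risk.

```python
"""Worked example of the SP-002-001 scoring scheme (added illustration,
not QMS code). Assumed: field names, sample data, calendar-month
deadlines, and the Low band as the residual-risk target."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Acceptability criteria from the procedure:
# (upper RPN bound, level, required action, deadline in months;
#  None = no deadline, 0 = immediate).
CRITERIA = (
    (15, "Low", "Monitor, no immediate action required", None),
    (40, "Medium", "Implement risk reduction measures within 6 months", 6),
    (75, "High", "Implement risk reduction measures within 3 months", 3),
    (125, "Critical", "Immediate action required, escalate to management", 0),
)

def check_score(name: str, value: int) -> int:
    """Severity, probability and detection are each scored 1..5."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")
    return value

def rpn(severity: int, probability: int, detection: int) -> int:
    """RPN = Severity x Probability x Detection, so 1 <= RPN <= 125."""
    return (check_score("severity", severity)
            * check_score("probability", probability)
            * check_score("detection", detection))

def classify(value: int) -> Tuple[str, str, Optional[int]]:
    """Map an RPN to (risk level, required action, deadline in months)."""
    for upper, level, action, months in CRITERIA:
        if value <= upper:
            return level, action, months
    raise ValueError(f"RPN {value} outside 1..125")

def add_months(start: date, months: int) -> date:
    """Same calendar day N months later, clamped to the target month's
    length (assumption: '6 months' means calendar months, not 180 days)."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

@dataclass
class ProcessRisk:
    """One row of a process risk register (field names are assumed)."""
    risk_id: str
    category: str
    severity: int
    probability: int
    detection: int
    assessed_on: date
    # Expected (severity, probability, detection) after the planned control
    residual: Optional[Tuple[int, int, int]] = None

    @property
    def rpn(self) -> int:
        return rpn(self.severity, self.probability, self.detection)

    @property
    def level(self) -> str:
        return classify(self.rpn)[0]

    def deadline(self) -> Optional[date]:
        months = classify(self.rpn)[2]
        return None if months is None else add_months(self.assessed_on, months)

    def residual_rpn(self) -> Optional[int]:
        return None if self.residual is None else rpn(*self.residual)

def control_adequate(risk: ProcessRisk) -> bool:
    """Low risks need no control. Anything above Low needs a documented
    residual assessment whose RPN lands in the Low band (assumed target)."""
    if risk.level == "Low":
        return True
    residual = risk.residual_rpn()
    return residual is not None and classify(residual)[0] == "Low"

def register_report(risks: List[ProcessRisk]) -> List[dict]:
    """One row per risk, as a periodic register review would read it."""
    return [{"id": r.risk_id, "rpn": r.rpn, "level": r.level,
             "deadline": None if r.deadline() is None else r.deadline().isoformat(),
             "adequate": control_adequate(r)} for r in risks]

# Constructed sample register (not real QMS data).
SAMPLE_REGISTER = [
    ProcessRisk("PR-01", "Operational", 2, 2, 2, date(2024, 1, 15)),
    ProcessRisk("PR-02", "External", 4, 3, 3, date(2024, 1, 15), residual=(4, 2, 1)),
    ProcessRisk("PR-03", "Compliance", 5, 4, 4, date(2024, 8, 31), residual=(5, 2, 2)),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
```

In the sample, PR-02 (RPN 36, Medium) gets a 6-month deadline and its planned control brings the residual RPN to 8, whereas PR-03 (RPN 80, Critical) is flagged because its expected residual RPN of 20 is still Medium, which is exactly the kind of row a quarterly review should send back for a stronger control.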

Process risk monitoring

Process risks shall be monitored through:

  1. Quarterly review: JD-004 reviews the T-002-010 Process risk register quarterly to assess:
    • Status of risk control measures
    • Effectiveness of implemented controls
    • New risks identified
    • Changes in existing risk levels

  2. Annual management review: Process risks are reviewed during the annual management review and documented in the T-002-004 Annual management review report.

  3. Triggered reviews: A risk review is triggered by:
    • Significant non-conformities
    • Changes to processes
    • Audit findings
    • Changes in regulatory requirements

Documentation

All process risks and their management shall be documented in the T-002-010 Process risk register, which includes:

  • Risk identification (ID, description, category)
  • Risk assessment (severity, probability, detection, RPN)
  • Risk acceptability determination
  • Risk control measures (if applicable)
  • Responsible person and deadline
  • Verification of effectiveness
  • Current status
  • Residual risk assessment

Process flowchart

Associated documents​

  • GP-002 Quality planning
  • GP-006 Non-conformity. Corrective and preventive actions
  • GP-013 Risk management (for product risks)
  • T-002-003 Quality indicators
  • T-002-004 Annual management review report
  • T-002-007 Process validation card
  • T-002-010 Process risk register

Signature meaning

The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:

  • Author: Team members involved
  • Reviewer: JD-003 Design & Development Manager, JD-004 Quality Manager & PRRC
  • Approver: JD-001 General Manager
All the information contained in this QMS is confidential. The recipient agrees not to transmit or reproduce the information, neither by himself nor by third parties, through whichever means, without obtaining the prior written permission of Legit.Health (AI Labs Group S.L.)