AI Risk Assessment Writer
Risk assessments under ISO 14971 and ISO 12100 require systematic hazard identification, risk estimation, and mitigation documentation. Vespper helps you build traceable risk assessments that connect hazards to mitigations to verification evidence.
1. Risk Management Process
ISO 14971:2019 defines the risk management framework that medical device manufacturers must follow throughout the product lifecycle.
ISO 14971:2019
- Risk management plan defining scope, risk acceptability criteria, and verification activities
- Hazard identification using systematic techniques (FMEA, FTA, HAZOP)
- Risk estimation combining severity and probability for each hazard-harm sequence
- Risk control measure selection, implementation, and verification of effectiveness
Risk Analysis Techniques
- FMEA (Failure Mode and Effects Analysis) with severity, occurrence, and detection scoring
- Fault Tree Analysis (FTA) for systematic top-down hazard decomposition
- HAZOP (Hazard and Operability Study) for process-related hazard identification
- Risk management plan must be established before risk analysis begins — retroactive plans are an audit finding
- Risk acceptability matrix must define severity and probability scales before risk estimation, not after
2. Hazard Identification Standards
Different device types require hazard identification methods appropriate to their specific risk profile.
IEC 62366-1:2015 — Usability Engineering
- Use-related hazard identification through task analysis and use scenarios
- Foreseeable misuse documentation with associated risk analysis
- Usability validation confirmation that use-related risks are controlled
Domain-Specific Hazard Standards
- IEC 60601-1 hazard identification for electromedical devices including electrical, thermal, and mechanical hazards
- ISO 10993 series for biocompatibility hazard identification and biological evaluation
- IEC 62304 software hazard analysis including software of unknown provenance (SOUP) risks
- Hazard identification must cover all hazard categories relevant to the device — missing a category creates uncontrolled risk
- Software hazard analysis must be consistent with software classification per IEC 62304
3. Residual Risk Assessment
After risk controls are applied, residual risk must be evaluated and the overall residual risk must be acceptable.
Overall Residual Risk Evaluation
- Individual residual risk acceptability documented for each hazard-harm sequence
- Overall residual risk evaluation considering the totality of residual risks
- ALARP (As Low As Reasonably Practicable) demonstration where required
- Benefit-risk analysis integration with clinical evaluation for Class III devices
- Individual risk acceptability alone is insufficient — ISO 14971 requires overall residual risk evaluation
- Benefit-risk documentation must align with the Clinical Evaluation Report conclusions
4. Post-Market Risk Monitoring
Risk management is a lifecycle activity that must incorporate post-market data into ongoing risk assessment.
Post-Market Feedback Integration
- Trend analysis methodology for complaint and vigilance data
- Periodic risk management review triggers and documentation requirements
- CAPA integration linking corrective actions back to the risk management file
- Field Safety Corrective Action (FSCA) documentation and risk reassessment
- Risk management files without post-market data updates are non-compliant with ISO 14971 lifecycle requirements
- CAPA effectiveness verification must demonstrate that the corrective action actually reduced risk
What happens when documentation falls short
- Patient harm from unidentified or inadequately controlled hazards
- Product recall triggered by risk controls found to be insufficient post-market
- Regulatory non-conformity findings during ISO 13485 and Notified Body audits
- Product liability exposure from undocumented risk acceptance decisions
- Delayed market clearance from incomplete risk management files
What this means for your team
How Vespper helps with risk assessments
Hazard-to-mitigation traceability
Build risk assessments where every hazard traces to its risk control measures and verification evidence — no broken links.
Standards-compliant structure
Generate risk assessments following ISO 14971 or ISO 12100 process requirements with proper documentation structure.
Source document integration
Upload design specs, test reports, FMEA outputs, and field data. Vespper connects risk findings to the evidence that supports them.
Incremental updates
When design changes occur, update your risk assessment with AI assistance and review only the affected hazard-mitigation chains.
Build your risk assessment in 3 steps
Upload design and safety data
Connect design specifications, FMEA outputs, test reports, field complaint data, and applicable standards.
Generate risk assessment
Vespper drafts your risk assessment with hazard identification, risk estimation, and mitigation measures traced to source evidence.
Review and validate
Walk through hazard-mitigation chains, verify risk levels, confirm mitigation adequacy, and export for quality review.
Built for
Related solutions
Start writing risk assessments with AI
Build traceable, standards-compliant risk assessments connected to your design evidence.
Sign in