Building a Self-driving Car or an Airplane? Get Risk Management Help from Medical Device Industry!

All businesses are familiar with risk management, be it strategic business risks, financial risks, project risks, products risks or any combination of these that they are managing.

Most product development projects include managing product risks to ensure that the product works as envisioned within the range of acceptable risk.

For safety-critical products such as cars, airplanes or medical devices, product risk management is a requirement for market entry. Safety-critical product developers need to design safety into their products to ensure that these products are, in fact, safe to use.


With more and more software in safety-critical products like cars or medical devices today, and more software being in control of their critical functionality, regulatory aspects should seamlessly integrate into the software development lifecycle.

SoftComply Risk Manager was developed to help safety-critical product development companies automate their product risk management and integrate it into their software development lifecycle in Jira to support establishing full traceability between software requirements, risks and test cases.

Fig.1 – example of how you can link medical device risks to product requirements and tests with SoftComply Risk Manager on Jira

If you are developing medical devices, you know how important it is to have your device risk management closely linked to the software development lifecycle where software requirements are linked:

(a) to risks (as risks could arise from these requirements),

(b) to mitigation actions for unacceptable risks (that are, in fact, additional software requirements), and

(c) to the verification of the mitigation actions (i.e. the test cases where the implementation of the mitigation actions are verified).


In a medical device risk project, each identified Harm has an associated Severity – one Harm has the same Severity throughout the medical device development project, i.e. when the failure of a software function could potentially lead to a patient’s serious injury, the severity associated with it is always Catastrophic.

Fig. 2 – mapping of Harm and Severity

Since the SoftComply Risk Manager was developed based on ISO 14971 requirements for hazard analysis of medical devices, ‘Harm’ and ‘Severity’ are strictly mapped to each other.

In other words, if you change the Severity of a risk (e.g. the Severity of Serious Injury is now Medium, not Catastrophic – see Fig. 3) in the Risk Management table, all risks in the Risk Management table are automatically analyzed to set this new Severity (Medium) to all risks that have that same Harm (Serious injury) as depicted in Fig 4.

Fig. 3 – changing the Severity of a hazard

Fig. 4 – all Severity ratings are automatically updated for hazards with the same Harm


Not all risks are managed in the same way as medical device risks though. Strategic business risks, operational risks, project risks or compliance risks are all managed in a slightly different way. For these risks, there is a risk board that discusses and determines the level of risk that can change overtime as business objectives and circumstances change.

In other words, project risks that have the same ‘Harm’ or ‘Effect’, may be associated to different levels of Severity depending on the risk itself.

To that end, when you start a risk project with the SoftComply Risk Manager, you can now disable the feature of mapping ‘Harm’ to ‘Severity’, allowing you to manage all kinds of risks related to your business.

Fig. 5 – enabling or disabling the Harm-Severity mapping for your risk projects


Different product development projects require different types of risks to be managed. In the regulated domains, the most common risk management approaches are hazards analysis and FMEA.

We would love to make sure that we can help you manage and integrate your risks to the software development lifecycle by making sure the SoftComply Risk Manager supports your needs. In order for us to do that, we would like to learn about the types of risks you need to manage and how you need to manage them – please drop us a line.

Read more about SoftComply Risk Manager